If your Singapore fintech uses OpenAI, Google Gemini, or Anthropic Claude to make or assist with credit decisions, you almost certainly have a live compliance gap — and you may not know it. The AI vendor's data retention policy and MAS's audit trail requirement are on a collision course.
When you call the OpenAI API to run a credit scoring model, generate a loan decision explanation, or flag a suspicious transaction, that request and response pass through OpenAI's infrastructure. How long does OpenAI keep those records?
| Vendor | Default API Log Retention | Zero-Retention Option | Notes |
|---|---|---|---|
| OpenAI | 30 days | Yes (enterprise agreement, Zero Data Retention) | ZDR means no logs at all — not helpful for audit |
| Google Gemini (API) | Up to 30 days for abuse monitoring | Google Cloud Enterprise options vary | Google Cloud retains model inputs/outputs per service agreement |
| Anthropic Claude | Up to 30 days for safety/abuse | Enterprise agreements available | API access logs (metadata) retained separately from content |
| AWS Bedrock | No content retention by default | N/A — must enable model invocation logging manually | CloudWatch or S3 logging must be explicitly configured |
| Azure OpenAI | Abuse monitoring data: up to 30 days | Abuse monitoring opt-out available (enterprise) | Customer data not used for training by default |
If your fintech is running credit decisions through any of these APIs and relying on the vendor's logs to reconstruct what happened when MAS comes to examine you — that is not a viable compliance strategy.
The relevant requirements come from two sources: the MAS Technology Risk Management (TRM) Guidelines and the MAS FEAT (Fairness, Ethics, Accountability, Transparency) Principles for AI in Financial Services.
Section 7.3.3 of the MAS TRM Guidelines states that financial institutions should retain activity logs for a minimum period as required by applicable laws and regulations — with MAS examinations typically expecting 5 years of records for material systems. Any system that touches a credit decision, loan approval, or risk assessment is material.
The key phrase is "activity logs." MAS expects to see:
The FEAT Accountability principle requires that your institution be able to identify who or what made a decision and why. For AI-assisted decisions, this means the model's reasoning — not just the final output — must be traceable. The Transparency principle requires that individuals affected by AI decisions can receive an explanation.
Some teams respond to this by adding a database write after each API call: store the final credit score, the decision (approve/decline), and a timestamp. This is better than nothing, but it fails the FEAT audit test for three reasons.
A credit decision is not just the output number. It's the full context: the applicant's input features, the prompt template that framed the question, any retrieved context from a RAG system, and the specific model version. Without capturing the complete input, you cannot explain why the model scored an applicant the way it did — even if you know the score itself.
OpenAI regularly updates models. When you call gpt-4o, you are not pinned to a specific snapshot. The model you called in January 2026 may behave differently from the model you call today under the same model name. If a customer disputes a decision made 8 months ago, you need to know which exact model version was in use — not just the alias you called.
MAS does not just want records. For a material system, MAS expects those records to be integrity-protected — you should be able to demonstrate that the record has not been altered since the time of the decision. A database row that an engineer can UPDATE is not sufficient evidence of an unaltered audit trail.
Here is how three common implementation approaches map to MAS compliance risk.
Your application calls the OpenAI API directly. The response is used in the credit workflow. No additional logging is implemented beyond what the vendor retains.
MAS exposure: After 30 days, you have no evidence of what inputs were provided, what the model returned, or which model version was used. A MAS examination would find a gap in your activity log continuity. FEAT Accountability: fails. FEAT Transparency: fails.
Your application logs the final decision and output score to your own database. Inputs and the full prompt are not captured. Model version metadata is not stored.
MAS exposure: You can show what the model decided, but not why — the inputs that led to that output are lost. Partial compliance at best. A sophisticated MAS examination will probe for input traceability. FEAT Accountability: partial. FEAT Transparency: partial.
Every API call is intercepted before it reaches the vendor. The complete input (features, prompt, context), model identifier and version, response, latency, and timestamp are written to a tamper-evident store with cryptographic integrity verification. Records are retained for 5+ years.
MAS exposure: You can reconstruct any decision at any point in time, prove the record has not been altered, and produce it during an examination. FEAT Accountability: satisfied. FEAT Transparency: satisfied.
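A minimal sketch of the tamper-evident record that Architecture C describes, added here as an illustration and not taken from Veritrail or any vendor SDK. It assumes an HMAC-SHA256 hash chain with the key held outside the database; the field names, template id and all sample values are constructed.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # prev_hash value for the first record in a chain

def record_mac(body: dict, key: bytes) -> str:
    # Canonical JSON so identical content always yields identical bytes.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def append_record(chain: list, key: bytes, **fields) -> dict:
    """Append one decision record, bound to the previous record's MAC."""
    body = dict(fields, seq=len(chain),
                prev_hash=chain[-1]["hash"] if chain else GENESIS)
    record = dict(body, hash=record_mac(body, key))
    chain.append(record)
    return record

def verify_chain(chain: list, key: bytes):
    """Return the index of the first invalid record, or None if intact."""
    prev = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return i  # record removed, reordered or re-linked
        if not hmac.compare_digest(record.get("hash", ""), record_mac(body, key)):
            return i  # content changed after it was written
        prev = record["hash"]
    return None

def sample_chain(key: bytes) -> list:
    """Two constructed credit decisions (all values are made up)."""
    chain = []
    for applicant, score in (("A-1001", 712), ("A-1002", 548)):
        append_record(
            chain, key,
            timestamp="2026-01-15T03:12:09Z",
            requested_model="gpt-4o",             # alias the application called
            resolved_model="gpt-4o-2024-08-06",   # version string in the response
            prompt_template="credit-score-v3",    # hypothetical template id
            features={"applicant": applicant, "income": 5400, "tenure_months": 18},
            response={"score": score},
            latency_ms=840,
        )
    return chain

if __name__ == "__main__":
    key = b"demo-key-held-outside-the-database"   # constructed; keep in a KMS/HSM
    chain = sample_chain(key)
    chain[0]["response"]["score"] = 790           # simulate an in-place UPDATE
    print("first invalid record:", verify_chain(chain, key))
```

The chain alone does not reveal records deleted from the tail, so the latest hash should also be anchored somewhere the database administrators cannot write, such as a write-once object store.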
If you're currently running Architecture A or B, you have two options.
The engineering scope for a compliant in-house solution includes:
Realistic build estimate for a two-engineer team: 3–6 weeks to get to production, longer to get to MAS examination quality. Every LLM integration in your stack needs to be instrumented separately. Ongoing maintenance is non-trivial.
Veritrail is a drop-in audit trail layer for AI decisions. It intercepts your LLM API calls, captures the complete decision record (inputs, outputs, model version, timestamp), generates a tamper-evident hash chain, and writes to a MAS TRM-compliant immutable store — all before returning control to your application.
```python
# Python — wrap your existing OpenAI client
import openai
from veritrail import audit

client = audit(openai.OpenAI(), retain_years=5)

# Use exactly as before — audit trail is automatic
# (credit_prompt is the prompt string your application already builds)
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": credit_prompt}],
)
```
Every call now produces a cryptographically signed, tamper-evident record in your audit store. Records are retained for 5 years, indexed by customer ID, decision type, and timestamp. When MAS requests records, you export a signed audit package — not a database dump.
The gap between a 30-day vendor retention window and a 5-year regulatory requirement is not a theoretical risk. It is a live compliance gap for every Singapore fintech using LLM APIs in a decision workflow today.
MAS thematic inspections on AI risk management are increasing. The FEAT principles are moving from guidance to examination criteria. Getting examined with an 18-month gap in your AI decision logs — because you assumed the vendor kept them — is not a position you want to defend.
The fix is not expensive or slow. But it needs to happen before the next examination, not after.
Own your own audit trail. Veritrail captures every AI decision your fintech makes — complete, tamper-evident, MAS TRM-compliant, 5-year retention.
Book a 20-minute demo → No sales pressure. We'll show you the gap in your current stack and whether Veritrail closes it.