APAC Regulatory Fragmentation in 2026: What In-House Legal Teams Need to Know

July 2026
Posted by Jacob Flax

Regulation across Asia Pacific is changing at different speeds, in different directions, and with different priorities, depending on where you operate. For in-house legal and compliance teams trying to support a regional or global business, this creates a specific kind of pressure.

The question isn’t, “How do we comply?” It’s “How do we decide what to act on first, with limited time and an even more limited budget?”

That was the focus of a recent Axiom webinar I moderated, which brought together legal leaders with direct experience managing this exact problem. Rikhab Chand, Regional Counsel at IBM ASEAN, Kuan Wei Lee, Head of Global Regulatory Legal at Stripe, and Tania Pavaskar, ACC Director & Counsel at Axiom, walked through where they're actually feeling the pressure right now, and how they're making calls when the right answer isn't fully settled yet.

The shift from permissive to prescriptive

Kuan Wei highlighted a trend that's reshaping fintech and financial services across the region: Regulators are tightening up. A decade ago, fintechs were treated as a new category of financial services and therefore allowed some room to innovate. But that's changed. As digital asset failures like FTX shook confidence in the sector, regulators moved from a principles-based approach back toward something more prescriptive and controlled.

Layered on top of that is fragmentation. Stablecoin regulation in Singapore, Hong Kong, and Australia is comparatively mature, while other markets are still catching up. Even in more established categories like payments, frameworks are being overhauled in real time, including ongoing changes in Indonesia and Australia. And regulators are increasingly enforcement-minded, looking for proof of real controls rather than policies that exist only on paper.

Put together, that means less ability to scale a single compliance approach across the region, little cross-border compatibility, and a growing share of resources going toward compliance rather than growth.

Data residency as a case study in fragmentation

Rikhab framed the in-house challenge through two lenses: keeping pace with fast-moving technology and managing a genuinely fragmented regulatory landscape. The Association of Southeast Asian Nations (ASEAN) alone covers six main countries, each with its own regulatory regime.

Data residency is where this shows up most clearly. Vietnam has the strictest cross-border data transfer rules in the region, with a new data law introducing categories like “core” and “important” data that companies are still working to interpret. Indonesia and Malaysia sit in the middle, with sector-specific rules that still require real compliance work. Singapore, the Philippines, and Thailand are comparatively relaxed.

Rikhab shared the example of a cloud-based HR company in Singapore that collects employee data from people in Indonesia, India, and Vietnam: it needs three separate legal assessments just to move that data to its own servers. India requires consent and attention to contractual terms. Indonesia requires specific safeguards. Vietnam requires significantly more. AI governance follows a similar pattern, from Korea's flexible AI Basic Act to Vietnam's stricter, already-enacted AI law, to Singapore's voluntary governance framework.

The practical result, according to Rikhab, is that the old model of one legal team based in a hub market no longer works. Teams need data privacy lawyers with jurisdiction-specific experience, country by country.


India's new data law, and the questions nobody has fully answered yet

Tania pointed to India's Digital Personal Data Protection Act (DPDPA) as the development she's watching most closely. Unlike GDPR's six lawful bases for processing data, the Indian law is built almost entirely around consent, with detailed notice requirements that companies will need to revisit closely.

A few specifics are already reshaping how multinational companies need to think about compliance in India. The law introduces a “white list” of approved countries for data transfers. It sets the age of consent at 18, raising real operational questions for any consumer product used by minors. Tania pointed to ride-sharing apps with in-cabin video recording as one example where the consent chain (parent, child, or both) still needs to be worked out. And it introduces the concept of a “significant data fiduciary,” a category that companies will need to assess themselves against once the criteria are clearer.

The law is rolling out in phases, and according to Tania, that rollout is happening on a real timeline, an estimated eighteen months, not the two or three years some had expected.

Building a compliance program for constant change

So how do legal teams actually operationalize all of this without growing headcount at the same rate the regulation grows? A few practical approaches came up:

Start with fundamentals

Tania advised knowing where your data sits, why you have it, how long you keep it, and what it's used for. Get that foundation right with IT, including proper data tagging and access controls, before layering anything more sophisticated on top.

Build to the strictest standard, then localize

Rikhab's suggested model is to build one global compliance program calibrated to the most demanding jurisdiction, then adjust downward for markets with lighter requirements, rather than building each market's program from scratch.

Triage based on real risk, not just legal exposure

Rikhab also described applying a cost-benefit lens: weighing the probability and severity of enforcement against the cost of compliance, and factoring in actual business impact. Markets with active enforcement histories, like Singapore, Australia, and Thailand, warrant a heavier compliance investment than smaller markets with less enforcement activity.

Treat low-risk AI use cases accordingly

Several frameworks in the region, including Vietnam's AI law, already categorize AI systems by risk level. Rikhab's point was that if an internal risk assessment puts a system in the low-risk category, that's not where the budget should go.

Build the heat map before you need it

Kuan Wei's framing was both external and internal. Externally, map out which markets have settled regulation, which are still in flux, and where there might be a chance to engage regulators before a rule is finalized, including potential sandbox opportunities. Internally, stay close to the business itself, so legal isn't just reacting to a list of new rules but actually understanding what the business is trying to do and where it's headed next.

There's a talent gap here, too. Rikhab cited a McKinsey finding that 78% of organizations use AI in at least one business function, but only 13% have hired AI-specific compliance legal talent. That's a meaningful gap between where governance needs to be and where the people sit today.

The soft skill nobody talks about: How to say “no”

As compliance demands grow but legal team sizes mostly don't, the hardest part of the job isn't legal analysis. It's communication.

As Rikhab explained, knowing how to say no, and saying it at the right moment, is one of the most important skills an in-house leader can have. Tania distinguished between risk-based areas like privacy, where decisions can be documented and explained, and gated requirements like sanctions compliance, where there's no flexibility once a determination is made. Both pointed to the same underlying need, though: building enough trust with the business that “no” is understood as risk management, not obstruction.

Tania also flagged that the same arguments used to justify in-person collaboration (like building trust and brainstorming in real time) apply just as much to legal teams as anywhere else, even as more of the work shifts toward AI-assisted tools.

What would make this easier?

When asked what one thing they'd change about how regulators engage with in-house teams, all three pointed to the same model: Singapore. Why? Genuine public consultation before laws are finalized, the ability to call a regulator directly and get a question clarified, and sandbox programs that let companies test an approach before it becomes binding. Kuan Wei added another point: regulators that don't make rules publicly available, restricting access to regulated entities only, create unnecessary friction for everyone trying to operate responsibly.

The throughline across the entire conversation is that there's no single playbook that works across APAC right now. The work is in building the judgment and the regional experience to know where to invest compliance energy first, and where it's safe to wait.

 


Jacob Flax is Managing Director and Head of APAC at Axiom, where he helps in-house legal teams improve operational and financial performance through high-quality legal talent and innovative solutions. Previously, he served as Senior Vice President at Gerson Lehrman Group (GLG) Australia and held roles at Bloomberg LP and Deloitte Australia's Financial Advisory Services division.