We’re seeing evolving cross-border rules in finance across the region, with regulatory approaches to technology both accelerating innovation and presenting challenges for fintechs navigating the market.
This is especially observable in Hong Kong, Singapore, and China.
DigifinAsia had the opportunity to discuss with Ying Wang, Partner at international law firm Simmons & Simmons, how the region’s diverse regulatory frameworks are shaping cross-border financial activities and technology integration.
Wang also shared where her clients are excelling in the adoption of new technology, as well as where challenges still lie for Asia Pacific’s fintech industry.
Under what regulatory trends are you seeing your clients excelling in, within Asia Pacific (APAC)?
Wang: Three themes stand out:
- Digital asset licensing and compliance readiness. Clients who invested early in building compliant digital asset operations — through proactive licensing, restructuring service offerings, or engaging regulators ahead of deadlines — are pulling ahead. Spoiler: the wait is over. In Hong Kong, new legislation expected in 2026 will require all firms providing virtual asset dealing, advisory, or custody services to be formally licensed. In Vietnam, the Law on Digital Technology Industry came into force on 1 January 2026, formalizing the digital asset ecosystem in one of Southeast Asia’s fastest-growing markets.
- Operational resilience. Beyond the vendor checklist. MAS has proposed new Third-Party Risk Management Guidelines that go well beyond traditional outsourcing obligations, while HKMA requires banks to fully implement their operational resilience framework by May 2026. Clients treating resilience as a board-level governance issue, not just an IT problem, are ahead of the curve.
- AI governance. Not just an EU issue. Most enterprises try to implement AI governance consistently across their international operations — but APAC is making that harder than it sounds. Singapore, Vietnam, Thailand, Malaysia, and Korea are each moving at their own pace with their own frameworks. Clients who built flexible, jurisdiction-aware governance structures early are finding themselves considerably less dusty than the rest.
Who do you see facing significant hurdles under the diverse countries’ approaches?
Wang: The honest answer is: almost everyone — but some more than others.
Digital assets and crypto firms face the sharpest edges of regulatory fragmentation. Across APAC, a licence in one jurisdiction gives you precisely nothing in the next. Each market has its own regime, its own licensing thresholds, and its own timeline — there is no passport, no shortcut, and no sign of harmonisation on the horizon.
The complications run deeper than licensing. Stablecoins are now widely used for payments, but their regulatory treatment varies so significantly across APAC that traditional payment companies are increasingly finding themselves required to obtain or vary licences to cover digital asset activities they had not originally anticipated.
And, as markets mature, licensed crypto entities are discovering a new frustration: the inability to work on fused crypto and tokenized real-world asset products, because regulators treat capital markets products and crypto assets under entirely separate frameworks that were never designed to speak to each other.
When might upcoming regulatory shifts impact cross-border finance (i.e. what’s on the horizon for you clients)?
Wang: Two developments stand out as having the most immediate practical consequences.
- Digital assets. As APAC jurisdictions continue building out their own digital asset regulatory frameworks, the window for offshore unlicensed entities to service customers within those markets is closing — and closing faster than many firms have anticipated. This is not a distant horizon issue. Licensing deadlines in Hong Kong and Singapore are live, Vietnam’s framework is already in force, and others are following close behind. Firms still relying on cross-border service models without local licensing should be treating this as urgent.
- Operational resilience. MAS’s proposed Third-Party Risk Management Guidelines, when finalised, will require firms to re-examine their entire third-party ecosystem — not just what was previously captured under outsourcing arrangements. The practical implications are significant: group-level arrangements that historically sat outside the scope of outsourcing regulation may now fall squarely within it. For financial institutions operating across multiple APAC jurisdictions with centralised group functions, this is likely to require a fundamental rethink of how those arrangements are structured and documented.
How are lessons from EMEA and other jurisdictions bringing additional perspective to the APAC region?
Wang: Four lessons are travelling well.
- Operational resilience — DORA as a blueprint. The EU’s approach under DORA drove a decisive shift — moving beyond outsourcing to acknowledge the broader systemic risk posed by all third-party service providers. MAS’s proposed TPRM Guidelines follow precisely this trajectory, as does Australia’s CPS 230. For clients who already went through DORA remediation, the good news is that those playbooks and contract frameworks are directly transferable — a significant head start.
- AI governance — don’t reinvent the wheel. The EU AI Act’s influence on APAC legislative design is direct and visible across Korea, Vietnam, Thailand, and Malaysia. A well-designed EU AI Act compliance programme provides a genuine starting point for APAC obligations, rather than requiring a ground-up rebuild. Small mercies.
- Consumer protection — The UK FCA’s Consumer Duty is being watched closely by APAC regulators navigating retail crypto, BNPL, and embedded finance — particularly as digital financial services reach a broader retail base across Southeast Asia.
- Geopolitical and quantum security risks — EMEA’s post-Ukraine experience underscored how geopolitical disruption can threaten financial infrastructure. MAS’s CTREX advisory panel has already flagged quantum security as an emerging threat, urging financial institutions to urgently inventorise cryptographic solutions vulnerable to quantum attacks. In an increasingly fractured geopolitical landscape, APAC firms would do well to heed that warning sooner rather than later.
