China vs. Singapore: Why Your AI Compliance Strategy Needs Two Separate Playbooks

Compliance 4 June 2026 6 min read

If your firm has clients, operations, or ambitions in Asia, you may already be running AI tools that touch data flowing through the Far East. What most UK professional services firms have not yet reckoned with is that the two dominant regulatory environments in that region — China and Singapore — demand fundamentally different compliance responses. Not variations on a theme. Two entirely distinct playbooks.

Getting this wrong is not an abstract risk. Chinese regulators are actively investigating and penalising AI providers right now. Singapore is establishing frameworks that carry direct implications for how you handle client data and professional responsibility. Neither jurisdiction will wait for your firm to catch up.

The Fork in the Road: Prescription Versus Principles

China operates one of the most prescriptive AI regulatory regimes in the world. The Interim Measures for Generative AI Services create a mandatory pre-launch approval model, requiring algorithm registration, real-name user verification, and demonstrated alignment with state-defined "socialist core values." There is no voluntary opt-in here. If you provide or use a generative AI service in China, you are operating within a compliance framework that the state controls and actively monitors.

Singapore takes the opposite approach. The Personal Data Protection Commission (PDPC) relies on voluntary frameworks, principles-based guidance, and existing law — primarily the Personal Data Protection Act (PDPA) — rather than a dedicated AI registration regime. The goal is to enable responsible innovation while preserving regulatory flexibility. It is a pragmatic environment, but that does not mean it is without teeth or substance.

Understanding this philosophical divide is the starting point for everything that follows.

What China Requires: Labelling, Localisation, and Liability

China's regulatory demands are concrete and expanding. From September 2025, the AI-Generated and Synthesized Content Labelling Measures require providers to embed both explicit labels — visible corner watermarks or audio rhythms — and implicit metadata labels across the entire content lifecycle. This is not a disclosure at the point of publishing. It applies throughout creation, distribution, and storage.

Enforcement is not aspirational. Shanghai's Cyberspace Administration recently conducted "Operation Bright Sword," formally investigating and sanctioning AI service providers for bypassing mandatory security assessments, failing to suppress prohibited content such as doxxing tutorials, and generating synthetic voice clones without biometric consent. Penalties can reach 50 million RMB or 5% of annual revenue, with potential criminal liability layered on top. These are not theoretical maximums — they are being applied.

For UK professional services firms, the operational consequence is unambiguous: you cannot run global AI models in China and expect compliance. China's data localisation requirements, pre-launch security review obligations, and content filtering mandates mean that any AI deployment in China must be built on an entirely isolated, China-specific technology stack. Your standard enterprise AI tooling — the same stack you use in London or Edinburgh — simply cannot be transplanted. This is an infrastructure decision, not a policy tweak.

What Singapore Enables: Safe Harbours, Flexibility, and Regional Hub Potential

Singapore's March 2024 Advisory Guidelines on the Use of Personal Data in AI Systems introduced something practically valuable: clarity on when firms can process personal data without seeking explicit consent. The "Business Improvement" and "Research" exceptions create genuine safe harbours for firms building or refining AI systems, provided the processing is proportionate and appropriately governed.

In May 2024, Singapore also updated its Model AI Governance Framework for Generative AI to address risks specific to foundation models — the large, general-purpose models underpinning most enterprise AI tools today. The update covers issues including data provenance, incident response, and accountability structures.

Critically, Singapore's cross-border data transfer policies are considerably more flexible than China's. This makes Singapore the natural regional hub for broader APAC AI deployments. If your firm is building an Asia-Pacific AI strategy, Singapore is where that architecture should be centred — not as a workaround, but as a genuinely well-suited jurisdiction for compliant, scalable operations.

Professional Responsibility Cannot Be Delegated to a Machine

Singapore's Ministry of Law issued a Guide for Using Generative AI in the Legal Sector in September 2024. While it is addressed to legal professionals, its core principle applies across the whole of professional services — accountancy, HR consultancy, marketing, and beyond.

The guidance is explicit: professional responsibility cannot be delegated to AI. Firms must institute proportionate human oversight to independently verify that AI-generated outputs are factually accurate and fit for purpose before acting on them. This is not a recommendation to be cautious. It is a statement of where legal and professional accountability sits — with the human professional, regardless of how the output was generated.

For UK firms operating under FRC, SRA, or ICO oversight and deploying AI tools that touch APAC client matters, this principle creates a clear internal governance requirement. Your AI use policies, supervision frameworks, and quality review processes must reflect this standard. If a junior professional submits an AI-generated deliverable without independent verification, the firm bears the liability — not the model vendor.

Client Confidentiality and the Vendor Contract Problem

There is a procurement issue that too many firms are overlooking. Standard enterprise AI contracts do not automatically prohibit vendors from using your inputs — including client data — to train or refine their foundation models. In a professional services context, this is not a minor data governance concern. It is a potential breach of client confidentiality, professional privilege, and in some cases, regulatory duty.

Firms must ensure that vendor contracts explicitly and unambiguously prohibit the use of confidential client inputs for foundation model training. This clause needs to be present, not assumed. Review your existing agreements.

Related to this is the matter of transparency. Professionals in Singapore — and increasingly in other jurisdictions — are expected to disclose substantial generative AI use to clients, particularly where it influences a deliverable, a strategic recommendation, or the billing structure of the engagement. This is not about disclaiming responsibility. It is about maintaining the informed consent and trust that underpin professional relationships.

Two Jurisdictions, Two Compliance Frameworks — No Shortcuts

The temptation for many firms will be to develop a single "Asia AI policy" and apply it broadly. That approach will not hold. China demands mandatory registration, content controls, and localised infrastructure, and accepts no deviation. Singapore offers flexibility and safe harbours, but imposes clear standards around human oversight, data governance, and professional accountability. These frameworks cannot be reconciled into one document. They require two distinct, jurisdiction-specific responses.

The compliance overhead is real. But so is the commercial and reputational risk of operating in these markets without adequate governance in place.


If your firm is deploying AI tools that touch Asia-Pacific operations, client data, or cross-border engagements, now is the time to assess your exposure.

Ops Intel works with UK accountants, solicitors, HR consultancies, and marketing agencies to build jurisdiction-specific AI compliance frameworks — practical, proportionate, and built for professional services. Get in touch with the Ops Intel team to arrange a compliance review and find out exactly where your current AI governance stands.
