May 8, 2026

Let’s zero in on one of the fastest-growing digital economies on Earth: Asia-Pacific.

In the past 18 months, at least six major digital identity and AI frameworks have come into force across APAC countries, with more still being actively drafted. Together, they change a single thing: how organizations are allowed to verify identity.

Understanding what’s driving these changes – and what they require – is the first step to getting ahead of them.

Deepfake Fraud Is Driving APAC’s Regulatory Response

These regulations are a direct response to the surge in AI-powered identity fraud.

A 2025 Gartner survey found that 62% of organizations experienced a deepfake attack in the prior year. 37% of organizations have encountered deepfakes on video calls. So it’s not a theoretical risk. Not a proof-of-concept in a lab. These are real attacks, against real organizations, with real money at stake.

Real-world incidents:

This is the industrialization of identity fraud. Criminal networks are deploying commodity deepfake tools at scale, and APAC regulators have noticed.

The bottom line: expanding biometric infrastructure and tightening regulation across APAC demand high-assurance identity verification. Organizations choosing solutions that only defend against basic presentation attacks risk regulatory exposure as frameworks mature to address injection attacks and synthetic media.

APAC Biometric & AI Regulations Are Accelerating: Examples

Frameworks span three distinct regulatory domains – AI governance, data protection, and digital identity – but they converge on the same requirement: organizations that verify identity using biometric AI must now meet higher standards of assurance, privacy, and accountability across all three.

AI-specific laws:

  • Vietnam’s comprehensive AI law came into force on March 1, 2026, the first standalone AI legislation in Southeast Asia. It mandates human oversight of AI systems, requires labeling of AI-generated content like deepfakes, and applies to foreign entities handling Vietnamese personal data. If your biometric technology processes Vietnamese personal data, even through a partner integration, you already have regulatory obligations to assess. Although the law has been enacted, implementation guidance is still being detailed, which makes early scoping even more important.
  • South Korea’s AI Basic Act took effect in January 2026, with risk-based oversight for AI systems in finance, healthcare, and public services.

Digital ID frameworks:

  • Australia is tightening identity verification from both ends: its Digital ID Act establishes a federated trust framework with accreditation tiers for identity service providers. Its Privacy Act is being reformed too, expanding the definition of personal information to explicitly cover biometric and technical data.

More established markets are showing how differently regulators can approach the same problem. Singapore continues to operate one of the world’s most advanced national digital identity systems through Singpass, which integrates facial verification as a core authentication method and a mature identity verification (IDV) method for over 2,700 public and private sector services. Japan’s 2025 AI Promotion Act takes a lighter approach: innovation-first, and notably without monetary penalties – a contrast to the prescriptive approaches emerging elsewhere in the region.

The momentum extends beyond the headline economies, too: Cambodia has drafted a comprehensive data protection law, Laos has begun national digital ID issuance, and Myanmar has adopted MOSIP for a digital ID pilot.

Alongside this regulatory push, biometric adoption across the region is accelerating. Industry analyst Alan Goode has observed that APAC markets are moving toward facial biometrics as the primary access credential in physical environments, with a tokenless model replacing cards entirely. He sees face becoming the dominant modality in biometric physical access control within the next two to three years.

Different countries, different stages of maturity. But the through-line is unmistakable: regulators across APAC are demanding that organizations prove they can verify identity at a high level of assurance, handle biometric data responsibly, and explain how their AI makes decisions.

APAC’s New Biometric Laws Raise the Compliance Bar

For organizations relying on basic liveness checks or legacy identity verification, the implication is direct: the new APAC frameworks don’t just ask whether you verify identity. They ask how.

  • Deepfake and injection attack defense. Vietnam’s law requires AI-generated content to be identifiable. South Korea’s framework demands risk assessments for high-impact AI. You can’t meet these obligations with a solution that only defends against printed photos held up to a camera. You need detection that covers presentation attacks, digital injection attacks, and the synthetic media that’s now readily available to anyone with a laptop.
  • Privacy by architecture, not by policy. India’s DPDP and Vietnam’s Personal Data Protection Law enforce strict consent and processing requirements. Organizations need solutions that convert facial data into biometric templates, with personal data and biometric data structurally separated – where no single entity can associate a face with a name. That’s a design decision, not a policy document.
  • Continuous threat monitoring, not point-in-time certification. Regulators increasingly want to see that AI systems are actively managed. A liveness test that was certified twelve months ago and hasn’t evolved since can be a liability rather than an asset. What matters is whether your solution is adapting to the attacks happening right now – which is exactly what a Security Operations Center approach delivers.
  • Alignment with emerging global standards. The FIDO Alliance is hosting its first-ever Authenticate APAC conference in Singapore in June 2026. NIST SP 800-63-4, FIDO Face Verification, and CEN/TS 18099 are becoming benchmarks APAC regulators reference. If your biometric provider can’t point to independent, accredited certifications against these standards, that’s a problem.

Note: many APAC frameworks may only reference standards like ISO 30107-3, without explicitly requiring digital injection attack (DIA) detection. DIAs are the most dangerous form of attack, but standards are still playing catch-up. NIST SP 800-63-4 requires demonstrated resistance to injection attacks, and CEN/TS 18099 provides the independent testing methodology. APAC regulators are likely to follow suit as the regulations discussed here develop.

What’s Next? How to Prepare for APAC Digital Identity Compliance

These regulations affect any organization verifying identity in APAC – whether you’re onboarding customers, authenticating employees, or enabling transactions across borders. Here’s where to start:

Assess your regulatory footprint: If you’re processing personal data in Vietnam, India, Indonesia, or other APAC markets – even through third-party integrations – identify which frameworks apply to your operations and what level of identity assurance they expect.

Audit your identity verification stack: Does your current solution defend against injection attacks and deepfakes, or just basic spoofing? The gap between the two is where attackers thrive and where regulatory exposure sits.

Prioritize privacy architecture over privacy theater: Look for solutions with structural data separation, pseudonymization, and cloud-based processing that prevents any single party from re-identifying an individual. If your provider can’t explain their architecture in these terms, keep looking.

Require independent certifications: Ask your biometric provider which standards they’re certified against – NIST, FIDO, ISO, CEN – and by which accredited lab. Self-asserted claims aren’t evidence.

iProov provides high-assurance biometric face verification for key governments and organizations, including GovTech Singapore, the US Department of Homeland Security, and the UK Home Office. iProov surpassed one million daily biometric verifications in 2025 and is the first biometrics vendor independently certified to meet NIST SP 800-63-4.