Other Compliance Frameworks
Beyond the core frameworks (EU AI Act, GDPR, ISO 42001, SOC 2, NIST AI RMF, HIPAA), Compliance AI supports 30+ additional frameworks covering privacy laws, sector-specific rules, and emerging AI regulations in 22 jurisdictions.
Global Privacy Laws
CCPA (California Consumer Privacy Act)
Jurisdiction: California, USA (applies globally to CA residents)
Trigger: Business collects personal info of CA residents
Max penalty: $7,500 per violation
Key rights:
- Know what data is collected
- Delete personal data
- Opt out of data sales
- Non-discrimination for exercising rights
For AI systems:
- If AI trains on CA resident data → CCPA applies
- Must disclose AI data collection
- Honor deletion requests (retrain model without that person’s data)
- Do not discriminate against opt-outs
Expanding to: CPRA (2024), other US states
LGPD (Lei Geral de Proteção de Dados)
Jurisdiction: Brazil
Scope: Any org processing Brazil resident data
Max penalty: 2% of revenue or $15M per violation
Similar to GDPR but with key differences:
- Requires legitimate interest assessment
- Consent often needed (even for company’s interests)
- Shorter timeframes for data subject requests (15 days)
- Mandatory Data Protection Officer for large processors
For AI systems:
- Very similar to GDPR (conduct DPIA, document legal basis, honor data subject rights)
- Compliance AI’s GDPR module covers most LGPD
PDPA (Personal Data Protection Act)
Jurisdiction: Singapore, Malaysia, Japan
Scope: Any org collecting Singapore resident personal data
Max penalty: $1M SGD
Key principles:
- Notice (tell people you’re collecting)
- Purpose limitation (only use for stated purpose)
- Consent (usually needed)
- Accuracy
- Protection
- Openness
- Access and correction
- Accountability
For AI systems:
- Similar consent/notice requirements as GDPR
- Document data usage for each AI system
- Implement access/correction procedures
AIDA (Artificial Intelligence and Data Act)
Jurisdiction: Canada (proposed, not yet passed)
Proposed trigger: High-risk AI systems
Proposed requirements:
- Risk assessment
- Bias testing
- Documentation
- Human oversight for high-risk decisions
- Incident reporting
Status: Expected 2024-2025
TruthVouch support: AIDA compliance checklist (will auto-activate when law passes)
Japan APPI (Act on Protection of Personal Information)
Jurisdiction: Japan
Scope: Any org collecting Japan resident personal data
Max penalty: ¥100M or 1% revenue (highest globally)
Key requirements:
- Privacy policy required
- Consent usually needed
- Security safeguards
- Purpose limitation
- Cross-border transfer restrictions (need explicit consent or safe harbor)
For AI systems:
- If training data includes Japan residents → APPI applies
- Similar to GDPR/LGPD requirements
- Stricter on cross-border transfers
Australia Privacy Act (Australian Privacy Principles)
Jurisdiction: Australia
Scope: Orgs collecting Australia resident data
Max penalty: A$2.5M
13 Australian Privacy Principles (APPs):
- Open & transparent management (privacy policy)
- Anonymity & pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited information
- Notification (when collecting)
- Use/disclosure (purpose limitation)
- Data quality & data correction
- Data security
- Openness (access to personal data)
- Unique identifiers
- Anonymity (where practicable)
- Transborder data flows
- Sensitive information (health, biometric, etc. — higher protection)
For AI systems:
- Privacy policy must disclose AI usage
- For sensitive data (health, race, union), stricter consent needed
- APPs similar to GDPR in spirit
India DPDP Act (Digital Personal Data Protection)
Jurisdiction: India
Effective: 2024
Scope: India resident personal data
Max penalty: ₹500 Cr ($60M)
Key principles:
- Purpose and choice (consent-based)
- Collection minimization
- Notice
- Accuracy
- Safety
- Storage limitation (delete when purpose met)
- Transparency & grievance redress
- Processing limitations (use only for stated purpose)
For AI systems:
- If training data includes India residents → DPDP applies
- Consent-based approach similar to GDPR
- Data minimization important (don’t collect unnecessary data)
South Korea POPIA (Personal Information Protection Act)
Jurisdiction: South Korea
Scope: Any org collecting SK resident data
Max penalty: ₩100M or 1% revenue
Key requirements:
- Privacy policy & notice required
- Consent usually needed
- Purpose limitation
- Security safeguards
- Data subject access & correction rights
- Unique identifiers restricted
- Sensitive data (biometric, health) extra protection
For AI systems:
- Similar to GDPR/LGPD
- Biometric AI (facial recognition) heavily regulated
- Cross-border transfers restricted
Sector-Specific Frameworks
FINRA (Financial Industry Regulatory Authority)
Jurisdiction: US brokerage/investment firms
Trigger: Firms offering securities, investment advice, or trading
Focus areas for AI:
- Algorithmic trading transparency
- Market manipulation detection
- Robo-advice fairness
- Customer suitability assessment
- Anti-money laundering (AML) AI
Key regulations:
- Rule 3110 (supervision, including AI algorithms)
- Rule 4512 (communications with public, including AI-generated)
- Regulation SCI (systems compliance & integrity)
For AI:
- Document algorithm development & testing
- Fairness assessment (does it recommend suitable products?)
- Surveillance for market manipulation
- Regular audits
Prudential Regulation
Jurisdiction: UK, EU banking sector
Trigger: Banks, insurance, large investment firms
Focus: Operational resilience, risk management, governance
AI focus areas:
- Model risk management (validation, monitoring)
- Data quality
- Fair lending (no discrimination)
- Cybersecurity
Requirement: Chief Model Risk Officer role
FINMA (Swiss Financial Regulator)
Jurisdiction: Switzerland banking
Trigger: Banks operating in Switzerland
AI guidance: Guidelines on AI & Machine Learning (2021)
Expectations:
- Model governance & testing
- Model performance monitoring
- Bias & fairness assessment
- Human oversight for critical decisions
- Regular audits
Singapore Monetary Authority (MAS)
Jurisdiction: Singapore financial sector
Trigger: Banks, fintech, investment firms
AI guidance: Principles on AI governance (2020)
Expectations:
- AI governance framework
- Risk assessment
- Testing & validation
- Bias monitoring
- Human oversight
- Transparency to customers
Emerging AI Regulations
China CAC AI Rules
Jurisdiction: China
Trigger: AI services (generative AI, recommendation, etc.) available in China
Focus: Content safety, national security, data privacy
Key requirements (translated):
- Content moderation for prohibited content (political, adult, violence, etc.)
- Data minimization (only collect necessary data)
- User consent
- Incident reporting to authorities
- Algorithm transparency to users
For AI systems:
- Content moderation system required
- Training data documented
- Bias/fairness tested
- User can report concerns
Note: Compliance may be impossible for some companies (e.g., Western media platforms)
Saudi Arabia GOSI Guidelines
Jurisdiction: Saudi Arabia
Status: Draft/guidance (not law, enforcement TBD)
Focus: AI governance, safety, fairness
Proposed areas:
- AI governance structure
- Risk assessment
- Bias testing
- Human oversight
- Transparency
Compliance: Voluntary compliance demonstrates responsible AI; expected to become mandatory
UAE AI Strategy
Jurisdiction: United Arab Emirates
Status: Guidance & strategy (not mandated, but preferred by government)
Focus: Responsible AI, transparency, explainability
Emphasis:
- Explainability to affected individuals
- Human-in-the-loop for critical decisions
- Transparency about AI usage
- Data protection (GDPR-like)
Compliance: Government vendors expected to follow; increasingly required for government contracts
Financial Institution AI Regulations
Fed Guidance (US Federal Reserve)
Jurisdiction: US banks supervised by Federal Reserve
Status: Guidance (not rule, but enforced in practice)
Requirements:
- AI governance & risk management
- Model risk management
- Third-party AI vendor oversight
- Fair lending compliance
- Cybersecurity
ECB Guidance (European Central Bank)
Jurisdiction: EU banks
Status: Guidance on AI risk (2021)
Requirements:
- AI risk classification
- Model validation
- Bias testing & monitoring
- Human oversight
- Vendor risk management
OCC Guidance (US Comptroller)
Jurisdiction: US national banks
Status: Guidance on model risk management
Requirements:
- Model inventory
- Risk classification
- Validation testing
- Ongoing monitoring
- Challenge function (independent review)
Industry-Specific Guidance
| Industry | Framework | Focus |
|---|---|---|
| Automotive | SAE J3016 (Autonomous vehicles) | Safety levels, testing, validation |
| Aerospace | ARP 4761 (Safety) | Failure analysis, robustness testing |
| Utilities | NERC CIP (Critical infrastructure) | Cybersecurity, access control, monitoring |
| Telecom | 3GPP (Standards) | Network security, encryption |
| Energy | NIST Cybersecurity Framework | Risk management, resilience |
How to Use Compliance AI for Multiple Frameworks
- Go to Compliance > Frameworks
- Filter by:
  - Industry (Finance, Healthcare, Energy, Retail, etc.)
  - Region (EU, US, Asia, etc.)
  - Certification (ISO, SOC 2, etc.)
- Enable the frameworks that apply to you
- Compliance AI maps all systems to the selected frameworks
- Run a scan to assess compliance against all enabled frameworks
Framework Adoption Timeline
Immediate (in force NOW):
- EU AI Act (limited to prohibited practices; full compliance Aug 2026)
- GDPR (EU & UK)
- SOC 2 (if SaaS)
- HIPAA (if healthcare)
Near-term (next 1-2 years):
- AIDA (Canada, expected 2024-2025)
- Colorado AI Act variants (US states)
- NIST AI RMF (US government vendors)
Emerging (watch list):
- China CAC (stricter enforcement expected)
- Saudi Arabia GOSI (likely to mandate)
- UAE regulations (government contracts)
- Japan, Korea, India (stricter enforcement)
Next Steps
- See which frameworks apply to you: Go to Compliance > Frameworks and filter by Industry + Region
- Run a multi-framework scan: Running Scans
- Compare framework requirements: Frameworks Overview