Deepfakes Are Now a Board-Level Risk & Regulators Are Watching
Explore how deepfake fraud, UK's ECCTA and Provision 29 are reshaping board accountability, internal controls and crisis readiness. Share with your team and contact CBA for more information.
Why are deepfakes now a board-level risk, not just an IT issue?
Deepfakes have moved from online curiosities to a material enterprise risk that regulators now link directly to board accountability.
Recent UK developments are key:
- Economic Crime and Corporate Transparency Act (ECCTA) – introduces a “failure to prevent fraud” offense for large firms. This explicitly includes fraud enabled by deepfakes. Large companies can face unlimited fines if they cannot show they took reasonable steps to prevent such fraud.
- Corporate Governance Code – Provision 29 – requires boards to make a formal declaration on the effectiveness of material internal controls, including those covering cyber, fraud, social engineering, business email compromise and deepfake schemes.
Deepfake-enabled attacks are already causing significant losses. For example:
- A Hong Kong finance employee joined a realistic video meeting with a deepfaked CFO and colleagues and authorized payments of around $25 million before the fraud was detected.
- In Singapore, a finance director was tricked by an AI-generated CFO via WhatsApp and Zoom into wiring about $499,000; authorities later recovered most of the funds.
Because these incidents involve executive impersonation, fund transfers and reputational risk, regulators see them as governance and control issues, not just technology problems. Boards are now expected to:
- Oversee deepfake risk as part of fraud, cyber and operational risk.
- Ensure internal controls are designed and tested to address synthetic media threats.
- Disclose control effectiveness and any failures, along with remediation actions.
In short, deepfakes are reshaping how regulators think about corporate liability: it is no longer just about whether a fraud occurred, but whether the board can demonstrate robust, well-governed controls and transparent reporting.
What do ECCTA and Provision 29 expect us to do about deepfake fraud?
Taken together, ECCTA and Provision 29 are reshaping how organizations are expected to manage deepfake risk. In practice, they push firms to move from ad hoc controls to a structured, documented framework.
Key expectations under ECCTA:
- Reasonable preventive procedures: Large firms must show they have taken reasonable steps to prevent fraud, including fraud enabled by deepfakes (e.g., executive impersonation on video calls, altered vendor details).
- Unlimited fines for failure to prevent fraud: If a company cannot evidence adequate procedures, it can face unlimited financial penalties.
- Wider corporate liability: Liability now extends to the conduct of senior managers during a fraud, reinforcing the need for top-down oversight and clear accountability.
Key expectations under Provision 29:
- Board-level declaration on the effectiveness of material internal controls, explicitly covering fraud, deepfake, cyber and social-engineering risks.
- Transparent disclosure of any control failures and the remediation steps taken.
- Continuous monitoring of risk frameworks and internal controls, not just annual box-ticking.
To meet these expectations, organizations are encouraged to adopt a layered approach:
- Governance: Update policies to reflect that “seeing or hearing is not enough” for verification. Embed callback procedures and multi-person approvals for high-value payments or vendor changes.
- Controls and detection: Define tiered verification thresholds so that material transactions, news releases or identity changes require stronger checks and documentation. Deploy detection tooling in security operations centers and at conferencing gateways, with clear escalation paths.
- Training: Run deepfake-focused training for finance, HR and other exposed teams, including voice and video drills and board tabletop exercises.
- Crisis readiness: Approve playbooks that cover operational and reputational response, including detection, takedown and communication workflows, and review cyber insurance coverage.
- Third-party governance: Build verification protocols and notification duties into supplier contracts so that external exposure is managed with the same rigor as internal processes.
Regulators are signaling that failure to prepare for deepfake-enabled fraud is no longer just a risk management gap; it can lead to regulatory sanctions, reputational damage and, in some cases, criminal liability.
How can we practically strengthen our defenses against deepfake-enabled attacks?
Defending against deepfakes requires a layered, practical approach that combines governance, controls, technology and training. No single tool is sufficient, so the focus should be on building a coherent framework.
1. Update governance and policies
- Explicitly recognize deepfakes as a fraud, cyber and operational risk in your risk register.
- Revise policies so that visual or audio confirmation alone is never enough for sensitive actions like fund transfers or vendor changes.
- Introduce multi-person approval for high-value payments and critical data changes.
2. Implement tiered verification controls
- Define thresholds where additional checks are mandatory (e.g., callbacks to known numbers, secondary channel confirmation, document verification).
- Apply stronger verification for material transactions, market-moving announcements and executive identity changes.
- Integrate checks into workflows used by finance, treasury, procurement and HR.
3. Deploy detection and escalation capabilities
- Use tools at conferencing gateways and in security operations centers to flag anomalies in voice and video sessions.
- Set up clear escalation protocols so staff know when and how to pause a transaction or meeting if something feels off.
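The tiered verification controls described in steps 1 to 3 can be expressed as a policy check that a payments or vendor-change workflow runs before releasing a transaction. The following Python is an added illustration, not code from CBA or from the article; the tier boundaries, check names and the rule that video or voice confirmation never counts as evidence are constructed assumptions.

```python
"""Tiered payment-verification policy (added illustration; thresholds and check names are
constructed placeholders, not values from the article or any regulator)."""
from dataclasses import dataclass
from typing import Optional

# Cumulative tiers: (minimum amount, checks mandatory at or above it). Constructed values.
TIERS = [
    (10_000, {"callback_to_known_number"}),
    (100_000, {"second_channel_confirmation", "dual_approval"}),
]
STRONGEST = {"callback_to_known_number", "second_channel_confirmation", "dual_approval"}
# Sensitive changes get the strongest tier regardless of amount.
ALWAYS_STRONG = {"vendor_bank_details", "executive_identity", "market_announcement"}
# Seeing or hearing the "executive" is exactly what a deepfake supplies, so it never counts.
NON_EVIDENCE = {"video_call_confirmation", "voice_call_confirmation"}


@dataclass(frozen=True)
class Request:
    requester: str
    amount: float
    change_type: Optional[str] = None
    evidence: frozenset = frozenset()   # verification steps staff have recorded
    approvers: frozenset = frozenset()  # people who signed off; may include the requester


def required_checks(req: Request) -> set:
    """Checks the policy demands for this request, by amount and by change type."""
    required = set()
    for minimum, checks in TIERS:
        if req.amount >= minimum:
            required |= checks
    if req.change_type in ALWAYS_STRONG:
        required |= STRONGEST
    return required


def evaluate(req: Request) -> tuple:
    """Return ("APPROVE", []) or ("ESCALATE", [missing checks]) for the workflow to act on."""
    satisfied = set(req.evidence) - NON_EVIDENCE
    # Dual approval means two approvers other than the person making the request.
    if len(req.approvers - {req.requester}) >= 2:
        satisfied.add("dual_approval")
    missing = sorted(required_checks(req) - satisfied)
    return ("ESCALATE", missing) if missing else ("APPROVE", [])


if __name__ == "__main__":
    urgent = Request("finance_clerk", 250_000, evidence=frozenset({"video_call_confirmation"}))
    # A convincing video call alone releases nothing; every required check is still missing.
    print(evaluate(urgent))
```

The escalation list tells staff exactly which step (callback, second channel, second approver) is still outstanding, which is the documentation trail a "reasonable procedures" defense relies on.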
4. Train teams using the VOICE checklist
Organization-wide training should focus on practical behaviors. One recommended framework is the VOICE checklist:
- V – Verify callbacks: Independently call back using trusted contact details, not those provided in the request.
- O – Observe anomalies: Watch for odd video artifacts, unusual speech patterns, inconsistent background details or behavior that does not match the person’s usual style.
- I – Involve peers: Bring in a colleague or manager when something feels urgent or unusual, especially for payment requests.
- C – Confirm details: Double-check account numbers, email domains, and instructions against existing records.
- E – Escalate: If doubts remain, escalate to security, legal or risk teams before acting.
5. Prepare crisis and third-party playbooks
- Develop board-approved playbooks for responding to deepfake incidents, covering detection, internal communication, external messaging and takedown efforts.
- Review cyber insurance to ensure coverage for synthetic media and social-engineering losses, noting that synthetic media losses are projected to triple by 2027.
- Update supplier contracts to include verification standards and notification obligations if they experience deepfake fraud attempts.
By embedding these measures into everyday processes, organizations can move from reacting to individual incidents to systematically managing deepfake risk as part of modern corporate governance.