Deepfakes have crossed a critical threshold: they're no longer just a cybersecurity concern, but a regulatory and legal liability that can expose company boards to unlimited fines and criminal penalties. The UK's Economic Crime and Corporate Transparency Act (ECCTA), effective September 2025, introduces a "failure to prevent fraud" offense that applies specifically to deepfake-enabled attacks. Starting January 2026, corporate governance rules require board-level declarations confirming the effectiveness of controls against deepfake schemes. Companies that fail to demonstrate "reasonable steps" to prevent such fraud face unlimited financial penalties.

The shift reflects a sobering reality: deepfake fraud is no longer theoretical. In 2024, a Hong Kong finance employee participated in a realistic video meeting featuring a deepfaked chief financial officer and colleagues, ultimately transferring approximately $25 million before the fraud was detected. In 2025, a finance director at a Singaporean corporation was deceived by an AI-generated CFO impersonation executed primarily via WhatsApp and a Zoom call, resulting in a $499,000 wire transfer. These incidents demonstrate that deepfakes are increasingly effective at exploiting trust, particularly when combined with reconnaissance, phishing, and pressure tactics that demand rapid payment.

Why Are Regulators Treating Deepfakes as a Board-Level Risk?

The regulatory response reflects the scale and sophistication of the threat. Synthetic media losses are projected to triple by 2027, according to industry forecasts cited in the sources. Unlike traditional fraud, deepfakes bypass visual and auditory verification, the human senses we rely on most. A video call showing a senior executive requesting an urgent fund transfer feels authentic because it looks and sounds authentic. Encryption alone cannot protect against this attack vector; end-to-end encryption protects data in transit, but once a deepfaked video appears on screen, the damage is already done.

The UK's regulatory framework recognizes this gap. Under ECCTA, large firms must implement preventive procedures specifically designed to counter fraud via deepfakes. Under Provision 29 of the updated corporate governance code, boards must formally declare the effectiveness of internal controls covering cyber and fraud channels, disclose any control failures and remediation actions, and demonstrate continuous monitoring of risk frameworks. This represents a fundamental shift: boards are now personally accountable for deepfake risk management, not just IT departments.

What Federal and State Laws Are Emerging to Combat Deepfakes?

The regulatory landscape is evolving rapidly across multiple jurisdictions. In May 2025, the U.S. Congress passed the TAKE IT DOWN Act, the first major federal statute directly targeting non-consensual intimate imagery, including AI-generated deepfakes. The law criminalizes the distribution or threatened distribution of intimate images or videos created or manipulated using AI without consent, defining a "digital forgery" as imagery that appears indistinguishable from genuine to a reasonable observer. Platforms are required to implement a "notice and takedown" process, removing content within 48 hours of notice and taking reasonable efforts to eliminate duplicates. Typical penalties include up to three years imprisonment and/or fines, with stricter penalties for aggravating factors.

Beyond the TAKE IT DOWN Act, multiple pieces of federal legislation are advancing through Congress. The DEFIANCE Act (Disrupt Explicit Forged Images and Nonconsensual Edits) would provide victims with a federal civil cause of action for deepfake distribution without consent. The NO FAKES Act would criminalize unauthorized AI-generated copies of someone's voice or likeness, with carve-outs for parody and commentary. The Protect Elections from Deceptive AI Act would criminalize materially deceptive AI-generated media about candidates for federal office in connection with elections.

At the state level, legislation is already in effect. Multiple states have enacted laws addressing deepfakes in specific contexts. These include prohibitions on creating or distributing private images without consent, criminal and civil penalties for distributing materially deceptive media intended to influence elections, and requirements for clear disclosure when AI-generated content appears in political advertisements. Some states have also criminalized the intentional distribution of AI-generated or deepfake images that realistically depict another person's intimate body parts or sexual acts.

How Should Companies Build Deepfake Defenses?

Experts emphasize that no single control will defeat a threat evolving as rapidly as deepfake technology. Instead, organizations must implement a layered architecture of governance, detection, and culture. This approach addresses the reality that deepfakes exploit human trust and perception, not just technical vulnerabilities.

• Governance and Verification: Policies should embed the principle that seeing or hearing is no longer sufficient for verification. Organizations must implement callback procedures and multi-person approval requirements for financial transactions, vendor changes, or sensitive communications. Risk mapping should align to regulatory requirements like Provision 29, with board oversight extending explicitly to fraud, deepfake, cyber, and third-party risk frameworks.
• Detection and Technical Controls: Tiered verification thresholds should be established so that material transactions, news releases, or identity changes require robust sign-off and documentation checks. Tools should be deployed across security operations centers and conferencing gateways, supported by clear escalation protocols. Organizations should also confirm that cyber insurance coverage is appropriate for deepfake-related losses.
• Training and Culture: Scenario-based training should be introduced for finance and HR teams, incorporating voice and video deepfake drills alongside tabletop exercises for boards. The "VOICE" checklist provides a practical framework: verify callbacks, observe anomalies, involve peers, confirm details, and escalate. This approach embeds deepfake awareness into day-to-day decision-making rather than treating it as an abstract threat.
• Crisis Readiness and Third-Party Governance: Boards should approve playbooks covering both operational and reputational response, with detection and takedown workflows ensuring content can be traced, attributed, and responded to swiftly. Supplier contracts should stipulate clear verification protocols and notification obligations in the event of deepfake fraud attempts, ensuring third-party exposure is governed with the same rigor applied internally.

"No single control will defeat a threat evolving as rapidly as deepfake technology. What is required is a layered architecture of governance, detection and culture," noted experts cited in corporate governance analysis.

K2 Integrity and Corporate Governance Experts

What Are the Real-World Implications for Your Organization?

The convergence of regulatory pressure and sophisticated attacks means that deepfake risk management is no longer optional. Under UK law, failure to prepare is not just poor risk management; it can trigger regulatory sanctions, reputational damage, and even criminal liability for board members. Companies operating in the UK or with UK operations face immediate compliance obligations under ECCTA and Provision 29. Even organizations outside the UK should monitor these developments, as other jurisdictions are likely to follow similar regulatory paths.

The financial stakes are substantial. Individual deepfake fraud incidents have already cost companies tens of millions of dollars. With synthetic media losses projected to triple by 2027, the aggregate exposure across industries is significant. However, the regulatory exposure may be even more consequential. Unlimited fines under ECCTA, combined with board-level accountability, create incentives for organizations to invest in comprehensive deepfake defenses now rather than respond to incidents later.

The message from regulators is clear: deepfakes are no longer a future threat or a curiosity for security researchers. They are a present, material risk that demands board-level attention, documented controls, and cross-functional coordination. Companies that move first to embed deepfake risk management into governance, detection, and culture will be better positioned to comply with emerging regulations and protect their organizations from both financial and reputational harm.