For many companies, the problem of deepfakes is still viewed as a technology or security issue: a more sophisticated version of social engineering, business email compromise or executive impersonation fraud. But recent UK regulatory developments are changing that perception. Increasingly, fake media is becoming a board-level governance concern, particularly where it can enable fraud, undermine disclosure controls or create fast-moving reputational crises.
The UK's evolving approach follows two significant developments: Provision 29 of the UK Corporate Governance Code and the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Both signal growing expectations around how organizations govern identity, fraud and cyber-security risks.
While these requirements are rooted in the UK regulatory framework, their implications extend well beyond our shores. US boards, executives and risk leaders should be paying close attention.

Weaknesses in traditional controls
Deepfake attacks increasingly blend into normal business processes: a voice message that sounds like a CEO requesting an urgent payment, a video conference that appears to feature senior executives or a fake supplier communication asking for a change to bank details can all bypass controls that rely on trusted communications.
The challenge for boards is that existing assumptions about identity are becoming less reliable. Seeing and hearing a person can no longer be used as proof of authenticity.
As a result, deepfakes are testing whether organizations have effective controls around identity verification, approvals, payments and escalation procedures.
Steve Schlarman, senior director at Archer Integrated Risk Management, told Governance Intelligence the new provision in the UK Corporate Governance Code represents a meaningful shift in board accountability.
'Provision 29, which applies from financial years beginning on or after 1 January 2026, requires boards of in-scope listed companies to explain how they have monitored and reviewed the effectiveness of their risk management and internal control framework,' he said.
Schlarman added that boards must also make 'a declaration on the effectiveness of material controls across financial, operational, reporting and compliance areas'.
For boards preparing a Provision 29 declaration, deepfake scenarios increasingly serve as a test of whether material controls are properly designed and operating effectively.
Focus on fraud prevention
In addition to Provision 29, there is the Economic Crime and Corporate Transparency Act 2023, one of the most significant reforms to UK corporate transparency and fraud prevention in decades.
Alongside Companies House reforms and enhanced identity verification requirements, the legislation introduced a new 'failure to prevent fraud' offense for large organizations. The offense came into force in September 2025 and carries the possibility of unlimited fines.
The framework is built around reasonable fraud prevention procedures, placing greater emphasis on documented controls, ongoing monitoring and continuous improvement. This has clear relevance for deepfake-enabled fraud, where organizations are increasingly expected to demonstrate that prevention measures are in place and functioning effectively.
The legislation is also driving stronger identity assurance standards. Identity verification requirements are being introduced in phases and will eventually extend beyond directors and people with significant control to individuals submitting company filings.
Why US companies should pay attention
Although neither Provision 29 nor ECCTA directly applies to most US organizations, the broader governance message is difficult to ignore.
Schlarman described the two regulations as signaling 'a broader shift toward continuous, board-accountable governance that other markets, investors and regulators may increasingly expect'.
'The UK often acts as an influential governance market,' he added, noting that the changes point toward 'a wider convergence toward more explicit, evidence-based oversight rather than periodic, box-ticking compliance'.
For US organizations, that trend may prove more important than the specific rules themselves. Investors, regulators, auditors and boards are increasingly looking for evidence that controls operate effectively in practice rather than relying on periodic assessments or management assurances, Schlarman warned.
Organizations that continue to rely on annual reviews, fragmented control testing and static compliance programs may find it increasingly difficult to demonstrate that controls remain effective in rapidly changing operating environments.
What boards should do now
As deepfake threats continue to mature, boards should consider whether existing governance frameworks adequately address identity-based fraud and synthetic media risks.
Key actions include:
- Updating fraud and payment controls for an environment where voice and video can be fabricated
- Asking management to map deepfake scenarios to principal risks and material controls relevant to Provision 29
- Reviewing cyber-security and identity management controls around privileged access, remote meetings and approvals
- Testing crisis response plans against deepfake-driven market rumors and executive impersonation incidents
- Assessing third-party exposures involving payment providers, customer onboarding vendors and corporate service providers that play a role in identity verification or regulatory filings.
The larger issue is not simply the growth of deepfake fraud. It is the way regulation is transforming identity assurance and fraud prevention into matters of governance, disclosure and board accountability.