Unmasking Cybercrime Strengthening Digital Identity Verification against Deepfakes 2026

Institutions (programme and governance layer) Institutions govern the broader risk management framework and ensure vendor compliance. The following governance- oriented recommendations are advised: 1. Risk-based deployment – Prioritize control rollouts for high-risk use cases such as account onboarding, account recovery or high-value transactions. Phased deployment based on exposure helps deliver rapid risk reduction with minimal customer impact. 2. Privacy and retention controls – Enforce minimal data retention, limited access and comprehensive audit trails for biometric and liveness data. These guardrails for responsible use reduce privacy and compliance risks while maintaining detection capabilities. 3. Customer transparency – Provide simple explanations about liveness prompts and lighting effects to reduce confusion and improve user experience. 4. Vendor procurement standards – Require vendors to deliver features such as virtual camera detection, compressed-stream scoring and explainable outcomes as part of procurement contracts. 5. Governance documentation – Maintain clear operational guidelines, thresholds and appeal mechanisms. This documentation and these operational guardrails ensure that decisions remain consistent, auditable and defensible. 6. Staff training and playbooks – Implement concise operational guides for customer support and escalation handling to ensure consistent responses and reduce errors. 7. Red team testing cadence – Conduct periodic simulation exercises to benchmark defences against evolving real- time face swap tools. 8. Layered verification models – Combine multiple verification signals (e.g. liveness, document validation, behavioural biometrics) to create a defence-in-depth architecture. 9. Government-condoned intelligence sharing – In the interest of public safety and national resilience, companies are permitted to share intelligence on tools or related information with government agencies and peer organizations (provided such disclosures are proportionate, purpose-specific and aligned with lawful exemptions to privacy legislation). 10. Wider implementation of government legislation to protect “right to identity” – Laws granting individuals copyright over their own face, voice and body could strengthen protections against face-swapping technologies and other deepfake threats, such as Denmark’s proposed “right to identity” law. Unmasking Cybercrime 18