White paper · June 2026 · immut.io

The Data Integrity Gap

It is easier than ever to backdate or edit evidence. Being able to independently prove authenticity is a competitive advantage.

In brief

Five things this paper argues

  1. Regulators have stopped taking records on trust; US financial regulators alone have collected over $3 billion since 2021 for recordkeeping failures.
  2. The records that fail are not wrong, they are unprovable.
  3. AI has collapsed the cost of fabricating convincing records to near zero.
  4. Your exposure does not end at your own records; every supplier document is one they marked their own homework on.
  5. A record anchored to a public blockchain at creation is verifiable by anyone, in seconds, without trusting its producer.

The law does not ask whether you have records. It asks whether you can prove when they existed.

See it in action

The problem, and how immut closes it

A short walkthrough: a worked example of how a record fails, and how anchoring it to a public ledger lets anyone verify it in seconds.

Watch on YouTube: youtu.be/aC4U6utEZfo

The enforcement wave

Data integrity is now the first question

For decades, a record was evidence. Today, a record is a claim, and the regulator’s first question is whether the claim can be proved. The numbers describe a wave that crosses every regulated industry.

SEC + CFTC: $3bn+ in fines for failure to keep required records of business communications, since December 2021. No client losses were required. (sec.gov)

PCAOB: 46% of audit engagements inspected in 2023 lacked sufficient appropriate audit evidence. The profession whose product is assurance could not evidence its own work. (pcaobus.org)

FDA drug GMP letters, FY2016: 79% of the FDA’s drug GMP warning letters carried data integrity citations at the peak of the enforcement wave. (Unger Consulting)

UK HSE: £4m fine over gas risers in 769 high-rise buildings. No one was hurt and no defect was found. The company could not produce records of inspection. (energylivenews.com)

Four regulators. Four industries. One converging question: can you prove it, contemporaneously, to a party that does not trust you?

The scale of this problem

What the FDA’s paper trail shows

The FDA publishes more enforcement detail than any other regulator, which makes pharmaceuticals the clearest window into where every regulated industry is heading.

FDA regulation 21 CFR Part 11 sets the criteria under which electronic records are considered “trustworthy, reliable, and generally equivalent to paper records.” The operating principle, shared with the UK’s MHRA, is ALCOA+. The load-bearing word is contemporaneous. Recorded at the time of the activity. Not approximately. Not later.

The enforcement record shows what happens when that word cannot be proved. The FDA is not mainly catching fraud. It is mainly catching records that cannot defend themselves: quality records in editable spreadsheets, audit trails that do not establish when an entry was made, documentation that asserts a date rather than proving one.

Every regulator is converging on the same standard the FDA wrote down in 2018. ISO auditors now require immutable logging of security events. HMRC requires contemporaneous technical evidence for R&D claims. The ICO and HSE treat the inability to produce records as itself sanctionable.

ALCOA+

Records must be Attributable, Legible, Contemporaneous, Original and Accurate, plus Complete, Consistent, Enduring and Available.

Attributable: to the person who created it
Legible: readable and permanent
Contemporaneous: recorded at the time of the activity
Original: the first record, or a certified true copy
Accurate: free from error
Complete · Consistent · Enduring · Available: the “plus”: nothing missing, in sequence, lasting, retrievable
Fabrication · FDA / DOJ: $500m, Ranbaxy (US DOJ / HHS-OIG · GMP · 2013)

Fabricated and falsified clinical data, stability data and manufacturing records submitted to the FDA. Pleaded guilty to seven federal criminal counts, at the time the largest drug-safety settlement against a generic manufacturer. (oig.hhs.gov)

Fabrication · FDA: Import alert, Intas Pharmaceuticals (US FDA · GMP · 2023)

FDA investigators documented an analyst pouring acetic acid over CGMP records, and found a truck of shredded, acid-soaked quality documents. The fabrication was caught because an inspector physically witnessed it. The documents alone would never have revealed it. (fda.gov)

470: FDA warning letters analysed across 2025, the full public database.
99%: cited documentation, records or written procedures.
Excel: unvalidated spreadsheets used as quality records, with unrestricted access to modify or delete.

Why this keeps happening

The self-asserted date

The records failing these inspections run on the same tools every regulated business uses, and those tools share one property: the date on a record is whatever the system, or anyone with sufficient access, says it is.

Word and Excel. File metadata, including creation and last-modified dates, can be overwritten with free tools such as ExifTool in seconds. Contents are trivially editable with no visible forensic trace.

Email. Headers record sending time only on the sending server. Body text and attachments can be modified by anyone with mailbox access. Export-to-PDF workflows strip the original headers entirely.

Slack and Teams. Editing is a designed feature. Administrative accounts can alter message history. Channel exports carry no cryptographic integrity guarantees.

Databases, ELNs, QMS platforms and cloud storage. Version history and audit logs sit on the same infrastructure as the records themselves. An administrator with sufficient privilege can alter both the record and the log that recorded it.

Compliance platforms. Evidence platforms disclaim the problem contractually:

“Customer, not Vanta, shall have sole responsibility for the accuracy, quality, integrity, legality, reliability” of customer data.

Vanta Master Subscription Agreement

This is not a flaw in one product. It is an architectural property of self-controlled storage: the party with the most to gain from a record is the same party that created it, stored it and dated it.

And the cost of exploiting that property has just collapsed.

Fabricating a convincing record once required skill, time and inside access. AI has removed all three constraints.

FinCEN alert: In November 2024 the US Treasury’s Financial Crimes Enforcement Network warned that institutions are filing rising numbers of reports describing AI-generated deepfake media used to falsify identity documents and defeat verification controls. (FIN-2024-Alert004, 13 November 2024)

$40bn by 2027: Deloitte projects AI-enabled fraud losses in the US will reach $40 billion by 2027, up from $12.3 billion in 2023. (Deloitte Center for Financial Services, 2024)

The pivot

Your suppliers mark their own homework too

Everything above describes your records. Now consider the records you rely on. Every regulated organisation sits at the centre of a web of evidence it did not produce, each one a digital record produced by the party it favours, on infrastructure that party controls, carrying a date that party asserted.

Today a buyer has three options, and all three are bad.

Option one

Take it on trust

The supplier sends a certificate PDF and a completed questionnaire. You file it. You have no way to verify when the underlying evidence was created, whether it has been altered, or whether the certificate is even real.

The fact: UKAS maintains a public register of counterfeit certificates; the IAF runs a global database, CertSearch, because fake certificates circulate at scale.
The failure: counterfeit certification results in “the false assurance that a supplier meets all the required standards.”

Option two

Audit them yourself

On-site supplier audits produce real assurance, and they are expensive, slow and unrepeatable at scale. Suppliers routinely host multiple GxP audits per year from different buyers asking identical questions.

The cost: licensing a single completed GMP audit report through the Rx-360 shared-audit programme costs $5,000.
The failure: every buyer pays to re-verify the same evidence because no buyer can trust anyone else’s verification, or the supplier’s own records.

Option three

Absorb the risk

This is what most of the market does by default, and the risk is growing. GDPR Article 28 and NIS2 frame supplier due diligence as ongoing, not one-shot. A buyer that collected a certificate and stopped has, on a plain reading, not evaluated its supplier.

The trend: Verizon’s 2025 DBIR found third-party involvement in breaches doubled in a single year, from 15% to 30%.
The failure: the certificate in your files can become evidence against you.

£3.07m · Cannot prove · ICO · NHS supplier · 2025

A 2022 ransomware attack on Advanced Computer Software, an NHS software supplier, disrupted services including the 111 line and exposed the records of 79,404 people. The ICO fined the supplier £3.07 million, and the penalty notice turned on what the company could demonstrate about its controls at the time of the attack. The NHS asks its thousands of suppliers to self-attest annually through the Data Security and Protection Toolkit, and no buyer, including the NHS, can independently verify a single one of those answers.

The cost of the status quo

You already pay for this problem. None of it fixes the cause.

Add up what the current system charges, on both sides of the contract. More rules and more checking raise the cost of compliance without changing the architecture that makes records unprovable in the first place.

$5k–$25k: to forensically defend a single challenged document’s date or integrity, before any outcome. A multi-document dispute runs $15k to $100k. (EDRM Digital Forensics Pricing Survey, 2025 [21])

2.65×: non-compliance typically costs around 2.65 times the cost of compliance itself. (Thomson Reuters, Cost of Compliance, 2023 [22])

Re-audited: verification does not transfer, so every buyer in the chain pays to check the same supplier evidence again. One supplier is audited over and over, by everyone, for the same facts. (Duplicated supplier audit programmes)

The standard

What proof actually requires

Be precise about the standard. Evidence that satisfies a sceptical third party has four properties.

  1. Contemporaneous. Created at the moment of the activity it describes, not assembled later. The FDA, the MHRA and HMRC all now name this property explicitly.
  2. Tamper-evident. Any change to the record after creation is detectable by anyone, not only by a forensic examiner with privileged access.
  3. Independently verifiable. Verifiable by a party that does not trust the organisation that created the record, the software it was created in, or any intermediary.
  4. Court-ready. Meeting the evidentiary standard of the relevant jurisdiction, with precedent for acceptance.

A document on a company file server has none of the four. A supplier’s PDF attachment has none of them either. That symmetry is the point: the producer’s problem and the buyer’s problem are the same problem.

The fix

Anchor it once

There is a way to give any record all four properties in seconds, without changing the tools that produce it. The file itself never leaves the device and is never placed on any blockchain.

  1. Create a one-way code of the file. A cryptographic hash is generated on the producer’s own device, unique to the exact contents of the file. Change one character and the code changes completely.
  2. Record the code on a public ledger. The hash and a timestamp accurate to the second are written to the XRP Ledger. That record is permanent and cannot be altered, deleted or suppressed by anyone, including immut.
  3. Receive the confirmation. A certificate is issued referencing the permanent on-chain record. The process takes under 30 seconds and costs a fraction of a penny.
  4. Anyone can verify, independently. A regulator, auditor, customer or opposing counsel re-generates the code and compares it against the public ledger. A match proves the file existed, in this form, at the recorded time.

As the producer of evidence
Your records carry proof at creation

Your batch records, risk assessments, technical reports, audit logs and board minutes carry proof formed at the moment of creation. When the regulator asks when, the answer does not depend on your infrastructure, your administrators or your word.

As the buyer of evidence
Verification replaces investigation

This is the part the market has not priced in. Make anchored evidence a procurement requirement, and a supplier’s certificate arrives with a public-ledger anchor your team verifies in seconds, at no cost, without trusting anyone. One clause in a supplier contract replaces an audit programme’s worth of unverifiable paperwork. The buyers who require this first set the standard their competitors are later asked to meet.

Standing in court

Already accepted as evidence

A blockchain-anchored timestamp is not a novelty awaiting a test case. Courts across three legal traditions have accepted it.

  • United States. In United States v. Sterlingov (2024), blockchain evidence survived a Daubert challenge in the US District Court for the District of Columbia.
  • European Union. In AZ Factory v. Valeria Moda (Tribunal Judiciaire de Marseille, 20 March 2025), a blockchain timestamp was accepted as standalone proof of authorship, recognised across all 27 EU member states under eIDAS Article 41(2).
  • China. Internet Courts have accepted blockchain-anchored evidence since 2018, formalised by the Supreme People’s Court in September 2018.

An immut certificate is recognised across 88 countries and 171 jurisdictions.

Public proof. Private work. Your file never goes on the blockchain. Only a one-way code of it does.

The method, in one line

Before the question is asked

How confident are you that your suppliers and employees are providing compliant evidence?

See it against your own evidence

David Horne will hash a real file with you and walk through how the certificate maps to the framework you operate under, FDA, ISO, HMRC, HSE or other. Fifteen minutes. No slides.

Public proof. Private work.

immut.io · the proof layer for digital files

References

Sources

  1. US Securities and Exchange Commission, “SEC Announces Enforcement Results for Fiscal Year 2024,” press release 2024-186, November 2024. sec.gov. Cumulative figures corroborated by Kirkland & Ellis, “Off-Channel Communications,” January 2025.
  2. US Commodity Futures Trading Commission, press release 8762-23, August 2023. cftc.gov.
  3. PCAOB, “Spotlight: Staff Update on 2023 Inspection Activities,” August 2024. assets.pcaobus.org. The 2024 inspection cycle showed improvement on the 2023 peak.
  4. US FDA, “Data Integrity and Compliance With Drug CGMP: Questions and Answers, Guidance for Industry,” December 2018. fda.gov.
  5. Barbara Unger, Unger Consulting Inc., annual analyses of FDA drug GMP warning letters, Pharmaceutical Online: 79% in FY2016, 68% in 2017, 57% in FY2018 (compounding-pharmacy letters excluded). See also Park and Kwon, “Trends in FDA Data Integrity Enforcement Before and After the COVID-19 Pandemic,” Therapeutic Innovation and Regulatory Science, 2025.
  6. UK Health and Safety Executive prosecution of National Grid Gas plc, Liverpool Crown Court, 9 February 2021. Fine £4 million plus costs.
  7. 21 CFR 11.1(a), Electronic Records; Electronic Signatures. ecfr.gov.
  8. UK MHRA, “‘GXP’ Data Integrity Guidance and Definitions,” Revision 1, March 2018, §3.10. assets.publishing.service.gov.uk.
  9. US Department of Justice, “Generic Drug Manufacturer Ranbaxy Pleads Guilty and Agrees to Pay $500 Million,” 13 May 2013. oig.hhs.gov.
  10. US FDA, warning letter 662868 to Intas Pharmaceuticals Limited, 21 November 2023. fda.gov.
  11. QBench, “Inside 470 FDA Warning Letters from 2025: What Labs Need to Know,” 2026. qbench.com/resources. Vendor analysis of the public FDA warning letter database, January to December 2025.
  12. US FDA Office of Pharmaceutical Quality, “Report on the State of Pharmaceutical Quality,” FY2024. fda.gov.
  13. Meridian Discovery, “Date Forgery Analysis: Timestamp Resolution.” meridiandiscovery.com.
  14. Vanta Master Subscription Agreement, customer data clause, retrieved 2026.
  15. US FinCEN, Alert FIN-2024-Alert004, “Fraud Schemes Involving Deepfake Media Targeting Financial Institutions,” 13 November 2024. fincen.gov.
  16. Deloitte Center for Financial Services, “Deepfake Banking Fraud Risk on the Rise,” 2024. deloitte.com/us/en/insights.
  17. UKAS, “Counterfeit Certificates,” ukas.com/accreditation/counterfeit-certificates; IAF CertSearch, iafcertsearch.org.
  18. Rx-360 Joint Audit Program. rx-360.org/jointauditprogram.
  19. Verizon, 2025 Data Breach Investigations Report. verizon.com/about/news/2025-data-breach-investigations-report.
  20. UK Information Commissioner’s Office, penalty notice to Advanced Computer Software Group Ltd, 27 March 2025. ico.org.uk.
  21. EDRM Digital Forensics Pricing Survey, 2025.
  22. Thomson Reuters, Cost of Compliance Report, 2023.
  23. immut certificates recognised under the UNCITRAL Model Law on Electronic Transferable Records 2017, the UK Electronic Trade Documents Act 2023, and eIDAS Regulation (EU) 910/2014.
  24. China Supreme People’s Court, Provisions on Several Issues Concerning the Trial of Cases by Internet Courts, September 2018.
  25. United States v. Sterlingov, US District Court for the District of Columbia, 2024.
  26. Tribunal Judiciaire de Marseille, AZ Factory v. Valeria Moda, RG 23/00046, 20 March 2025.