White paper · June 2026 · immut.io

The proof problem that compliance leaders don’t talk about

Every digital file can be edited after the fact. Regulators now ask you to prove that compliance evidence was created when you say it was, not merely that it exists. This paper explains the gap, shows where it is already causing real losses, and sets out two ways to close it, step by step.

In brief

Five things this paper argues

  1. Every digital file can be edited in seconds, with free tools, leaving no visible trace.
  2. You cannot reliably tell whether a client’s, supplier’s, or customer’s records are genuine or backdated.
  3. More regulation raises the cost of compliance without fixing the underlying evidence problem.
  4. Compliance evidence must have four properties before a sceptical third party will accept it.
  5. A public ledger can give a record all four, in seconds, for a fraction of a penny.

The problem

Is any digital file actually trustworthy?

A Word document, a Slack message, an email, a database audit log. Each can be altered in seconds with free tools, leaving no trace visible to a reviewer without forensic access to the original system.

Word and Excel. File metadata, including creation date and last-modified date, can be overwritten with free tools such as ExifTool in seconds. Document contents are trivially editable with no forensic record.

Email. Headers record sending time only on the sending server. Body text and attachments are modifiable by anyone with mailbox access. Export-to-PDF workflows strip the original headers entirely.

Slack and Teams. Editing is a designed feature. Administrative accounts can alter message history. Channel exports carry no cryptographic integrity guarantees.

Databases and cloud storage. Version history and audit logs sit on the same infrastructure as the data itself. A sufficiently privileged administrator can alter both the record and the log that recorded it.

AI as the accelerant. Fabricating a convincing compliance document once required skill and inside access. AI has removed both constraints. Realistic invoices, technical reports, and signed-off records can now be generated in minutes, indistinguishable in appearance from genuine ones.

The exposure

Can you trust the evidence your stakeholders give you?

Three sources of risk face every compliance professional: internal records, supply-chain evidence, and documentation provided by customers.

Internal evidence. Employees facing audit or investigation have an obvious motive to present favourable records. Document, quality, and incident systems all sit on infrastructure the business controls. Without independent anchoring, you cannot tell an original record from a revision made after the fact.

Supply-chain evidence. ISO certification, health and safety documentation, GxP batch records, and R&D technical reports can be supplied by a vendor who generated them retrospectively to satisfy an audit. A client may have done nothing wrong. Their supplier may have provided false records that are indistinguishable from genuine ones.

Customer-supplied evidence. In regulated industries, customers supply documentation the business must treat as reliable: disclosure forms, test results, compliance certificates. Each carries the same vulnerability.

Without independent verification, you are letting every stakeholder mark their own homework. The party with the most to gain from a record is the same party that created it, stored it, and dated it. Nothing outside their control confirms that it is true.

Real cases

It is already happening

Six regulators. Five industries. Three continents. In each case the evidence infrastructure failed in one of two ways: genuine records existed but could not be proved; or fabricated records passed as genuine because they were indistinguishable from the real thing.

ICO enforcement notice for Advanced Computer Software Group Limited, March 2025
Cannot prove · ICO
£3.07m
Advanced Computer Software
UK ICO · NHS supplier · March 2025

Fined not for failing to implement security controls, but for being unable to demonstrate to the regulator that those controls were in active use at the time of an NHS data breach.

ico.org.uk
National Grid Gas fined £4m by HSE, press release 2021
Cannot prove · HSE
£4m
National Grid Gas
UK HSE · 2021 · No harm occurred

Could not produce records showing that gas risers in 769 high-rise buildings had ever been inspected. The fine was entirely for the absence of provable records, not for any safety failure.

energylivenews.com
Boeing agrees to plead guilty to federal felony charge, DOJ press release 2024
Misled regulator · DOJ
$487m
Boeing
US DOJ · 737 MAX · 2024 plea

Boeing agreed to plead guilty to conspiracy to defraud the United States, for misleading the FAA about the 737 MAX flight-control system. The proposed fine was up to $487.2m. What an organisation tells its regulator is only as good as the records behind it.

pbs.org/frontline
Ranbaxy $500m guilty plea, HHS-OIG enforcement 2013
Fabrication · FDA / DOJ
$500m
Ranbaxy
US DOJ / HHS-OIG · GMP · 2013

Fabricated clinical and stability data submitted to the FDA to win drug approvals. The company pleaded guilty to seven federal criminal counts.

oig.hhs.gov
Peter Murrell guilty plea, SNP funds case, May 2026
Fabrication · Criminal
£400k
Peter Murrell / SNP
High Court, Edinburgh · UK · Guilty plea May 2026

False invoices and fabricated expense descriptions used to divert party funds undetected for 12 years. Sentencing: 23 June 2026.

Irish Times
Arup deepfake fraud loss $25.6m, CNN Business May 2024
AI fabrication · Fraud
$25.6m
Arup (victim)
Hong Kong · 2024

A finance employee authorised 15 transfers after a video call with a deepfake CFO and colleagues. Every other participant on the call was AI-generated from real footage.

CNN Business
Bennett Verby Ltd charged under HMRC CCO, Bureau of Investigative Journalism August 2025
Alleged fabrication · HMRC CCO
£16m
Bennett Verby Ltd
HMRC / CCO · UK · Charged 2025

Alleged false R&D tax credit reports, including reports written by English literature graduates for a horse stud farm and a butcher. HMRC’s first corporate prosecution under the Criminal Finances Act 2017. Trial: September 2027.

Bureau of Investigative Journalism

All charges alleged. No pleas or convictions entered.

The cases above fall into two groups. In the first (Boeing, Ranbaxy, Murrell, Arup, Bennett Verby), records were fabricated or a regulator was misled, and the deception was not visible in the documents. In the second (Advanced Computer Software, National Grid Gas), genuine records existed but the organisation could not prove it to the regulator.

The response

The regulator’s answer: more rules

Governments have recognised the evidence gap. Their response has been to add specificity, frequency, and enforcement teeth to existing requirements, while the burden of proof shifts onto the organisation.

Framework: ISO 27001
Instrument: Annex A 8.15 / Clause 7.5
Evidence requirement: Immutable logging of security events; documented information protected against loss of integrity
Since: 2022 revision

Framework: R&D tax credits (UK)
Instrument: HMRC Additional Information Form; Criminal Finances Act 2017
Evidence requirement: Contemporaneous technical evidence for every claim; criminal liability for advisers who fail to prevent facilitation of evasion
Since: August 2023

Framework: Life sciences / GxP
Instrument: FDA 21 CFR Part 11; ALCOA+
Evidence requirement: Records must be attributable, legible, contemporaneous, original, and accurate; at the enforcement peak, 79% of FDA drug GMP warning letters cited data-integrity failures (FY2016)
Since: In force

Framework: Health and safety (UK)
Instrument: HSE Sentencing Framework
Evidence requirement: Absence of records treated as evidence of inadequate management, not mere administrative oversight
Since: In force

The cost of more regulation on business is not sustainable

69% of small US businesses spend more per employee on compliance than larger competitors.
US Chamber of Commerce, Q4 2024 [11]

2.65×: non-compliance typically costs about 2.65 times the cost of compliance itself.
Thomson Reuters, 2023 [12]

€150bn: estimated total EU administrative compliance burden, per year.
BusinessEurope, January 2025 [13]

More rules raise the cost of compliance. They do not fix the underlying evidence problem. The tools used to produce the evidence (Word, Excel, email, databases) have not changed. The gap between what regulators require and what these tools can prove keeps widening.

The upside

What changes if the evidence can be trusted

Much of the cost in compliance exists to compensate for records that cannot prove themselves. Remove the doubt and the whole cost structure changes.

01

Cheaper audits

Auditors spend less time corroborating what they cannot take on trust. Verification replaces investigation.

02

Less regulation needed

Many rules exist only to compensate for records that cannot prove themselves. Provable records reduce the need for more of them.

03

Lower cost of compliance

Less duplication, less rework, and fewer disputes over what happened and when.

04

Trust across the chain

Every stakeholder can rely on the same record, so relationships rest on proof rather than assurances.

The organisations that adopt verifiable evidence first turn a cost centre into a competitive advantage. Buyers, regulators, and partners prefer a counterparty whose records prove themselves. Early movers set the standard everyone else is later asked to meet.

The standard

What proof actually requires

Before looking at solutions, it is worth being precise. Evidence must have four properties to satisfy a sceptical third party. A document on a company file server has none of them.

01
Contemporaneous
Created at the moment of the activity it describes, not retrospectively. Timestamp accurate to the second. Not creatable after the fact.
02
Tamper-evident
Any change after creation is detectable by anyone, not just by a forensic examiner with access to the original system.
03
Independently verifiable
Verifiable by the challenging party without relying on the organisation that created it, the software used, or any intermediary.
04
Court-ready
Meets the evidentiary standard of the relevant jurisdiction and has been accepted in that jurisdiction’s proceedings.

How to fix it

Two ways to give a record those four properties

The first uses people and coordination. It works in principle and is worth understanding, because it shows what proof really demands. The second achieves the same result automatically.

Method one

The thorough way: independent witnesses

Send a copy of each significant record to several independent parties at the moment of creation. If the record is ever challenged, ask every party to produce their copy at the same time. This mirrors the rule of corroboration in Scots law: no one can be convicted on a single witness alone. Independent agreement between parties with no reason to fabricate the same story is a reliable indicator of truth.

  1. Make the record and copy it
    At the moment the document is created, produce identical copies for several genuinely independent parties: a solicitor, an accountant, a trade association, a client.
  2. Send all copies at once
    Distribute every copy simultaneously, so each custodian receives the same document on the same date.
  3. Each party stores it, unchanged
    Every custodian keeps their copy indefinitely, in a format they can retrieve later, recording the date received.
  4. Reconcile on challenge
    If the record is ever disputed, ask all parties to produce their copies together. If every copy matches, the agreement corroborates that the record has not been altered.
Strengths
  • Conceptually simple and needs no technology.
  • Uses independent parties you may already work with.
Limitations
  • Slow and costly at scale: every document, multiplied by every custodian.
  • Each custodian must store and retrieve it, reliably, indefinitely.
  • Still requires trusting each custodian, the very problem it set out to solve.
Method two

The simple way: anchor it once

The same corroboration principle, achieved automatically. A public blockchain becomes the always-available, always-neutral witness. It cannot be persuaded, pressured, or compromised, and a regulator can check a record against it directly, without going through the company that produced it.

  1. Create a one-way code of the file
    A cryptographic hash, a short code unique to the exact contents of the file, is generated from it. Change one character and the code changes completely. The file itself is never placed on the blockchain. Only this one-way code is.
  2. Record the code on a public blockchain
    The code and a timestamp accurate to the second are written to a public blockchain. That record is permanent and cannot be altered, deleted, or suppressed by anyone, including the company that created it.
  3. Receive the certificate
    A certificate is issued, referencing the permanent on-chain record. The whole process takes under 30 seconds and costs a fraction of a penny.
  4. Anyone can verify, independently
    To check a document, a regulator or any third party re-generates the code from the file and compares it against the blockchain. If the codes match, the file is identical to the one recorded at that date. They never have to take the company’s word for it.
Strengths
  • Seconds per file, at a fraction of a penny.
  • Verifiable by anyone, including a regulator, directly, with no intermediary to trust.
  • The file is never placed on the blockchain, only a one-way code of it.
  • Already accepted as evidence across 88 countries.
Limitations
  • Needs a tool to generate the code and record it.
  • Relies on the public blockchain remaining available, which it is designed to do.
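
The two methods above share one mechanical core: a one-way code computed from the exact bytes of a record, compared later against a copy held outside the organisation's control. The example below is added here to make that concrete; it is not immut's code, and it stands in for the public blockchain with an in-memory append-only ledger so that it runs offline. It walks through the four steps of Method two (hash, anchor with a second-accurate timestamp, issue a certificate that references the ledger entry, verify by recomputing) and also performs the Method one reconciliation, comparing the copies held by several custodians by digest rather than by eye. The sample record, the custodian names, and the timestamp are constructed values. SHA-256 is the hash used here; the paper does not name the algorithm its certificates use.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def file_digest(data: bytes) -> str:
    # Step 1: the one-way code. SHA-256 over the exact bytes; changing one
    # character anywhere yields an unrelated 64-hex-digit value.
    return hashlib.sha256(data).hexdigest()


class PublicLedger:
    # Stand-in for the public blockchain (an assumption of this example):
    # append-only, entries are never edited, and anyone with an index can read.
    def __init__(self) -> None:
        self._entries: list[dict] = []

    def anchor(self, digest: str, when: datetime) -> dict:
        # Step 2: record the code together with a UTC timestamp to the second.
        entry = {
            "index": len(self._entries),
            "digest": digest,
            "timestamp": when.isoformat(timespec="seconds"),
        }
        self._entries.append(entry)
        return entry

    def read(self, index: int) -> dict:
        return self._entries[index]


def issue_certificate(ledger: PublicLedger, data: bytes, when: datetime) -> str:
    # Step 3: the certificate only references the ledger entry. The file itself
    # is hashed locally and never leaves the organisation.
    entry = ledger.anchor(file_digest(data), when)
    return json.dumps({
        "ledger_index": entry["index"],
        "digest": entry["digest"],
        "anchored_at": entry["timestamp"],
    })


def verify(ledger: PublicLedger, certificate: str, data: bytes) -> tuple[bool, Optional[str]]:
    # Step 4: a third party recomputes the code from the file it was handed and
    # compares it with the ledger entry, not merely with what the certificate claims.
    cert = json.loads(certificate)
    entry = ledger.read(cert["ledger_index"])
    if file_digest(data) == entry["digest"] == cert["digest"]:
        return True, entry["timestamp"]
    return False, None


def reconcile(copies: dict[str, bytes]) -> tuple[bool, dict[str, str]]:
    # Method one, step 4, by digest: every custodian's copy must hash to the
    # same value. The per-custodian digests show which copy diverged.
    digests = {name: file_digest(blob) for name, blob in copies.items()}
    return len(set(digests.values())) == 1, digests


def demo() -> dict:
    # Constructed sample record and constructed timestamp; not a real document.
    record = b"Batch 0042 stability test, 2026-03-02: result within specification.\n"
    tampered = record.replace(b"within", b"outside")
    ledger = PublicLedger()
    anchored = datetime(2026, 3, 2, 9, 15, 0, tzinfo=timezone.utc)
    cert = issue_certificate(ledger, record, anchored)

    ok_original, ts = verify(ledger, cert, record)
    ok_tampered, _ = verify(ledger, cert, tampered)
    agree, _ = reconcile({"solicitor": record, "accountant": record, "client": record})
    agree_after_edit, digests = reconcile(
        {"solicitor": record, "accountant": tampered, "client": record})
    return {
        "original_verifies": ok_original,            # True
        "anchored_at": ts,                           # "2026-03-02T09:15:00+00:00"
        "tampered_verifies": ok_tampered,            # False
        "custodians_agree": agree,                   # True
        "custodians_agree_after_edit": agree_after_edit,  # False
        "divergent_custodians": [n for n, d in digests.items()
                                 if d != digests["solicitor"]],  # ["accountant"]
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to notice in `verify` is that the verifier trusts neither the certificate nor the organisation: the recomputed digest is checked against what the ledger holds, and the certificate is only the pointer that says where to look. A real deployment replaces `PublicLedger` with reads from and writes to the actual chain; everything else stays the same.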

See it against your own framework

If it helps, David Horne will hash a file with you and walk through how the certificate maps to the standard you advise on. Fifteen minutes, no slides. Or prove a file yourself first.

Standing in court

Already accepted as evidence

A blockchain-anchored timestamp is not a novelty awaiting a test case. Courts across three legal traditions have accepted it, and an immut certificate is recognised across 88 countries and 171 jurisdictions.

  • China Internet Courts. Blockchain timestamp evidence accepted since 2018, formalised by the Supreme People’s Court in September 2018.
  • United States v. Sterlingov. US District Court for the District of Columbia, 2024.
  • AZ Factory v. Valeria Moda. Tribunal Judiciaire de Marseille, 20 March 2025. The first European judgment to accept a blockchain timestamp as standalone proof of authorship, recognised across all 27 EU member states under eIDAS Article 41(2).

Public proof. Private work. Your file never goes on the blockchain. Only a one-way code of it does.

The method, in one line

References

Sources

  1. The Journal and Irish Times, reporting on Peter Murrell’s guilty plea, 25 May to 2 June 2026. Operation Branchform background.
  2. Meridian Discovery, “Date Forgery Analysis: Timestamp Resolution” and “Word Forensic Analysis: Compound File Binary,” meridiandiscovery.com.
  3. US Department of Justice, “Boeing Agrees to Plead Guilty to Federal Felony Charge,” 2024. justice.gov. (737 MAX conspiracy to defraud the FAA; proposed fine up to $487.2m. The plea agreement was later rejected by the court.)
  4. HHS Office of Inspector General, “Generic Drug Manufacturer Ranbaxy Pleads Guilty and Agrees to Pay $500 Million,” 13 May 2013. oig.hhs.gov.
  5. Bureau of Investigative Journalism, “HMRC Charges First Company Ever Under Landmark Tax Evasion Powers,” 7 August 2025. All charges alleged; no convictions entered.
  6. CNN Business and Fortune, reporting on the Arup deepfake loss, Hong Kong, 16 to 17 May 2024.
  7. UK Information Commissioner’s Office, Advanced Computer Software Group Ltd penalty notice, 2025. ico.org.uk.
  8. UK Health and Safety Executive, National Grid Gas plc enforcement, 2021. hse.gov.uk.
  9. LAist and CalMatters, reporting on AI-fabricated citations in US court filings, 2025. Stanford RegLab research on AI hallucinations in legal filings.
  10. Barbara Unger, Unger Consulting Inc., annual analyses of FDA drug GMP warning letters (79% FY2016, 68% 2017, 57% FY2018; compounding-pharmacy letters excluded). pharmaceuticalonline.com. FDA, “Data Integrity and Compliance With Drug CGMP: Questions and Answers, Guidance for Industry,” December 2018. fda.gov.
  11. US Chamber of Commerce, Small Business Index, Q4 2024.
  12. Thomson Reuters, Cost of Compliance Report, 2023.
  13. BusinessEurope, “Mapping of Regulatory Burden,” January 2025.
  14. Criminal Procedure (Scotland) Act 1995; Scottish Law Commission Discussion Paper No. 174, “Corroboration,” 2019.
  15. immut certificates recognised under the UNCITRAL Model Law on Electronic Transferable Records 2017, the UK Electronic Trade Documents Act 2023, and eIDAS Regulation (EU) 910/2014.