Short answer: Deepfake and fraud risk should be handled as an everyday operating-control issue. Firms need clear verification steps, secure mailboxes, sensible access controls, and a simple way to capture concerns before they become bigger client or reputation problems.
What this helps you check
Use this as a practical starting point for a calmer internal review.
- Sensitive client instruction verification
- Mailbox controls that fraud often abuses
- First-hour escalation for impersonation risk
On 30 June 2026, the Financial Markets Authority - Te Mana Tatai Hokohoko released its second annual Financial Conduct Report for 2026/27. Reporting on the release, DLA Piper noted four cross-sector themes: conflicts from remuneration structures, product design, complaints, and fraud detection and prevention.
The FMA has also been publishing consumer-facing material on investment scams, including a 27 May 2026 article explaining how deepfakes can be used to make false investment promotions look or sound credible.
This article does not interpret the FMA report and does not give legal, financial, regulatory, privacy, or compliance advice. The EQIQ angle is narrower: if fraud and impersonation tactics are becoming more convincing, professional services firms should make sure their technology and internal workflows support slower, safer decisions when money, identity, confidential information, or client instructions are involved.
The current NZ signal
The FMA's recent deepfake guidance explains that scammers can use AI-generated video, image, or audio to copy a person's face, voice, and mannerisms. It warns that these tactics are being used to promote investment scams through social media, online ads, messaging apps, emails, and websites.
The 2026/27 Financial Conduct Report signal is broader. Fraud detection and prevention, complaints handling, and the reliable delivery of products and services are all operational issues. They depend on people, process, and the systems that carry the work.
For many New Zealand firms, those systems are Microsoft 365, Teams, SharePoint, practice-management tools, finance systems, phones, identity controls, and shared mailboxes.
1. Slow down unusual instructions
A convincing message is not the same as a verified instruction. Firms should have a simple rule for payment changes, urgent fund transfers, bank-account changes, credential requests, document release, and unusual client instructions.
Use a trusted second channel before acting. That might mean calling a known number already held on file, checking with a second authorised person, or using an agreed approval workflow. Do not rely only on the contact details inside the suspicious message.
2. Check the mailbox controls that fraud often abuses
Fraud attempts often pass through email before anyone sees the wider pattern. Review mailbox forwarding rules, hidden inbox rules, shared mailbox delegates, external forwarding, legacy authentication, MFA coverage, and administrator accounts.
For firms using Microsoft 365, these are practical controls. They help reduce the chance that a compromised account can quietly redirect conversations, hide warnings, or change payment instructions.
3. Treat complaint capture as an early-warning system
Complaints are not only a client-service matter. They can be an early signal that a process, communication, system, or third-party interaction is not working as intended.
Keep the capture process simple enough that staff use it. A shared register or case workflow should record what happened, who owns the response, whether technology was involved, and whether the same pattern has appeared before.
4. Keep client files and finance folders tightly permissioned
If a fraudster gains access to an account, broad file permissions make the incident worse. Review who can access finance folders, client files, HR records, archived matters, and leadership documents.
Old sharing links, unmanaged guest users, and broad Teams membership can quietly undermine otherwise sensible controls. This matters even more as AI-connected tools become better at finding information users already have permission to access.
5. Make AI use visible and approved
AI tools can help staff summarise public guidance or draft checklists, but they should not be used casually with confidential client information, personal information, payment details, or sensitive firm records.
Firms should know which AI tools are approved, what data can be entered, who can use them, and how outputs are reviewed before they are relied on. Safe AI is part policy, part access control, and part training.
6. Practise the first hour
A short incident exercise is often more useful than a long document. Pick a scenario: a partner receives a deepfake voice message, a client asks to change bank details, a shared mailbox appears compromised, or a staff member clicks a suspicious investment link.
Then test the basics. Who is called first? Who disables access? Who checks mailbox rules? Who contacts the client? Who records decisions? Who decides whether external advice is needed?
Common questions
Is this article fraud, legal, financial, regulatory, or compliance advice?
No. It is general information about technology risk and operational controls. Firms should take appropriate professional advice for their own obligations and circumstances.
Why should professional services firms care about deepfake scams?
Deepfake and impersonation tactics can affect client instructions, payment requests, investment conversations, and staff decision-making. Firms should have clear verification steps before acting on sensitive requests.
What systems should firms check first?
Useful starting points include Microsoft 365 mail rules, MFA, administrator roles, shared mailboxes, payment approval workflows, complaint capture, and incident escalation records.
Source note
This article is based on FMA material and reputable New Zealand legal commentary: FMA Financial Conduct Report 2026/27 materials published 30 June 2026, DLA Piper's summary of the FMA Financial Conduct Report 2026/27 published 30 June 2026, and the FMA article Deepfakes published 27 May 2026.
Compliance note: This article is general information only. It is technology-risk and operational-readiness guidance, not legal advice, financial advice, regulatory advice, privacy advice, fraud advice, or compliance advice. Firms should take appropriate professional advice for their own obligations and circumstances.
Book a Conversation
