This case study examines how AI tools perform when Operations teams at Corporate Banking firms in international jurisdictions consult them on regulatory obligations. It draws on findings from testing against the Guidance on Cyber Resilience for Financial Market Infrastructures published jointly by CPMI and IOSCO in 2016 — a foundational international standard that informs how financial market infrastructures and their corporate banking counterparts design and test their cyber resilience programmes. For the question tested, AI assistants produced materially incorrect responses, overstating the specificity and detail of the 2016 guidance while failing to flag the gap-filling role of subsequent regulatory documents.
For Operations teams whose work touches incident response planning, operational resilience frameworks, or vendor and correspondent-bank due diligence, errors of this kind can quietly undermine the accuracy of internal policies and regulatory submissions.
Operations teams at Corporate Banking firms engage with cyber resilience frameworks regularly — not only as recipients of group-wide IT policy, but as active participants in building the operational controls that those frameworks require. When the Operations function is drafting or refreshing an internal incident response plan, scoping a new correspondent-banking relationship, reviewing a critical service provider's resilience standards, or responding to a business line that needs to understand its recovery time obligations under international guidance, it is entirely natural to consult an AI tool as a first step.
The speed and apparent authority of AI-generated responses make them attractive precisely in these time-pressured compliance contexts.
The corporate use-cases that sit on top of this topic area are substantial. An Operations team may be building out a regulatory mapping for a new payments product, preparing training materials for business continuity staff, conducting a gap analysis ahead of a supervisory review, or drafting the firm's formal response to a regulator's questionnaire on operational resilience. Each of these workflows creates downstream work-products — policy documents, training decks, regulatory submissions, board risk reports — that will carry forward any inaccuracy in the AI's answer without further interrogation of the source.
The firm bears the full cost when those work-products are wrong. Where an Operations team relies on AI-generated characterisations of a regulatory standard and builds internal frameworks around an overstated or incomplete picture of what that standard actually requires, the firm is exposed to regulatory findings, enforcement action, and the cost of remediation. Supervisory bodies assessing cyber resilience and operational continuity expect firms to demonstrate accurate, current knowledge of applicable standards.
A defence that the Operations team used an AI tool in good faith offers no regulatory safe harbour, and the reputational and financial consequences — fines, public censures, mandated remediation programmes — fall on the firm, its leadership, and the affected business lines.
The finding in this case study illustrates a recurrent pattern in how AI tools handle layered regulatory frameworks: when a foundational document has been supplemented or elaborated by a later publication, AI assistants tend to attribute the full combined body of expectations to the earlier document, effectively collapsing the regulatory timeline into a single, artificially detailed source. In this instance, AI tools described the 2016 CPMI-IOSCO Cyber Resilience Guidance as containing granular operational expectations that were not, in fact, articulated until the FSB published its Effective Practices for Cyber Incident Response and Recovery in 2020.
The AI's answer was confidently structured and cited plausible-sounding specifics, which makes it harder for an Operations professional to identify the overclaim without going back to the primary source.
The error concentrates on a single regulation and regulator — the BIS CPMI-IOSCO 2016 framework — but its impact on Operations workflows is disproportionate to its apparent simplicity. Questions about incident response and recovery planning are not peripheral; they sit at the heart of operational resilience governance for corporate banking operations with cross-border payment and settlement exposures.
An Operations team that accepts the AI's characterisation of the 2016 guidance as already comprehensive may not seek out the 2020 FSB practices, may not incorporate the later document's more granular expectations into its own incident response framework, and may present an incomplete picture of regulatory compliance to internal governance bodies or external supervisors.
The systemic risk compounds quickly. A single incorrect AI answer about what the 2016 guidance requires can propagate through multiple work-products: an internal gap analysis, a policy refresh, a training module, a supplier assurance questionnaire, and a board-level risk report may all carry the same foundational error forward. Each downstream work-product adds credibility to the inaccuracy without adding independent verification.
For an Operations function operating across international jurisdictions — where supervisory expectations may be calibrated to the full stack of CPMI-IOSCO and FSB guidance — the gap between what the firm believes it has addressed and what regulators expect it to address can translate directly into material findings.
The default position for Operations teams at Corporate Banking firms should be that AI tools are a starting point for orientation, not a primary source for regulatory requirements. When the question concerns what a specific document says — its scope, its detail level, its relationship to later standards — AI-generated answers must be verified against the primary text before any work-product is built on them.
This is particularly important for layered international frameworks such as the CPMI-IOSCO and FSB guidance stack, where the operational content that matters most may sit in a later document that the AI has silently merged with an earlier one.
At the firm level, practical safeguards should be built into Operations workflows before AI output influences any regulatory-facing material. A written policy naming AI as an unreliable source for regulatory detail in these areas — and requiring verification against the primary text — gives teams a clear standard and creates a documented basis for the firm's assurance processes. Audit trails should capture where AI tools contributed to a work-product, so that if an error surfaces later the firm can demonstrate what human review was applied.
Sign-off requirements before AI output enters firm-wide use — whether a policy document, a training module, or a supplier questionnaire — create a verification checkpoint that does not rely on the individual contributor to catch every error. Where material is regulatory-facing, "AI-drafted" and "AI-summarised" content should be clearly distinguished from content that has been independently verified.
There are areas within the Operations workflow where AI tools add genuine value at lower risk. Drafting non-regulatory internal communications, generating a first-draft structure for a document the team will then populate with verified content, summarising long primary-source documents that the team can then read directly, or producing initial questions for further research — these are uses where AI assistance accelerates work without the team placing unverifiable regulatory claims into downstream processes.
The discipline is not to ban AI tools from the workflow, but to maintain a clear line between what the AI has helped draft and what the firm has actually verified.
RegLeg's published hallucination research gives Operations teams at Corporate Banking firms a free, immediately usable reference before they rely on any AI-generated answer in these rule areas. Where the research has already identified that AI tools systematically mischaracterise a particular document — its scope, its detail level, or its relationship to the regulatory framework around it — the team can check that finding before building any work-product on an AI response. That pre-check costs nothing and can prevent the kind of compounding error that propagates silently through a firm's compliance documentation.
For firms that want a more structured view of their exposure, RegLeg offers bespoke regulator deep-dives that map which AI-supported workflows in a Corporate Banking operations function carry the highest hallucination risk. The CPMI-IOSCO and FSB cyber resilience guidance stack is one example of a layered international framework where the gap between what AI tools say and what regulators expect is both material and non-obvious.
A targeted analysis of the firm's specific workflow — incident response planning, supplier assurance, cross-border payment obligations, operational resilience mapping — allows the Operations team and its leadership to prioritise verification effort where the regulatory cost of an error is greatest.
RegLeg also offers a confidential review of the firm's existing AI-use policy against our failure-mode catalogue, with prioritised recommendations for where existing controls are sufficient and where gaps remain. For teams that need to build internal capability, we can provide training material and CPD-aligned content that the Operations function can use to embed regulatory-verification habits across the team — not as a one-off exercise, but as a durable part of how the firm manages AI-assisted compliance work going forward.