Payment Institutions × Compliance — International / Multilateral · updated 2026-06-04

Finding#3 — Incident response detail — operational depth overclaimed

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019

AI's failure:Exposed Fabrication Risk for Payment Institutions × Compliance:Wrong deliverable

What the RLB Specialist Panel found

Question (paraphrased to protect IP)

Does the CPMI-IOSCO 2016 Cyber Guidance itself specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed in later publications?

RLB's analysis

The model affirmed that the 2016 guidance contains detailed operational response-and-recovery practices, collapsing a four-year gap in the regulatory timeline. The operational specificity the model described is more characteristic of the 2020 FSB publication than of the 2016 text, which addresses the same themes at a higher level of abstraction. The model appears to have drawn on its knowledge of the post-2016 ecosystem to populate what it believed the original document contained. - Regulator portal (if any cited link is dud): https://www.bis.org

AI Head's analysis — what weakness in the AI model caused this

This finding points to a gap in the model's ability to distinguish the level of operational detail characteristic of a 2016 principles-based guidance document versus a 2020 operational-practices publication. The model populated the 2016 document's supposed content with material more consistent with the later FSB guidance, suggesting that its internal representation of the 2016 document is contaminated by subsequent regulatory outputs on the same topic. Synthetic training pairs that contrast high-level principles text with operational-detail text from a later document — with correct attribution — could help calibrate this boundary.

Impact for Compliance Teams in Payment Institutions Sector in international jurisdictions working with the Guidance on Cyber Resilience for Financial Market Infrastructures

A Compliance team preparing cyber incident response protocols by asking AI what operational detail the CPMI-IOSCO 2016 Guidance specifies will receive an answer that overclaims the document's depth. The AI characterised the 2016 guidance as providing detailed operational expectations for incident response, when in fact the FSB's Effective Practices for Cyber Incident Response and Recovery (2020) addresses the level of operational detail that the 2016 guidance leaves open.

A Payment Institutions firm that stops at the 2016 guidance — relying on AI's assurance that it is operationally detailed — and does not incorporate the 2020 FSB document will have an incomplete incident response framework. This gap could become material during a supervisory review, a significant cyber event, or a counterparty assessment of the firm's operational resilience.

References — raw findings (per AI model)

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019-Sonnet46 Claude Sonnet 4.6 (web search on)

This finding also affects

← Previous finding Finding#2 — Phrase origin — wrong 2018 source document Next finding → Finding#4 — FSB Cyber Lexicon alignment — uncertain presented as confirmed

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019

Plain text Download

RegLeg Specialist Panel (2026). "Finding#3 — Incident response detail — operational depth overclaimed — Payment Institutions × Compliance — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-06-04. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/

APA 7th edition Download

RegLeg Specialist Panel. (2026). Finding#3 — Incident response detail — operational depth overclaimed [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/

Bluebook / OSCOLA (US + UK legal) Download

RegLeg Specialist Panel, Finding#3 — Incident response detail — operational depth overclaimed [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (June 04, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.

BibTeX Download

@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
  author    = {RegLeg Specialist Panel},
  title     = {Finding#3 — Incident response detail — operational depth overclaimed},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
  url       = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}

← Back to case study summary Case study detail →

About Citation IDs →