AI Hallucination ResearchAudiencesSectorsInternational / MultilateralPayment InstitutionsTechnology DataDetail › Finding
Payment Institutions × Technology Data — International / Multilateral · updated 2026-05-28 · methodology v2.1
Share / Print Twitter LinkedIn Email

Operational detail for cyber incident response in the 2016 guidance versus later documents

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
AI's failure:Exposed Fabrication Risk for Payment Institutions × Technology Data:Wrong deliverable
What the RLB Specialist Panel found
Question (paraphrased to protect IP)

Does the CPMI-IOSCO 2016 Cyber Guidance itself specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed in later publications?

RLB's analysis

The model affirmed that the 2016 guidance contains detailed operational response-and-recovery practices, collapsing a four-year gap in the regulatory timeline. The operational specificity the model described is more characteristic of the 2020 FSB publication than of the 2016 text, which addresses the same themes at a higher level of abstraction. The model appears to have drawn on its knowledge of the post-2016 ecosystem to populate what it believed the original document contained. - Regulator portal (if any cited link is dud): https://www.bis.org

AI Head's analysis — what weakness in the AI model caused this

This finding points to a gap in the model's ability to distinguish the level of operational detail characteristic of a 2016 principles-based guidance document versus a 2020 operational-practices publication. The model populated the 2016 document's supposed content with material more consistent with the later FSB guidance, suggesting that its internal representation of the 2016 document is contaminated by subsequent regulatory outputs on the same topic. Synthetic training pairs that contrast high-level principles text with operational-detail text from a later document — with correct attribution — could help calibrate this boundary.

Impact for Technology & Data Teams in Payment Institutions Sector in international jurisdictions working with the Guidance on Cyber Resilience for Financial Market Infrastructures

A Technology & Data team that asks AI whether the CPMI-IOSCO 2016 guidance provides detailed operational incident-response requirements — and receives the answer 'Yes, with specific expectations including 2hRTO and secondary site use' — may conclude that the guidance alone is sufficient to anchor their incident response framework design.

The actual regulatory landscape requires the team to look beyond the 2016 guidance to the FSB's 2020 Effective Practices document, which contains the operational depth that the 2016 guidance only frames at a high level. A Technology & Data team working from the AI's answer may deliver an incident response plan or control library that appears to satisfy the 2016 guidance but fails to meet the fuller operational standard that international supervisors would apply — producing a wrong deliverable that requires rework at significant cost when the gap is discovered in a supervisory review.

References — raw findings (per AI model)
This finding also affects
← Previous finding Origin of the phrase 'secure the periphery, protect the core'
Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
Plain text Download 
RegLeg Specialist Panel (2026). "Operational detail for cyber incident response in the 2016 guidance versus later documents — Payment Institutions × Technology Data — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
APA 7th edition Download 
RegLeg Specialist Panel. (2026). Operational detail for cyber incident response in the 2016 guidance versus later documents [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
Bluebook / OSCOLA (US + UK legal) Download 
RegLeg Specialist Panel, Operational detail for cyber incident response in the 2016 guidance versus later documents [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.
BibTeX Download 
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
  author    = {RegLeg Specialist Panel},
  title     = {Operational detail for cyber incident response in the 2016 guidance versus later documents},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
  url       = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}
← Back to case study summary Case study detail →
About Citation IDs →