Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard, or has it been updated or put out for revision?
The model produced a definitive, unqualified assertion about the current regulatory status of a document whose status had changed after its training data was collected. The web-search step did not surface the May 2026 CPMI-IOSCO consultation, leaving the model to report a training-era understanding as if it were current fact. No hedge or currency caveat was offered. - Regulator portal (if any cited link is dud): https://www.bis.org
This finding directly implicates the web-search tool's failure to surface a publicly announced BIS press release from May 2026. The model's training-era prior — that the 2016 guidance is the operative standard — was not overridden by retrieval, suggesting either that the search query did not return the relevant press release or that the model did not weight recent retrieval results against a strong training prior. This is a measurable failure of the retrieval-augmentation loop on a query type (current regulatory status of a named document) that is both common and high-stakes in financial-services deployments.
Has the CPMI-IOSCO 2016 Cyber Resilience Guidance been revised or updated since its publication, and what is its current status as an international standard?
The model asserted the unchanged operative status of the 2016 guidance without qualification, despite having web-search tools available. The May 2026 CPMI-IOSCO consultation — a publicly announced BIS press release — was not surfaced or reflected in the response. The model's answer reprises its training-era understanding of the document's status as if it were a statement of current fact, with the phrase "as of the date of this response" adding an unwarranted precision to an outdated claim. - Regulator portal (if any cited link is dud): https://www.bis.org
Like the analogous Opus 4.7 finding, this result implicates the web-search integration's failure to surface recent regulatory announcements that would override a training-era prior. The phrase 'as of the date of this response' in the model's output is particularly significant: it signals that the model is attempting to hedge on currency but does so without actually checking — suggesting the hedging behaviour is a learned linguistic pattern rather than an operationally grounded check. A retrieval step that actively queries for amendment or consultation activity on named regulatory documents before answering status questions would address this gap directly.
When a Technology & Data team asks AI whether the CPMI-IOSCO 2016 Cyber Resilience Guidance remains the current international standard and receives a confident 'Yes — it has not been formally revised or superseded,' the team may proceed to design, certify, or report compliance against a baseline that is in the process of being updated.
As of 6 May 2026, CPMI-IOSCO published a consultative document signalling active revision of the 2016 standard. A Payment Institutions firm that misses this development cannot engage with the consultation, cannot begin assessing how proposed changes affect its internal controls, and risks having to conduct an emergency compliance review once the revised guidance is finalised — along with potential regulatory exposure if supervisors expect firms to have been actively monitoring developments in the standards they rely on.
Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.
RegLeg Specialist Panel (2026). "Finding#3 — Guidance status: incorrectly stated as current and unrevised — Payment Institutions × Technology Data — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022. RegLegBrief AI Hallucination Research, published 2026-06-04. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/
RegLeg Specialist Panel. (2026). Finding#3 — Guidance status: incorrectly stated as current and unrevised [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/
RegLeg Specialist Panel, Finding#3 — Guidance status: incorrectly stated as current and unrevised [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022], RegLegBrief AI Hallucination Research (June 04, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/.
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q022,
author = {RegLeg Specialist Panel},
title = {Finding#3 — Guidance status: incorrectly stated as current and unrevised},
year = {2026},
publisher = {RegLegBrief AI Hallucination Research},
note = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022},
url = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/payment_institutions/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/}
}