This case study examines AI hallucinations identified in the Risk function at Investment Banking firms operating in Singapore, focusing on MAS Notice 637 (Capital Adequacy for Banks). Across two aggregated findings, AI assistants produced incorrect or unverifiable responses when asked about the scope and content of specific technical annexes within the consolidated Notice. The errors identified are not minor ambiguities — they concern the structural architecture of a core prudential regulation that underpins capital calculation, risk-weighted asset reporting, and valuation frameworks central to Risk team operations.
For firms that have begun incorporating AI tools into regulatory research, compliance support, or internal knowledge management, these findings represent a concrete and testable exposure.
Risk teams at Investment Banking firms in Singapore consult AI tools on MAS Notice 637 in a wide range of day-to-day workflows. These include drafting or updating internal capital adequacy policies, preparing briefing notes for senior management or board risk committees, onboarding new joiners to Singapore's prudential framework, and supporting front-office or product teams that need a rapid read on how a new instrument or structure will be treated under the standardised approach.
AI tools are also frequently used to scope regulatory mapping exercises when a firm is assessing a new product launch, an acquisition, or a significant change to its balance sheet composition. In all of these contexts, the Risk team treats an AI-generated summary as a reliable starting point — and in the absence of a counter-check policy, that starting point can silently become the endpoint.
The corporate use-cases that sit on top of accurate annex-level knowledge of MAS Notice 637 are material. Capital ratio calculations, risk-weighted asset schedules, leverage ratio reporting, and fair value adjustment frameworks all trace back to specific annex-level requirements in the Notice. Errors about which annex governs which instrument type — or what a given annex excludes from its scope — can propagate into internal policy documents, training materials, and ultimately into regulatory submissions or management reporting.
A junior analyst producing a briefing using an AI tool, or a senior risk officer using AI to cross-check a vendor's interpretation, may not have the annex text open alongside the AI output to catch a mismatch.
If the AI's answer is wrong and the error goes undetected, the firm faces concrete downstream costs. MAS has supervisory powers that extend to capital adequacy findings, and a firm whose internal policies or reporting rest on a mischaracterised annex could face remediation requirements, additional supervisory scrutiny, or — in more serious cases — enforcement action. Beyond the regulatory dimension, operational processes built on incorrect rule assumptions may require expensive retrospective correction.
The Risk team and its leadership carry institutional accountability for the accuracy of capital-related frameworks; the individual employee who consulted an AI tool is not a defence against that accountability.
Both findings in this case study share a common failure pattern: AI assistants, when asked about the content of specific technical annexes within MAS Notice 637, produced characterisations that were not grounded in the actual regulatory text. In one case the AI assigned an annex to the wrong part of the framework — attributing a credit risk annex to the leverage ratio framework — and then flagged its own uncertainty in a caveat rather than correcting the primary response.
In the other, the AI produced a detailed and confident-sounding description of an annex's content without any source passage to support it, drawing instead on inferred parallels to the broader Basel III structure. The common thread is confident surface fluency masking an absence of verified regulatory grounding. Neither error was flagged as a definitive hallucination by the AI itself at the point of output.
Both findings cluster on a single regulation — MAS Notice 637 — and specifically on the annex-level architecture of that Notice. This is a predictable exposure point. MAS Notice 637 is a long, technically complex instrument that has been amended and consolidated over time. Its annexes are numbered and referenced internally in ways that do not correspond to widely-circulated secondary commentary, which means AI tools drawing on general financial regulatory training data are likely to interpolate rather than retrieve.
Firms that rely on AI for annex-level precision are therefore operating in exactly the zone where the risk of a plausible-sounding but incorrect answer is highest.
The systemic risk to the firm compounds quickly when a single incorrect AI answer enters a workflow. A wrong characterisation of an annex's scope, if it appears in an internal policy, could affect how the policy is applied across multiple business lines or asset classes. If that policy then feeds into training material, management reporting, or a regulatory submission, the cost of correction escalates at each stage.
In a Risk function where capital and valuation frameworks are under ongoing MAS supervision, the downstream cost of a single undetected annex-level error is not hypothetical — it is proportionate to the complexity and size of the exposures governed by the misidentified rule.
2 findings in this case study. Click any to see its full evidence card.
The default position for Risk teams at Investment Banking firms in Singapore should be that AI tools are a starting point for orientation, not a primary source for annex-level regulatory detail. MAS Notice 637 is a technically complex instrument and the findings in this case study show that AI assistants can produce confident, plausible-sounding descriptions of specific annexes that are either wrong or unverifiable.
Any internal policy, briefing note, or work-product that turns on the precise scope or content of a Notice 637 annex should be cross-checked against the current text on the MAS portal before it is circulated or relied upon.
At the firm level, the Risk function should consider three practical safeguards. First, a regulatory-verification policy that explicitly identifies MAS Notice 637 annex-level content as an area where AI output requires primary-source confirmation before use in any firm work-product. Second, an audit trail requirement for AI-assisted regulatory research — when AI output influences a policy, model assumption, or management report, the verification step and its outcome should be recorded.
Third, sign-off requirements before AI-generated regulatory summaries enter firm-wide use: a subject-matter owner should attest that the annex-level characterisation has been checked against the live MAS text, not just the AI's rendering of it. These controls are proportionate to the supervisory environment and do not require banning AI tools from the workflow.
There are areas of the Risk workflow where AI remains genuinely useful without the same level of primary-source exposure. Drafting non-regulatory internal communications, generating first-draft questions for a regulatory research exercise, summarising long discussion papers the team then reads in full, and producing formatted templates for regulatory mapping tables are all tasks where an AI error is more easily caught and less likely to propagate undetected. Confining AI's role to those upstream tasks — and requiring human verification before the output touches anything that references a specific annex, rule number, or regulatory threshold — substantially reduces the firm's exposure.
RegLeg's published hallucination research gives Risk teams at Investment Banking firms a free and immediately usable reference point before relying on any AI answer in MAS Notice 637 or related capital adequacy rule areas. The research identifies which specific regulatory questions, annexes, and topic areas have produced incorrect AI responses in testing — so that a Risk team member who has just received an AI-generated answer on a Notice 637 annex can check whether that type of question is a known exposure before acting on the response.
This does not require a formal engagement; the published findings are available as a standing resource for the team's own internal verification process.
For firms that want to go further, RegLeg offers bespoke regulator deep-dives tailored to the Investment Banking Risk function in Singapore. These map which AI-supported workflows in the firm's specific operating context — capital ratio monitoring, RWA reporting, valuation framework maintenance, new product approvals — carry the highest hallucination exposure, and which regulatory instruments within that workflow are most vulnerable to the inference-from-structure errors observed in this case study. The output is a prioritised risk register the Risk team can take directly into its AI-use governance framework.
RegLeg can also provide a confidential review of the firm's existing AI-use policy against our failure-mode catalogue, with prioritised recommendations for where verification controls are most needed and where the current policy may have gaps specific to MAS Notice 637 and related prudential instruments. Alongside that, we produce CPD-aligned training content that Risk teams can use internally — helping staff distinguish between the AI tasks where fluent output is usually reliable and the annex-level regulatory questions where it is not.
We work collaboratively with the team rather than as an external auditor, and our goal is to help the firm get the most from its AI tools without the compliance exposure those tools currently carry in this rule area.