Executive Summary
Across five questions about the CPMI October 2024 API harmonisation report and its associated toolkit, AI assistants produced substantively wrong answers on every one. The failures divide between outright fabrication — where AI invented toolkit structures, stakeholder obligation maps, and quantitative statistics that no accessible public source supports — and misattributed rules, where AI misidentified which central banks are named in active implementation work and got publication dates wrong by deferring to secondary aggregators rather than primary BIS sources.
For lawyers advising clients on cross-border payments API frameworks, fintech authorisation, or correspondent banking infrastructure, the risk is concrete: advice built on AI-generated summaries of this report's toolkit, its stakeholder scope, or its implementation partnerships will be factually wrong in ways that survive casual verification, because the errors are delivered with apparent confidence and internal structural consistency. The self-assessment toolkit — precisely the document clients will ask lawyers to interpret for operational readiness purposes — proved entirely beyond AI's reliable reach, with multiple tools producing detailed invented frameworks in place of disclosing that the primary PDF is inaccessible.
How AI gets this regulation wrong
The dominant failure pattern on this regulation is AI inventing specific content — toolkit structures, stakeholder category assignments, implementation partnerships — in place of acknowledging that the primary document is inaccessible. A secondary pattern involves AI substituting third-party aggregator claims or survey-sample figures for primary BIS source data, producing answers that are technically wrong but delivered as if authoritative.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 3 | Finding#1 · Finding#3 · Finding#5 |
| Misstated Rule | 2 | Finding#2 · Finding#4 |
What that means for your practice
The practical risk for lawyers almost uniformly lands on liability and PI exposure: advice grounded in fabricated toolkit contents, invented stakeholder obligations, or misattributed implementation partnerships produces opinions that cannot survive a cross-check against the actual BIS publications. One finding creates a distinct but equally serious exposure — wrong deliverables — where quantitative briefing material sourced from AI misrepresents the global fast payment system landscape in ways that would embarrass any lawyer whose name is on the document.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Liability / PI exposure | 4 | Finding#1 · Finding#2 · Finding#3 · Finding#4 |
| Wrong deliverable | 1 | Finding#5 |
When this affects Lawyers
Lawyers advising payment system operators, correspondent banks, fintech platforms, or central bank clients on cross-border payments infrastructure increasingly encounter this report as a soft-law reference point. The practical entry points are clear: a client receives the CPMI recommendations as a regulatory signal and wants to understand its compliance footprint; a payment system operator is evaluating API harmonisation obligations and wants to know which of the 10 recommendations apply to its category of institution; a fintech seeking authorisation in a CPMI member jurisdiction needs counsel to brief on the self-assessment toolkit before an engagement with the regulator.
In each scenario, a lawyer under time pressure is likely to query an AI assistant as a first step — and in each scenario, the AI will produce wrong answers that look right.
The danger is that the report's most practically important artefact — the self-assessment toolkit — exists in a PDF that AI tools cannot reliably access. AI assistants we tested did not disclose that limitation upfront; instead they produced structured, detailed descriptions of toolkit areas, assessment dimensions, and usage methodologies that look authoritative and are entirely invented. A lawyer who accepts that output as a starting point for a client memo on API readiness, or who hands it to a junior to develop into a readiness assessment, is advising on a framework that does not exist in the form described.
For lawyers advising South African, UK, or other jurisdiction-specific clients on implementation progress under this framework, the findings on named implementation partnerships are equally hazardous. AI tools misidentified the Bank of England — rather than the South African Reserve Bank — as CPMI's named collaboration partner on the payment pre-validation API recommendation, and fabricated a supporting URL.
Any advice grounded in that misattribution — whether scoping a client's engagement with their home regulator or advising on bilateral coordination posture — starts from the wrong factual premise, and the lawyer carrying the sign-off cannot safely rely on AI to surface the correction.
The findings at a glance
The five findings below span the toolkit, stakeholder obligation scope, implementation partnerships, ISO 20022 update history, and the statistical landscape of the global fast payment system — the areas where lawyer and client queries on this framework cluster.
Aggregate impact
The errors in this cell share a structural cause: the primary document — the October 2024 CPMI report and its attached toolkit — is a PDF that AI tools cannot access, and AI tools did not disclose that constraint. Instead, across multiple questions touching different parts of the report, AI assistants confabulated specificity: invented category structures, stakeholder mappings, and assessment dimensions that fill the document's outline with plausible-looking content. The toolkit findings show this most starkly — AI produced four-area frameworks, six-step usage processes, and category-level stakeholder assignments from nothing, then partially or fully retracted under challenge.
For a lawyer's purposes, that eventual retraction offers no protection: the initial output will already have been forwarded, quoted, or acted upon.
A separate cluster of errors involves post-report implementation updates that sit at or just past AI training cutoffs. The sharpest example is the misidentification of CPMI's named implementation partner on the pre-validation API recommendation: CPMI Brief No. 9 (November 2025) explicitly names the South African Reserve Bank, but AI tools either missed the brief or hedged past it, substituting the Bank of England as the "closest" named partner and fabricating a supporting URL.
The ISO 20022 update errors follow the same pattern — AI cited a third-party aggregator article as authority for d230's publication date, getting it wrong by two months, and simultaneously fabricated technical annex entity breakdowns that no accessible source describes.
For lawyers in international jurisdictions, the aggregate implication is that no segment of this regulation is safe to brief from AI output without primary-source verification. The failures are not concentrated in peripheral technical detail — they reach the report's central deliverable (the toolkit), its most operationally significant implementation partnership (SARB/pre-validation), its stakeholder obligation map, its adjacent ISO 20022 data-requirements update, and its statistical landscape.
A lawyer who uses AI to scope a client engagement on this framework will, across these questions, receive confident wrong answers in four out of five attempts, and will not be told that any of them are wrong.
What your team should do
The default position for any lawyer advising on this regulation is that AI output is a hypothesis, not a source. The toolkit — the document clients will most often ask about — is inaccessible to AI tools, and AI assistants do not reliably signal that inaccessibility. Before any client communication references the toolkit's structure, assessment dimensions, or usage methodology, the primary BIS PDF must be reviewed directly. This is not a generic verification caution; it is specific to this report's central practical artefact, where every AI-generated description tested was invented.
For questions about implementation partnerships and progress, the same principle applies with a compounding complication: the most current CPMI work product (Brief No. 9, November 2025; d230, February 2026) sits at the boundary of AI training coverage. AI tools may have partial or no knowledge of these publications and do not consistently disclose when they are operating from incomplete information. Any client advice touching implementation status — particularly concerning SARB's role, the pre-validation recommendation, or ISO 20022 data-requirements updates — must be verified against primary BIS publications before it leaves the firm.
Relying on AI to confirm that a briefing note's implementation facts are current is circular: the AI cannot reliably identify what it does not know.
Where AI is genuinely useful for lawyers working on this regulation: conceptual framing of API harmonisation principles, comparative context across cross-border payment initiatives in different jurisdictions, background on CPMI's institutional mandate and soft-law weight, and initial structuring of client questions. None of the failures in this cell arose from conceptual questions — they arose uniformly from questions about specific, document-dependent content: toolkit structure, named partnerships, publication-specific data, and stakeholder obligation maps.
Keep AI on the conceptual scaffolding and structure, keep primary-source verification on the lawyer, and treat any AI answer that references specific toolkit or annex content as a prompt to go to the BIS portal directly.
How RLB Can Help
RegLeg's published Hallucination Research is available as a free pre-flight check for lawyers working on regulatory matters. Before relying on AI-assisted output — whether for advice, drafting, or due diligence — lawyers can consult the research to understand which failure modes have been observed for the specific regulation in question. This is not a substitute for legal judgement, but it is a structured, independent reference that flags where AI tools have historically misfired, allowing practitioners to focus their human verification effort on the highest-risk points.
For firms where multiple lawyers work across the same regulatory portfolio, RegLeg offers bespoke deep-dive engagements. These go beyond the published research to examine the specific regulations, jurisdictions, and question types most relevant to the firm's practice. The output is a tailored briefing that legal teams can use as a standing reference — updated as the regulatory landscape evolves — giving the whole team a shared, consistent picture of where AI tools should be treated with caution and where they have performed reliably.
RegLeg also works with legal teams on training and CPD-aligned content. This covers the categories of failure lawyers are most likely to encounter — including outdated regulatory text, cross-jurisdictional confusion, and misattributed citations — framed around real regulatory examples rather than abstract AI theory. Separately, RegLeg can conduct a confidential review of a firm's existing AI-use policy, assessing it against the failure-mode catalogue the research has surfaced. The output is a structured gap analysis: which risks the policy already addresses, which it does not, and where practical amendments would strengthen the firm's position.