Promoting the Harmonisation of Application Programming Interfaces to Enhance Cross-Border Payments: Recommendations and Toolkit
Payment Institutions × Compliance — International / Multilateral · updated 2026-06-04 · methodology v2.3

AI on CPMI API Harmonisation for Cross-Border Payments — Compliance teams at Payment Institutions firms in international jurisdictions

Executive Summary

Compliance teams at Payment Institutions firms operating across international jurisdictions are actively mapping their obligations under the CPMI API harmonisation framework — identifying which of the 10 recommendations apply to their firm as a PSP, how to use the accompanying self-assessment toolkit, and which central banks are driving implementation pilots that will shape regulatory expectations in their operating corridors.

Across four tested questions on this regulation, AI assistants produced hallucinations in every case: fabricating the internal structure of the self-assessment toolkit wholesale, denying a documented central bank partnership that CPMI itself named in a published brief, inventing stakeholder targeting assignments per recommendation category, and misstating the publication date and technical contents of the companion ISO 20022 data requirements update. The failure pattern is not random — it clusters on document content that the public landing page announces but the underlying PDF does not expose, and on developments published close to or just after AI training cutoffs.

For a Compliance function that relies on AI for regulatory horizon-scanning, gap analysis, or implementation scoping, any one of these errors embedded in an internal deliverable creates a chain of downstream risk: governance frameworks built against non-existent criteria, jurisdictional engagement strategies based on wrong partnership intelligence, and technical compliance timelines anchored to fabricated publication data.

How AI gets this regulation wrong

AI assistants tested on this regulation failed in two distinct ways: inventing specific structural and factual content for documents they could not access, then conceding ignorance when pressed; and asserting rules or facts — named central bank partnerships, technical document timelines, recommendation-by-stakeholder mappings — that directly contradict what CPMI's own published materials say. Both patterns are dangerous precisely because the initial AI response carries enough surface plausibility to pass a junior reviewer's check.

AI's Failure Mode | Count | Affected findings
Exposed Fabrication | 2 | Finding #1 · Finding #3
Misstated Rule | 2 | Finding #2 · Finding #4

What that means for your team

The risk consequences for Compliance at a Payment Institution split evenly between direct regulatory exposure — gap analyses and implementation attestations built on fabricated criteria — and wrong deliverables that poison the underlying work product before it reaches senior management or the regulator. For a function responsible for scoping multi-jurisdictional API harmonisation obligations, the wrong-deliverable risk is particularly acute: a stakeholder mapping or jurisdictional brief that a business line acts on cannot easily be recalled once it has entered project plans or regulatory correspondence.

Risk Impact | Count | Affected findings
Regulatory enforcement | 2 | Finding #1 · Finding #4
Wrong deliverable | 2 | Finding #2 · Finding #3

When this affects your department

Payment Institutions Compliance teams turn to AI on this regulation in at least three recurring scenarios: scoping which of the 10 CPMI recommendations impose obligations on the firm as a PSP versus those directed at system operators, central banks, or standards bodies; running or commissioning API harmonisation self-assessments using the published toolkit as the reference framework; and monitoring which central banks and regulators are actively piloting specific recommendations to anticipate where supervisory expectations will crystallise first.

Each scenario is a live compliance workflow, not a research exercise — the output feeds internal governance documentation, product-launch regulatory mapping, or direct engagement with supervisors.

The self-assessment toolkit question is particularly high-stakes. When the CPMI framework lands and a board or senior risk committee asks Compliance to report on the firm's API harmonisation readiness, the self-assessment toolkit is the obvious structured starting point. If the AI's description of the toolkit's areas, dimensions, and criteria is fabricated, the entire assessment is conducted against non-existent benchmarks.

A gap analysis of that kind will not survive contact with the actual document — or with any counterpart at a correspondent bank, payment system operator, or regulator who has read it — and the reputational cost of presenting a materially wrong self-assessment to a governance body is significant.

The jurisdictional intelligence question is equally operational. For a Payment Institution with exposure to multiple emerging-market corridors, knowing which central banks are actively partnering with CPMI on specific recommendations — particularly pre-validation APIs, which have direct implications for payment routing and sanctions screening workflows — is input to the regulatory engagement calendar, not background reading.

Receiving incorrect intelligence from an AI tool (here, a flat denial that SARB was named, accompanied by a fabricated Bank of England URL) can result in the firm deprioritising engagement with the very regulator that is shaping the next phase of implementation requirements in its operating markets.

The findings at a glance

The table below summarises each tested question, the AI failure produced, and the compliance workflow where that failure would surface.

# | Finding title | Type | Citation ID
1 | Self-assessment toolkit structure and criteria fabricated | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q005
2 | SARB pre-validation API partnership denied, fabricated URL supplied | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007
3 | Per-recommendation stakeholder targeting invented | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008
4 | d230 publication date and technical annex content misstated | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009

Aggregate impact

The failures across these four findings share a structural root: the CPMI API harmonisation framework's public landing page signals the existence of detailed, structured content — 10 recommendations, a self-assessment toolkit, a stakeholder targeting rationale, a companion ISO 20022 update — but the underlying PDF is not publicly extractable. AI assistants fill that gap with invented structure rather than signalling the limit of their knowledge. The toolkit fabrications (finding 1) and the per-recommendation stakeholder assignments (finding 3) follow exactly this pattern: the AI knows the regulation exists, knows it contains structured content, and generates plausible-sounding structure rather than stopping.

The retraction only appears under challenge — meaning a Compliance analyst who accepts the first response without probing walks away with fabricated criteria embedded in their work product.

The two "invented rule" failures (findings 2 and 4) expose a different but complementary problem. CPMI Brief No. 9 (November 2025) explicitly names SARB as CPMI's collaboration partner on pre-validation APIs — a fact that AI tools either missed entirely or actively contradicted, with one generating a fabricated Bank of England URL as a substitute source. The d230 publication date error (April vs February 2026) originated in an AI tool's reliance on a third-party aggregator article rather than the BIS primary page.

Both failures stem from AI tools treating secondary sources, or the absence of a recently published primary source in training data, as equivalent to the authoritative record. For a Compliance function whose work product is expected to be traceable to primary regulatory sources, that equivalence is not acceptable.

The systemic risk for Payment Institutions operating across international jurisdictions is that these errors compound. A Compliance team that has wrong stakeholder mapping (finding 3), wrong partnership intelligence (finding 2), and wrong technical timelines (finding 4) is working from a fractured picture of where the regulation is heading and who will enforce what, when. Individual errors are correctable; a consistent pattern of AI over-confidence on this regulation's inaccessible content means Compliance must treat every AI response on the CPMI API harmonisation framework as a hypothesis requiring primary-source verification before any internal or external use.

What your team should do

The default position for Compliance teams at Payment Institutions on this regulation is straightforward: treat AI output on any content that resides in the inaccessible PDF — toolkit structure, per-recommendation stakeholder assignments, technical annex specifications — as a hypothesis that requires primary-source verification before it enters any internal document. That means going to BIS.org directly, not accepting an AI summary of what the document contains. The regulator publishes; the AI does not have access to the full document and will not reliably tell you that.

For jurisdictional monitoring — tracking which central banks are advancing specific recommendations — the authoritative source is the CPMI Briefs series, not AI retrieval. CPMI Brief No. 9 (November 2025) is the controlling document on SARB's pre-validation API role; AI tools either lacked it in training or actively contradicted it. Build the regulatory engagement calendar from the Briefs directly. AI is useful for drafting the internal briefing note once you have the facts — it is not a reliable source for identifying the facts themselves when those facts were published in late 2025 or 2026.

For ISO 20022 implementation planning tied to d230, always verify publication dates and technical annex contents against the BIS primary page, not against secondary or aggregator sources. A two-month date error may seem minor, but when it propagates into a project milestone, a vendor contract milestone, or a regulatory attestation, correction requires re-opening completed workstreams.

AI tools are useful on this regulation for structuring horizon-scan documents around the 10 recommendation headlines, drafting stakeholder communication on the high-level cross-border payments rationale, and summarising the relationship between API harmonisation and ISO 20022 migration at a conceptual level — where the content is sufficiently well-established in the public domain and not dependent on the inaccessible document's specific criteria or the most recent CPMI operational updates.

How RLB Can Help

RegLeg's published Hallucination Research gives Compliance teams at Payment Institutions firms a practical pre-flight check before placing reliance on AI-assisted output for regulatory questions. Each research entry documents the specific ways AI tools have mis-stated requirements, cited non-existent provisions, or conflated obligations across jurisdictions — giving your team a structured basis for calibrating confidence rather than discovering errors after the fact.

Beyond the published research, RegLeg works with Compliance functions to map which AI-supported workflows carry the highest hallucination exposure for a Payment Institutions firm specifically. Licensing and authorisation timelines, safeguarding and prudential thresholds, cross-border passporting conditions, and AML/CFT obligations each present distinct failure patterns. A bespoke regulator deep-dive surfaces where those patterns are most acute for your operating footprint, so resource and oversight effort is directed where the actual risk sits.

RegLeg can also conduct a confidential review of your firm's existing AI-use policy against our failure-mode catalogue, producing a prioritised remediation plan aligned to the regulatory obligations your Compliance team is already accountable for.

For teams building internal capability, RegLeg develops training material and CPD-aligned content that translates the research into practical guidance — covering how to read AI output critically, what hallucination signals to look for in a regulatory context, and how to document reliance decisions in a way that will withstand supervisory scrutiny. The aim is to leave your Compliance function better equipped to use AI tools responsibly, with the institution's own risk tolerance and regulatory relationships intact.