Executive Summary
Legal teams at Payment Institutions firms operating across international jurisdictions rely on accurate, current intelligence about which regulators and central banks are actively driving CPMI's API harmonisation agenda — because those partnerships directly shape which implementation timelines and bilateral arrangements your firm needs to track for cross-border product and compliance scoping. Across two questions put to AI tools on the CPMI Promoting the Harmonisation of APIs for Cross-Border Payments recommendations, AI assistants produced incorrect answers on both.
One failure involved AI confidently asserting that no central bank was publicly named as CPMI's partner on the payment pre-validation API recommendation — citing the Bank of England as the closest analogue — when CPMI Brief No. 9 (November 2025) explicitly names the South African Reserve Bank as that partner; a fabricated Bank of England source was offered in support. The second failure saw AI commit to a detailed stakeholder-assignment breakdown across CPMI's ten recommendations — allocating specific categories of actor to specific recommendation clusters — when no accessible public source supports that granularity.
Both failures produce wrong deliverables: compliance matrices, regulatory horizon scans, and jurisdictional coverage memos built on these AI outputs carry material errors into Legal's work product before any human check catches them.
How AI gets this regulation wrong
The failures AI tools produced on this regulation split between two distinct patterns: inventing institutional facts that do not exist — including fabricating a supporting source — and committing to granular implementation detail that goes beyond anything in accessible public documentation, then retreating when pressed. Both types present a specific danger for Legal workflows because the outputs are internally coherent and surface-plausible, exactly the kind of answer a junior analyst forwards without flagging.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#2 |
| Misstated Rule | 1 | Finding#1 |
What that means for your team
Both findings in this regulation converge on the same risk category for Legal teams: wrong deliverable. Whether the error originates in a fabricated institutional partnership or in an overconfident stakeholder-mapping exercise, the downstream consequence is the same — a Legal work product (regulatory horizon note, jurisdictional coverage memo, internal compliance matrix) that encodes incorrect information and propagates it to business lines, board packs, or external counsel before the error surfaces.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 2 | Finding#1 · Finding#2 |
When this affects your department
Legal teams at Payment Institutions firms reach for AI assistance on the CPMI API harmonisation framework most often during regulatory horizon scanning — specifically when mapping which jurisdictions are actively piloting specific recommendations and therefore likely to transpose requirements into national rulebooks affecting your firm's cross-border corridors. An incorrect answer about which central bank is running the pre-validation API pilot does not stay abstract: it shapes which bilateral arrangements your Legal team treats as imminent compliance obligations, which jurisdictional legal opinions you commission, and which product launch timelines you advise the business to pressure-test against incoming regulation.
The second scenario is supplier and partner due-diligence for API integration agreements. When a correspondent bank, technology vendor, or PSP is negotiating API connectivity arrangements, Legal needs to know which CPMI recommendations apply to which actor class — standards bodies, payment system operators, central banks, commercial banks — to draft appropriate contractual representations and condition precedents. AI tools that produce confident but unsupported stakeholder-assignment breakdowns push that drafting in the wrong direction.
A correspondent banking API agreement drafted on the basis that a given CPMI recommendation cluster does not target commercial banks — when in fact the accessible primary text is ambiguous and the full per-recommendation breakdown is not publicly confirmed — creates documentation risk that sits in your transaction files.
Both failure modes surface most sharply when Legal is supporting a new product launch or market entry into a corridor where CPMI's pre-validation or API standardisation recommendations are being actively implemented. The jurisdictional intelligence that informs that launch advice — which regulator is running which pilot, which recommendation applies to which counterparty class — is precisely where AI tools are producing unreliable outputs on this regulation.
The findings at a glance
The table below summarises both findings from our testing of AI tools on this regulation, showing the question area, the AI's error, and the documented CPMI position each AI response contradicted.
Aggregate impact
The two findings on this regulation share a structural feature: both errors arise in the space between what CPMI has formally published in accessible documents and what AI tools infer or extrapolate to fill that gap. CPMI Brief No. 9 (November 2025) — which explicitly names the South African Reserve Bank as the collaboration partner on the pre-validation API recommendation — sits at or just beyond the training window of current AI assistants.
That timing mismatch is not the whole story, though: one AI tool not only got the answer wrong, it fabricated a Bank of England source to support its incorrect claim. That is a categorically different failure from a simple knowledge cutoff — it is the AI constructing a citation to make a wrong answer appear authoritative.
The stakeholder-breakdown failure follows a different pattern but produces equivalent harm. Here the AI committed to detailed category-level assignments across CPMI's ten recommendation clusters — specifying which actor classes each cluster targets — when the granular per-recommendation breakdown is not confirmed in any accessible public document. Crucially, the AI's answer was coherent and internally structured, organised under clear category headings, which is precisely what makes it dangerous: Legal analysts who receive a well-formatted breakdown have no immediate signal that the underlying mapping lacks textual support.
For Legal teams operating across multiple international corridors, the aggregate risk is concentrated in the horizon-scanning and jurisdictional intelligence work that feeds board-level and regulatory reporting. A regulatory tracker or jurisdictional coverage memo that incorrectly identifies the active implementation partners, or that mis-assigns obligation categories across CPMI's recommendation set, propagates those errors into decisions about product launches, correspondent banking arrangements, and regulator engagement — all before the error has any opportunity to be caught.
What your team should do
The default position for Legal on this regulation is: treat any AI-generated claim about which central bank or authority is actively partnering with CPMI on a specific recommendation as unverified until you have pulled the relevant CPMI Brief or working paper directly from the BIS publications portal. CPMI produces numbered Briefs and consultation reports that name collaboration partners explicitly — those documents are the authoritative source, not AI summaries of them. This matters acutely for any corridor-level analysis touching sub-Saharan Africa, where the SARB–CPMI pre-validation partnership is live and directly relevant to cross-border product scope.
For stakeholder-mapping work across the ten recommendations, the practical safeguard is to anchor to what CPMI's published documents actually say at the level of specificity you need. If the per-recommendation stakeholder breakdown your team requires is not in an accessible public document, treat that gap as a gap — not as an invitation for AI to extrapolate. When the business needs a recommendation-by-recommendation actor-class breakdown for contracting or product structuring purposes, that analysis should be built from the primary CPMI text and, where the accessible text is silent, flagged as a documented uncertainty rather than filled with AI inference.
AI tools remain useful in this regulatory area for initial orientation — mapping the broad architecture of CPMI's cross-border payments programme, identifying which G20/FSB workstreams the API harmonisation work connects to, and surfacing prior CPMI publications for a research queue. The failure zone is precisely where AI moves from structural orientation into institutional specifics: named partners, named implementations, named recommendation-to-actor assignments. That is where the errors in this cell occurred, and that is where Legal sign-off must require a primary-source citation before the output leaves the team.
How RLB Can Help
RegLeg's published Hallucination Research gives the Legal team at a Payment Institutions firm a free, ready-to-use pre-flight check before placing weight on AI-generated output for regulatory questions. Each research entry documents the specific ways AI tools have misrepresented rules, cited non-existent provisions, or conflated requirements across payment frameworks — giving your team concrete, evidenced failure patterns rather than abstract caution. Running that check takes minutes and can prevent the kind of reliance on plausible-sounding but incorrect regulatory positions that carries real compliance and reputational risk.
Beyond the published research, RegLeg offers bespoke regulator deep-dives scoped to the workflows your Legal function actually uses. For Payment Institutions operating across multiple jurisdictions, that typically means mapping AI-supported tasks — licence condition reviews, regulatory correspondence drafts, horizon-scanning, and cross-border equivalence analysis — against the hallucination failure modes most prevalent in each relevant framework. The output is a prioritised exposure map your team can act on directly: knowing which tasks benefit most from AI assistance and which require tighter human review before outputs are relied upon.
For firms with an existing AI-use policy, RegLeg can conduct a confidential review against our failure-mode catalogue, identifying gaps and producing a prioritised remediation plan aligned to your current workflows and governance structure. We also develop training materials and CPD-aligned content tailored for Legal teams — practical, case-grounded sessions that build the critical fluency your lawyers need to work productively with AI tools without inadvertently accepting flawed regulatory analysis.