Executive Summary
Operations teams at Payment Institutions firms running cross-border payment corridors have direct implementation exposure to the CPMI API harmonisation framework — from aligning internal API standards to the CPMI recommendations, through to validating connectivity against partner infrastructure using the self-assessment toolkit. Across the two questions tested against this regulation, AI assistants produced wrong answers on both — a 100% failure rate on material operational content.
The failures split between an AI that fabricated a detailed internal structure for the self-assessment toolkit (content that is not publicly accessible) and an AI that misstated the publication date and technical annex contents of the updated ISO 20022 data requirements document, then retracted the date error only when pressed. Both failures produce wrong deliverables: the first corrupts any self-assessment exercise built on AI-supplied toolkit structure; the second poisons version-control decisions about which ISO 20022 data model your infrastructure is actually implementing against.
How AI gets this regulation wrong
The failures on this regulation fall into two distinct patterns: an AI that invented a detailed internal structure for inaccessible reference material and held to it confidently before backing down under challenge, and an AI that fabricated specific technical content and misstated a publication date — relying on a secondary aggregator article rather than the primary source, a retraction it only surfaced when pushed. Both patterns are high-risk precisely because the AI's initial confidence is indistinguishable from accuracy to anyone who does not independently verify against the source document.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#1 |
| Misstated Rule | 1 | Finding#2 |
What that means for your team
Both failures in this regulation land in the same risk bucket: a wrong deliverable. For an Operations team at a Payment Institution, that means internal documentation, readiness assessments, or architecture sign-offs that look complete but are built on fabricated foundations — errors that propagate silently through implementation cycles until a regulator, auditor, or correspondent bank surfaces the discrepancy.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 2 | Finding#1 · Finding#2 |
When this affects your department
Operations teams at Payment Institutions reach for AI most heavily at two pressure points in the CPMI API harmonisation lifecycle: the self-assessment phase, when someone needs to scope what the toolkit actually asks and design an internal gap-analysis exercise against it; and the ISO 20022 data model update cycle, when a technical change request arrives from a correspondent bank or scheme operator and the team needs to confirm which version of the data requirements document governs the new spec.
Both are time-sensitive, both involve translating a technical standard into an internal action — and both are exactly where the failures in this regulation were observed.
If the team uses an AI-supplied description of the self-assessment toolkit's structure to design their readiness programme, the programme is built on fabricated criteria. A Board-level attestation that the firm has completed a CPMI API harmonisation self-assessment — a common output at Payment Institutions operating multi-corridor infrastructure — is then unsupported by any work that maps to the actual toolkit. When that comes up in an audit or a regulatory engagement, the Operations team has no defence: the toolkit the firm assessed against does not exist.
The ISO 20022 version confusion is operationally acute for Payment Institutions running Swift-connected or scheme-connected corridors where data model alignment is a contractual prerequisite. An Operations lead who takes the AI's April 2026 publication date and fabricated technical annex breakdown at face value may sign off a change-management artefact that references the wrong version of the standard, creating a gap between what the firm's systems implement and what the updated data requirements document actually specifies.
In environments where correspondent banks and scheme operators validate ISO 20022 field population against the updated model, that gap produces transaction failures or compliance exceptions — the kind of break that gets escalated to the regulator, not quietly resolved.
The findings at a glance
The two findings below cover the self-assessment toolkit's internal structure and the updated ISO 20022 data requirements document — the two areas where AI tools produced confidently wrong answers on this regulation.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Self-assessment toolkit structure fabricated | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q005 |
| 2 | ISO 20022 update: wrong date and fabricated annex contents | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009 |
Aggregate impact
The two failures cluster on the same underlying dynamic: AI tools generating detailed, structured technical content about CPMI documents that are either not publicly accessible or are only partially described in secondary sources. In both cases the AI produced outputs that look like authoritative reference material — numbered areas, structured dimensions, specific publication metadata — and in both cases that content was fabricated. This is not a pattern of AI being vague or overly hedged; it is a pattern of AI producing false precision on exactly the kind of structured reference content that Operations teams use to build internal programmes.
For Payment Institutions specifically, the systemic risk is that this category of error is the hardest to catch in a fast-moving implementation cycle. A junior operations analyst tasked with scoping a CPMI API harmonisation readiness review, or with confirming the ISO 20022 version governing a new correspondent bank integration, is unlikely to go back to the BIS primary source when the AI returns a structured, detailed, apparently confident answer. The error gets embedded in a gap analysis template, a change request, or a board attestation — artefacts that circulate and accumulate sign-offs before anyone verifies the underlying source.
The regulatory exposure for a Payment Institution is not trivial. Supervisors in the FSB-member jurisdictions where these firms operate increasingly reference the CPMI API harmonisation framework in their own guidance; an incorrect self-assessment that misses actual toolkit criteria, or a version-management failure on the ISO 20022 data model, can surface as a finding in a regulatory review or an independent audit — with the added reputational dimension that the firm's Operations team produced a formal deliverable against criteria that don't exist.
What your team should do
The default position for Operations teams on this regulation should be: AI is not a substitute for the primary BIS source document, and on the self-assessment toolkit in particular, it should not be used at all for structural content until the PDF is directly accessible and verified. The toolkit is a discrete published artefact with a specific internal structure — any AI description of that structure that cannot be traced to an extractable, accessible version of the PDF should be treated as fabricated by default, not trusted as a working reference.
For the ISO 20022 data requirements document, the practical safeguard is version control with primary-source verification as a standing control. Every change request, integration spec, or change-management artefact that references the CPMI ISO 20022 data model should carry a citation to the specific BIS publication — document title, month and year of publication — and that citation should be verified against the BIS website directly before the artefact is signed off.
AI tools are prone to sourcing publication metadata from secondary aggregator articles rather than the primary publication page, and in a fast-moving standards environment that produces date errors that look superficially reasonable. A two-minute cross-check against bis.org eliminates this class of failure entirely.
Where AI tools are genuinely useful for Operations teams on this regulation is in orientation and contextualisation: understanding the high-level structure of the CPMI recommendations, mapping recommendation topics to internal workstreams, drafting the narrative framing for a Board or ExCo briefing. For that kind of background summarisation — where the team already knows the source material and is using AI to speed up drafting rather than derive facts — the failure risk is much lower. The boundary is clear: AI for drafting support, primary source for anything that will be used as a reference in an internal or external deliverable.
How RLB Can Help
RegLeg's published Hallucination Research gives your team a concrete pre-flight check before trusting AI output on regulatory questions. If your Operations function is already using AI assistants to interpret settlement finality rules, cross-border transfer restrictions, or safeguarding obligations under multiple licensing regimes, the research tells you exactly where those tools have demonstrably failed on comparable material — wrong thresholds, inverted obligations, fabricated regulatory references — so you can calibrate which outputs warrant a primary-source check before they feed into a procedure or a control narrative.
For firms carrying higher AI exposure — multi-jurisdiction licensing stacks, complex correspondent arrangements, or frequent regime changes from post-implementation guidance — we run bespoke deep-dives scoped specifically to your Operations workflows. That means mapping your AI-assisted processes against the failure modes most relevant to payment institutions: misread e-money versus payment institution treatment distinctions, hallucinated capital or safeguarding figures, compressed or conflated notice periods across regulators. The output is a prioritised risk register your Head of Operations and compliance function can act on directly, not a generic AI risk framework.
We also work with Operations teams on two practical follow-ons: a confidential review of your existing AI-use policy against our failure-mode catalogue — identifying gaps in your escalation logic, human-review triggers, and record-keeping for AI-assisted regulatory interpretation — and CPD-aligned training material your team can use internally to build calibrated judgement on AI output quality in high-stakes regulatory contexts. Both are designed to be integrated into your existing governance structure rather than run as standalone programmes.