This is the consolidated view of findings.
A Compliance team that uses AI to structure its API harmonisation self-assessment programme will build an assessment framework around fabricated areas, dimensions, and criteria that have no verified basis in the CPMI toolkit. When that gap analysis is presented to internal audit or to a regulator as evidence of the firm's CPMI alignment posture, the entire evidentiary foundation is compromised. Remediation requires scrapping the AI-generated framework, sourcing the actual toolkit, and re-running the assessment — a material programme delay with direct cost implications and potential supervisory credibility damage if the error surfaces during examination.
AI tools tested on this regulation either denied the existence of the SARB-CPMI pre-validation API collaboration or proposed the Bank of England as the more plausible partner — directly contradicting CPMI Brief No. 9 (November 2025), which explicitly names SARB. A Compliance function conducting regulatory horizon-scanning for a bank with South African correspondent exposure or a local subsidiary will miss a live implementation track that may generate local supervisory requirements flowing from the CPMI-SARB workstream. The gap in horizon-scanning is a control environment deficiency that supervisors conducting thematic reviews of cross-border payment compliance will expect to find documented.
AI produced category-level stakeholder assignments for the ten CPMI recommendations — asserting, for example, that certain recommendation categories exclusively target standards bodies and public authorities rather than commercial banks — without any accessible primary-source basis. A Compliance team that uses this output to scope which recommendations create obligations for its retail bank as a participant, versus those directed at payment system operators or standards bodies, will either over-scope (building unnecessary controls) or under-scope (missing genuine bank-level obligations). Under-scoping in a regulatory mapping exercise that feeds a product launch or correspondent banking onboarding framework creates direct regulatory enforcement exposure.
AI misidentified the publication date of the updated CPMI ISO 20022 data requirements document (February 2026, not April 2026) and fabricated specific data entity breakdowns for its technical annex. A Compliance or technology governance team that references incorrect publication metadata in a regulatory filing, or that designs data mapping controls around fabricated annex content, faces both the direct cost of correcting the record and the reputational risk of submitting inaccurate information to a regulator.
The BIS-CPMI data requirements document sits at the centre of ISO 20022 migration compliance programmes; errors in how it is characterised internally compound across every downstream control that references it.