Retail Banking × Compliance — International / Multilateral · updated 2026-06-04 · methodology v2.3

AI on Promoting the Harmonisation of Application Programming Interfaces to Enhance Cross-Border Payments: Recommendations and Toolkit for Compliance teams at Retail Banking firms in international jurisdictions

Executive Summary

Compliance teams at Retail Banking firms operating across international jurisdictions are increasingly consulting AI tools to parse the CPMI's October 2024 API harmonisation recommendations — a framework that directly shapes how correspondent banking networks, payment system operators, and commercial banks are expected to structure and interoperate their APIs for cross-border payments.

Across four questions put to AI assistants on this regulation, every single response produced a hallucination: AI tools either fabricated detailed structural content about the self-assessment toolkit that no accessible public source supports, misidentified which central banks are formally partnering with CPMI on specific implementation tracks, or invented stakeholder-targeting breakdowns for the ten recommendations. The failure pattern is not random — it concentrates on precisely the operational detail that Compliance functions need: toolkit structure for internal gap analysis, named pilot partners for jurisdictional scoping, and stakeholder-obligation mapping for correspondent banking chains.

A Compliance team that uses these AI responses to brief senior management, scope API governance programmes, or draft regulatory submissions will carry structurally incorrect information into consequential internal work products.

How AI gets this regulation wrong

AI tools failed on this regulation in two distinct ways: confidently committing to invented structural detail about documents they could not access, and stating rules or named relationships that simply do not exist in the official record. In both cases the failure was not flagged by the AI — responses were delivered with authority, and errors only surfaced when challenged directly or cross-checked against primary sources.

AI's Failure Mode | Count | Affected findings
Exposed Fabrication | 2 | Finding #1 · Finding #3
Misstated Rule | 2 | Finding #2 · Finding #4

What that means for your team

The errors cluster into two risk categories that are live concerns for Compliance at any retail bank with cross-border payment exposure: regulatory enforcement risk where AI-sourced guidance feeds regulatory submissions or control frameworks built on fabricated obligations, and wrong-deliverable risk where internal assessments or vendor briefs are built on a misreading of which institutions bear which obligations under the CPMI framework. Both categories translate into rework, reputational exposure with regulators, and in the enforcement scenario, direct supervisory scrutiny of the control environment.

Risk Impact | Count | Affected findings
Regulatory enforcement | 2 | Finding #1 · Finding #4
Wrong deliverable | 2 | Finding #2 · Finding #3

When this affects your department

Compliance functions at retail banks with cross-border payment activity interact with this regulation at several concrete junctures. The self-assessment toolkit is the most immediate: teams running API governance gap analyses — whether to satisfy internal audit, a regulatory request, or a correspondent banking due-diligence exercise — will reach for AI to structure the assessment criteria and dimensions before they've obtained a primary-source read of the toolkit.

Similarly, when a payments product team or technology architect brings a new API-connected service to Compliance for regulatory mapping, the Compliance lead will often use AI to quickly establish which of the ten CPMI recommendations apply to the bank as a participant versus those directed at payment system operators or standards bodies — getting that boundary wrong means scoping the wrong controls.

Jurisdictional specificity is a second pressure point. Retail banks with international correspondent networks need to know which jurisdictions are piloting or implementing specific CPMI recommendations in order to anticipate local regulatory requirements that will flow downstream. The SARB-CPMI collaboration on payment pre-validation APIs is a direct example: a bank's Africa-facing correspondent banking team, or its South Africa-licensed subsidiary's Compliance function, needs to know that pre-validation is an active implementation track, not a theoretical future initiative.

If AI tools deny that named central bank partnerships exist when they do, the bank's regulatory horizon-scanning misses a live regulatory development, with supervisory consequences if the gap surfaces in examination.

The downstream cost of these errors in Compliance work products is not confined to reputational risk. Regulatory submissions — responses to consultation, SREP questionnaires, recovery and resolution plan annexes — that contain fabricated obligations or wrong stakeholder-attribution will require formal correction. Where an error has shaped a control framework or policy document that has been presented to an internal audit or supervisory body, remediation runs to full evidence trails and management attestations.

For a retail bank already under scrutiny on cross-border payment controls, an AI-sourced error in this space is not a minor inaccuracy — it is a control environment failure.

The findings at a glance

All four findings on this regulation were hallucinations — each AI response asserted specific, actionable detail that is either unverifiable against any public source or directly contradicted by the official record.

# | Finding title | Type | Citation ID
1 | Fabricated self-assessment toolkit structure | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q005
2 | SARB-CPMI pre-validation partnership denied | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007
3 | Invented per-recommendation stakeholder targeting | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008
4 | ISO 20022 update date error and fabricated annex detail | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009

Aggregate impact

The four findings on this regulation share a structural pattern: AI tools failed most severely where the underlying regulatory document is technically inaccessible for direct extraction, and compensated by generating plausible-sounding detail drawn from inference, analogous documents, or third-party aggregators rather than the primary text. The self-assessment toolkit findings are the clearest example — AI responses committed to four-area structures, assessment dimensions, and step-by-step usage processes that have no verifiable basis in any public source, because the toolkit itself exists as a non-extractable PDF and no authoritative third-party commentary describes its internal architecture.

This is not a one-off hallucination: two separate AI tools independently fabricated structured toolkit content, suggesting the failure mode is systematic rather than idiosyncratic.

The SARB-partnership finding adds a second dimension: this error was produced by AI tools mishandling documents published at or near their training data horizon. CPMI Brief No. 9 (November 2025), which explicitly names the South African Reserve Bank as the collaboration partner for the pre-validation API recommendation, was either not surfaced in initial responses or actively contradicted — with one tool instead proposing the Bank of England as the closest analogue.

For Compliance teams conducting jurisdictional scoping across markets with emerging API regulatory frameworks, this error class is particularly acute: the official record has moved, the AI's answer reflects an earlier or incomplete state of it, and the confident framing offers no signal that the answer requires verification.

Together, the findings cluster on the operational detail layer — toolkit mechanics, named institutional partnerships, and per-recommendation stakeholder obligations — that Compliance teams need most when translating a BIS-level framework into bank-level controls. The high-level narrative of the CPMI recommendations (improve interoperability, reduce friction in cross-border payments) is not where AI fails; it is in the specific structural and jurisdictional detail required to build a credible internal compliance programme that will withstand regulatory or audit challenge.

What your team should do

The default position for Compliance work on this regulation should be: AI is not a substitute for a primary-source read of the CPMI documentation, and specifically not for the self-assessment toolkit. The toolkit is the operative instrument for gap analysis — its structure, assessment dimensions, and scoring criteria are not reliably recoverable from AI and should be taken directly from the BIS-published PDF. Any gap analysis workstream that relies on an AI-generated description of the toolkit's architecture is building on a foundation that has no verified connection to the document's actual content.

Before scoping the internal assessment programme, a team member with direct regulatory reading experience should confirm the toolkit structure against the primary text and document that confirmation in the programme workpapers.

For jurisdictional horizon-scanning — specifically tracking which central banks are piloting or implementing specific recommendations — the team should maintain a standing practice of verifying against CPMI's own publication feed (bis.org/cpmi) rather than using AI as a first-pass filter. CPMI Brief No. 9 and similar implementation-track updates are exactly the category of document that sits at or beyond AI training data horizons; AI tools tested on this regulation either missed or contradicted Brief No. 9's explicit SARB-CPMI partnership disclosure.

For a bank with South African correspondent exposure or a local subsidiary, the failure to capture that development in regulatory horizon-scanning represents a gap in the ongoing regulatory change management process that supervisors will expect to find documented.

AI tools are reasonably safe for orientation-level work on this regulation: summarising the high-level purpose of the ten recommendations, explaining why API harmonisation matters for cross-border payment efficiency, or generating an outline for a training session for business lines. The risk concentrates at the detail layer — toolkit internals, stakeholder-obligation mapping per recommendation, named implementation partners, and technical annex specifics of supporting documents like the ISO 20022 data requirements update.

Apply the same rule your team would apply to a junior analyst's first draft: AI output on this regulation requires primary-source verification before it enters any document that will be seen by regulators, senior management, or the firm's internal audit function.

How RLB Can Help

RegLeg's published Hallucination Research functions as a pre-flight check for Compliance teams that are already using AI tools on regulatory questions — not a theoretical caution, but a documented record of where AI assistants have produced confident, wrong answers on the exact categories of rules your team works with daily: consumer protection obligations, cross-border disclosure requirements, AML/CFT thresholds, and prudential reporting standards.

Before your team relies on AI output to inform a regulatory position, an enforcement response, or a policy gap assessment, the research lets you see what failure patterns have already been observed on comparable regulatory material — so you know which outputs warrant independent verification and which carry lower risk.

For firms where AI-supported workflows are already embedded in the Compliance function — regulatory horizon scanning, policy-to-rule mapping, RFI drafting, training gap analysis — RegLeg can run a bespoke regulator deep-dive scoped specifically to your jurisdiction set and product lines. That work maps your highest-exposure workflows against the failure modes we've catalogued: not generic risk categories, but the specific question types and regulatory domains where AI assistants have demonstrably and repeatedly miscalibrated. The output gives your team a prioritised view of where human review is non-negotiable and where AI-assisted drafting carries manageable residual risk.

If your firm has an existing AI-use policy covering the Compliance function, RegLeg can review it confidentially against our failure-mode catalogue and return a prioritised remediation list — gaps in scope, untested assumptions about AI accuracy on regulatory content, and disclosure or escalation triggers that are absent or underspecified.

We can also develop training material and CPD-aligned content your team can use internally: scenario-based, grounded in real failure examples from the research, and calibrated for practitioners who don't need the 101 but do need documented evidence to support governance conversations with the board, internal audit, or regulators asking how AI risk is being managed in the Compliance function.