Executive Summary
Legal teams at Retail Banking firms operating across international jurisdictions have material reasons to engage closely with the CPMI's API harmonisation framework — it shapes how cross-border payment rails, correspondent networks, and product architectures must align as participating jurisdictions move toward standardised interfaces. Across two aggregated questions put to AI tools about this regulation, AI tools produced wrong answers on both — a clean sweep of failures.
The errors concentrated in two distinct ways: one AI tool flatly denied an explicit CPMI collaboration with a named central bank that is documented in published CPMI guidance, while another committed to a stakeholder-by-recommendation breakdown that no accessible source supports. For a Legal team whose work-product — regulatory mapping, advice to product and compliance, regulator-facing submissions — depends on accurate statements about who is implementing what and which institutions are bound by which recommendations, both failure modes carry direct downstream risk.
How AI gets this regulation wrong
AI tools fail on this regulation in two ways: inventing an absence of evidence where published evidence plainly exists, and — when pressed on structural detail the source material doesn't make easily accessible — committing to category-level stakeholder assignments that go beyond what any accessible text supports. Both failure types produce confident output; neither signals uncertainty to a reader scanning for a reliable answer.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#2 |
| Misstated Rule | 1 | Finding#1 |
What that means for your team
Both findings in this cell resolve to the same risk category: the AI produces a wrong deliverable — advice or analysis that is factually incorrect at the point it would be relied upon. For a Legal team at a Retail Banking firm, wrong deliverables on a CPMI recommendation framework carry liability in two directions: internally, where incorrect regulatory mapping shapes product, compliance, and control design decisions; and externally, where erroneous statements about regulatory scope or central-bank involvement end up in submissions, client-facing documentation, or correspondence with supervisors.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 2 | Finding#1 · Finding#2 |
When this affects your department
Legal teams at Retail Banking firms in international jurisdictions encounter this regulation most acutely when scoping cross-border payment product changes, advising on correspondent banking arrangements, or supporting business lines that need to understand which jurisdictions and institutions are actively implementing harmonised API standards. The jurisdiction-specific dimension matters: a Legal team advising on a South African correspondent relationship, for example, needs accurate intelligence about which central banks are engaged on specific CPMI recommendations — not a general summary of the framework's aspiration.
AI tools that misstate or deny documented central-bank involvement feed directly into that advice, producing a regulatory map that is wrong at the point it is most consequential.
The stakeholder-targeting dimension is similarly high-stakes. When Legal advises on product architecture, new payment-rail integration, or third-party API contracting, understanding which of the 10 recommendations are directed at commercial banks versus payment system operators versus standards bodies determines the firm's direct obligations and compliance exposure. AI tools that confidently assign recommendations to stakeholder categories — without a supportable source — are not producing research drafts for counsel to verify; they are producing outputs that will be treated as reliable by the junior analyst or business-line lead who receives them.
Where this translates into the Legal workflow specifically: regulatory mapping for product launch approvals, internal legal opinions on compliance scope, briefing notes for senior management or board-level governance, and responses to supervisory inquiries that cite regulatory scope. A wrong statement about CPMI's named implementation partners, or a fabricated stakeholder-target breakdown, embedded in any of those documents, creates a reputational and liability exposure that is disproportionate to the apparent simplicity of the question being asked.
The findings at a glance
The two findings below cover AI failures on named-partner identification and stakeholder-targeting structure — both areas where Legal teams at Retail Banking firms are most likely to rely on AI output without an obvious prompt to verify.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | SARB named-partner denial and Bank of England substitution | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007 |
| 2 | Fabricated recommendation-level stakeholder breakdown | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008 |
Aggregate impact
Both failures in this cell share a structural cause: the AI tools were asked questions whose accurate answers depend on relatively recent, specific CPMI publications — guidance issued in late 2025 that sits at or just beyond typical AI training data boundaries. That timing creates a predictable failure pattern: the AI either hedges away from a statement that published guidance makes explicit, or fills the gap with plausible-sounding structure that the accessible record does not support. In neither case does the AI's output signal that it is operating beyond its reliable knowledge.
For a Legal team, this pattern is particularly hazardous because the questions involved — which central banks are named partners on specific recommendations, and which stakeholder categories specific recommendations target — are precisely the questions that look answerable. They are factual, bounded, and regulatory in character. A junior lawyer or paralegal using AI to build a regulatory briefing note has no reason to expect confident fabrication on a factual question of this kind.
The failure is not at the level of legal interpretation, where Legal teams are well-trained to treat AI output with caution — it is at the level of factual recall, where the same caution is less reflexively applied.
The aggregate risk exposure for a Retail Banking firm is concentrated in any work-product that cites CPMI implementation status, named-partner arrangements, or recommendation-level stakeholder scope. That includes regulatory mapping for new payment products, internal legal opinions on correspondent banking compliance, and any external submission to a supervisor that references which institutions are engaged on which CPMI workstreams.
A single wrong citation in a regulator-facing document — asserting the Bank of England as CPMI's named pre-validation partner, for example, when published CPMI guidance names the South African Reserve Bank — is the kind of error that undermines credibility in a supervisory relationship in ways that are difficult to repair.
What your team should do
The default position for Legal teams on this regulation should be: AI tools are not reliable for questions about which specific institutions are named in CPMI implementation guidance, or for questions that require a recommendation-by-recommendation structural breakdown from the core text. Both categories require direct engagement with the primary CPMI publications — including the Briefs series, which are published on a rolling basis and may post-date AI training data — rather than delegating fact-finding to an AI assistant.
Practical safeguards for the Legal workflow on this regulation: any regulatory mapping document, legal opinion, or internal briefing that references CPMI implementation status or named partners should cite the specific CPMI publication being relied upon, not an AI-generated summary. The CPMI Briefs series (available at bis.org) is the authoritative source for implementation progress updates; these should be checked directly.
For stakeholder-targeting questions — which recommendations apply to commercial banks, which to payment system operators — Legal teams should work from the full PDF text of the recommendations rather than asking AI tools to reconstruct it; the granular targeting detail is in the document itself, and AI tools will fill gaps in their access with fabricated structure.
Where AI tools are safe for Legal teams on this regulation: general-purpose orientation on the framework's architecture and the G20 cross-border payments roadmap context; drafting support for internal summaries once Legal has confirmed the facts independently; and generating question lists for engagement with supervisors or industry bodies. The boundary is between drafting and research — AI can accelerate the former once reliable facts are in hand, but is not a substitute for the latter on a regulation where the implementation picture is actively evolving and recent publications are material to accurate advice.
How RLB Can Help
RegLeg's published Hallucination Research gives your team a concrete pre-flight check before relying on AI-assisted output on regulatory questions. The findings cover documented instances where AI tools confidently stated the wrong obligation — wrong entity scope, wrong threshold, inverted compliance direction — on regulations your Legal function deals with daily. Before your team routes a licensing query, a product disclosure question, or a cross-border retail conduct issue through an AI tool, the research tells you whether that regulatory domain has already produced failures of the kind that would matter in a legal opinion or board sign-off.
That is a faster, more honest calibration than an internal pilot.
Beyond the published research, RegLeg works with Legal teams directly to map which AI-supported workflows in a retail banking firm's legal function carry the highest hallucination exposure — jurisdiction-by-jurisdiction, workflow-by-workflow. Consumer credit disclosure review in multiple markets, mortgage conduct rule interpretation, deposit protection regime mapping, AML typology guidance: the exposure profile is not uniform, and the remediation priority list your team needs is not the same as the one a Treasury or Compliance team would produce. We scope that mapping to your firm's actual regulatory footprint, not a generic framework.
We also offer a confidential review of your firm's existing AI-use policy against RegLeg's failure-mode catalogue, with prioritised remediation. Most legal AI-use policies we see address hallucination at the level of "verify outputs" — which is operationally inert for a busy team. We can help you translate that into workflow-specific guardrails, escalation criteria, and documented rationale your General Counsel can stand behind.
Alongside that, we can supply training material and CPD-aligned content your Legal team can use internally — grounded in real failure cases, not hypotheticals, and framed for lawyers who already know the regulatory landscape and need to understand specifically where AI tools break under load.