Promoting the Harmonisation of Application Programming Interfaces to Enhance Cross-Border Payments: Recommendations and Toolkit
Software & SaaS × Compliance — International / Multilateral · updated 2026-06-04 · methodology v2.3

AI on the CPMI API harmonisation recommendations for cross-border payments, for Compliance teams at Software & SaaS firms operating in international jurisdictions

Executive Summary

Compliance teams at Software & SaaS firms operating in cross-border payments are directly in scope of CPMI's API harmonisation framework — not as passive observers, but as the technology layer that payment system operators, banks, and PSPs depend on to implement the recommendations. When those teams turn to AI assistants to map out which of the 10 CPMI recommendations apply to their firm versus their banking or operator counterparties, they run into a specific and consequential failure pattern: AI tools that nominally acknowledge the limits of their knowledge but then proceed to make confident, unsupported stakeholder assignments anyway.

Across our testing of this regulation, we identified one aggregated finding — a fabrication where the AI correctly flagged that it could not produce a per-recommendation breakdown but simultaneously committed to category-level stakeholder mappings that no accessible source supports. For a Compliance function whose core deliverable is a scoped obligations register — determining which CPMI recommendations your firm must act on versus which fall to your banking partners or the payment infrastructure layer — this kind of half-refusal/half-fabrication is particularly hazardous because it looks like a reasoned, bounded response when it is not.

How AI gets this regulation wrong

The failure mode surfaced on this regulation is a variant of confident fabrication that is harder to catch than an outright invented rule: the AI hedges at the question level — correctly acknowledging it cannot produce a recommendation-by-recommendation stakeholder map — but then invents confident answers at the category level, committing to stakeholder assignments that go materially beyond what any accessible source actually states. The table below shows where that pattern appeared and what the AI asserted versus what the regulation text supports.

AI's failure mode | Count | Affected findings
Exposed fabrication | 1 | Finding #1

What that means for your team

For a Compliance function at a Software & SaaS firm, the primary risk from AI failure on this regulation is not a regulatory penalty triggered directly — it is a wrong deliverable: an obligations register or policy framework scoped against the wrong set of recommendations, misdirecting engineering and legal resource toward requirements that don't apply to your firm while missing those that do. The table below maps the risk impact categories identified across this regulation's findings to the specific Compliance workflows where that mismapping would land.

Risk impact | Count | Affected findings
Wrong deliverable | 1 | Finding #1

When this affects your department

Compliance teams at Software & SaaS firms are most likely to consult AI on this regulation at the scoping stage: when a product manager or payments engineering lead asks which CPMI API harmonisation requirements the firm needs to implement versus which fall on its banking sponsor, correspondent banking partner, or payment system operator. That stakeholder demarcation question is not academic — it determines whether your firm's compliance programme needs to build controls around specific API data field standards, ISO message-type adoption timelines, or governance processes, or whether those obligations sit with the licensed bank your firm routes through.

Getting the mapping wrong at this stage means the entire downstream compliance build — policy drafting, control design, contractual obligations to banking partners, and product roadmap gating — is scoped incorrectly from the outset.

The same question arises in supplier and partner due diligence. When your firm is onboarding a new payment rail, banking-as-a-service provider, or API aggregator in a jurisdiction where the CPMI recommendations are being implemented at a national level, Compliance needs to know which obligations it can rely on the partner to carry and which your firm retains. AI tools are routinely used to shortcut this analysis — producing a first-cut obligations matrix that the Compliance analyst then reviews rather than building from the text.

If the AI's stakeholder assignments at category level are fabricated, that first-cut matrix propagates error into your partner assessment templates and contract schedules. By the time the error surfaces — typically in a first-line control review or an internal audit walkthrough — the cost of remediation is substantially higher than the cost of getting the scoping right at intake.

The findings at a glance

The following table summarises the finding identified in our testing of AI assistants on this regulation, scoped to the questions most relevant to a Compliance function at a Software & SaaS firm operating internationally.

# | Finding title | Type | Citation ID
1 | Fabricated stakeholder mapping across CPMI recommendation categories | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008

Aggregate impact

With only one finding in this audience and sector combination, there is no pattern to average out — the single failure carries full weight, and its character matters. The CPMI report explicitly states that its 10 recommendations are "directed at a broad array of stakeholders," but the detailed per-recommendation stakeholder targeting sits in source material that AI tools cannot access.

The failure we documented is not the AI refusing to answer and leaving the analyst with a gap — it is the AI producing a confident, structured category-level stakeholder map (attributing specific recommendation groupings to standards bodies, to central banks and FMI operators, to PSPs) while simultaneously acknowledging it could not produce a per-recommendation breakdown. Those two signals are contradictory, and most Compliance analysts reading a structured, categorised AI output will not notice the contradiction.

For Software & SaaS firms, the systemic risk is that this failure clusters precisely around the questions Compliance is most likely to delegate to AI: the high-level structural questions about who the regulation addresses, which form the foundation of everything that follows. A fabricated category-level stakeholder map is not a one-off error — it is a founding assumption error that propagates through obligations registers, gap analyses, partner diligence questionnaires, and the internal audit evidence pack.

The CPMI's J1 (global/international) jurisdiction level means implementation is being cascaded through national regulators in multiple markets, which compounds the risk: a Compliance team operating across regions may be relying on an AI-generated stakeholder map that is wrong in every jurisdiction simultaneously.

What your team should do

The default position for any AI-assisted work on CPMI's API harmonisation recommendations should be: treat stakeholder scoping and obligations mapping as primary source work only. The specific failure pattern here — where an AI hedges at the detailed level but then commits to confident structural assertions — is difficult to catch without the primary document in hand. For this regulation, "I can't do a per-recommendation breakdown" followed by confident category-level assignments is not a bounded, reliable answer; it is fabrication wearing the clothes of epistemic humility.

Any Compliance output that relies on AI to determine which recommendations apply to your firm's category of participant must be checked against the primary CPMI text before it progresses past first draft.

In practice, there are areas where AI assistance remains safe for this regulation. Drafting commentary on the general cross-border payments policy context, summarising publicly available CPMI communications about implementation timelines, or drafting stakeholder outreach letters that don't make specific legal obligations claims are all lower-risk uses. AI is also reasonably reliable for formatting and structuring an obligations register once a Compliance analyst has independently determined the correct scope — the risk is in using AI to determine the scope itself.

Training materials that accurately represent the CPMI's broad-stakeholder intent without making specific obligation assignments are another safe use, provided a qualified reviewer signs off before distribution.

The operational safeguard that matters most here is the intake control: every AI-assisted first draft on this regulation should include an explicit flag that stakeholder assignments have not been verified against primary source. That flag should be a mandatory field in whatever workflow your team uses to move a document from AI draft to review-ready — not a note the analyst can choose to add if they remember.

If your firm is using AI to pre-populate partner due diligence questionnaires or obligations matrices for this regulation, those outputs should be treated as requiring fresh verification at each new jurisdictional implementation of the CPMI recommendations, since national-level cascades will modify who carries which obligation locally.

How RLB Can Help

RegLeg's published Hallucination Research gives Compliance teams at Software & SaaS firms a practical pre-flight check before placing weight on AI-generated output in regulatory work. The research surfaces the specific failure modes — confident misstatement of legislative text, stale citation of superseded guidance, jurisdiction-blending — that are most likely to arise when AI tools are applied to compliance questions. Reviewing the relevant findings before deploying AI assistance on a regulatory task is a low-cost step that can materially reduce the risk of acting on flawed output.

For teams that need to go further, RLB offers bespoke regulator deep-dives scoped to the Software & SaaS compliance function. These engagements map the AI-supported workflows your team already relies on — licence condition monitoring, cross-border data-transfer assessments, regulatory change tracking, response drafting — against RegLeg's failure-mode catalogue to identify where hallucination exposure is highest and what mitigating controls are most effective in practice. The output is a prioritised, function-specific risk picture rather than a generic technology assessment.

RLB also conducts confidential reviews of a firm's existing AI-use policy, benchmarking it against documented failure patterns and returning a structured remediation list ordered by materiality so the Compliance team can address gaps in a sequence that reflects actual regulatory risk.

Where teams want to build durable internal capability, RLB can develop training material and CPD-aligned content tailored to a Software & SaaS compliance audience. That content covers how to read and apply hallucination research findings, how to structure human-review checkpoints around AI-assisted regulatory workflows, and how to document AI reliance in a way that satisfies regulator expectations around accountability and audit trail. The aim throughout is collaborative: RLB works alongside your team to embed practical safeguards rather than deliver a report that sits on a shelf.