Executive Summary
Technology & Data teams at Software & SaaS firms operating across international jurisdictions use the CPMI API harmonisation recommendations and toolkit to scope API design requirements, evaluate cross-border payment infrastructure choices, and advise product and engineering on where ISO 20022-aligned interfaces create regulatory expectations. On both of the two questions put to AI assistants on this regulation, the answers were hallucinations: not ambiguous answers, but confidently wrong ones that fabricated toolkit structure and misstated publication dates of updated regulatory documents.
The failures cluster on the parts of the regulation that matter most to a technical implementation team: what the self-assessment toolkit actually covers, and what the February 2026 ISO 20022 data requirements update changed relative to its predecessor. In both cases, AI tools either invented detailed structures that have no basis in any accessible source, or cited third-party aggregator dates in place of the primary BIS publication record — and retracted their errors only when pressed.
How AI gets this regulation wrong
The failures AI assistants produced on this regulation split across two patterns: inventing detailed regulatory content that cannot be verified anywhere in public sources, and citing incorrect versioning information sourced from third-party aggregators rather than the primary BIS record. Both failure types share a common structure — the AI presents invented or misattributed content with the fluency and specificity that makes it look like authoritative regulatory knowledge, then partially walks it back only when challenged directly.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding #1 |
| Misstated Rule | 1 | Finding #2 |
What that means for your team
Both findings in this cell carry the same operational risk for a Technology & Data team: a wrong deliverable lands in an internal or external work-product before anyone checks the source. Whether that deliverable is a readiness assessment structured around a fabricated toolkit, or a technical briefing citing an incorrect document version, the downstream exposure is the same — rework, credibility loss, and in partner-facing or regulator-facing contexts, potential liability.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 2 | Finding #1 · Finding #2 |
When this affects your department
A Technology & Data team at a Software & SaaS firm touches this regulation most heavily in three moments: evaluating whether their payment API design aligns with CPMI harmonisation expectations (particularly for clients operating in jurisdictions that have adopted or are adopting the recommendations), preparing technical input for product launches that sit in cross-border payment flows, and responding to enterprise clients or financial institution partners who ask whether the firm's API stack conforms to the harmonised standard.
In each of these moments, the team is likely to reach for AI tools to get a fast read on what the regulation actually requires — especially for the self-assessment toolkit, which is the operationally actionable part of the publication.
The damage from a wrong AI answer varies by context. In an internal readiness review, a technology architect who builds a gap analysis around a fabricated four-area toolkit structure will produce a document that confidently maps the firm's API capabilities against assessment criteria that do not exist — and that document will circulate through product, legal, and potentially into partner due diligence packs before anyone pulls the primary source.
In a versioning context, a technical briefing that describes the February 2026 ISO 20022 data requirements update using an incorrect publication date and fabricated technical annex breakdowns will be wrong in ways that matter: ISO 20022 migration timelines, annex-referenced data entity obligations, and the scope of "updated" versus "new" requirements all depend on accurate version attribution.
For a SaaS firm whose product is infrastructure or tooling for payment operators, both failure modes carry partner and commercial risk beyond internal rework. If the firm's API harmonisation positioning — in sales materials, partner onboarding documentation, or RFP responses — is built on AI-generated content that mischaracterises what the toolkit covers or what the 2026 update changed, a sophisticated counterparty will catch it. That catch will surface in a technical review or procurement process, not in a quiet internal correction.
The findings at a glance
The two findings below cover the questions most likely to reach a Technology & Data team's desk when scoping API harmonisation compliance — what the self-assessment toolkit actually contains, and what the 2026 ISO 20022 data requirements update changed.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Fabricated CPMI API self-assessment toolkit structure | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q005 |
| 2 | Misstated ISO 20022 update version and fabricated annex content | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009 |
Aggregate impact
Both findings hit the same part of the Technology & Data workflow: implementation scoping. The self-assessment toolkit question and the ISO 20022 update delta question are not general interest queries — they are the specific technical inputs a team needs before it can scope engineering work, write a gap analysis, or commit to a roadmap item. AI failures at exactly this point are operationally expensive because the output of these queries feeds directly into deliverables that have internal sign-off chains and external visibility.
The failure pattern on the toolkit question is particularly instructive. The AI did not hedge — it produced a named four-area structure with labelled assessment dimensions and a six-step usage process, citing "public summaries" that do not exist. When challenged, it acknowledged uncertainty without withdrawing the structure. This is the failure mode that propagates furthest: a junior team member running a readiness exercise builds around the AI's framework, produces a formatted deliverable, and that deliverable gets reviewed by people who also have not read the primary BIS document.
The error compounds because the AI's output looks exactly like what a real toolkit description would look like.
The versioning failure on the ISO 20022 update is a different risk vector — not fabricated structure but misattributed provenance. The AI cited a third-party aggregator publication date (April 2026) over the correct BIS record (February 2026) and simultaneously fabricated specific data entity breakdowns for the technical annex. For a Technology & Data team tracking ISO 20022 migration obligations, publication date matters: it anchors when the "updated" requirements became operative, which affects implementation timelines and the scope of any transitional provisions.
Getting this wrong in a technical briefing to engineering or product means the team is working to the wrong version of the obligation.
What your team should do
The default position for this regulation is: treat AI output on the toolkit and on the ISO 20022 data requirements update as a starting point for a primary-source lookup, not as a source in its own right. The BIS publication page for this regulation is the only place the toolkit contents and the February 2026 update's scope are authoritatively described.
AI tools have demonstrated they will fill the gap with plausible-looking fabricated content when the primary document is inaccessible or not in their training data — and they will do so with enough structural specificity that the output passes casual review.
For the toolkit specifically: before any readiness exercise is scoped, verify that whoever is running it has read the actual toolkit document, not an AI summary of it. If the primary PDF is inaccessible via the BIS portal, escalate the access question before building a gap analysis. Any readiness framework that does not trace back to the toolkit's actual assessment dimensions is a liability in a partner review or an internal audit.
The same applies to the ISO 20022 update: version attribution in technical documentation should always cite the BIS primary record with the February 2026 date — not a third-party article, not an AI summary.
Where AI tools remain useful in this workflow: regulatory landscape orientation (which jurisdictions have adopted or signalled adoption of CPMI recommendations), summarising the high-level recommendation structure from the report's executive summary (which is publicly accessible), and drafting internal communications that explain the regulation's purpose to non-technical stakeholders. These uses do not depend on accurate reproduction of toolkit content or annex-level data entity breakdowns, so the failure modes documented here do not apply. The line to hold is: AI for orientation and drafting, primary source for anything that will drive an engineering decision or appear in an external-facing document.
How RLB Can Help
RegLeg's published Hallucination Research gives Technology & Data teams a concrete pre-flight check before embedding AI tools into any regulatory workflow — compliance monitoring, data localisation mapping, cross-border licensing scoping, or vendor-contract review. The findings are already public: run the relevant regulation through the research before your engineers build a dependency on AI output that will be wrong in specific, documented ways. That is not a process overhead; it is the same due-diligence step you would apply to any third-party data feed before wiring it into production logic.
For teams that need more than the published set, RegLeg conducts bespoke regulator deep-dives scoped to the actual AI-assisted workflows your Technology & Data function runs — not a generic risk register. That means mapping which points in your SaaS delivery pipeline, data-residency compliance cycle, or API-governance programme carry the highest hallucination exposure for the specific regulators you operate under. The output is a prioritised, workflow-level breakdown your architects and compliance engineers can act on directly, without translation through a generalist legal layer.
Where a firm already has an AI-use policy in place, RegLeg can run a confidential review against our failure-mode catalogue — identifying the gaps between what the policy assumes AI tools can reliably do and what the research shows they actually get wrong under regulatory questioning. That review feeds into remediation guidance ranked by operational exposure, and can be packaged as CPD-aligned training material your Technology & Data team can use internally — something that holds up to scrutiny from both the engineering org and whatever regulatory-affairs or legal function has sign-off on your AI governance stack.