Practitioners — Lawyers · updated 2026-05-29 · methodology v2.3

AI on Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) for Lawyers in international jurisdictions

This is the consolidated view of findings.

  1. Fabricated NIST framework citation
    FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-008--sonnet-46-websearch

    A Lawyer who relies on this response may advise a client that the CPMI-IOSCO guidance explicitly endorses the NIST Cybersecurity Framework — a claim that cannot be confirmed from the source document and may be entirely fabricated. If the client then structures its compliance program around a claimed CPMI-IOSCO/NIST alignment, and a regulator or counterparty checks the source text, the Lawyer's advice is exposed as unsupported. The additional frameworks named by the AI (COBIT, ISO/IEC 27001) compound the risk: a Lawyer repeating these as confirmed citations has no textual basis for doing so.

  2. Misattributed 'secure the periphery' phrase
    FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014--opus-47-websearch

    The phrase 'secure the periphery, protect the core' originates in a 2018 BIS speech by Benoît Cœuré — not in a CPMI wholesale payments fraud document as the AI stated. A Lawyer attributing the phrase to the wrong CPMI publication in an opinion or regulatory submission introduces a traceable factual error: the two 2018 CPMI documents have different subject matters, and the misattribution is verifiable by any reader who checks. The risk is direct reputational damage if the error is caught by a well-informed regulator or opposing counsel.

  3. Overstated incident response detail
    FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019--sonnet-46-websearch

    The 2016 guidance sets a high-level framework; the operational detail for incident response and recovery was added by FSB guidance published four years later in 2020. If a Lawyer advises a client that the 2016 document provides 'detailed expectations' for incident response — including the specific 2-hour RTO and secondary-site requirements as described by the AI — the client may believe its compliance obligations are exhausted by meeting the 2016 standard, without appreciating that the FSB's 2020 operational guidance introduced additional expectations. The consequence is a compliance gap that the Lawyer's advice failed to surface.

  4. Fabricated FSB Lexicon alignment
    FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020--opus-47-websearch

    A Lawyer advising on definitional alignment between the CPMI-IOSCO guidance and the FSB Cyber Lexicon needs to know that the relationship between the two documents' definitions is uncertain — the Lexicon postdates the guidance by two years and may not match how the 2016 text used key terms. The AI presented the two as 'aligned and broadly consistent', removing the genuine uncertainty that a Lawyer must convey to a client. An opinion that asserts definitional consistency without flagging this caveat misstates the state of the regulatory landscape.

  5. Invented FSB Lexicon derivation claim
    FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-020--sonnet-46-websearch

    Beyond asserting consistency (which is unconfirmed), this AI response went further: it stated that the FSB Cyber Lexicon 'explicitly drew on' the CPMI-IOSCO definition — fabricating a specific derivation relationship. A Lawyer who repeats this claim in an opinion or comparative analysis has no source to cite and will be unable to defend it if challenged. The AI also fabricated the specific text of the 2016 definition itself, meaning a Lawyer quoting that text would be citing language that does not appear in the document.

  6. Outdated: guidance stated unrevised
    FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022--opus-47-websearch

    This is the most immediately consequential error in the cell. A Lawyer who is told that the 2016 guidance 'has not been formally revised or superseded' and advises an FMI client accordingly is giving advice that is factually wrong as of May 2026: CPMI-IOSCO published a consultative revision document for public comment on 6 May 2026. Clients who needed to begin preparing for the forthcoming update — adjusting governance frameworks, engaging in the consultation, or flagging the revision timeline to senior management — will have received advice that understated the urgency and materiality of regulatory change.

  7. Outdated: revision missed by AI
    FINDING-UID:INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022--sonnet-46-websearch

    This finding duplicates the currency error from the parallel AI tool, confirming it is not an isolated failure. Two independent AI assistants both stated that the 2016 guidance is the unrevised operative standard, and both were wrong for the same reason: their training data predated the May 2026 consultative document. A Lawyer using either tool to check the currency of the guidance would receive the same incorrect answer with equal confidence.

    The implication for practice is that no AI tool should be trusted for currency checks on international regulatory standards — only direct source verification on the regulator's website is reliable.
