An AI tool told the Compliance team the 2016 CPMI-IOSCO Cyber Resilience Guidance 'has not been formally revised or superseded' — when CPMI-IOSCO had published a consultative document for updated guidance just 22 days earlier. Any internal policy review, board risk report, or FMI counterparty assessment that relied on this response would proceed on the assumption that the 2016 text is the settled, current standard — not one under active public consultation.
For an investment bank operating across international jurisdictions, this creates direct regulatory enforcement exposure: supervisors who are themselves engaged with the consultation process will expect counterparts to be aware of the revision, and a firm that signals otherwise in regulatory correspondence or due-diligence submissions risks appearing inattentive to a systemic risk category that CPMI-IOSCO has flagged for update.
A second AI tool, tested independently, gave the same incorrect answer: the June 2016 CPMI-IOSCO guidance 'remains the operative primary international standard' and 'has not been formally revised or replaced.' The convergence of two AI tools on the same hallucination compounds the risk for a Compliance team that might treat agreement between tools as validation. Any downstream work product — a regulatory mapping, a supplier risk assessment, an internal training deck — that cites this AI response as authority will embed the same error.
The firm's exposure is not limited to a single document: the 2016 guidance underpins how the bank assesses its FMI counterparties, how it responds to supervisory cyber resilience questionnaires, and how it frames its own cyber risk appetite. Remediation after the error is identified requires re-running each of those processes against the correct regulatory baseline.