Executive Summary
Technology & Data teams at Payment Institutions firms operating under international jurisdictions use the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures, published in June 2016 by the Committee on Payments and Market Infrastructures and IOSCO and available from the Bank for International Settlements, as the authoritative international framework for FMI cyber resilience requirements. Across three aggregated questions put to AI assistants on this regulation, every question produced a hallucination: the AI tools either invented confident answers they could not substantiate when challenged, or presented materially out-of-date information as if it were current.
The failures clustered around two distinct problems: AI tools fabricated affirmative claims about the guidance's relationship to the NIST Cybersecurity Framework and about the level of operational detail it contains, and AI tools failed to account for the active revision of the 2016 guidance signalled by a CPMI-IOSCO consultative document published in May 2026. For a Technology & Data team using AI to inform regulatory mapping, gap assessments, or internal standards work, these errors carry direct risk of misinforming compliance decisions at a time when the underlying standard itself is in flux.
How AI gets this regulation wrong
AI assistants we tested on this regulation made two distinct types of errors: confidently asserting facts that cannot be verified from the guidance's text — and then backing away when pressed — and presenting the 2016 guidance as current and unrevised when it is in fact under active international revision as of May 2026. Both failure modes are likely to surface in exactly the kinds of foundational questions Technology & Data teams ask before committing to a compliance programme design, making them particularly consequential. The table below maps these failure patterns to the specific questions where AI tools went wrong.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 2 | Finding#1 · Finding#2 |
| Outdated | 1 | Finding#3 |
What that means for your team
The errors identified in this regulation translate most directly into regulatory enforcement risk — where a Payment Institutions firm acts on AI-generated characterisations of its obligations under an international standard that turns out to be either misstated or superseded — and into wrong-deliverable risk, where internal outputs built on AI responses misrepresent what the guidance actually requires at the operational level. Both risk categories are acute for Technology & Data teams whose work products inform board reporting, supervisory submissions, and control design. The table below shows how these risk categories distribute across the findings for this regulation.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 2 | Finding#1 · Finding#3 |
| Wrong deliverable | 1 | Finding#2 |
When this affects your department
Technology & Data teams at Payment Institutions firms regularly turn to AI assistants for rapid orientation when working on cyber resilience compliance. Common use cases include mapping internal technology controls against international standards, drafting or reviewing cyber resilience policies and procedures, scoping assessments for new payment infrastructure or third-party technology arrangements, and briefing non-technical stakeholders on what international guidance requires. When those questions touch the CPMI-IOSCO Cyber Resilience Guidance, the risk of acting on a flawed AI answer is acute: the team's outputs typically feed directly into internal governance documents, regulatory returns, and supplier due-diligence frameworks.
The framework-alignment question — how the 2016 guidance relates to widely used standards such as the NIST Cybersecurity Framework — is precisely the kind of context a Technology & Data team needs when producing a regulatory mapping or gap analysis. If the AI asserts a normative alignment that cannot be verified in the actual text, that assertion can propagate into internal policy documents, board-level reporting, or external assessments, creating a false impression of framework coverage that regulators or auditors may later challenge.
Similarly, if the team relies on AI to characterise the 2016 guidance as providing detailed operational incident-response requirements, they may fail to identify that a later FSB document, the 2020 Effective Practices for Cyber Incident Response and Recovery, fills the operational gap, leaving their incident response planning short of what regulators would expect when comparing across the international standards landscape.
The status-of-the-guidance question carries particular urgency as of May 2026. CPMI-IOSCO has published a consultative document signalling active revision of the 2016 standard, and AI tools we tested failed to reflect this, stating the guidance remains unrevised and operative. A Technology & Data team that accepts this answer risks designing or certifying a compliance programme against requirements that are mid-revision, missing the opportunity to engage with the consultation or to alert business leadership that the regulatory baseline is shifting.
For Payment Institutions firms subject to oversight by CPMI-IOSCO member regulators, these are not hypothetical risks — they are the kinds of gaps that surface in supervisory reviews and prudential assessments.
The findings at a glance
The three findings below capture the specific questions on the CPMI-IOSCO Cyber Resilience Guidance where AI assistants produced inaccurate or misleading answers, along with the nature and risk category of each error.
Aggregate impact
All three findings in this cell are hallucinations: there are no blind spots, only cases where AI assistants answered incorrectly. Two of the three cluster on a single conceptual pair: the relationship between the 2016 guidance and the NIST Cybersecurity Framework, and the level of operational detail the guidance itself contains. AI tools consistently treated structural similarity as confirmed cross-reference, asserting that the guidance explicitly cites or normatively adopts NIST CSF when the actual text does not confirm this.
That the guidance's five risk management categories (governance, identification, protection, detection, and response and recovery) parallel the five functions of NIST CSF 1.1 (Identify, Protect, Detect, Respond, Recover) is real, and NIST CSF 2.0, released in February 2024, adds a sixth Govern function that makes the structural parallel even closer. That this parallel reflects a formally documented relationship is not established by the guidance text. For a Technology & Data team using this AI output to justify a framework-mapping decision, the distinction is material: regulators assess what documents actually require, not what they structurally resemble.
The third finding reveals a different but equally serious pattern: AI tools presented the 2016 guidance as current and unrevised at a time when it is demonstrably under active revision. Both AI tools tested told users that the guidance "has not been formally revised or superseded", a statement that was materially incorrect as of 6 May 2026, when CPMI-IOSCO published a consultative document proposing updated guidance for public comment. The tools' web searches did not capture this very recent development.
For a Payment Institutions firm with obligations under international cyber resilience standards, operating on a regulatory baseline that is mid-revision without knowing it creates both compliance and strategic risk, particularly if the firm has ongoing supervisory dialogue in which awareness of regulatory developments is implicitly expected.
Taken together, the findings show that AI errors on this regulation are not random: they concentrate on two questions that any competent Technology & Data function is likely to encounter when scoping a compliance programme — "how does this guidance relate to other frameworks we use?" and "is this guidance still the operative standard?" Both are foundational orientation questions asked before downstream work begins.
The systemic risk is that the errors most likely to do lasting damage are embedded at the start of the compliance workflow, propagating into policies, mappings, and governance documents before anyone thinks to verify the AI's assumptions.
What your team should do
The default position for Technology & Data teams at Payment Institutions firms should be to treat AI-generated answers about the CPMI-IOSCO Cyber Resilience Guidance as drafts requiring primary-source verification before any internal or external use. This is particularly important for any claim about what the guidance explicitly states, cites, or requires — as distinct from AI-assisted summarisation of content the team has already confirmed against the source.
The BIS website (https://www.bis.org) and the IOSCO website (https://www.iosco.org) are the authoritative sources for the current text and for any revision or consultation documents; checking them directly takes minutes and eliminates the category of error seen in the findings in this cell.
For framework mapping and gap assessments, teams should pull and compare the actual CPMI-IOSCO guidance text against the relevant NIST CSF, ISO/IEC 27001, or COBIT documentation directly, rather than relying on AI to characterise the relationship between them. Where AI is used to accelerate this work — for example, to generate a first-pass mapping table — the output should be reviewed against both source documents before it enters any deliverable. Internal policy documents and board-level reporting that characterise the regulatory framework should carry a citation to the primary text, not to an AI summary.
For incident response planning specifically, teams should also review the FSB's 2020 Effective Practices for Cyber Incident Response and Recovery alongside the 2016 CPMI-IOSCO guidance, since the two documents together define the operational expectations that international supervisors apply.
Given that CPMI-IOSCO published a consultative document in May 2026 placing the 2016 guidance under active revision, Technology & Data teams should add a regulatory-monitoring step to their compliance calendar: check the BIS website for the finalised updated guidance and assess how changes affect existing internal standards, controls, and certifications. AI assistants can be useful for drafting commentary or comparing provisions once a human has located and confirmed that consultation documents exist and what they contain — but they should not be the first or only source for determining whether a regulatory standard remains in force.
Building a short manual check into every AI-assisted regulatory query ("when was this guidance last updated, and is it currently under consultation?") is the most efficient safeguard against the class of outdated-information errors seen in this cell.
How RLB Can Help
RegLeg's published Hallucination Research gives Technology & Data teams at payment institutions a practical pre-flight check before placing reliance on AI-assisted output for regulatory questions. The research maps the specific ways AI tools misstate regulatory obligations — citing superseded rules, conflating jurisdictions, or fabricating supervisory guidance — so that teams can calibrate their review processes and governance controls accordingly, rather than discovering failure modes after a compliance decision has already been made.
Where a firm's Technology & Data function is deploying or evaluating AI tools to support activities such as data governance, cyber resilience reporting, change management, or third-party technology due diligence, RLB can undertake bespoke regulator deep-dives that identify which of those workflows carry the highest hallucination exposure. That work produces a prioritised map of risk points specific to the payment institution context — informing both the firm's AI-use controls and its engagement with regulators on technology risk.
RLB also works with Technology & Data teams on a confidential review of their existing AI-use policies, assessing them against RegLeg's failure-mode catalogue and producing a structured, prioritised remediation plan. Alongside that, RLB can develop training materials and CPD-aligned content that the team can use internally — equipping engineers, data leads, and compliance-facing technologists with a shared working understanding of where AI tools are reliable, where they are not, and how to document that judgement in a way that stands up to regulatory scrutiny.