Executive Summary
Compliance teams at Retail Banking firms operating across international jurisdictions routinely reference the CPMI-IOSCO Cyber Resilience Guidance when mapping third-party FMI connectivity obligations, benchmarking internal cyber frameworks against international standards, and responding to cross-border supervisory requests.
Across the two questions tested on this regulation, AI assistants returned confident, unqualified answers on a point of immediate regulatory significance — whether the 2016 Guidance remains the operative international standard — and both were wrong in the same direction: each stated the document had not been revised or superseded, when CPMI-IOSCO had in fact published a consultative revision document for public comment on 6 May 2026. Both failures are Contradictory findings, directly contradicted by a BIS press release issued 22 days before the AI responses were recorded.
For a Compliance function that relies on AI-assisted horizon-scanning or regulatory-currency checks, this failure pattern means that internal assessments, senior management briefings, or supervisory responses built on those AI answers would carry a materially incorrect statement of the standard's current status.
How AI gets this regulation wrong
Every failure recorded on this regulation belongs to a single mode: AI assistants presenting outdated information as current fact, without qualification or caveat. The table below shows how that failure manifested — AI tools asserting the 2016 Guidance remains unrevised and operative, directly contradicting a published CPMI-IOSCO consultative document that placed the standard under active revision.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Outdated | 1 | Finding#1 |
What that means for your team
Because both failures concern regulatory currency — whether a named international standard is still live and operative — the downstream risk lands squarely in regulatory enforcement exposure. The table below maps where in the Compliance workflow that exposure crystallises for a Retail Banking firm relying on these AI outputs.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 1 | Finding#1 |
When this affects your department
Compliance teams at Retail Banking firms engage with the CPMI-IOSCO Cyber Resilience Guidance most intensively at the intersection of FMI connectivity and cross-border supervisory obligations — when mapping the firm's dependency on payment systems, CCPs, or securities settlement infrastructure; when benchmarking the firm's own cyber controls against the international standard during DORA implementation, local cyber frameworks, or group-level policy refresh; and when preparing regulatory responses or supervisory submissions where a host or home regulator asks the firm to characterise its alignment with international FMI cyber standards.
The question of whether the Guidance is still operative, or whether a revision is in train, is not abstract in that context — it determines whether the firm's compliance gap analysis is framed against a living standard or a document that regulators are actively rewriting.
The practical hazard is that a junior compliance analyst or a business-line partner drafting a Board-level cyber risk report or a supervisory self-assessment will ask an AI assistant to confirm the current status of the CPMI-IOSCO framework, receive a confident and unqualified assertion that the 2016 document remains the operative standard, and include that statement in formal documentation without a secondary check.
For a Retail Banking firm whose supervisors — whether the PRA, ECB, MAS, HKMA, or FINMA — are themselves engaged in the CPMI-IOSCO consultation process, filing a submission that treats a standard under active revision as settled and unchanged is a credibility and accuracy problem, not a minor drafting slip.
The timing dimension compounds the risk. The consultative revision document was published on 6 May 2026. The AI failures recorded here occurred within weeks of that publication. Any Compliance team relying on AI for regulatory horizon-scanning — rather than direct monitoring of BIS/CPMI-IOSCO press releases — would have missed this development entirely, and their forward-looking work programme (policy refresh timelines, gap assessments, supervisory engagement calendars) would have been built on a false baseline.
The findings at a glance
Both findings recorded on this regulation concern the same factual question about regulatory currency, with each AI assistant returning the same incorrect answer — a pattern that underscores the systemic nature of the failure rather than an isolated response anomaly. The table below summarises each finding and its classification.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | 2016 Guidance currency: revision status misstated | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022 |
Aggregate impact
The two findings here are not independent errors — they are the same error produced by two different AI tools responding to variants of the same question. Both AI assistants stated that the 2016 CPMI-IOSCO Cyber Resilience Guidance had not been revised or superseded, when a CPMI-IOSCO consultative revision document had been publicly released 22 days earlier. Neither response included any temporal caveat, any acknowledgment that the document's status could have changed, or any prompt to verify against BIS primary sources.
Both are classified Contradictory: the AI's assertion is directly refuted by a BIS press release that was publicly available at the time of the response.
The significance for Compliance teams is that this failure is structurally invisible in normal AI use patterns. A Compliance officer asking about an international standard's current status expects — and receives — a definitive-sounding answer. The AI's confident framing ("remains the operative primary international standard — it has not been formally revised or replaced") gives no signal that the answer might be stale. There is no hedge, no "as of my training data," no pointer to the CPMI-IOSCO website. A team that treats that response as a research endpoint, rather than a starting prompt, will not catch the error.
For a Retail Banking firm in an international jurisdiction, the aggregate impact concentrates in two places: first, any internal compliance mapping or gap analysis framed against the 2016 Guidance as a fixed baseline, when the forthcoming revision may shift the standard materially; second, any supervisory interaction where the firm's characterisation of the international cyber framework's current state is tested against what the regulator — who is actively engaged in the consultation — knows to be true.
The reputational cost of appearing to have missed a significant regulatory development that was prominently announced by the BIS is disproportionate to the ease with which a direct source check would have caught it.
What your team should do
The default position for a Compliance team using AI tools on the CPMI-IOSCO Cyber Resilience Guidance should be: AI is useful for navigating the content of the 2016 document, explaining its five risk management categories (governance, identification, protection, detection, and response and recovery) and its three overarching components (testing, situational awareness, and learning and evolving), and working through the detailed expectations under each of them, but it is not a reliable source for questions about the document's current regulatory status or any post-publication developments.
That distinction matters because the question that generated both failures here is precisely the kind of status-check question that a junior analyst would treat as a quick lookup rather than a research task requiring primary source verification.
The practical safeguard is straightforward: any time a Compliance workflow requires a statement about whether an international standard is current, operative, or under revision — in a board pack, a supervisory submission, a policy sign-off memo, or a gap analysis preamble — that statement must be verified directly against the relevant standard-setter's website. For CPMI-IOSCO, that means the BIS publications page, not an AI assistant's summary. The BIS press release announcing the May 2026 consultative document is publicly available and would have been found in under two minutes.
The AI tools tested did not find it, despite being configured for web search.
Where AI tools remain genuinely useful in this workflow: drafting commentary on the substance of the existing 2016 Guidance (its scope, its expectations on recovery time objectives, its treatment of cyber incident reporting to authorities), generating first-pass training materials on the Guidance's five risk management categories and three overarching components, or helping the team structure a gap analysis template against the Guidance's framework. These tasks draw on stable document content that the AI handles well.
The failure mode documented here is specific to regulatory-currency questions — whether the document has moved — and those questions should always be resolved by direct source check, with AI output treated as background context at most.
How RLB Can Help
RegLeg's published Hallucination Research functions as a pre-flight check for Compliance teams that are already using AI tools on regulatory questions — not a theoretical caution, but a documented record of where AI assistants have produced confident, wrong answers on the exact categories of rules your team works with daily: consumer protection obligations, cross-border disclosure requirements, AML/CFT thresholds, and prudential reporting standards.
Before your team relies on AI output to inform a regulatory position, an enforcement response, or a policy gap assessment, the research lets you see what failure patterns have already been observed on comparable regulatory material — so you know which outputs warrant independent verification and which carry lower risk.
For firms where AI-supported workflows are already embedded in the Compliance function — regulatory horizon scanning, policy-to-rule mapping, RFI drafting, training gap analysis — RegLeg can run a bespoke regulator deep-dive scoped specifically to your jurisdiction set and product lines. That work maps your highest-exposure workflows against the failure modes we've catalogued: not generic risk categories, but the specific question types and regulatory domains where AI assistants have demonstrably and repeatedly miscalibrated. The output gives your team a prioritised view of where human review is non-negotiable and where AI-assisted drafting carries manageable residual risk.
If your firm has an existing AI-use policy covering the Compliance function, RegLeg can review it confidentially against our failure-mode catalogue and return a prioritised remediation list — gaps in scope, untested assumptions about AI accuracy on regulatory content, and disclosure or escalation triggers that are absent or underspecified.
We can also develop training material and CPD-aligned content your team can use internally: scenario-based, grounded in real failure examples from the research, and calibrated for practitioners who don't need the 101 but do need documented evidence to support governance conversations with the board, internal audit, or regulators asking how AI risk is being managed in the Compliance function.