Retail Banking × Technology & Data — International / Multilateral · updated 2026-06-04 · methodology v2.3

AI on the Guidance on Cyber Resilience for Financial Market Infrastructures: findings for Technology & Data teams at Retail Banking firms in international jurisdictions

Executive Summary

Technology & Data teams at Retail Banking firms operating across international jurisdictions routinely look to the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (2016) when benchmarking their own cyber programmes against the standards applied to the market infrastructure — clearing houses, payment systems, and settlement facilities — on which their operations depend. Across three aggregated questions put to AI tools on this regulation, AI assistants produced incorrect answers in every case.

The failures share a common pattern: AI confidently asserted facts about the document's content and cross-references that could not be verified from the text itself, and when pressed, acknowledged the uncertainty it had originally concealed. Two of the three findings carry direct regulatory enforcement risk; the third risks directing teams toward a deliverable that misrepresents the level of operational detail the 2016 guidance actually provides.

How AI gets this regulation wrong

Across the findings on this regulation, AI tools repeatedly converted genuine uncertainty into confident assertions — stating as fact things that the underlying document either does not say or does not say with the specificity claimed. In each case, when the AI's answer was tested further, it conceded it had been overstating its confidence, demonstrating that the initial response had masked a knowledge gap rather than resolved one.

AI's Failure Mode    | Count | Affected findings
Exposed Fabrication  | 2     | Finding #1 · Finding #2

What that means for your team

For Technology & Data teams at Retail Banking firms, the risk categories that emerge from these findings fall into two distinct buckets: regulatory exposure from relying on mischaracterised cross-references in compliance mapping work, and wasted effort from commissioning or circulating deliverables built on a false picture of how detailed the 2016 guidance actually is. The table below breaks down which findings carry which category of risk for this audience.

Risk Impact             | Count | Affected findings
Regulatory enforcement  | 1     | Finding #1
Wrong deliverable       | 1     | Finding #2

When this affects your department

Technology & Data teams at international Retail Banking firms encounter the CPMI-IOSCO Cyber Resilience Guidance most often when they need to understand the cyber expectations their financial market infrastructure (FMI) counterparties — central counterparties, payment systems, and settlement utilities — are operating under, and to assess whether their own connectivity and dependency arrangements meet comparable standards.

This arises during supplier due-diligence reviews of FMI relationships, during regulatory mapping exercises that align the bank's internal cyber framework with the frameworks its critical third parties are expected to follow, and when drafting internal policy papers that assert equivalence between the bank's controls and internationally recognised guidance. Teams also consult this document when preparing for multi-jurisdictional regulatory engagement, because the guidance is a J1-level BIS/CPMI publication that several national regulators reference or incorporate by cross-reference.

If AI tools produce inaccurate answers about this regulation in those contexts, the downstream consequences can be significant. A compliance mapping document that incorrectly characterises the CPMI-IOSCO guidance as explicitly endorsing the NIST Cybersecurity Framework — when that link is unconfirmed — may mislead internal stakeholders about the prescriptive force of an alignment the bank claims to maintain, and expose it to challenge from a regulator or external auditor who has read the source text.

Similarly, a scoping document that describes the 2016 guidance as providing detailed operational expectations for incident response and recovery — when the operational detail was only added in a later FSB publication — will produce a misaligned gap analysis, directing remediation effort at a gap that does not exist in the 2016 document or, equally damaging, failing to identify that a separate 2020 document sets the bar the bank should actually be assessing against.

The findings at a glance

The table below summarises each finding — the question area, the nature of the AI error, and the risk category it carries for Technology & Data teams at Retail Banking firms.

# | Finding title                                        | Type          | Citation ID
1 | NIST CSF alignment — unverified reference asserted   | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
2 | Incident response detail — 2016 scope overclaimed    | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019

Aggregate impact

The three findings on this regulation cluster around a single underlying dynamic: AI tools fill gaps in their knowledge of the CPMI-IOSCO 2016 guidance by drawing on structurally similar material — the NIST Cybersecurity Framework, the FSB's later cyber incident guidance — and presenting that borrowed content as if it were directly stated in the 2016 document.

Two of the findings concern the same question (whether the guidance explicitly references NIST), and two different AI tools produced the same category of error independently, which indicates this is not an idiosyncratic model failure but a systematic tendency when the underlying source text is ambiguous or the question touches a cross-reference that AI tools would expect to be present.

For Technology & Data teams at Retail Banking firms, the practical significance is that all three errors are of the type that would pass an informal plausibility check. A bank's cyber framework referencing NIST CSF, and NIST CSF being structurally similar to the CPMI-IOSCO guidance categories, makes an explicit alignment claim feel reasonable — which is precisely why the AI's confident assertion is dangerous.

Equally, it is entirely plausible that a 2016 guidance document on cyber resilience would address incident response and recovery in detail, so a claim that it does will not prompt scepticism unless the reviewer independently knows that the FSB only added that layer in 2020.

The aggregate risk for the firm is therefore concentrated in the credibility of its compliance mapping and gap-analysis work. Documents that cite AI-generated characterisations of this regulation, without verification against the source text, will embed errors that could surface during a regulatory review, a third-party audit, or an internal challenge from a risk function that has reviewed the primary source independently.

What your team should do

The default position for Technology & Data teams should be that AI tools are not reliable for establishing what a specific regulatory document does or does not reference. The CPMI-IOSCO 2016 Cyber Resilience Guidance is a short, principles-based document, and the questions most likely to arise from it — which external frameworks it endorses, how much operational detail it provides, how it relates to subsequent FSB publications — are precisely the questions where AI answers tend to overstate the document's prescriptive specificity.

Any compliance mapping claim that rests on what this document references, or what level of detail it reaches, should be verified against the BIS-published source text directly before the claim enters an internal policy paper, a board-level risk report, or an external submission.

AI tools are, however, reasonably well suited to the preparatory and structural work around this regulation: summarising its five guidance categories at a high level, identifying the relevant CPMI-IOSCO publication history, or explaining why FMI cyber resilience standards are relevant to a retail bank's third-party risk programme. They are also useful for drafting internal training materials that explain the regulation's purpose and scope, provided those materials are reviewed by someone who has read the source text and are not used as a substitute for it.

The practical safeguard is a two-step rule: use AI to generate a working draft or a list of questions to verify, then cross-check any specific factual claim — particularly any claim about cross-references to NIST, ISO, FSB, or other external standards, and any claim about the operational depth of specific sections — against the BIS source document before the claim is relied upon.

For questions about what the FSB's 2020 Cyber Incident Response and Recovery guidance adds beyond the 2016 CPMI-IOSCO document, treat those as two distinct documents requiring separate verification, since AI tools have shown a tendency to conflate their content.

How RLB Can Help

RegLeg's published Hallucination Research gives Technology & Data teams at retail banking firms a ready-made pre-flight check before relying on AI-generated output for regulatory questions. The research catalogues, by regulation, the specific failure modes AI tools have exhibited — including where they have misread rule text, fabricated cross-references, or confidently stated requirements that do not exist — so your team can calibrate which query types warrant human review rather than discovering the gaps in production.

Beyond the public research, RegLeg offers bespoke regulator deep-dives scoped to the Technology & Data function specifically. These map the AI-supported workflows your team is most likely running — from data governance gap assessments to regulatory change screening and systems-documentation review — against the hallucination exposure patterns observed for the regulators and regulations that govern your firm. The output is a prioritised exposure register your team can use when setting AI-use guardrails or briefing risk and compliance stakeholders.

For firms that already have an AI-use policy in place, RegLeg can conduct a confidential review of that policy against its accumulated failure-mode catalogue, identifying provisions that may be under-specified for the risks Technology & Data teams actually face and returning a prioritised remediation note. RegLeg also produces training material and CPD-aligned content that Technology & Data professionals can use internally — building working literacy around AI hallucination risk in a regulatory context, without requiring staff to engage with raw research outputs directly.