AI Hallucination ResearchAudiencesSectorsInternational / MultilateralRetail BankingTechnology DataDetail › Finding
Retail Banking × Technology Data — International / Multilateral · updated 2026-06-04
Share / Print Twitter LinkedIn Email

Finding#2 — Incident response detail — 2016 scope overclaimed

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
AI's failure:Exposed Fabrication Risk for Retail Banking × Technology Data:Wrong deliverable
What the RLB Specialist Panel found
Question (paraphrased to protect IP)

Does the CPMI-IOSCO 2016 Cyber Guidance itself specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed in later publications?

RLB's analysis

The model affirmed that the 2016 guidance contains detailed operational response-and-recovery practices, collapsing a four-year gap in the regulatory timeline. The operational specificity the model described is more characteristic of the 2020 FSB publication than of the 2016 text, which addresses the same themes at a higher level of abstraction. The model appears to have drawn on its knowledge of the post-2016 ecosystem to populate what it believed the original document contained. - Regulator portal (if any cited link is dud): https://www.bis.org

AI Head's analysis — what weakness in the AI model caused this

This finding points to a gap in the model's ability to distinguish the level of operational detail characteristic of a 2016 principles-based guidance document versus a 2020 operational-practices publication. The model populated the 2016 document's supposed content with material more consistent with the later FSB guidance, suggesting that its internal representation of the 2016 document is contaminated by subsequent regulatory outputs on the same topic. Synthetic training pairs that contrast high-level principles text with operational-detail text from a later document — with correct attribution — could help calibrate this boundary.

Impact for Technology & Data Teams in Retail Banking Sector in international jurisdictions working with the Guidance on Cyber Resilience for Financial Market Infrastructures

A Technology & Data team scoping the firm's cyber incident response and recovery obligations against CPMI-IOSCO standards may ask AI tools whether the 2016 guidance provides detailed operational requirements or whether a later document is needed. AI tools tested on this question answered that the 2016 guidance itself provides detailed expectations — including specific recovery time objectives and secondary-site requirements — without acknowledging that the FSB's 2020 Effective Practices document is where that operational detail actually sits.

A gap analysis or remediation programme built on this AI answer will be scoped to the wrong document, potentially missing obligations that only appear in the 2020 FSB guidance, and producing a deliverable that mis-identifies where the firm stands against the correct standard. Rework costs and the risk of a delayed or deficient regulatory submission are the direct consequences.

References — raw findings (per AI model)
This finding also affects
← Previous finding Finding#1 — NIST CSF alignment — unverified reference asserted
Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
Plain text Download 
RegLeg Specialist Panel (2026). "Finding#2 — Incident response detail — 2016 scope overclaimed — Retail Banking × Technology Data — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-06-04. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/retail_banking/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
APA 7th edition Download 
RegLeg Specialist Panel. (2026). Finding#2 — Incident response detail — 2016 scope overclaimed [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/retail_banking/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
Bluebook / OSCOLA (US + UK legal) Download 
RegLeg Specialist Panel, Finding#2 — Incident response detail — 2016 scope overclaimed [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (June 04, 2026), https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/retail_banking/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.
BibTeX Download 
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
  author    = {RegLeg Specialist Panel},
  title     = {Finding#2 — Incident response detail — 2016 scope overclaimed},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
  url       = {https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-iosco-cyber-resilience-fmi-2016/sectors/retail_banking/technology_data/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}
← Back to case study summary Case study detail →
About Citation IDs →