Executive Summary
This cell covers how AI tools perform when Compliance teams at investment banking firms in international jurisdictions query them on the CPMI-IOSCO 2026 consultation on updated guidance and public disclosures for initial margin — a document that carries direct downstream implications for how CCPs governed by the framework design and communicate their override frameworks, and how dealer firms assess, document, and respond to those disclosures.
Across the single aggregated question tested in this cell, AI tools produced a material misstatement of regulatory obligation strength: upgrading "should" to "must," converting a consultative expectation into a binding requirement that does not exist on the face of the text. The failure mode is not one of ignorance — the AI engaged fluently with the content — but of overconfident assertion, collapsing the consultative register of the document into a hard-obligation framing that a Compliance team relying on it would carry forward unchallenged.
When the AI was subsequently pressed, it walked back its answer, confirming it had fabricated the certainty, not just the detail.
How AI gets this regulation wrong
The failure pattern on this regulation centres on AI tools misrepresenting the binding character of regulatory language — asserting mandatory obligations where the source document uses expectation-level language, and adding specific disclosure elements that are not present in the underlying text. The table below maps the failure mode to the question and the downstream risk it creates for Compliance.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding #1 |
What that means for your team
For Compliance at an investment bank, the dominant risk from AI failures on this regulation is producing the wrong deliverable — a policy assessment, a regulatory gap analysis, or a CCP due-diligence memo that encodes an incorrect obligation standard and circulates internally or to a regulator before the error is caught. The table below maps each finding to the risk impact category most likely to crystallise in the Compliance function's workflow on this text.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding #1 |
When this affects your department
Investment banks in scope for the initial margin framework routinely use their Compliance function to track CPMI-IOSCO consultative developments and translate evolving guidance into internal policy positions, regulatory horizon scanning reports, and input to the broader IM governance programme.
When a new consultation lands — particularly one touching CCP disclosure standards for override frameworks — Compliance teams at dealer firms have legitimate reasons to query it: understanding what CCPs will soon be expected to disclose informs how those firms evaluate CCP practices in their counterparty risk reviews, respond to changes in posted margin mechanics, and draft or update internal policies on acceptable override-framework transparency. AI tools are an increasingly common first-pass tool for exactly this kind of regulatory-language translation exercise.
The specific risk here sits at the intersection of modal language and enforcement posture. The CPMI-IOSCO consultation uses "should" deliberately — it is a consultative document; obligations have not crystallised. A Compliance team that instructs AI to summarise what CCPs "must" disclose, or accepts an AI response that asserts "must" framing unprompted, embeds that mischaracterisation into any memo, horizon-scanning note, or gap analysis it produces.
That output then travels: to the trading desk as regulatory context for IM negotiations, to Legal for product structuring input, to senior management as a regulatory update, or to the bank's own regulators as part of a supervisory submission on the firm's CCP exposure assessment. Each downstream use amplifies the damage of an incorrectly escalated obligation standard.
The second layer of risk is the fabrication of specific disclosure elements. If a Compliance analyst believes — on the basis of an AI response — that the consultation mandates disclosure of "instances warranted, key decision-makers, and permissible adjustments," they will measure CCP disclosure practices against a checklist that does not exist in the source document. A CCP that does not disclose those elements is not non-compliant with the consultation text; but the bank's internal assessment may flag it as deficient, creating a false remediation dialogue with the CCP or a mis-scoped escalation to the bank's own board-level risk committee.
The findings at a glance
The table below summarises the single finding covered in this cell — the question asked, the AI's failure, and the risk it creates for Compliance at an investment banking firm.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | CCP override framework disclosure — 'must' vs 'should' misstatement | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-INITIAL-MARGIN-DISCLOSURE-CONSULT-2026-Q005 |
Aggregate impact
The finding in this cell is representative of a specific failure pattern that poses particular danger on consultation documents: AI tools conflate the strength of language in a consultative text with that of a final standard, generating "must" assertions from "should" language and adding specificity — explicit lists of disclosure elements — that is not present in the source. This is not random error; it reflects a tendency to produce answers that sound authoritative and complete, which is precisely what makes them hazardous in a Compliance workflow where confidence in the source material is the baseline assumption.
For investment banks with significant CCP exposure across international jurisdictions — clearing through LCH, Eurex, CME, ASX, or JSCC — the practical consequence is that Compliance functions may benchmark CCP override-framework disclosures against a fabricated checklist, creating phantom gaps that drive spurious remediation activity or mis-scoped escalations to CCP relationship managers. More acutely, if the incorrect "must" framing enters a regulatory submission or a formal counterparty assessment, the bank has asserted a legal standard that the regulator did not impose, which creates its own supervisory risk: regulators do not expect firms to misread their consultation language in either direction.
The systemic risk across a Compliance function is compounding: the same AI tool used for horizon scanning will be used for policy drafting and for responding to regulator queries. A "must" misstatement seeded at the horizon-scanning stage persists through each downstream use unless Compliance has a systematic primary-source verification gate — not a spot-check, but a structural workflow control that requires AI-assisted regulatory language to be reconciled against the original text before it enters any formal deliverable.
What your team should do
The default position for Compliance when using AI tools on consultative CPMI-IOSCO documents should be explicit source-modal reconciliation: whenever AI produces a regulatory obligation statement, the team must confirm whether the source document uses "must," "shall," "should," or "may" — and treat any AI response that upgrades the modal as unreliable until verified against the primary text. On a consultation specifically, the working assumption should be that no obligation is binding until a final standard is published; AI tools have a demonstrable tendency to resolve consultative ambiguity into false certainty.
Where AI tools are safe on this regulation: summarising the structural topics the consultation addresses (what categories of disclosure the document discusses, how the override-framework concept fits within the broader margin model governance framework), generating initial question lists for CCP due-diligence conversations, and mapping the consultation's scope to the firm's existing IM policy framework. These uses keep AI in a generative-but-unverified role, which is appropriate — the risk only materialises when AI output is treated as an accurate characterisation of what the regulation requires rather than a starting point for primary-source review.
For Compliance teams that produce written deliverables on this regulation — regulatory gap analyses, CCP assessment reports, senior management horizon-scanning — the practical safeguard is a pre-publication gate: all AI-assisted regulatory language characterisations (particularly obligation-strength statements and specific requirement lists) must be traced to a specific clause in the primary BIS document before the deliverable is finalised.
Given the AI behaviour surfaced in this cell — confident assertion followed by retraction when challenged — junior analysts should be explicitly instructed not to accept AI answers on obligation strength at face value, and to challenge the AI's source before writing the output into any formal document.
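The source-modal reconciliation and pre-publication gate described above, sketched as an added Python example (not RegLeg's tooling and not part of the original report). The function names, the strength ranking and the sample sentences are assumptions constructed for illustration; the sample sentences are not quotations from the consultation.

```python
import re

# Obligation strength, weakest to strongest; "shall" and "must" both bind.
STRENGTH = {"may": 1, "should": 2, "shall": 3, "must": 3}
MODAL_RE = re.compile(r"\b(may|should|shall|must)\b", re.IGNORECASE)


def strongest_modal(text):
    """Return (modal, strength) for the strongest modal verb in text, or (None, 0)."""
    found = [m.lower() for m in MODAL_RE.findall(text)]
    if not found:
        return None, 0
    best = max(found, key=STRENGTH.get)
    return best, STRENGTH[best]


def gate(ai_statement, source_clause, claimed_elements=()):
    """Pre-publication gate for one AI-assisted obligation statement.

    source_clause is the primary-text passage an analyst traced the statement
    to (None if untraced). Returns a list of blocking findings; empty = pass.
    """
    if not source_clause:
        return ["untraced: no primary-source clause cited"]
    findings = []
    ai_modal, ai_rank = strongest_modal(ai_statement)
    src_modal, src_rank = strongest_modal(source_clause)
    if ai_rank > src_rank:
        findings.append(f"modal upgrade: source '{src_modal}' -> AI '{ai_modal}'")
    src_lower = source_clause.lower()
    for element in claimed_elements:
        # Simple substring check: flags list items absent from the cited clause.
        if element.lower() not in src_lower:
            findings.append(f"element not in cited clause: {element}")
    return findings


# Constructed sample inputs; NOT quotations from the consultation.
SOURCE = "A CCP should disclose its framework for overriding model margin."
AI_OUT = "CCPs must disclose the override framework, including key decision-makers."

if __name__ == "__main__":
    for finding in gate(AI_OUT, SOURCE, ["key decision-makers"]):
        print("BLOCK:", finding)
```

An empty result only means the statement's modal and listed elements are consistent with the cited clause; the analyst still has to confirm that the clause was copied from the primary document.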
How RLB Can Help
RegLeg's published Hallucination Research gives Compliance teams at investment banks a practical pre-flight check before acting on AI-generated regulatory output. Because the research spans regulators across multiple jurisdictions and documents the specific failure modes that occur when AI tools engage with financial services rules, Compliance staff can consult the findings as an independent reference — confirming where AI-assisted research is reliable, and flagging the regulatory domains where confident-sounding output has most frequently proved incorrect.
For firms that want to go further, RegLeg offers bespoke regulator deep-dives scoped to the workflows your Compliance function actually relies on. This means mapping which AI-supported activities — regulatory horizon scanning, policy gap analysis, transaction monitoring guidance, or senior manager accountability queries — carry the highest hallucination exposure in your specific operating environment, and prioritising attention accordingly. Where an investment bank is subject to a regulator whose track record in the published research gives cause for caution, that context is built into the engagement from the outset.
RegLeg also works with Compliance teams on a confidential review of existing AI-use policies, assessing them against a structured failure-mode catalogue drawn from the research. The output is a prioritised remediation plan that identifies gaps in current oversight controls and suggests practical adjustments — including escalation triggers, secondary-verification requirements, and human sign-off thresholds suited to a regulated institution. Firms that have completed the review have used the findings directly as the basis for CPD-aligned internal training, giving Compliance staff the working knowledge they need to apply appropriate scepticism to AI tools without abandoning the efficiency gains they provide.