Executive Summary
The CPMI-IOSCO 2026 consultation on updated guidance and public disclosures for initial margin introduces specific expectations around how CCPs communicate their margin model override frameworks to the market — a disclosure regime with direct implications for how Risk teams at investment banks assess counterparty transparency, model governance alignment, and CCP dependency risk. We tested AI assistants on the precise disclosure obligations this consultation introduces and found failures on 1 of the questions posed.
The failure centred on modal strength: the AI upgraded a regulatory expectation framed as "should" into a mandatory obligation ("must"), and added specific disclosure sub-elements not present in the consultation text. For Risk teams relying on AI to understand exactly what CCPs are required versus recommended to disclose, this distinction is operationally material — it directly shapes how firms assess CCP compliance, draft internal policy, and challenge counterparties in due diligence.
How AI gets this regulation wrong
On this consultation, the dominant AI failure pattern is confident misstatement of regulatory obligation strength — specifically, hardening conditional guidance into absolute requirements and importing specific sub-elements that the consultation does not actually enumerate. The table below maps how this plays out: an AI that sounds authoritative on the disclosure framework but has quietly rewritten what the regulator actually said.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#1 |
What that means for your team
For Risk teams at investment banks, the practical consequence of these failures clusters squarely around wrong deliverables — analysis, policy text, or counterparty assessments built on an AI-generated account of what CCPs are obligated to disclose that does not match what the consultation actually says. The table below maps the risk impact dimension: where in the Risk workflow a flawed AI answer would most likely embed itself and what the firm stands to lose when it does.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects your department
Risk teams at investment banks engage with the CPMI-IOSCO initial margin consultation at several distinct points in the regulatory change cycle. The most immediate touchpoint is CCP due diligence and counterparty risk review: as the consultation signals where disclosure requirements are heading, Risk teams need to assess whether existing CCP relationships will satisfy incoming transparency norms and whether current disclosure documentation from clearing counterparties is adequate.
Separately, teams drafting or updating internal margin governance policy — whether for cleared or uncleared exposures — will reference this consultation to understand the regulator's expectations on override frameworks, since that feeds directly into the firm's own model governance standards and its challenge posture when reviewing CCP margin model changes.
A second high-frequency use case is regulatory mapping for new product or clearing venue launches. When a business line proposes moving volume to a new CCP or instrument, Risk is expected to map applicable regulatory requirements rapidly. AI tools get used here under time pressure precisely because the consultation text is dense and the team needs a fast read of what the regime expects.
If the AI conflates a recommended disclosure standard with a mandatory one, Risk may overstate the compliance baseline it expects from the CCP — or, conversely, include obligations in an internal policy memo that the regulator never actually imposed, creating a phantom compliance gap that triggers unnecessary escalation.
The firm-level stakes are concrete. Mischaracterising "should" as "must" in a CCP assessment memo means the firm is assessing counterparty risk against a bar that doesn't exist in the text, potentially flagging compliant CCPs as deficient or structuring internal governance frameworks around invented requirements. When those assessments feed into credit risk limits, collateral management policy, or board-level risk appetite submissions, the error propagates. Equally, if the firm's internal audit or a regulator subsequently reviews the policy rationale and finds it cites obligations that aren't in the source document, that is a governance failure — not just a research error.
The findings at a glance
The table below summarises the finding identified in this cell — the specific question posed, what the AI said, and why it failed.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | CCP override framework disclosure — 'should' vs 'must' | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-INITIAL-MARGIN-DISCLOSURE-CONSULT-2026-Q005 |
Aggregate impact
The single finding in this cell is representative of a failure mode that is particularly dangerous in consultation-stage documents: the AI hardened discretionary language into mandatory obligation. The CPMI-IOSCO consultation uses "should" — a well-understood term of art in BIS guidance signalling a strong expectation that is not yet legally binding — but the AI rendered this as "must", a word that carries mandatory force. It then added three specific sub-elements to the disclosure requirement that are not in the consultation text.
When challenged on the discrepancy, the AI acknowledged it was not certain of the source — the hallmark of a confident fabrication that only reveals itself under pressure.
For a Risk team, this is structurally worse than an AI that hedges from the outset. An AI that states "must" unequivocally invites the reader to treat the output as authoritative. The error is therefore most likely to embed itself in exactly the work products where the team trusted the output most: a policy position paper, a CCP assessment framework, or a regulatory mapping note circulated to a business line without independent verification of the modal distinction.
The systemic risk to the firm sits at the intersection of counterparty risk and governance integrity. In an international investment banking context, where the firm may be assessing CCPs across multiple jurisdictions against this consultation's disclosure expectations, a "should" vs "must" error applied uniformly could mean the firm's entire CCP framework misstates the compliance standard — a problem that becomes acute once the consultation finalises into binding guidance and the firm's existing positions are stress-tested against the actual regime.
What your team should do
The default position for Risk teams using AI on this consultation should be: treat any AI output on disclosure obligations as a first-pass summary to be verified against the source document, not a citable position. The specific failure here — upgrading "should" to "must" and adding non-existent sub-elements — is not detectable without going back to the consultation text itself. That means any work product that cites this consultation's disclosure requirements needs a human read of the relevant section before it leaves the team.
The practical safeguard is a verification step proportional to downstream use. For a quick internal briefing note, a senior team member spot-checking the modal language ("should" vs "must") against the BIS source is sufficient. For anything that feeds into policy, board papers, CCP framework documentation, or regulatory correspondence, treat the consultation text as the primary source and use AI only for orientation, not drafting.
Pay particular attention to any AI output that enumerates specific sub-elements of a requirement — if the AI lists three or four specific disclosure components and the source uses general language, the specifics are almost certainly inferred rather than sourced.
AI tools are genuinely useful for this regulation on tasks that don't depend on precise obligation framing: building a reading list of related CPMI-IOSCO publications, summarising the broader context of the initial margin reform sequence, or identifying which sections of the consultation are most relevant to a specific CCP relationship.
Where AI is unsafe is in any task that requires the team to be right about exactly what the regulator requires — and on a consultation document where the distinction between expectation and requirement is itself one of the contested questions, that means the AI should not be trusted for the substantive legal-obligations analysis.
How RLB Can Help
RegLeg's published Hallucination Research gives your team a concrete pre-flight reference before placing weight on AI output for regulatory questions. If your desk is using AI tools to interpret capital requirements, margin rules, or cross-border reporting obligations — particularly across multi-jurisdictional frameworks where text is dense and footnote-driven — the research tells you, at the finding level, exactly where those tools have already failed on the same material. That is a faster and more defensible starting point than internal red-teaming from scratch.
Beyond the public findings, we run regulator deep-dives scoped specifically to Investment Banking risk workflows: counterparty credit exposure calculations, SA-CCR / IMM model governance documentation, large-exposure limit interpretation, and derivatives reporting across EMIR, CFTC, and MAS-equivalent regimes. The output is a mapped exposure register — which AI-supported steps in your risk workflow carry material hallucination risk, ranked by consequence if the error reaches a regulatory submission or an internal limit breach. We prioritise by the workflows your team actually runs, not a generic taxonomy.
For firms that already have AI-use policies in place, we will review the policy against our full failure-mode catalogue and return a prioritised remediation list — gaps in the policy's scope, failure categories it does not address, and where current controls would not catch the class of error we have documented. We also produce CPD-aligned training material your team can run internally: scenario-based, grounded in real documented failures, and calibrated for Risk professionals who do not need the basics explained to them.