Executive Summary
The Principles for Financial Market Infrastructures (PFMI), published by the Bank for International Settlements through the Committee on Payments and Market Infrastructures (CPMI), set the international baseline for how payment institutions and other financial market infrastructures must manage operational, legal, and systemic risk. For Technology & Data teams at Payment Institutions firms operating in international jurisdictions, PFMI compliance is not background knowledge — it shapes infrastructure design decisions, vendor oversight obligations, and the firm's engagement with supervisory bodies across multiple regulatory regimes.
In the testing documented here, AI assistants produced at least one confirmed hallucination when queried on specific PFMI provisions, and when directly challenged, the AI acknowledged it had been working from incomplete or incorrect recall. Even a single confidently-stated but wrong answer about a PFMI annex or related assessment methodology document is consequential when it feeds into internal policy drafts, regulatory gap analyses, or supplier risk frameworks.
How AI gets this regulation wrong
The table below shows how AI assistants go wrong when answering questions about the PFMI. The dominant pattern in this regulation is confident misidentification: the AI asserts specific details about named documents or annexes that turn out to be incorrect, and only acknowledges the error if pressed — leaving teams who accept the first answer with a false picture of what the regulation says and what guidance materials exist.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding #1 |
What that means for your team
The table below maps the AI failures documented here to the practical risk categories they create for Technology & Data teams at Payment Institutions firms. When AI tools mischaracterise PFMI documents and their relationship to oversight obligations, the most direct exposure is regulatory: firms may design or document controls against the wrong standard, and supervisors applying the actual PFMI framework will find gaps.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 1 | Finding #1 |
When this affects your department
Technology & Data teams at Payment Institutions firms in international jurisdictions routinely need to map their infrastructure and vendor arrangements against the PFMI. This arises during system design reviews, when onboarding or re-tendering critical technology service providers, when preparing materials for supervisory dialogue, or when a business line needs to understand what PFMI oversight expectations mean in practice for a new product or service.
In all of these situations, the team may turn to AI tools to quickly locate what a specific PFMI annex or related CPMI-IOSCO document says — particularly when the underlying PDF is dense and the relevant passage is hard to locate quickly.
The danger is that the PFMI is supported by a set of numbered CPMI and CPMI-IOSCO publications that form an interconnected framework: annexes, assessment methodologies, disclosure frameworks, and guidance documents each play distinct roles. An AI assistant that confidently misidentifies which numbered document addresses which topic — for example, attributing the content of the assessment methodology for critical service provider oversight to the wrong document — can cause a team to anchor its analysis on a source that simply does not say what the AI claims.
The error may not surface until the document is retrieved and read in full, by which point it may already have shaped internal decisions.
If the team's gap analysis, vendor oversight policy, or regulatory submission carries this error forward, the firm faces real exposure. Supervisors assessing PFMI compliance — whether through self-assessment, peer review, or formal examination — will apply the actual framework, not the AI's version of it. A misalignment between what the firm believes its obligations are and what the regulation actually requires can result in findings, required remediation, and in serious cases, formal supervisory action. For payment institutions operating under multiple international supervisors, any such finding can propagate across jurisdictions.
The findings at a glance
The table below summarises the findings from AI testing on PFMI questions relevant to Technology & Data teams at Payment Institutions firms — showing for each question what the AI got wrong and what kind of failure it represents.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Misidentification of CPMI document on critical service provider oversight | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q011 |
Aggregate impact
The finding documented here clusters on a specific vulnerability: the relationship between the core PFMI text and the supporting library of numbered CPMI and CPMI-IOSCO documents that elaborate its requirements. The AI assistant tested did not simply omit information — it filled in a confident-sounding but incorrect answer about what a specific numbered document covers, effectively substituting fabricated document-identity information for the real one.
This is a particularly hazardous error pattern because the AI's response has the surface form of a precise, citable answer, which is exactly what a Technology & Data team is looking for when it needs to know which document governs a particular area.
For Technology & Data teams at Payment Institutions firms, the risk is compounded by the structure of PFMI oversight. The framework's critical service provider provisions — including the expectations elaborated in the PFMI annexes and the associated assessment methodology — are directly relevant to how firms manage third-party technology risk and justify those arrangements to supervisors. If the team's understanding of which document says what is wrong, its entire framework for scoping and documenting oversight of critical technology vendors can be built on a false premise.
The underlying substantive obligations remain, and supervisors will assess against them regardless of what the firm believed it was complying with.
Across international jurisdictions, this risk is not merely theoretical. Payment institutions subject to PFMI-aligned oversight by multiple authorities — whether central banks, securities regulators, or combined supervisory bodies — cannot rely on AI-assisted regulatory mapping as a substitute for retrieving and reading the source documents. The AI's failure mode here, where it acknowledged uncertainty only when challenged, means teams that accept first answers without verification are most exposed.
What your team should do
The default position for Technology & Data teams at Payment Institutions firms should be to treat AI-generated answers about specific PFMI documents — especially numbered CPMI or CPMI-IOSCO publications, their titles, scope, and relationship to the core PFMI — as unverified starting points only. The BIS publishes its full CPMI document library at bis.org, with each publication assigned a document number. Before using any AI-provided characterisation of what a numbered document covers, the team should retrieve the actual document and confirm the title, publication date, and scope independently.
This is a low-cost verification step that eliminates the class of error observed here.
AI tools remain useful in the PFMI context for tasks that do not depend on precise document identification: drafting background summaries of broad PFMI principles for internal training, generating initial checklists of areas the regulation covers, or helping structure a gap analysis template that a qualified team member will then populate from primary sources. These are areas where an error is quickly visible and correctable before it has downstream effect.
The riskier uses — mapping specific annex provisions to internal controls, identifying which CPMI guidance document applies to a particular vendor oversight scenario, or characterising the relationship between different parts of the PFMI framework — require direct engagement with the source documents.
Where AI assistance is used to support regulatory submissions, supervisor-facing materials, or board-level risk reports touching on PFMI compliance, the team should establish a review step at which a qualified team member confirms the regulatory references against the primary sources before sign-off. This is not a counsel of perfection — it reflects the straightforward lesson from the failure documented here: AI assistants can misidentify the content of specific regulatory documents while sounding entirely authoritative, and the error only surfaces if someone checks.
How RLB Can Help
RegLeg's published Hallucination Research gives Technology & Data teams at payment institutions a practical pre-flight check before placing reliance on AI-assisted output for regulatory questions. The research maps the specific ways AI tools misstate regulatory obligations — citing superseded rules, conflating jurisdictions, or fabricating supervisory guidance — so that teams can calibrate their review processes and governance controls accordingly, rather than discovering failure modes after a compliance decision has already been made.
Where a firm's Technology & Data function is deploying or evaluating AI tools to support activities such as data governance, cyber resilience reporting, change management, or third-party technology due diligence, RLB can undertake bespoke regulator deep-dives that identify which of those workflows carry the highest hallucination exposure. That work produces a prioritised map of risk points specific to the payment institution context — informing both the firm's AI-use controls and its engagement with regulators on technology risk.
RLB also works with Technology & Data teams on a confidential review of their existing AI-use policies, assessing them against RegLeg's failure-mode catalogue and producing a structured, prioritised remediation plan. Alongside that, RLB can develop training materials and CPD-aligned content that the team can use internally — equipping engineers, data leads, and compliance-facing technologists with a shared working understanding of where AI tools are reliable, where they are not, and how to document that judgement in a way that stands up to regulatory scrutiny.