Executive Summary
The Principles for Financial Market Infrastructures (PFMI), issued by the Bank for International Settlements' Committee on Payments and Market Infrastructures (CPMI) jointly with IOSCO, sets the international standards governing financial market infrastructures — including payment systems, central securities depositories, securities settlement systems, and central counterparties — to which statutory boards and agencies in international jurisdictions are often directly subject or responsible for overseeing. Compliance teams at these organisations routinely consult AI tools to navigate the PFMI's technical annexes, assessment methodologies, and cross-referenced guidance documents. Across three aggregated findings, AI tools failed on every question tested against this regulation.
The failures took two distinct shapes: in one case an AI tool confidently misidentified a foundational CPMI document — misstating which publication addressed oversight of critical service providers — and then, when pressed, conceded it had been relying on incomplete recall; in two further cases, AI tools with web search enabled were still unable to retrieve verbatim content from key PFMI-related PDFs, including a Level 3 assessment published in November 2025 and the IOSCO co-published version of the disclosure framework. Every failure carried the same downstream risk: a compliance team acting on an AI-generated answer would produce a wrong deliverable.
How AI gets this regulation wrong
AI tools struggle with the PFMI framework in two distinct ways: they sometimes invent or misattribute document content with apparent confidence, only retreating when directly challenged, and they frequently cannot retrieve the actual text of CPMI-IOSCO publications even when internet search is available. The table below shows how these patterns break down across the findings tested against this regulation — covering everything from misidentified source documents to wholesale inability to access current assessment methodology PDFs.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Blind Spot | 2 | Finding#2 · Finding#3 |
| Exposed Fabrication | 1 | Finding#1 |
What that means for your team
For compliance teams at statutory boards and agencies, every finding in this cell carries the same category of consequence: a wrong deliverable — an internal memo, a gap analysis, a policy position, or a regulatory submission built on information the AI got wrong. The table below maps each finding to the downstream work-product risk it creates for a compliance function operating under, or responsible for administering, the PFMI framework.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 3 | Finding#1 · Finding#2 · Finding#3 |
When this affects your department
Compliance teams at statutory boards and agencies engage with the PFMI across a wide range of practical tasks. They map the 24 Principles against their organisation's own rules and operational arrangements, draft internal policies on topics such as liquid net asset requirements and critical service provider oversight, and produce gap analyses when CPMI-IOSCO issues updated assessment methodologies or Level 3 thematic reviews. They also support business lines and operational teams in understanding how a regulatory interpretation applies to a planned change — a new settlement arrangement, a change in third-party service provider, or a shift in risk management practice.
In international jurisdictions, where a statutory board or agency may itself be a designated financial market infrastructure or a body charged with supervising one, the accuracy of compliance advice carries direct regulatory weight.
When a compliance team turns to AI tools for research support on the PFMI, the questions they ask are precisely the kind that produced failures in our findings: what does a particular annex or supplementary methodology document say, how does a CPMI publication relate to the core Principles text, and what are the specific findings of a recent CPMI-IOSCO thematic assessment. If the AI's answer is wrong — whether because it misidentifies a source document or because it cannot access the relevant PDF — the error propagates into the team's work product.
A policy paper citing the wrong CPMI document, or a gap analysis that omits findings from the most recent Level 3 assessment because the AI could not retrieve them, creates a compliance position that does not reflect what the regulator has actually published.
The consequences for the firm are material. A statutory board or agency that submits a regulatory return, responds to a supervisory enquiry, or publishes a compliance disclosure based on inaccurate PFMI guidance faces the risk of supervisory challenge from CPMI-IOSCO assessment bodies and from domestic regulators who apply the Principles. Remediation — correcting a filed position, reopening a completed gap analysis, or retraining staff — is costly and reputationally damaging for organisations whose role is itself to uphold regulatory standards.
The findings at a glance
The table below summarises each finding tested against the PFMI for this audience, covering the question area, what the AI produced, and the resulting risk category.
Aggregate impact
All three findings in this cell sit in the same risk category — wrong deliverable — but they arrive there by different routes. The first finding shows AI tools making a confident factual error about the PFMI's supporting document architecture: an AI tool misidentified which CPMI publication addresses oversight expectations applicable to critical service providers, assigning a document number to the wrong report. The error only surfaced when the AI was directly challenged, at which point it acknowledged uncertainty it should have flagged at the outset.
This pattern — confident assertion followed by retreat — is particularly hazardous because it means a compliance team that does not challenge the AI's initial answer receives a plausible but wrong citation, and one that does challenge it may still leave the conversation without a reliable answer.
The second and third findings reveal a different structural problem: even with web search enabled, AI tools were unable to access the verbatim content of key PFMI-related PDFs. This affected both a recent CPMI-IOSCO Level 3 assessment (published November 2025, examining FMI compliance with the six-month liquid net assets standard) and the IOSCO co-published version of the PFMI disclosure framework and assessment methodology.
In both cases the AI tools correctly declined to fabricate verbatim text — a commendable caution — but the practical result for a compliance team is the same as if the AI had refused entirely: no usable content from documents that are central to PFMI compliance work.
The clustering of failures across document-specific questions is significant. The PFMI framework is not a single text — it is a core Principles document supported by a layered architecture of assessment methodologies, thematic reviews, annexes, and co-published IOSCO versions, each carrying its own authority and its own citation requirements in compliance work. AI tools appear to have reliable knowledge of the framework's broad structure and headline principles, but fail systematically when compliance teams need to go one level deeper: which specific document says what, and what does the verbatim text actually provide.
For statutory boards and agencies whose compliance obligations are calibrated to that level of detail, this is precisely where AI assistance breaks down.
What your team should do
The default position for compliance teams at statutory boards and agencies should be straightforward: do not use AI-generated responses as the primary source for any work product that cites, quotes, or relies on a specific CPMI or IOSCO publication. This includes assessments against the PFMI's annexes and supplementary methodologies, gap analyses referencing Level 3 thematic reviews, and policy documents that turn on the precise content of the disclosure framework. The PFMI document architecture is detailed and version-sensitive, and AI tools have demonstrated that they can misattribute documents within it even while sounding authoritative.
Practical safeguards for compliance workflows on this regulation should include, at minimum, direct verification of every document reference an AI tool produces. When an AI tool names a CPMI publication number in connection with a particular topic, verify that number independently against the BIS publication list at bis.org before using it. When an AI tool summarises a thematic assessment or Level 3 review, locate the source PDF and confirm the summary against the actual text — particularly for quantitative thresholds, defined terms, and cross-references, which are the elements most likely to have been garbled or omitted.
For documents published after mid-2025, assume that AI tools — including those with web search — may not be able to retrieve verbatim content, and go directly to the regulator's portal.
AI tools can legitimately support PFMI compliance work at a higher level of abstraction: explaining the general structure of the 24 Principles, describing the relationship between CPMI and IOSCO's joint governance of the framework, identifying which Principles are likely relevant to a given operational question, or drafting first-pass outlines for internal training materials on topics where the compliance team will apply its own expert review before use. The boundary to maintain is between using AI as a starting-point orienter and using it as a document source. On the PFMI, where regulatory exposure turns on precise document text, that boundary matters.
How RLB Can Help
RegLeg's published Hallucination Research gives Compliance teams at Statutory Boards and Agencies a practical pre-flight check before placing weight on AI-assisted output for regulatory questions. Because the research is openly available, it can be incorporated into existing review workflows without additional licensing or procurement — teams can consult the relevant failure-mode findings at the point where AI tools are being used to interpret obligations, draft submissions, or assess enforcement exposure, and adjust their reliance accordingly.
Where published research is not granular enough for a specific operating context, RLB offers bespoke regulator deep-dives tailored to the Compliance function's actual workflow. These engagements map the AI-supported tasks that carry the highest hallucination exposure for a Statutory Board or Agency — typically areas such as multi-jurisdictional obligation mapping, condition-of-licence interpretation, and regulatory correspondence drafting — and produce a prioritised picture of where human verification effort should be concentrated.
RLB also conducts confidential reviews of a firm's existing AI-use policy against RegLeg's failure-mode catalogue, identifying gaps and producing a prioritised remediation roadmap that the Compliance team can action within its normal governance cycle.
To support capability building within the team, RLB develops training material and CPD-aligned content that Compliance staff can use internally. This content is designed to be delivered by the team's own leads rather than requiring ongoing external facilitation, and is calibrated to the regulatory environment and AI tools already in use at the firm. The aim is to leave the Compliance function better equipped to make its own informed judgements about AI reliability — not dependent on external sign-off each time a new workflow is introduced.