Executive Summary
The CPMI-IOSCO Level 3 assessment on general business risk is a procedurally complex publication: a multi-year engagement spanning data collection, follow-up rounds, and a formal findings-sharing phase with participating FMIs before the November 2025 report was released. When Company Secretaries rely on AI tools to characterise the assessment's timeline — for board packs, regulatory engagement summaries, or client advice on how BIS-supervised entities participated — the AI's account of when the assessment ran, and therefore what the findings represent, is demonstrably wrong.
The single finding documented here shows AI tools conflating the data-collection phase of the assessment with the full assessment lifecycle, presenting a truncated timeline as if it were the definitive scope. For a Company Secretary whose deliverable is a board-level or counterparty-facing methodology note, that error is not cosmetic: it misrepresents the procedural basis on which the BIS concluded its findings and introduces factual inaccuracies into governance documentation.
How AI gets this regulation wrong
On this regulation, AI tools failed by presenting outdated or partially correct information as authoritative — specifically, compressing the full assessment timeline into an earlier, narrower window and treating that compression as the definitive characterisation. The failure is especially difficult to catch because the shortened timeline is not invented from nothing: it reflects a real phase of the assessment that secondary commentary had already circulated, and AI tools reproduce that shorthand without surfacing the distinction between the data-collection window and the complete lifecycle.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Outdated | 1 | Finding#1 |
What that means for your practice
For Company Secretaries, the risk here sits entirely in the wrong-deliverable category: work product that is factually incorrect about the procedural and temporal basis of a BIS assessment, delivered with sufficient confidence that it clears an internal review and reaches a board, client, or counterparty. The table below maps that exposure by impact type, showing how a single mistaken timeline claim cascades through governance documentation, client-facing summaries, and any regulatory correspondence where procedural accuracy is not a nicety but a substantive requirement.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects Company Secretaries
Company Secretaries at FMIs, trade repositories, or firms with BIS-supervised counterparties are most likely to encounter this regulation when preparing regulatory engagement summaries, board reports on supervisory activity, or internal briefings ahead of an IMSG engagement or follow-up. A Company Secretary drafting a methodology note on a BIS Level 3 assessment — even a one-pager contextualising the findings for a board risk committee — is doing exactly the kind of task where an AI-assisted first draft looks credible until it doesn't.
The problem sharpens at international firms, where Company Secretaries often serve as the procedural anchor for regulatory correspondence across multiple jurisdictions: they are the ones who check that the dates, scopes, and procedural representations in board papers and counterparty disclosures are accurate. If the AI supplies a compressed or outdated timeline for when the CPMI-IOSCO assessment ran, and that timeline makes its way into a board pack or a regulatory submission without independent verification, the Company Secretary has — inadvertently — certified a factual error about a BIS supervisory process.
The specific risk here is procedural misrepresentation: a document that states the assessment "ran during 2023 to 2024" when the primary publication confirms the lifecycle ran through to April 2025 is not just imprecise — it materially misstates the scope and completeness of the findings. In a regulatory context where the procedural legitimacy of how findings were derived and validated matters (and where FMIs were actively engaged through multiple rounds into 2025), getting that timeline wrong in a client or counterparty-facing document is a substantive error, not a drafting inelegance.
The findings at a glance
The table below summarises the finding documented on this regulation, showing the question area, the nature of the AI's error, and the risk category it creates for Company Secretaries work.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Assessment timeline truncated — 2023-24 stated instead of 2023-25 | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-PFMI-L3-GENERAL-BUSINESS-RISK-2025-Q005 |
Aggregate impact
The single finding on this regulation represents a narrow but high-consequence failure mode: an AI tool presenting a condensed version of a multi-phase supervisory process as if it were the complete one. The error is not a fabrication — the "2023 to 2024" characterisation is traceable to secondary commentary on the data-collection phase — but that provenance makes it more dangerous, not less. It has a surface plausibility that resists casual challenge, and AI tools that self-retract when pressed may not flag the error in a first-draft workflow.
For Company Secretaries the systemic implication is specific: this is a regulation where the procedural history is load-bearing. The CPMI-IOSCO Level 3 methodology requires that findings be shared with, and validated by, participating FMIs before publication. That engagement ran through April 2025. Any document that closes the timeline at 2024 — board pack, methodology note, regulatory letter — implicitly suggests the findings were not subject to that final validation round, which is both factually wrong and potentially misleading about the rigour of the assessment.
In international practice, where Company Secretaries routinely draft governance documents that will be reviewed by multiple competent authorities across jurisdictions, a procedural error of this kind is not easily corrected after the fact. The document has circulated. The timeline has been cited. Reliance on AI-generated first drafts for this class of procedural detail — when the authoritative source is a 2025 primary publication and AI training data skews toward earlier secondary commentary — is a structurally predictable source of exactly this error.
What your team should do
The default position for Company Secretaries using AI on this regulation should be: AI-assisted drafting is acceptable for structural scaffolding and boilerplate framing, but every procedural date, phase reference, or lifecycle characterisation must be verified against the primary BIS publication before the document is finalised. The November 2025 report is the controlling source; secondary summaries and commentary that circulated earlier are unreliable for procedural detail precisely because the assessment's final engagement phase ran into April 2025.
In practice, the safeguard is simple but must be explicit in your team's workflow: any first draft that characterises when this assessment ran, when data was collected, when findings were validated, or how many FMIs participated should carry a verification flag until a team member has checked those specifics against the BIS publication. For junior team members, the risk is that an AI-generated timeline looks authoritative — it cites reasonable dates, uses correct terminology, and reads fluently — without any visible marker that it is wrong.
Build the verification step into your drafting checklist rather than relying on the AI to flag its own limitations.
AI tools are more safely used on this regulation for tasks that do not depend on procedural accuracy: summarising the conceptual framework for Principle 15 general business risk, identifying which categories of FMI are in scope, or drafting the regulatory context section of a board paper using well-established background. The failure mode documented here is specific to timeline and process characterisation — the kind of detail that sits at the top of a methodology note and, if wrong, undermines everything that follows it.
How RLB Can Help
RegLeg's published Hallucination Research gives Company Secretaries a practical pre-flight check before acting on AI-generated answers to regulatory questions. Each research entry documents the specific ways AI tools have misrepresented a regulation — wrong thresholds, fabricated obligations, outdated requirements presented as current — so that a Company Secretary can cross-reference those documented failure modes against any AI output before it reaches a board paper, a filing, or a governance record.
The research is freely accessible and structured around the failure types most relevant to secretarial practice: misstatement of procedural deadlines, incorrect attribution of disclosure obligations, and confusion between jurisdictional variants of the same rule.
For firms where multiple Company Secretaries work across a shared regulatory portfolio, RegLeg offers bespoke regulation deep-dives tailored to the specific instruments in scope. These engagements go beyond the published research to examine the precise provisions your team relies on most heavily, map the failure modes that carry the greatest secretarial risk for your firm, and produce a reference document your team can embed in its own AI-use workflow. The output is designed to be updated as regulations are amended, giving your team a living resource rather than a one-off snapshot.
RegLeg also develops training material and CPD-aligned content that equips Company Secretaries to recognise AI failure modes independently — not just to distrust AI output, but to interrogate it intelligently. Separately, RegLeg can conduct a confidential review of a firm's existing AI-use policy against its failure-mode catalogue, identifying where current controls adequately address known hallucination patterns and where gaps exist. Both services are delivered collaboratively, working alongside your governance and legal teams rather than as an external audit imposed on them.