Executive Summary
Compliance teams at Payment Institutions firms operating internationally engage with PFMI Principle 15 — the general business risk standard — whether their firm is approaching systemic-importance designation thresholds, conducting counterparty due diligence on FMI infrastructure, or preparing submissions to CPMI-IOSCO consultations. AI tools we tested produced hallucinations on all four questions put to them on the November 2025 CPMI-IOSCO Level 3 assessment of Principle 15 general business risk.
Three of the four failures cluster on a single fault line within the rule text: AI models systematically conflated Key Consideration 2 and Key Consideration 3 of Principle 15, either inventing a composite "greater of" dual-track minimum that does not exist in KC3, mislocating the six-month LNAFE floor in the wrong Key Consideration, or flatly denying that KC3 contains the Basel equity carve-out clause — then retracting under challenge. A separate failure produced an incorrect assessment timeline in a regulatory engagement note, placing the assessment's end a year earlier than the published record.
For a Compliance function using AI to brief internal stakeholders, draft policy frameworks, or prepare supervisory submissions that turn on the precise structure of GBR capital standards, these errors would survive multiple internal review cycles without primary-source verification.
How AI gets this regulation wrong
The failures on this regulation fall into two distinct patterns: AI tools invented composite capital tests by merging provisions from separate Key Considerations within Principle 15, presenting the invented tests with confident, technical-sounding language; and separately, delivered stale process facts — the lifecycle end date of the Level 3 assessment — as if they were current and authoritative.
The dominant pattern, covering three of the four findings, involves AI plausibly reconstructing a Principle 15 standard that does not match the rule text: the invented versions are internally coherent and would pass a casual read, which is precisely why they are dangerous in a Compliance drafting context.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 2 | Finding#1 · Finding#2 |
| Outdated | 1 | Finding#3 |
What that means for your team
The dominant exposure for a Compliance team at a Payment Institution is regulatory enforcement risk: internal policies, capital adequacy frameworks, and supervisory submissions that embed a mischaracterised LNAFE standard carry the error through multiple review cycles and into the regulatory record without triggering an obvious flag. A secondary but distinct exposure is producing the wrong deliverable outright — a regulatory engagement note that cites an incorrect assessment timeline creates a credibility problem in direct supervisor contact that no subsequent clarification fully resolves.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 2 | Finding#1 · Finding#2 |
| Wrong deliverable | 1 | Finding#3 |
When this affects your department
Compliance teams at Payment Institutions engage with PFMI Principle 15 GBR standards in several recurring workflows. Firms operating payment systems that approach or cross systemic-importance designation thresholds run internal PFMI-readiness assessments — Compliance drafts the policy mapping, often querying AI to confirm the precise LNAFE floor, the Basel equity carve-out qualifier, and the KC structure before the framework goes to the Board or to a primary supervisor.
Teams supporting product lines that connect to CCPs, CSDs, or major payment systems conduct counterparty due-diligence that requires understanding what GBR capital standard the FMI is held to, so the firm can assess adequacy and document its conclusions. Regulatory consultation responses — to CPMI-IOSCO or to national regulators transposing PFMI-equivalent standards — require accurate statement of the published standard; a Compliance drafter who uses AI to recall the KC3 text risks submitting a response that misquotes the requirement back to the body that wrote it.
The regulatory engagement workflow creates a separate surface: Compliance teams at trade repositories, payment systems, and large payment processors are expected to brief internal stakeholders on the provenance and scope of Level 3 assessments, often pulling together a methodology note as part of preparation for regulator meetings. A note that mistakes the assessment's lifecycle — misreporting when data collection concluded and when findings were shared with FMIs — understates the recency of the conclusions and misrepresents the engagement process CPMI-IOSCO ran before publication.
What is at stake scales with how the error travels. A mischaracterised LNAFE minimum embedded in an internal capital adequacy policy gets reviewed by Internal Audit and risk functions that may not independently verify the PFMI primary text — the error locks in and becomes the firm's documented position. A regulatory submission that restates KC3 incorrectly puts the firm in a position of publicly mischaracterising the standard it is applying, which supervisors typically treat as a governance concern rather than a drafting error. Either path triggers remediation expenditure that dwarfs the cost of primary-source verification at the drafting stage.
The findings at a glance
The four findings below cover the specific questions on PFMI Principle 15 Key Consideration 3 and the November 2025 Level 3 assessment where AI tools broke down — what was asked, what the regulator's text actually says, and what the AI produced instead.
Aggregate impact
Three of the four findings centre on a single structural fault in how AI tools handle PFMI Principle 15: they cannot reliably maintain the boundary between KC2 and KC3. KC2 is where scenario-analysis sizing of potential general business losses sits; KC3 is where the six-month quantitative floor and the Basel equity carve-out qualifier sit.
AI tools merged these into invented composite structures — inserting KC2's scenario-analysis leg into KC3's minimum as a fabricated "greater of" dual-track test, mislocating the six-month floor in KC2 and treating KC3 as only a segregation clause, or denying the Basel carve-out in KC3 entirely and then retracting under challenge. In every case the AI presented its answer in fluent regulatory language that would read as credible to anyone who had not recently reviewed the PFMI primary text. The tell was invisible without a direct comparison to the BIS source.
The fourth finding follows a different path. AI tools drew on secondary coverage of the 2023–24 data-collection phase as if it described the full assessment lifecycle, dropping the subsequent engagement-and-findings phase that ran through April 2025 from their summary. For a Compliance team preparing a methodology note for regulator engagement, this is not a minor factual slip: it misrepresents how CPMI-IOSCO validated findings with FMIs before publication, which is precisely the process a supervisor would scrutinise in any review of the assessment's methodology.
What makes the aggregate picture concerning for Payment Institutions specifically is that Principle 15 GBR compliance questions arise at inflection points — designation thresholds, product launches into FMI infrastructure, consultation deadlines — where Compliance teams are time-pressured and AI's confident output is most attractive as a shortcut. The errors documented here are the ones that survive that pressure and embed into the record.
What your team should do
The default position for Compliance teams on this regulation is direct: do not allow AI output to characterise the structure or content of PFMI Principle 15 obligations in any work-product without cross-checking the BIS primary text. The KC2/KC3 confusion AI tools exhibited is invisible in their output — the answers are confident, technically fluent, and structurally coherent enough to pass internal review. The error surfaces only when someone runs the AI's version against the verbatim PFMI text.
For any deliverable that will reach a board, a primary supervisor, or be embedded in a policy framework, that check is not optional and cannot be delegated to a secondary source.
Where AI is genuinely useful in this space: mapping the landscape of national regulator adoption of PFMI-equivalent GBR standards, drafting the scaffolding of a regulatory mapping template before the Principle 15 detail is filled in from primary sources, or synthesising the public record of FIA/ISDA consultation submissions for competitive intelligence — tasks that do not turn on the precise KC2/KC3 boundary. The KC3 six-month minimum floor, the Basel equity carve-out qualifier ("where relevant and appropriate to avoid duplicate capital requirements"), and the KC structure within Principle 15 are primary-source-only territory.
Any AI summary of these should be treated as a draft to verify, not a conclusion to rely on.
For the assessment-timeline failure, the safeguard is straightforward: the November 2025 CPMI-IOSCO publication carries its own methodology section describing when the assessment ran, how data was collected, and when findings were shared with FMIs. Any Compliance-drafted regulatory engagement document that summarises process facts should be verified against that section directly — not synthesised from AI recall or secondary commentary. The cost of that check is trivially low; the credibility cost of citing an incorrect timeline in a supervisory meeting is not.
How RLB Can Help
RegLeg's published Hallucination Research gives Compliance teams at Payment Institutions firms a practical pre-flight check before placing reliance on AI-assisted output for regulatory questions. Each research entry documents the specific ways AI tools have mis-stated requirements, cited non-existent provisions, or conflated obligations across jurisdictions — giving your team a structured basis for calibrating confidence rather than discovering errors after the fact.
Beyond the published research, RegLeg works with Compliance functions to map which AI-supported workflows carry the highest hallucination exposure for a Payment Institutions firm specifically. Licensing and authorisation timelines, safeguarding and prudential thresholds, cross-border passporting conditions, and AML/CFT obligations each present distinct failure patterns. A bespoke regulator deep-dive surfaces where those patterns are most acute for your operating footprint, so resource and oversight effort is directed where the actual risk sits.
RegLeg can also conduct a confidential review of your firm's existing AI-use policy against our failure-mode catalogue, producing a prioritised remediation plan aligned to the regulatory obligations your Compliance team is already accountable for.
For teams building internal capability, RegLeg develops training material and CPD-aligned content that translates the research into practical guidance — covering how to read AI output critically, what hallucination signals to look for in a regulatory context, and how to document reliance decisions in a way that will withstand supervisory scrutiny. The aim is to leave your Compliance function better equipped to use AI tools responsibly, with the institution's own risk tolerance and regulatory relationships intact.