Executive Summary
The CPMI's harmonised ISO 20022 data requirements sit at the operational core of cross-border payment reform, and Company Secretaries advising payment system participants, correspondent banks, or multi-currency settlement entities routinely need accurate, attribution-grade answers about the governance structures behind this work. In testing across this regulation, AI tools produced verified errors — misidentifying the central bank that chairs the CPMI working group that developed the requirements, and fabricating a named individual in that leadership role.
The failure is not a peripheral data point: getting the institutional attribution wrong corrupts the governance narrative in board-level presentations, regulatory submissions, and any analysis of how the CPMI's recommendations were developed and by whom. For Company Secretaries operating across multiple jurisdictions, the risk is compounded — they are the ones expected to get these institutional relationships precisely right.
How AI gets this regulation wrong
On this regulation, the characteristic AI failure is misattribution — confidently citing real public sources while asserting facts those sources do not support, or that directly contradict what they say. The table below breaks down where this manifests: AI tools substituted one central bank for another as the chair of the relevant CPMI workstream, and invented a named official in that seat, all while presenting the answer as source-grounded.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Misattributed | 1 | Finding#1 |
What that means for your practice
For Company Secretaries, the dominant risk here is producing a wrong deliverable — advice, a board paper, or a governance note that misrepresents the institutional record. The table below maps the impact: a misattributed workstream chair is not a footnote-level slip, it is the kind of error that surfaces in board minutes, regulatory correspondence, or due diligence materials where accuracy of institutional attribution is a professional obligation, not a nicety.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects Company Secretaries
Company Secretaries touch this regulation most directly when advising boards or senior management at payment system operators, large-value settlement participants, or correspondent banking groups on the provenance and governance weight of the ISO 20022 harmonisation requirements. That typically means drafting board briefings that contextualise why these requirements carry the authority they do, scoping regulatory engagement strategies where knowing which central bank drove the standard matters for relationship mapping, or onboarding new directors who need accurate background on how the CPMI's cross-border payments programme was assembled.
In each of those contexts, the governance lineage — which institution led the work, under whose authority — is load-bearing information, not decorative colour.
The liability exposure is sharpest when a Company Secretary produces a governance note, board paper, or regulatory submission that assigns workstream leadership to the wrong institution. In the international payment space, central banks are not interchangeable: the Reserve Bank of Australia chairing the messaging workstream has specific implications for how a firm should position its engagement with that workstream versus how it would engage with the Federal Reserve system.
Misidentifying the chair substitutes a different regulatory relationship, a different jurisdiction lens, and a different set of relevant officials — all of which can embarrass the firm and the practitioner when the error surfaces in a board or regulatory context.
Practitioners are most likely to reach for AI tools at the scoping stage — when they need a quick governance orientation before drafting, or when a junior is preparing the background note that the Company Secretary will sign off. That is precisely where the risk concentrates: the AI answer looks authoritative (it cites sources), the junior treats it as reliable, and the error propagates into the deliverable that carries the practitioner's professional endorsement.
The findings at a glance
One finding was confirmed on this regulation — an institutional attribution error that produced a wrong and internally contradicted governance answer. The table below gives the detail.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | CPMI workstream chair misattributed to wrong central bank | Hallucination | RLB-F-INT-BIS-CPMI-ISO-20022-HARMONISATION-UPDATED-2026-Q004 |
Aggregate impact
The single confirmed finding on this regulation illustrates a category of AI failure that is particularly hazardous for Company Secretaries work: source-laundering misattribution. The AI tools tested cited what appeared to be legitimate public-record sources while asserting facts those sources contradict. The effect is that the error carries false credibility — a junior conducting due diligence might locate a referenced source, see that it exists, and treat the AI's characterisation of it as verified without reading it against the AI's specific claim.
The error here — wrong central bank as workstream chair, fabricated named official — is exactly the kind of fact that gets embedded into board papers and stays embedded because no one goes back to check an apparently sourced assertion.
For practitioners operating across international jurisdictions, the governance structures behind BIS/CPMI outputs have particular weight. The CPMI does not issue binding regulation in the conventional sense, but its working group outputs carry the institutional authority of the member central banks who produced them. Which central bank led which workstream is directly relevant when a Company Secretary needs to advise on which regulator a firm should engage, or when mapping the authoritative source for a given technical requirement back to its institutional origin.
Confusing the Reserve Bank of Australia with the Federal Reserve Bank of New York is not an adjacent error — these are distinct regulatory counterparts in different jurisdictions, with different supervisory relationships to the firms that Company Secretaries in international practices advise.
The systemic risk is that errors of this type are self-hiding. An AI that cites sources appears more reliable than one that does not, and a practitioner working under time pressure is likely to spot-check less carefully precisely when the answer looks well-grounded. The correct response is not to distrust AI categorically on governance attribution questions, but to treat any AI-provided institutional claim as unverified until the primary source — the actual press release, working group terms of reference, or BIS publication — has been read directly.
What your team should do
The default position for your team should be that AI tools are not reliable for governance attribution questions on BIS/CPMI outputs — specifically, who chaired what, who held named roles, and which institution exercised formal leadership over a given workstream or deliverable. These are exactly the facts that AI tools misattribute with apparent confidence, and they are exactly the facts that carry the most professional risk when wrong. Treat any AI-provided attribution claim on this regulation as a research prompt, not a research result.
The practical safeguard is straightforward: for any deliverable that names an institutional chair, co-chair, or named official in connection with the CPMI's ISO 20022 harmonisation work, require primary source verification before the draft leaves your team. The authoritative record here is the RBA press release of 18 October 2023 confirming Michele Bullock as former Co-Chair of the CPMI Messaging Workstream — a short document that resolves the question definitively. Building this into a standard preflight check for international payment governance briefs is the proportionate response; it is one verification step that eliminates the failure mode entirely.
Where AI tools are genuinely useful for this regulation is in the structural and technical framing that is not attribution-sensitive: synthesising the data element requirements across the three payment message categories, mapping the implementation timeline against a firm's existing ISO 20022 migration programme, or drafting the plain-language summary of what harmonisation means operationally for a board audience. The underlying technical content is stable and well-documented; the institutional governance layer — who did what, who leads what — is where the models produce plausible-sounding errors that primary source checks will catch.
How RLB Can Help
RegLeg's published Hallucination Research gives Company Secretaries a practical pre-flight check before acting on AI-generated answers to regulatory questions. Each research entry documents the specific ways AI tools have misrepresented a regulation — wrong thresholds, fabricated obligations, outdated requirements presented as current — so that a Company Secretary can cross-reference those documented failure modes against any AI output before it reaches a board paper, a filing, or a governance record.
The research is freely accessible and structured around the failure types most relevant to secretarial practice: misstatement of procedural deadlines, incorrect attribution of disclosure obligations, and confusion between jurisdictional variants of the same rule.
For firms where multiple Company Secretaries work across a shared regulatory portfolio, RegLeg offers bespoke regulation deep-dives tailored to the specific instruments in scope. These engagements go beyond the published research to examine the precise provisions your team relies on most heavily, map the failure modes that carry the greatest secretarial risk for your firm, and produce a reference document your team can embed in its own AI-use workflow. The output is designed to be updated as regulations are amended, giving your team a living resource rather than a one-off snapshot.
RegLeg also develops training material and CPD-aligned content that equips Company Secretaries to recognise AI failure modes independently — not just to distrust AI output, but to interrogate it intelligently. Separately, RegLeg can conduct a confidential review of a firm's existing AI-use policy against its failure-mode catalogue, identifying where current controls adequately address known hallucination patterns and where gaps exist. Both services are delivered collaboratively, working alongside your governance and legal teams rather than as an external audit imposed on them.