Executive Summary
Compliance teams at Payment Institutions firms operating across international jurisdictions are actively working through the CPMI's harmonised ISO 20022 data requirements — mapping their message flows, updating correspondent relationships, and interpreting CPMI guidance on adoption timelines and governance structures. Across the two questions we tested AI tools on for this regulation, AI assistants produced wrong answers on both. The failures span misattributing institutional governance roles to the wrong central bank — with a fabricated named individual inserted for credibility — and conflating two materially distinct adoption-rate statistics into a single invented figure.
Both errors produce wrong deliverables: internal briefings, regulatory horizon-scanning summaries, or business-line responses that carry authoritative-sounding misinformation straight into firm decision-making.
How AI gets this regulation wrong
The AI failures on this regulation fall into two distinct patterns: citing real authoritative sources while misrepresenting what those sources actually say, and collapsing separate statistics into a single invented composite figure. Both modes are particularly dangerous because the responses read as well-sourced and specific — the kind of confident, precise answer a junior analyst would pass straight into a regulatory briefing without a second look.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#2 |
| Misattributed | 1 | Finding#1 |
What that means for your team
Both findings map to a single risk category — delivering a wrong work product to an internal or external audience — but the downstream consequences vary: one wrong deliverable misrepresents the regulatory governance chain, the other misrepresents the state of market-wide ISO 20022 adoption in a way that directly distorts a firm's own readiness benchmarking. For a Payment Institutions Compliance team, both failures hit workflows where accuracy is load-bearing: regulatory horizon-scanning, business-line briefings, and correspondent due-diligence.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 2 | Finding#1 · Finding#2 |
When this affects your department
Compliance teams at international Payment Institutions consult AI tools on the CPMI ISO 20022 harmonisation work most often when building or refreshing regulatory horizon-scanning decks, briefing the business on the global state of adoption, scoping correspondent network reviews against CPMI data-field expectations, or responding quickly to a business-line question about where a particular jurisdiction stands in the implementation timeline.
The governance question — who chairs the CPMI working group — arises in contexts like drafting regulatory engagement briefings, populating compliance registers that map internal workstreams to external counterpart bodies, or preparing materials for board-level regulatory updates where attribution errors embarrass the firm in front of senior stakeholders.
The adoption-rate question is more operationally consequential. When Compliance builds a readiness benchmark or supports Treasury's correspondent-bank due-diligence against a "where is the market" baseline, the difference between more than three-quarters of faster payment systems versus approaching half of RTGS systems is not cosmetic — it tells a firm whether its RTGS counterparts are outliers or the norm. Collapsing both rates into a single 79% figure leads a firm to overestimate RTGS adoption across its network, potentially deprioritising pressure on correspondent banks that are, in reality, still materially behind the curve.
The risk is not hypothetical compliance theatre. Payment Institutions operating internationally face regulatory expectations from multiple bodies simultaneously, and their Compliance teams are routinely asked to produce authoritative-sounding briefings under time pressure. AI tools fill that gap fast — but when the output carries wrong institutional attribution or materially wrong market statistics, the firm's credibility with regulators, correspondent banks, and internal governance bodies is on the line.
The findings at a glance
The two findings below cover distinct question types — one on regulatory governance, one on market adoption statistics — but both produced wrong outputs that would land in firm deliverables unchallenged without source verification.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Wrong central bank named as CPMI workstream chair | Hallucination | RLB-F-INT-BIS-CPMI-ISO-20022-HARMONISATION-UPDATED-2026-Q004 |
| 2 | ISO 20022 RTGS and FPS adoption rates conflated into single figure | Hallucination | RLB-F-INT-BIS-CPMI-ISO-20022-HARMONISATION-UPDATED-2026-Q006 |
Aggregate impact
The two findings in this cell cluster around different knowledge categories — institutional governance and market statistics — but share a common failure signature: AI tools on this regulation produce specific, citation-adjacent responses that are wrong in ways that are not immediately visible to the reader. Neither error is vague or hedged in the AI output; both read as confident, authoritative, and sourced. That is what makes them systematically dangerous for a Compliance team under time pressure.
On governance, the error is a clean misattribution — the wrong central bank named, reinforced by the insertion of a named individual in that role. The Reserve Bank of Australia chairs the CPMI messaging workstream; the AI placed that role with the Federal Reserve Bank of New York and fabricated a named co-lead. For a Compliance team producing a regulatory engagement briefing or an internal governance map, this is the kind of error that gets cited at a senior committee and only surfaces when a counterpart with first-hand knowledge of the CPMI structure pushes back.
On market statistics, the error is a data conflation that flatters the market's readiness. The CPMI's own monitoring data reports more than three-quarters of faster payment systems and approaching half of RTGS systems using ISO 20022 — two materially different rates reflecting the well-understood lag in RTGS migration. The AI collapsed both into a single 79% figure for both system types.
For a Payment Institutions Compliance team benchmarking its correspondent network or advising business lines on realistic adoption timelines, overstating RTGS adoption by approximately 30 percentage points is not a rounding error — it is a misjudgement of where the market actually is.
What your team should do
The default position for Compliance teams using AI tools on this regulation should be: AI is useful for orienting to document structure, summarising publicly available CPMI policy papers, and drafting initial frameworks — but every institutional attribution and every statistic must be sourced back to the primary CPMI document or the relevant central bank's public record before it appears in any deliverable. That is not a counsel of perfection; it reflects the specific failure pattern these findings expose.
The errors are not in nuanced interpretive territory — they are in factual claims that have authoritative primary sources that take seconds to check.
For governance questions, the single reliable source is the CPMI's own published documentation and the RBA's public communications confirming its role chairing the messaging workstream. If a Compliance team is building a regulatory engagement register or preparing senior committee materials, the named individual holding a CPMI co-chair role should be verified against the RBA's current public record, not taken from an AI response. Personnel in those roles change; AI training data does not update in real time, and — as this finding shows — the AI may have the wrong institution entirely.
For market adoption statistics, the CPMI's monitoring reports and senior CPMI official speeches are the primary sources. Andrew Bailey's March 2026 speech provides the specific two-figure breakdown — more than three-quarters of faster payment systems, approaching half of RTGS systems — and that distinction matters operationally for a firm benchmarking its correspondent network. AI tools are appropriate for flagging that CPMI publishes monitoring data and directing the team to where to look, but the figures themselves should come from the source document.
The CPMI data is publicly available; the verification cost is low relative to the cost of mis-scoping a correspondent review or over-assuring a board that the RTGS landscape is further ahead than it is.
How RLB Can Help
RegLeg's published Hallucination Research gives Compliance teams at Payment Institutions firms a practical pre-flight check before placing reliance on AI-assisted output for regulatory questions. Each research entry documents the specific ways AI tools have mis-stated requirements, cited non-existent provisions, or conflated obligations across jurisdictions — giving your team a structured basis for calibrating confidence rather than discovering errors after the fact.
Beyond the published research, RegLeg works with Compliance functions to map which AI-supported workflows carry the highest hallucination exposure for a Payment Institutions firm specifically. Licensing and authorisation timelines, safeguarding and prudential thresholds, cross-border passporting conditions, and AML/CFT obligations each present distinct failure patterns. A bespoke regulator deep-dive surfaces where those patterns are most acute for your operating footprint, so resource and oversight effort is directed where the actual risk sits.
RegLeg can also conduct a confidential review of your firm's existing AI-use policy against our failure-mode catalogue, producing a prioritised remediation plan aligned to the regulatory obligations your Compliance team is already accountable for.
For teams building internal capability, RegLeg develops training material and CPD-aligned content that translates the research into practical guidance — covering how to read AI output critically, what hallucination signals to look for in a regulatory context, and how to document reliance decisions in a way that will withstand supervisory scrutiny. The aim is to leave your Compliance function better equipped to use AI tools responsibly, with the institution's own risk tolerance and regulatory relationships intact.