Executive Summary
Legal teams at Payment Institutions firms operating across international jurisdictions are directly exposed when AI tools misrepresent the governance structure of the CPMI harmonised ISO 20022 requirements — a regulation that shapes correspondent banking agreements, payment scheme rulebook obligations, and cross-border data-field compliance programmes. Across our testing of AI tools on this regulation, one aggregated finding emerged: AI confidently misattributed the institutional chair of the CPMI working group that produced these requirements, citing a different central bank and fabricating a named individual in that role.
The failure mode is misattribution — the AI cited sources it claimed were authoritative, but those sources either do not say what the AI claimed or contradict it outright. For Legal teams relying on AI to anchor governance narratives in regulatory mapping documents, briefing notes, or scheme-compliance submissions, that error propagates into work product before anyone realises the attribution is wrong.
How AI gets this regulation wrong
The table below maps how AI tools failed when tested on this regulation. The dominant failure pattern here is source-misattribution: AI tools cited what appeared to be real, named public sources to support factual claims about the regulation's governance — but the sources either do not contain what the AI asserted or directly contradict it. This is a harder failure to catch than an outright invention, because the cited institution exists and the AI's phrasing sounds authoritative.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Misattributed | 1 | Finding#1 |
What that means for your team
The table below maps the risk categories that flow from AI failures on this regulation to the Legal function at a Payment Institutions firm. The central exposure sits in wrong-deliverable risk: when a Legal team builds a regulatory briefing, scheme-compliance map, or internal governance document on an AI-sourced misattribution, the output goes to decision-makers or external counterparties carrying an error that the firm then has to remediate. For internationally active payment institutions, where the same document may anchor positions taken across multiple jurisdictions simultaneously, the correction cost compounds.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects your department
Legal teams at Payment Institutions firms turn to AI on this regulation most commonly at the point of regulatory mapping — when a new product or corridor triggers a review of which CPMI requirements apply, which national competent authorities have adopted the harmonised data fields, and who sits behind the scheme governance. That last question — who actually runs these workstreams — arises in several live workflows: drafting board-level briefings on regulatory change programmes, reviewing SWIFT or payment-scheme contractual changes against CPMI expectations, and preparing regulatory engagement materials when a supervisory authority asks about your ISO 20022 data-quality implementation posture.
The mismatch between AI-generated governance attribution and the actual institutional record creates a specific problem for Legal: regulatory documents and counterparty submissions that name the wrong central bank as the scheme architect. In a cross-border payment context, where the Reserve Bank of Australia's public communications are part of the scheme's authoritative record, sending a briefing note or a due-diligence response that attributes the workstream to the Federal Reserve Bank of New York — and names a fabricated individual as co-lead — exposes the firm to straightforward credibility damage with regulators and scheme operators who know the record.
The correction requires a retraction, internal escalation, and in some cases a re-submission.
For internationally active Payment Institutions with correspondent banking arrangements that reference CPMI harmonisation commitments, the Legal team is also often the function that signs off internal policies governing data-field completeness. AI-assisted drafting of those policies that relies on misattributed governance context embeds the error in documents that may sit untouched for years before a regulatory review surfaces the discrepancy.
The findings at a glance
The table below summarises the finding identified in our testing of AI tools on this regulation from the Legal team's perspective at a Payment Institutions firm in international jurisdictions.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | CPMI workstream chair misattributed to wrong central bank | Hallucination | RLB-F-INT-BIS-CPMI-ISO-20022-HARMONISATION-UPDATED-2026-Q004 |
Aggregate impact
The finding from testing on this regulation clusters on institutional governance attribution — a topic Legal teams encounter less in the day-to-day of data-field compliance and more in the higher-stakes moments: regulatory engagement, scheme-level governance disputes, and internal training materials that position the firm's ISO 20022 programme in its correct international context. The AI error here is not a technical miscoding of a data element; it is a confident, source-supported claim about which central bank chairs the programme — a claim that is simply wrong and contradicted by the publicly available record.
The systemic risk for a Payment Institutions firm is that this type of misattribution is invisible in a standard legal review cycle. A junior lawyer drafting a regulatory briefing will not independently verify which central bank chairs a CPMI sub-workstream — they will cite the AI's answer, which comes with what looks like a legitimate source reference. The error reaches the reader (a regulator, a board member, a correspondent bank's legal counterpart) before anyone has looked at the underlying RBA press release. By that point the firm is in correction mode, not drafting mode.
Across internationally active Payment Institutions, the same briefing or due-diligence template is often adapted for multiple jurisdictions. That means a single AI-originated misattribution can propagate across several markets simultaneously — filed with different competent authorities or shared with multiple correspondent partners — multiplying the remediation burden. The narrow failure identified here points to a broader principle: on questions of institutional governance, treaty-level or standards-body-level attribution, AI tools require direct source verification against the relevant press release or official publication before any use in external-facing or board-facing documents.
What your team should do
The default position for Legal teams at Payment Institutions firms on this regulation should be: AI is useful for structuring analysis of data-field scope, drafting skeleton regulatory mapping documents, and synthesising the technical requirements across multiple jurisdictions — but institutional governance attribution (who chairs what, who signed what, who co-authored what) must always be verified directly against the regulator's own published communications.
The RBA's press release is public and findable; the AI's confident misattribution of the same fact to a different central bank with a fabricated named co-lead is precisely the scenario where a ten-second primary-source check prevents a document-correction exercise.
In practice, Legal teams should build a standing instruction into any AI-assisted workflow on this regulation: whenever a draft references a named institution or individual in a governance or authorship role, the drafter checks the BIS or relevant central bank's published communications before the document leaves the team. That check is not onerous on a regulation with a well-maintained public record at bis.org — the CPMI workstream communications are publicly accessible and the chair attribution appears in press releases.
The standing instruction should be written into the team's AI-use protocol rather than left to individual judgment, because the misattribution is confident enough to pass a surface-level read without triggering doubt.
AI tools remain genuinely useful on this regulation for work that does not hinge on governance attribution: summarising data-field scope across payment corridors, drafting commentary on implementation timelines, mapping the ISO 20022 field requirements to internal data dictionaries, or pulling together a first-draft regulatory Q&A for a business-line query about whether a given payment message satisfies the harmonised requirements. The failure identified here is narrow — but it sits exactly at the point where Legal's external credibility is on the line.
How RLB Can Help
RegLeg's published Hallucination Research gives the Legal team at a Payment Institutions firm a free, ready-to-use pre-flight check before placing weight on AI-generated output for regulatory questions. Each research entry documents the specific ways AI tools have misrepresented rules, cited non-existent provisions, or conflated requirements across payment frameworks — giving your team concrete, evidenced failure patterns rather than abstract caution. Running that check takes minutes and can prevent the kind of reliance on plausible-sounding but incorrect regulatory positions that carries real compliance and reputational risk.
Beyond the published research, RegLeg offers bespoke regulator deep-dives scoped to the workflows your Legal function actually uses. For Payment Institutions operating across multiple jurisdictions, that typically means mapping AI-supported tasks — licence condition reviews, regulatory correspondence drafts, horizon-scanning, and cross-border equivalence analysis — against the hallucination failure modes most prevalent in each relevant framework. The output is a prioritised exposure map your team can act on directly: knowing which tasks benefit most from AI assistance and which require tighter human review before outputs are relied upon.
For firms with an existing AI-use policy, RegLeg can conduct a confidential review against our failure-mode catalogue, identifying gaps and producing a prioritised remediation plan aligned to your current workflows and governance structure. We also develop training materials and CPD-aligned content tailored for Legal teams — practical, case-grounded sessions that build the critical fluency your lawyers need to work productively with AI tools without inadvertently accepting flawed regulatory analysis.