Executive Summary
AI assistants tested against the CFTC's December 2025 digital asset collateral package — Staff Letter 25-40, its reissuance as Staff Letter 26-05, the tokenized asset staff guidance, and associated FAQs — produced incorrect answers on three of the questions a Compliance team at a U.S. investment banking firm is most likely to bring to an AI tool when implementing this framework.
The failures are not peripheral: they hit the operative conditions for FCM participation in the digital asset margin pilot, the specific carve-outs and sunset provisions that govern ongoing reporting obligations, and the multi-DCO haircut hierarchy that determines how customer-posted digital asset collateral must be valued. In two of the three cases, AI tools invented rules that do not appear in the source letters — most critically, inverting which obligations cease and which persist after the initial three-month onboarding phase, and omitting the OCC Interpretive Letter 1183 cross-reference that grounds national trust bank stablecoin eligibility.
A Compliance team at a U.S. broker-dealer or FCM affiliate that takes these AI answers at face value and encodes them into internal policy, training decks, or regulatory correspondence faces direct enforcement exposure with the CFTC's Market Participants Division.
How AI gets this regulation wrong
The failures on this regulation split between AI tools that invented rules that have no basis in the staff letters and one case where an AI tool stated the wrong answer confidently in its first response — then, when pressed, admitted it had conflated unrelated conditions rather than working from the letter's actual enumerated list. Both patterns are dangerous in a Compliance context, but the invented-rule failures are the harder to catch: the AI's output reads internally consistent, cites the right framework, and gets the top-line question right before drifting into fabricated detail on the specific operative condition.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Misstated Rule | 2 | Finding #1 · Finding #3 |
| Exposed Fabrication | 1 | Finding #2 |
What that means for your team
Every finding in this regulation maps to the same risk category: regulatory enforcement. That concentration reflects the nature of this framework — the CFTC's no-action relief and staff guidance set precise, enumerated conditions for FCM participation, and the compliance obligation is to satisfy each condition exactly as written, not approximately.
For a U.S. investment banking firm with an FCM affiliate in the digital asset pilot, a misstated condition in an internal policy memo or a control framework that encodes the wrong haircut hierarchy is not a disclosure or conduct issue — it is a direct failure to comply with the terms under which the CFTC extended relief, and it surfaces when the staff examines whether the firm is operating within those terms.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 3 | Finding #1 · Finding #2 · Finding #3 |
When this affects your department
Compliance teams at U.S. investment banking firms with FCM affiliates are using AI tools on this framework in several distinct workflows: drafting the internal policy memo that governs whether and how the FCM participates in the digital asset collateral pilot; building the control matrix that maps each staff-letter condition to a responsible owner and a testing cadence; preparing the notice filing and associated disclosure language; and responding to business line questions about which digital assets the FCM can accept, from which counterparties, subject to which haircut.
This is early-stage rule-making where the primary source material is a small cluster of CFTC staff letters and FAQs rather than a codified rule, which makes it exactly the terrain where AI tools are most confidently wrong — the framework is new enough that the AI cannot fall back on an established regulatory baseline, but structured enough that it can generate plausible-sounding detail.
The specific scenario where this bites hardest is the junior compliance analyst who uses an AI tool to map out the FCM's ongoing obligations after the three-month onboarding window closes, then drops that map into a Board or senior management briefing without a line-by-line verification against the source letters. If that briefing drives a decision to wind down weekly digital asset reporting — which at least two AI tools we tested said would sunset — the FCM is now out of compliance with an obligation it believes it discharged.
The CFTC's Market Participants Division is the enforcement body for FCM compliance with these conditions, and a firm that cannot demonstrate it maintained the weekly holdings reporting throughout the pilot period has a factual gap that is very difficult to remediate retroactively.
The stablecoin eligibility question is a parallel risk for the prime brokerage or clearing business: if a client asks whether its USDC or a national-trust-bank-issued stablecoin qualifies as eligible collateral, and the compliance team's answer omits the OCC Interpretive Letter 1183 cross-reference that grounds national trust bank eligibility, the legal analysis is incomplete in a way that could embarrass the firm in client documentation or in a regulatory inquiry.
This is less a binary compliance failure than a work-product quality issue — but in a framework where the CFTC staff has been explicit about the specific legal hooks that justify each eligibility category, a client-facing analysis that misses one of those hooks looks sloppy at best and misleading at worst.
The findings at a glance
The three findings below cover the questions a Compliance team at a U.S. investment banking firm is most likely to bring to an AI tool when onboarding to the digital asset margin pilot — stablecoin eligibility, the post-onboarding obligation sunset schedule, and the multi-DCO haircut hierarchy for customer-posted collateral.
Aggregate impact
All three failures cluster on the technical conditions embedded in the CFTC staff letters rather than the high-level framework: the specific legal cross-reference that grounds an eligibility category, which items on an enumerated conditions list sunset and which do not, and which rule governs haircut calculation when multiple DCOs apply different rates to the same asset. This is a consistent pattern across AI tools on new, structured relief frameworks — the AI correctly identifies the governing document and the general regime, then fills in the operative detail with inference rather than source reading.
The errors are plausible: they fit the internal logic of the framework as the AI understands it, which is exactly why they survive a junior reviewer's first-pass check.
The risk concentration in regulatory enforcement reflects the binary nature of CFTC no-action relief: the FCM is either complying with the enumerated conditions under which relief was granted, or it is not. There is no good-faith-effort defence for an FCM that missed a reporting obligation because its internal compliance policy said the obligation had sunset.
The practical exposure for a U.S. investment banking firm is a compliance breakdown at the FCM-affiliate level that the CFTC's exam staff identifies during a routine review — at which point the question is not just remediation cost but whether the firm can demonstrate it had adequate controls in place when the gap arose.
The multi-DCO haircut finding adds a second exposure vector. An FCM that applies the 20 percent floor in cases where a registered DCO has set a higher haircut is under-valuing the risk it is carrying on customer accounts — a haircut adequacy failure with direct implications for customer protection under CFTC Part 22 and Part 30. This is the kind of control deficiency that can remain invisible until a stress event exposes the shortfall, at which point the compliance team is explaining to the CFTC why its haircut framework was built on an incomplete reading of the staff letter.
What your team should do
The default position for this regulation is: do not use AI tools to establish which specific conditions apply, which sunset, or which legal cross-references ground an eligibility category. The staff letters are short, structured, and enumerated — the source-reading time is minimal, and the cost of an error is a compliance failure at the FCM level. AI tools are useful for orientation (what is this framework about, what is its scope, what are the main categories of obligation) and for drafting first-pass language that a reviewer then maps back to the source.
They are not reliable for the condition-by-condition detail that governs whether the FCM is actually complying.
For the specific gaps identified here, the practical safeguards are straightforward. On the post-onboarding obligation schedule: build an explicit two-column table from the staff letter's enumerated conditions — one column for obligations that cease at the end of month three, one for obligations that continue — and require sign-off from a senior compliance officer before the table is used in any internal policy or training material. Do not let an AI tool populate either column.
On the multi-DCO haircut: confirm directly with the clearing and prime services teams which DCOs accept each digital asset and at what haircut, then apply the highest; the 20 percent floor is a backstop for assets no DCO accepts, not a universal rate. On stablecoin eligibility: any client-facing analysis of whether a specific stablecoin qualifies should reference the full legal chain including OCC Interpretive Letter 1183 for national trust bank issuers — an analysis that omits that cross-reference is incomplete regardless of how it was produced.
Where AI tools genuinely add value in this workflow: summarising the regulatory history (the progression from 25-40 to 26-05 and the nature of the revision), flagging which questions are still open or subject to FAQs, and helping structure the compliance memo template before the operative detail is filled in from the source letters. The framework is new and the primary sources are accessible — a disciplined source-verification step on any AI-drafted condition-level detail takes minutes and eliminates the enforcement exposure that comes from relying on AI inference to substitute for it.
How RLB Can Help
RegLeg's published Hallucination Research gives your team a concrete pre-flight check before relying on AI-generated output on regulatory questions. If your analysts or legal colleagues are using AI tools to interpret SEC or FINRA requirements, assess capital treatment under Basel III, or draft policy justifications, the research identifies exactly where those tools have produced confidently wrong answers on the same regulatory texts — wrong entities, inverted obligations, fabricated thresholds.
That published record is free to access and specific enough to be operationally useful: you can cross-reference it against the regulations your team actually works with before the output reaches a submission, a trade approval memo, or a board paper.
Beyond the public findings, we run bespoke regulator deep-dives scoped to the Compliance workflows that carry the highest hallucination exposure in investment banking specifically. That means mapping AI failure patterns against the places where your team's reliance on AI output creates the sharpest consequence: regulatory capital calculations, trade reporting obligations under CFTC and SEC, conflicts governance, and cross-border rule applicability questions where the gap between what an AI tool asserts and what the regulation actually requires can be both large and invisible.
The output is a prioritised exposure map your team can use to set guardrails, not a generic risk register.
Where you have an existing AI-use policy, we can run a confidential review of it against RegLeg's failure-mode catalogue — the categories of errors the research has documented across regulatory domains — and return a prioritised remediation brief: which policy provisions are underspecified relative to known failure patterns, where human-review checkpoints are missing, and where the policy's assumptions about AI reliability are contradicted by documented evidence.
We can also develop training material and CPD-aligned content your Compliance team can use internally — grounded in real findings from the research, framed for practitioners who already know the regulatory landscape and need to calibrate when and how much to trust AI-assisted work product.