Executive Summary
Risk teams at US investment banks are actively mapping the CFTC's December 2025 digital asset collateral framework — the no-action relief and accompanying staff guidance from the Market Participants Division — into their FCM oversight programs, counterparty margin policies, and capital charge controls. Across the two aggregated questions tested against this regulation, AI tools failed on both: every answer contained a material error. The failures are not ambiguous edge-cases — they go to the operative mechanics of the framework, inverting which obligations continue after the initial onboarding phase and fabricating a collateral haircut rule that does not exist.
A Risk team relying on AI output to set internal policy on either point would build controls around the wrong legal baseline from day one.
How AI gets this regulation wrong
The failures on this regulation split between two distinct patterns: AI tools that confidently asserted wrong answers and, when challenged, acknowledged they had conflated multiple obligations without reading the enumerated conditions; and AI tools that invented a governing rule for a haircut calculation scenario that the framework does not actually address that way. Both patterns produce answers that sound authoritative and are wrong in the specific direction most likely to create compliance gaps.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#1 |
| Misstated Rule | 1 | Finding#2 |
What that means for your team
Both findings carry regulatory enforcement exposure — the risk category where the CFTC's enforcement toolkit is most directly in play. For a Risk function at a US investment bank, that means the downstream consequences land on FCM program oversight, collateral eligibility controls, and the firm's ability to demonstrate to its clearing operations teams and internal audit that its digital asset margin policy was built on an accurate read of the relief conditions.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 2 | Finding#1 · Finding#2 |
When this affects your department
Risk teams at US investment banks are consulting AI tools on this framework in at least three concrete contexts: scoping the firm's FCM-related exposure as digital asset collateral acceptance becomes a live business question; drafting or reviewing the internal policy that will govern how the firm's clearing clients post margin under the relief; and responding to requests from business lines — prime brokerage, futures execution, swap dealing — that want a quick read on what the CFTC's conditions actually require. In each case, the AI's answer feeds directly into a work product that will sit inside the firm's control framework.
The obligation-inversion error in Finding 1 is particularly dangerous in this workflow. A junior analyst or associate drafting the FCM margin policy section on "Phase 1 vs. ongoing obligations" would reasonably treat the AI's answer as a starting point, document it with the AI's apparent confidence, and pass it up for senior sign-off.
The error — that weekly digital asset holdings reporting ceases after three months when it in fact continues — would embed itself in the policy and in any training materials built off it, surfacing only when a CFTC examination or a routine internal audit challenge asks the team to trace the policy back to the letter's enumerated conditions.
The haircut calculation error in Finding 2 is the kind of gap that lives quietly inside a collateral eligibility model. If the firm's Risk function designs the multi-DCO haircut logic using only the 20% floor — ignoring the highest-haircut-across-accepting-DCOs rule — the model will systematically under-haircut customer collateral in any scenario where a DCO applies a rate above 20%. That's not a hypothetical: it's the operative gap the CFTC's rule is specifically designed to close, and getting it wrong exposes the firm to examination findings on collateral adequacy and, depending on scale, potential enforcement referral.
The findings at a glance
The table below summarises the two findings tested against this regulation, the type of AI failure each represents, and its risk classification for Risk teams at US investment banks.
Aggregate impact
Both findings sit squarely in the operational mechanics of the December 2025 framework — not in its broad policy intent, but in the specific numbered conditions and haircut calculation rules that determine whether the firm is actually in compliance day to day. That's a significant pattern: the parts of the framework that most require precise reading of the relief letter's enumerated text are exactly the parts where AI tools produce wrong answers with the highest apparent confidence.
The obligation-lifecycle error (Finding 1) and the haircut-rule omission (Finding 2) are also connected in a structural sense. Both involve AI tools treating the framework as though its operative logic can be inferred from general principles — "early-stage conditions tend to be temporary," "a floor rate governs margin calculations" — rather than from the specific enumerated text. The CFTC's relief letter was designed with precisely that distinction in mind: some conditions are explicitly time-limited, some are not, and the letter names them separately. AI tools collapsed that distinction.
For a Risk function, the aggregate exposure is: if the team builds its FCM oversight framework, collateral eligibility model, and reporting calendar using AI-assisted policy drafts without verifying against the letter's enumerated conditions directly, the firm is likely carrying at least two material compliance gaps simultaneously — one under-reporting ongoing obligations to senior management and one under-haircut-ing customer collateral in multi-DCO scenarios. Neither gap announces itself; both would surface under examination.
What your team should do
The default position for this regulation should be: treat AI output as a drafting accelerator for the parts of the framework that are contextual or well-settled, not as a source of truth for the enumerated conditions in the relief letter itself. The two failure patterns here both stem from AI tools inferring operative rules rather than reading the letter's specific numbered lists.
Any work product that turns on which conditions are time-limited and which persist — policy sections, reporting calendars, FCM oversight matrices — needs to be traced directly to the letter's enumerated conditions paragraph, not to an AI summary of it.
For the haircut calculation specifically, the multi-DCO rule is the kind of provision that AI tools systematically under-specify because it requires reading the letter with attention to a scenario the tool may not anticipate the questioner is asking about. When scoping the collateral eligibility model, Risk should treat AI output as a prompt to read the source, not a substitute for it. The question to ask the AI is: "what does the letter say about DCO haircut rates?" — then verify that answer against the actual text.
If the AI produces only the 20% floor without the highest-haircut rule, the gap is detectable immediately.
AI tools are genuinely useful on this regulation for framing internal communications, mapping the framework's scope across the firm's business lines, and drafting the non-operative sections of FCM policy (background, purpose, definitions). Where they are not safe — and these findings make this concrete — is in determining which specific numbered conditions govern ongoing obligations versus time-limited ones, and in specifying the operative calculation rule for any scenario involving multiple DCOs.
Those answers require reading the relief letter, and they require someone who will notice when the AI has filled in a plausible-sounding rule that the letter does not actually contain.
How RLB Can Help
RegLeg's published Hallucination Research gives your team a concrete pre-flight check before placing weight on AI-generated output in regulatory analysis. For a Risk function at a US investment bank, that means stress-testing the AI tools your analysts, quant risk, and compliance-adjacent teams are already using against a documented catalogue of failure modes — not hypothetical edge cases, but patterns observed across real regulatory texts including capital, margin, derivatives, and conduct frameworks that your desk is operating under.
Before a model-generated interpretation of a Fed or SEC rule lands in a stress test assumption, a credit risk framework, or a counterparty exposure memo, you can verify whether that regulatory scope is one where AI assistants have already been shown to hallucinate in material ways.
Beyond the published research, RLB can run a bespoke regulator deep-dive scoped to your specific AI-supported workflows — mapping which regulatory questions your Risk team is actually asking AI tools to answer, and where in that workflow the hallucination exposure is highest. For an investment bank, that typically surfaces around capital adequacy interpretation, cross-border margin rules, large-exposure thresholds, and model-risk overlays where the regulatory text is dense, frequently amended, and carries significant asymmetry between a correct and an incorrect read.
The output is a prioritised exposure map, not a generic AI risk framework — calibrated to your firm's jurisdictional footprint and the actual regulatory questions your function depends on getting right.
RLB also works directly with Risk teams on two further workstreams: a confidential review of your firm's existing AI-use policy against the failure-mode catalogue, identifying where current controls are under-specified for the hallucination patterns we've documented, with a prioritised remediation roadmap; and the development of training and CPD-aligned material your team can use internally — content written at the right technical register for senior risk professionals, grounding AI governance obligations in specific, documented failure patterns rather than abstract model-safety concepts. Both workstreams are built collaboratively with your team, with findings staying inside the firm.