Executive Summary
Compliance teams at Corporate Banking firms operating across international jurisdictions are increasingly turning to AI tools to navigate the CPMI's API harmonisation recommendations — a framework designed to standardise cross-border payment APIs and reduce friction across correspondent banking chains.
Across three aggregated questions put to AI assistants on this regulation, every single one produced a hallucination: AI tools either invented structural claims about a self-assessment toolkit whose contents are not publicly accessible, misidentified which central bank is formally named as CPMI's implementation partner on the pre-validation API recommendation, or fabricated a stakeholder-by-recommendation breakdown that the regulation's own PDF does not support in any accessible form.
The failure pattern is consistent: AI tools filled gaps in their source coverage with confident, plausible-sounding specifics — exactly the kind of material a Compliance analyst would lift directly into an internal policy note or gap analysis without a second check. For a Corporate Banking firm with cross-border payment obligations under this framework, the operational risk is concrete: wrong toolkit structure means a flawed readiness assessment; wrong CPMI partner identification feeds an inaccurate regulatory-engagement memo; and an invented stakeholder map produces a policy scoping document that misaligns internal controls with actual regulatory obligations.
How AI gets this regulation wrong
The failures on this regulation split between two patterns: AI tools that confidently committed to specific structural or scoping claims and then retracted when pressed, and AI tools that flatly invented institutional arrangements that the published record directly contradicts. Both modes are dangerous in a Compliance workflow because the initial confident answer — not the retraction — is what gets copied into the deliverable. The table below shows how those patterns distribute across this regulation's findings.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 2 | Finding#1 · Finding#3 |
| Misstated Rule | 1 | Finding#2 |
What that means for your team
The risk exposures here are concentrated in two areas that sit squarely inside a Compliance function's day-to-day: producing wrong deliverables — gap analyses, readiness assessments, policy scoping documents — built on invented regulatory content, and creating regulatory enforcement exposure where an AI-generated characterisation of the toolkit or stakeholder obligations reaches a regulator before it is verified. The table below maps each finding to its primary risk category through the Corporate Banking compliance lens.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 2 | Finding#2 · Finding#3 |
| Regulatory enforcement | 1 | Finding#1 |
When this affects your department
A Corporate Banking Compliance team reaches for AI assistance on this regulation in at least three distinct workflow contexts. The first is internal readiness assessment: when the business asks Compliance to evaluate how the firm's existing cross-border payment API infrastructure maps against the CPMI recommendations, AI tools are a natural first pass for populating a gap-analysis template or structuring a board-level readiness memo.
The second is stakeholder mapping for implementation planning: correspondent banking relationships span multiple jurisdictions and payment system operators, and Compliance frequently needs to identify which recommendations apply to which counterparty type — commercial bank, payment system operator, central bank — to scope due-diligence requirements and contractual obligations appropriately. The third is regulatory-engagement preparation: when a home or host regulator inquires about the firm's API harmonisation posture, or when the firm is involved in a jurisdiction-specific pilot, the Compliance function is expected to brief senior management with accurate information about CPMI's published positions, named implementation partners, and stated timelines.
What's at stake when the AI answer is wrong depends on which workflow carries the error forward. A fabricated self-assessment toolkit structure — AI asserting that the toolkit is a "self-assessment workbook keyed recommendation-by-recommendation" when the actual toolkit contents are inaccessible to AI — means the firm's readiness assessment is built against a fictional framework. When that assessment is submitted internally or referenced in regulator correspondence, the gap between the firm's documented readiness and actual obligations becomes a supervisory risk.
An invented stakeholder map — AI assigning specific CPMI recommendations to correspondent banks when the actual targeting is in an inaccessible document — means Compliance scopes the firm's obligations incorrectly, potentially excluding requirements that fall on the firm as a commercial bank participant.
And a misidentification of CPMI's named implementation partner on pre-validation APIs is not merely academic: if the firm's regulatory-engagement team is briefing on the CPMI collaboration landscape and references the wrong central bank as CPMI's partner, that error is verifiable against publicly available CPMI publications — an embarrassment that signals shallow due diligence to a regulator evaluating the firm's regulatory culture.
The findings at a glance
All three findings on this regulation produced hallucinations — no finding yielded a correctly calibrated AI response. The table below summarises each finding, the type of failure, and the primary risk it creates for a Corporate Banking Compliance team in international jurisdictions.
Aggregate impact
The errors on this regulation share a common structural cause: the CPMI's primary deliverable — the self-assessment toolkit — is contained in a PDF whose contents AI tools cannot access, while the published landing page confirms the toolkit exists and describes it in broad terms. AI assistants bridge this gap not by declining to answer but by generating plausible-sounding specifics derived from what they know about how similar toolkits are typically structured.
The result is a cluster of failures all touching the same underlying document gap: toolkit structure, stakeholder targeting per recommendation, and implementation partner identification are all questions where the authoritative answer is in inaccessible PDF content, and all three produced hallucinations.
The systemic risk for a Corporate Banking Compliance function is that these are not edge-case questions. Toolkit structure and stakeholder mapping are exactly the questions a Compliance analyst asks when onboarding a new regulatory framework — they form the foundation of an internal policy and the scope of any gap analysis. If those foundational inputs are fabricated, every downstream control, sign-off, and management information item built on that foundation inherits the error invisibly.
The finding on SARB's named role as CPMI's pre-validation implementation partner adds a second dimension: this error is not about an inaccessible document — CPMI Brief No. 9 is publicly available — but about AI tools operating near their training-data cutoff, where recent publications are unreliably surfaced. A Corporate Banking Compliance team advising on a jurisdiction-specific API harmonisation initiative cannot assume AI tools have current knowledge of CPMI's active pilot arrangements.
Taken together, the findings suggest that this regulation sits in a particularly hazardous zone for AI-assisted Compliance work: the core obligations are described in an implementation document that is not publicly accessible, the implementation landscape is evolving faster than AI training cycles, and the questions Compliance teams naturally ask about it are precisely the ones AI tools are most likely to fill with confident fabrication rather than an honest acknowledgment of the gap.
What your team should do
The default position for Compliance teams using AI on this regulation should be: treat any AI response about the self-assessment toolkit's contents, structure, or assessment criteria as unverifiable until the team has the PDF directly in hand. The toolkit is the operational core of this framework — it is what a readiness assessment is actually built against — and AI tools demonstrably fill the gap in their toolkit knowledge with invented specifics. Do not use AI-generated toolkit descriptions as inputs to gap analyses or readiness memos. If the PDF is available internally, have the analyst work from the source document. If it is not, flag the gap explicitly in the deliverable rather than letting an AI-generated description stand in.
For stakeholder mapping — which CPMI recommendations apply to commercial banks versus payment system operators versus central banks — apply the same discipline. The per-recommendation stakeholder targeting is in the inaccessible PDF, not in any accessible summary that AI tools can reliably draw from. AI tools in testing produced category-level stakeholder assignments that go beyond what any accessible source supports. A Compliance team scoping the firm's obligations under this framework should cross-reference the recommendation text in the published report directly, not rely on AI categorisation.
AI tools are safe for lower-risk tasks on this regulation: summarising the ten recommendations at a high level from the published report text, drafting the narrative framing sections of a regulatory engagement briefing, or mapping the regulation's publication timeline. They are also broadly reliable for identifying which jurisdictions have formally engaged with the CPMI API harmonisation agenda — provided the team applies date-awareness discipline and recognises that AI training coverage of CPMI publications from late 2025 onward may be incomplete.
For anything touching the toolkit's internal structure, recommendation-level stakeholder scoping, or active CPMI pilot arrangements, primary source verification is non-negotiable before the output leaves the Compliance function.
How RLB Can Help
RegLeg's published Hallucination Research is available as a free reference that Compliance teams at Corporate Banking firms can use as a pre-flight check before placing reliance on AI-assisted output for regulatory questions. The research maps documented failure modes — misquoted rule text, phantom obligations, outdated supervisory guidance — across the regulatory domains most relevant to corporate banking, giving Compliance practitioners a concrete basis for calibrating how much confidence to place in any AI tool's answer before it feeds into advice, policy, or a regulatory submission.
Beyond the published material, RLB works directly with Compliance functions to produce bespoke regulator deep-dives tailored to the firm's specific operational footprint. These engagements identify which AI-supported workflows within the Compliance function — regulatory horizon-scanning, gap analysis, client due-diligence review, policy drafting — carry the highest hallucination exposure in the jurisdictions where the firm operates, and set out practical controls proportionate to the risk each workflow presents.
RLB can also conduct a confidential review of the firm's existing AI-use policy against the RegLeg failure-mode catalogue, producing a prioritised remediation plan that the Compliance team can action within its normal governance cycle.
For teams building internal capability, RLB develops training material and CPD-aligned content designed for Compliance professionals rather than technologists. The content focuses on recognising hallucination patterns in AI output, applying appropriate verification discipline at each stage of a workflow, and embedding those habits within the team's existing quality-assurance and second-line oversight frameworks. Delivery can be structured to satisfy continuing professional development requirements across the main professional bodies relevant to compliance practice in international corporate banking jurisdictions.