Executive Summary
The CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures sets out the international baseline that corporate banking compliance functions use to assess their firms' cyber-resilience posture against the standards FMIs and their critical participants are expected to meet. When AI tools were tested against questions about this regulation, every query produced a hallucination — AI assistants presented outdated information as if it were current, specifically asserting that the 2016 guidance remains the operative and unrevised international standard when, as of May 2026, CPMI-IOSCO had published a consultative document signalling the guidance is under active revision.
The uniform nature of the failure — every AI tool tested returned the same incorrect answer on the same question — points to a systemic gap that affects any compliance team relying on AI assistance to track the regulatory landscape governing FMI cyber resilience. For corporate banking firms with material exposure to FMIs, acting on this error could mean framing internal policies, regulatory gap analyses, and board-level reporting against a standard that is no longer authoritative.
How AI gets this regulation wrong
Across the questions tested on this regulation, AI assistants made the same kind of mistake: presenting outdated regulatory information as if it remained current and unchanged. In each case, the AI responded with apparent confidence that the 2016 CPMI-IOSCO guidance had not been revised, despite a recent CPMI-IOSCO consultative document signalling exactly the opposite — a gap between what the AI reported and what the regulator had actually published.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Outdated | 1 | Finding#1 |
What that means for your team
The risks that flow from these errors fall squarely in the regulatory enforcement category — the consequences most feared by compliance functions and most visible to supervisors across jurisdictions. For corporate banking firms operating internationally, acting on stale regulatory intelligence about FMI cyber-resilience standards can translate directly into misdirected policy work, flawed supervisory submissions, and exposure to enforcement scrutiny at precisely the point where the regulator expects firms to be tracking an evolving standard.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 1 | Finding#1 |
When this affects your department
Corporate banking compliance teams routinely turn to AI assistants when mapping their firms' obligations under international cyber-resilience frameworks. That may happen when drafting or updating the firm's cyber-resilience policy, benchmarking internal controls against the standards that clearing houses, payment systems, and other FMIs are expected to meet, conducting due diligence on FMI counterparties or critical third-party service providers, preparing regulatory submissions or board risk reports, or briefing business lines on the cyber-resilience expectations that apply to the FMIs they rely on for settlement and clearing.
In each of these contexts, the compliance team is likely to ask AI tools directly whether the regulation it is working from is still the operative standard — precisely the question that produced incorrect answers in this assessment.
If the team treats an AI response as reliable and proceeds on the basis that the 2016 CPMI-IOSCO guidance is the final, unrevised word, it may build internal frameworks anchored to requirements that are materially in flux. The firm could submit regulatory attestations or gap analyses to supervisors that reference an outdated baseline, exposing it to findings of insufficient regulatory awareness.
Because CPMI-IOSCO guidance feeds into the supervisory expectations of central banks and securities regulators across multiple jurisdictions simultaneously, a single misdirected AI query can propagate through multiple work-streams — policy documents, audit responses, counterparty correspondence — before the error is caught.
The stakes are heightened for corporate banking firms because of their indirect but material dependency on FMIs. Clearing banks, custodians, and firms with large payments volumes are expected by their own regulators to understand the cyber-resilience standards that the FMIs they use are subject to, and to reflect those standards in their own vendor-risk and operational-resilience frameworks. An AI-generated assertion that the regulatory landscape is static, when it is actually in transition, undermines the firm's ability to anticipate supervisory expectations and get ahead of compliance obligations before they harden into final guidance.
The findings at a glance
The table below summarises the finding: the question asked, what the AI asserted, and the risk it creates for a compliance team at a corporate banking firm. The underlying gap is the same across every tool tested: none of them registered a significant regulatory development that had occurred in the weeks immediately before the assessment date.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Current operative status of 2016 CPMI-IOSCO guidance | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022 |
Aggregate impact
The finding in this cell captures the same error produced by different AI tools on closely related questions about the current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance. In each case, the AI asserted that the guidance remains the operative, unrevised international standard, an answer that was already contradicted by a CPMI-IOSCO consultative document published for public comment on 6 May 2026.
The fact that multiple AI tools made the identical mistake suggests this is not an isolated quirk of a single system but a structural limitation: AI assistants whose knowledge does not yet extend to very recent regulatory publications will confidently report the pre-publication position as if it were current, with no indication of uncertainty.
The error clusters tightly around a single, high-stakes question — the operative status of the regulation itself. This is precisely the kind of threshold question a compliance team asks at the start of any regulatory mapping exercise. An incorrect answer here does not merely corrupt one data point in a larger analysis; it can invalidate the framing of the entire exercise.
If the team proceeds on the assumption that the 2016 guidance is still final and unrevised, every downstream output — the gap analysis, the policy refresh, the regulatory submission — may be calibrated against a baseline that the regulator has already signalled is changing.
For corporate banking compliance teams operating across international jurisdictions, the systemic risk is compounded by the multi-jurisdictional reach of CPMI-IOSCO guidance. Supervisors in different countries who have adopted or reference the CPMI-IOSCO framework will update their own supervisory expectations as the revision process progresses.
A firm that has built its FMI-related cyber-resilience framework on the 2016 guidance — believing it to be current on the strength of an AI response — may find itself out of step with emerging supervisory expectations across several jurisdictions simultaneously, a position that is costly to remediate and difficult to explain to regulators who expect horizon-scanning to be part of the compliance function's standing obligations.
What your team should do
The default position for compliance teams at corporate banking firms should be to treat any AI-generated response about the current status of an international regulatory standard as a starting point for human verification, not a definitive answer. This is especially important for CPMI-IOSCO guidance, where the distinction between a current standard and one under active revision has material consequences for how the firm frames its regulatory obligations.
An AI assistant answering from its training data cannot reflect regulatory developments that post-date its knowledge cut-off, and even tools with live retrieval do not reliably surface publications from the weeks immediately before a query is submitted. A compliance team that does not know the AI's knowledge boundary has no way to judge whether the answer it receives is current.
Practical safeguards for working with AI on this regulation should include: cross-checking the current status of CPMI-IOSCO guidance directly against the BIS publications page (bis.org) before finalising any regulatory mapping work; building a standing review of CPMI-IOSCO press releases and consultation publications into the team's quarterly regulatory horizon-scanning calendar; and flagging any AI response on regulatory status for human sign-off before it is incorporated into a board paper, regulatory submission, or policy document.
Where AI is used to draft summaries or explain the substantive content of the 2016 guidance, such as the structure of its eight components (the five risk management categories of governance, identification, protection, detection, and response and recovery, plus the three overarching components of testing, situational awareness, and learning and evolving), how they interact, or what they imply for a firm's internal control framework, those outputs carry lower risk, because the underlying provisions are stable and can be verified against the published document. The risk concentrates specifically in questions about whether the guidance is still operative and what the current supervisory baseline is.
AI assistants can add genuine value for compliance teams working on this regulation in contexts where the answer does not depend on real-time regulatory intelligence: explaining the architecture of the 2016 guidance, mapping its components to internal risk taxonomies, helping draft board-level briefings on FMI cyber-resilience expectations, or preparing staff training materials grounded in the published text. These are tasks where the content is stable and the AI's contributions can be checked against the source document.
The appropriate posture is targeted use with human verification applied at the point where regulatory currency matters most — which, for this regulation in mid-2026, means any question that turns on whether the 2016 standard is still the final, operative word.
How RLB Can Help
RegLeg's published Hallucination Research is available as a free reference that Compliance teams at Corporate Banking firms can use as a pre-flight check before placing reliance on AI-assisted output for regulatory questions. The research maps documented failure modes — misquoted rule text, phantom obligations, outdated supervisory guidance — across the regulatory domains most relevant to corporate banking, giving Compliance practitioners a concrete basis for calibrating how much confidence to place in any AI tool's answer before it feeds into advice, policy, or a regulatory submission.
Beyond the published material, RLB works directly with Compliance functions to produce bespoke regulator deep-dives tailored to the firm's specific operational footprint. These engagements identify which AI-supported workflows within the Compliance function — regulatory horizon-scanning, gap analysis, client due-diligence review, policy drafting — carry the highest hallucination exposure in the jurisdictions where the firm operates, and set out practical controls proportionate to the risk each workflow presents.
RLB can also conduct a confidential review of the firm's existing AI-use policy against the RegLeg failure-mode catalogue, producing a prioritised remediation plan that the Compliance team can action within its normal governance cycle.
For teams building internal capability, RLB develops training material and CPD-aligned content designed for Compliance professionals rather than technologists. The content focuses on recognising hallucination patterns in AI output, applying appropriate verification discipline at each stage of a workflow, and embedding those habits within the team's existing quality-assurance and second-line oversight frameworks. Delivery can be structured to satisfy continuing professional development requirements across the main professional bodies relevant to compliance practice in international corporate banking jurisdictions.