Executive Summary
The Principles for Financial Market Infrastructures (PFMI), jointly published by the Bank for International Settlements' Committee on Payments and Market Infrastructures (CPMI) and IOSCO, is the global benchmark standard for the design, operation, and oversight of systemically important financial market infrastructures — including central counterparties, payment systems, and securities settlement systems. Compliance teams at Corporate Banking firms in international jurisdictions routinely rely on the PFMI to assess counterparty risk exposures, structure internal policies aligned with infrastructure participation requirements, and support business lines that interact with or operate through FMIs.
Across the questions we tested, AI tools produced one aggregated finding on this regulation — a blind spot rather than a fabrication. When asked to retrieve verbatim text, exact thresholds, or cross-references from the IOSCO co-published version of the PFMI, AI assistants were unable to access or reproduce that content, even with web search enabled. The AI tools honestly acknowledged this limitation rather than inventing text, which is notable — but the practical result is the same: a Compliance team relying on AI for verbatim regulatory language from this publication would receive no usable answer.
The risk to the firm lies not in receiving a confidently wrong answer, but in receiving an incomplete one and not realising that the canonical co-published text may contain details — cross-references, specific thresholds, or IOSCO-specific annotations — that differ in material ways from secondary summaries the AI can access.
How AI gets this regulation wrong
The table below maps how AI tools failed when tested against the PFMI. For this regulation, the dominant failure was not invented content but a retrieval gap: AI assistants were unable to access the primary regulatory document in its canonical form, leaving questions about verbatim text unanswered even when the tools attempted web-assisted searches.
Understanding this failure pattern matters for Compliance workflows because a "no answer" outcome can be just as operationally disruptive as a wrong one — particularly when the task requires quoting or cross-referencing the official publication directly.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Blind Spot | 1 | Finding#1 |
What that means for your team
The table below translates the AI failures identified in this cell into operational risk categories for Compliance teams at Corporate Banking firms. For the PFMI, the primary risk is delivering a wrong or incomplete work product — for example, a policy document, regulatory mapping, or due-diligence brief that cannot be verified against the canonical regulatory text because the AI was unable to retrieve it.
This risk is particularly acute in international contexts, where Corporate Banking Compliance teams may be supporting multiple business lines whose FMI-related obligations are calibrated against specific PFMI thresholds and cross-references that must be quoted, not paraphrased.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects your department
Compliance teams at Corporate Banking firms engage with the PFMI across a range of recurring tasks. At the broadest level, teams use the Principles when assessing a firm's direct or indirect participation in financial market infrastructures — central counterparties, payment systems, central securities depositories, and trade repositories — and when mapping the firm's risk management obligations against the standards those infrastructures are required to meet. This is especially relevant for international operations, where the firm may interface with multiple FMIs across different jurisdictions, each supervised against the PFMI framework by their respective national authorities.
More specific engagements include: drafting internal policies governing access to and use of clearing and settlement services; supporting new product approvals that involve routing transactions through an FMI; conducting due diligence on FMI counterparties during onboarding or periodic review; and preparing regulatory mapping documents that link PFMI principles to local implementing rules. Training material development is another common use case — explaining to business line staff what the PFMI requires of the FMIs they rely on, and what that implies for the firm's own risk exposure.
If AI tools cannot accurately retrieve the canonical PFMI text, any of these outputs may be built on an incomplete foundation. A policy document that paraphrases PFMI requirements rather than quoting them precisely can misstate obligations in ways that only become visible during a regulatory examination or an incident. In international jurisdictions, where regulators increasingly benchmark their supervisory expectations directly against PFMI language, a Compliance team that cannot verify its work against the primary source carries a latent gap that could prove costly at examination time.
The findings at a glance
The table below summarises each finding from our testing of AI tools on the PFMI, showing the question area, the type of failure, and the risk it presents for Compliance teams at Corporate Banking firms in international jurisdictions.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Verbatim PFMI text inaccessible to AI tools | Blind spot | RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q026 |
Aggregate impact
The single finding in this cell points to a document-access gap rather than a reasoning failure. AI tools tested on the PFMI were unable to retrieve the verbatim contents of the IOSCO co-published version of the document — the primary source for the regulation — even when web search was available. Instead of producing incorrect text, the AI tools correctly recognised their limitation and declined to fabricate.
That honesty, while commendable, does not close the gap: a Compliance team that needs the exact wording of a PFMI principle, a specific threshold, or a cross-reference to an annex cannot use an AI response that simply reports inability to retrieve it.
The risk profile this creates for Corporate Banking Compliance teams in international jurisdictions is concentrated at the point where AI-assisted research is expected to produce a deliverable — a regulatory mapping, an internal policy brief, a due-diligence summary. In each case, if the team cannot verify AI-generated summaries of PFMI requirements against the canonical source, the deliverable may rest on paraphrased or secondary-source language that is subtly inaccurate.
The PFMI is a detailed, technically precise document; the difference between an AI's summary of a principle and the principle's exact text can matter when that text is referenced in a supervisory examination or a contract governing FMI access.
For international teams, this gap compounds because the PFMI has been adopted and transposed differently across jurisdictions. Teams comparing the PFMI's original language against local implementing rules need access to both, and an AI tool that cannot retrieve the primary PFMI text is less useful for the cross-jurisdictional mapping work that is central to international Corporate Banking Compliance.
What your team should do
The default position for Compliance teams at Corporate Banking firms should be to treat AI tools as unsuitable for retrieving or quoting verbatim text from the PFMI's canonical publication. For any work product that requires accurate citation of specific PFMI language — policy documents, regulatory mapping exercises, examination responses — the team should obtain the text directly from the CPMI or IOSCO publication and verify it independently. This is not a temporary workaround; it reflects a structural limitation in how general-purpose AI tools interact with binary PDF documents that are not freely indexable at the paragraph level.
Practical safeguards for this regulation include: maintaining a curated internal reference library that contains the authoritative CPMI-IOSCO publication alongside local transpositions; requiring a source-check step in any compliance work product that cites PFMI principles before the document is finalised; and briefing business line staff that AI-generated summaries of PFMI requirements should not be treated as authoritative without a manual cross-reference to the primary source. For multi-jurisdiction mapping work, the team should build and maintain jurisdiction-specific annexes that link PFMI principles to local rules, updated from primary sources rather than AI outputs.
AI tools remain useful within this workflow for tasks that do not require verbatim accuracy: summarising the conceptual structure of the PFMI, identifying which principles are likely to apply to a given product type, drafting first-pass training material for business line audiences, or generating a list of questions for a subsequent manual research pass. Used at that level of abstraction — as a starting point rather than a source — AI assistants can reduce research time without introducing the risks that arise when their verbatim-access limitations are not recognised.
How RLB Can Help
RegLeg's published Hallucination Research is available as a free reference that Compliance teams at Corporate Banking firms can use as a pre-flight check before placing reliance on AI-assisted output for regulatory questions. The research maps documented failure modes — misquoted rule text, phantom obligations, outdated supervisory guidance — across the regulatory domains most relevant to corporate banking, giving Compliance practitioners a concrete basis for calibrating how much confidence to place in any AI tool's answer before it feeds into advice, policy, or a regulatory submission.
Beyond the published material, RLB works directly with Compliance functions to produce bespoke regulator deep-dives tailored to the firm's specific operational footprint. These engagements identify which AI-supported workflows within the Compliance function — regulatory horizon-scanning, gap analysis, client due-diligence review, policy drafting — carry the highest hallucination exposure in the jurisdictions where the firm operates, and set out practical controls proportionate to the risk each workflow presents.
RLB can also conduct a confidential review of the firm's existing AI-use policy against the RegLeg failure-mode catalogue, producing a prioritised remediation plan that the Compliance team can action within its normal governance cycle.
For teams building internal capability, RLB develops training material and CPD-aligned content designed for Compliance professionals rather than technologists. The content focuses on recognising hallucination patterns in AI output, applying appropriate verification discipline at each stage of a workflow, and embedding those habits within the team's existing quality-assurance and second-line oversight frameworks. Delivery can be structured to satisfy continuing professional development requirements across the main professional bodies relevant to compliance practice in international corporate banking jurisdictions.