Executive Summary
Compliance teams at Corporate Banking firms operating across international jurisdictions are increasingly turning to AI tools to track ISO 20022 adoption progress — whether assessing counterparty readiness across correspondent networks, scoping their firm's own migration timeline against emerging market benchmarks, or advising business lines on cross-border payment infrastructure gaps. On CPMI's Harmonised ISO 20022 Data Requirements for Enhancing Cross-Border Payments - Updated Report, AI tools produced material factual errors on at least one directly operational question.
The failure we identified is an exposed fabrication: the AI initially delivered a confident, precise-sounding figure, then — when pressed — admitted it had reconstructed that figure and likely conflated distinct statistics across system types and time periods. For a Compliance function, that class of failure is particularly hazardous: the AI does not flag uncertainty upfront; it presents a fabricated synthesis as CPMI-sourced data, leaving the team to discover the problem only if they happen to interrogate it.
How AI gets this regulation wrong
The AI failure on this regulation is a confident conflation: the model collapsed two materially different adoption statistics into a single, clean-looking number, and attributed that number to CPMI monitoring data as if it were a direct citation. The table below maps how that failure mode manifests against the specific question asked — and what the AI's own admission, when challenged, reveals about the reliability of its initial response.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#1 |
What that means for your team
For Compliance at a Corporate Banking firm, a wrong adoption figure is not merely an academic inaccuracy — it flows directly into deliverables: correspondent network readiness assessments, internal migration gap analyses, and regulatory responses that rely on a correctly calibrated picture of where RTGS infrastructure sits globally. The table below maps where in the Compliance workflow that wrong number would land and what it costs the firm to rely on it.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects your department
Compliance at a Corporate Banking firm consults this regulation across several live workstreams. The most operationally sensitive is correspondent banking due diligence: when your firm needs to assess whether a correspondent's payment infrastructure is ISO 20022-capable — for AML data-field enrichment, sanction screening depth, or cross-border transparency obligations — the baseline adoption picture across RTGS systems globally sets the floor for what you can reasonably expect from counterparties in different jurisdictions.
An inflated RTGS adoption figure leads directly to optimistic assessments of correspondent readiness, which in turn affects remediation timelines, correspondent relationship decisions, and the adequacy of your firm's own compensating controls where gaps exist.
The second high-exposure scenario is internal migration scoping. Senior Compliance ownership of ISO 20022 roll-out typically requires defending a position on where your firm's own RTGS connectivity sits relative to the global curve — to the Board, to the home regulator, and to internal audit. If the benchmark figure the team is working from is materially wrong (overstating RTGS adoption by a wide margin), the firm's timeline looks compliant against a fictional industry standard rather than the actual one.
Regulators with CPMI alignment — and that includes the PRA, FINMA, MAS, and others whose own payment system operators are in active migration — will hold the firm to the actual number.
A third exposure point is business line advisory. Treasury and transaction banking colleagues regularly ask Compliance to sense-check product feasibility questions tied to payment rail capability. If the ISO 20022 RTGS adoption figure fed into a product readiness assessment or a client-facing SLA commitment overstates market penetration, Compliance has signed off on a position the firm cannot operationally defend when it encounters non-ISO-20022-capable RTGS counterparts in the network.
The findings at a glance
The finding below captures the AI failure we identified when testing questions that a Compliance team at a Corporate Banking firm would routinely ask of AI tools when working with this CPMI regulation.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | ISO 20022 RTGS vs FPS adoption rate conflation | Hallucination | RLB-F-INT-BIS-CPMI-ISO-20022-HARMONISATION-UPDATED-2026-Q006 |
Aggregate impact
The single finding on this regulation reveals a failure pattern that is easy to miss precisely because it doesn't look like a failure: the AI produces a precise, plausible percentage figure with an implicit attribution to CPMI monitoring data. The actual CPMI-sourced position — as stated in an Andrew Bailey speech drawing on that monitoring — distinguishes sharply between faster payment systems (more than three-quarters using ISO 20022) and RTGS systems (approaching half).
The AI collapsed those two into one number, "approximately 79% of both," a figure that materially overstates RTGS adoption and misrepresents the asymmetry the CPMI data actually shows.
That asymmetry is not incidental. For Corporate Banking Compliance, RTGS is the operationally dominant rail: large-value cross-border corporate flows, intraday liquidity management, correspondent settlement — all of this runs on RTGS. A figure that implies RTGS is nearly as far along in ISO 20022 adoption as faster payment systems distorts the very comparison the team needs to make when assessing counterparty gaps, timeline realism, and compensating control design.
The actual ~50% RTGS figure leaves a much larger portion of the correspondent network in a pre-ISO-20022 state, which has direct implications for AML data quality and sanctions screening depth on affected payment corridors.
The exposed fabrication failure mode adds a second layer of risk specific to Compliance workflows: the error was only surfaced when the AI was pressed on its source. In a normal Compliance team workflow — drafting a gap analysis, populating a board paper, responding to a regulator's thematic question — the junior analyst is unlikely to challenge a confident, precise-sounding figure that the AI presents as reflecting CPMI data. The AI's own admission that the figure was "reconstructed" and "likely conflated across years" does not appear in its initial response; it takes active interrogation to extract.
Standard quality-assurance controls do not include retesting every AI-provided statistic by adversarial follow-up.
What your team should do
The default position for any CPMI adoption-progress question is: go to the primary source. The BIS website publishes CPMI monitoring reports and committee speeches as open PDFs, and the specific figure at issue here — the differential adoption rates for faster payment systems versus RTGS — appears in a named speech with a precise date. For questions where a single CPMI-cited statistic will be reproduced in a board paper, regulatory response, or correspondent assessment, thirty seconds on bis.org to pull the source document is the only acceptable quality gate.
AI tools should not be the terminal source for regulatory data points that will be attributed to a specific regulator.
Where AI is safe for Compliance on this regulation is in structural and procedural work: mapping data field requirements against your existing payment message specs, drafting internal FAQ language around ISO 20022's structured versus unstructured address fields, or summarising the general architecture of the CPMI harmonisation framework for induction materials. These uses don't hinge on precise adoption figures and don't carry the same risk of a confident fabrication propagating into a deliverable.
The process safeguard for this specific risk class is straightforward: any AI-sourced statistic attributed to a named CPMI publication or speech must be verified against that document before it enters a deliverable. The best way to implement this in a Compliance function is to treat AI-provided regulatory statistics the same way you treat any unverified secondary source: useful for orientation, inadmissible without a primary citation check.
Given that the AI's error here was only exposed under direct challenge — and given that it admitted to reconstructing the figure — teams should not assume that an AI response which sounds authoritative has been drawn from a real source.
How RLB Can Help
RegLeg's published Hallucination Research is available as a free reference that Compliance teams at Corporate Banking firms can use as a pre-flight check before placing reliance on AI-assisted output for regulatory questions. The research maps documented failure modes — misquoted rule text, phantom obligations, outdated supervisory guidance — across the regulatory domains most relevant to corporate banking, giving Compliance practitioners a concrete basis for calibrating how much confidence to place in any AI tool's answer before it feeds into advice, policy, or a regulatory submission.
Beyond the published material, RLB works directly with Compliance functions to produce bespoke regulator deep-dives tailored to the firm's specific operational footprint. These engagements identify which AI-supported workflows within the Compliance function — regulatory horizon-scanning, gap analysis, client due-diligence review, policy drafting — carry the highest hallucination exposure in the jurisdictions where the firm operates, and set out practical controls proportionate to the risk each workflow presents.
RLB can also conduct a confidential review of the firm's existing AI-use policy against the RegLeg failure-mode catalogue, producing a prioritised remediation plan that the Compliance team can action within its normal governance cycle.
For teams building internal capability, RLB develops training material and CPD-aligned content designed for Compliance professionals rather than technologists. The content focuses on recognising hallucination patterns in AI output, applying appropriate verification discipline at each stage of a workflow, and embedding those habits within the team's existing quality-assurance and second-line oversight frameworks. Delivery can be structured to satisfy continuing professional development requirements across the main professional bodies relevant to compliance practice in international corporate banking jurisdictions.