Executive Summary
Legal teams at Corporate Banking firms advising on cross-border payment API connectivity rely on CPMI's 2024 Recommendations and Toolkit to scope obligations, map stakeholder responsibilities across the 10 recommendations, and anchor jurisdictional compliance advice. Across two substantive questions tested on this publication, AI assistants hallucinated on both — a 100% failure rate on material regulatory content.
The failures were not peripheral: AI tools misidentified which central bank CPMI explicitly names as its operational partner on the payment pre-validation API recommendation, substituting a different jurisdiction entirely and fabricating supporting source material, and separately produced confident stakeholder-by-recommendation breakdowns that had no grounding in any accessible regulatory text and which the AI itself could not defend under follow-up challenge.
For a Legal team advising internal business lines or clients with cross-border payment exposures, both failures produce deliverables that are wrong at the point of use — jurisdictional scoping memos, obligation matrices, and counterparty due-diligence assessments that mis-state the regulatory position.
How AI gets this regulation wrong
The AI failures on this regulation fall into two distinct patterns: an AI that invented a factual position about which central bank is named in a specific CPMI publication, and an AI that delivered confident stakeholder assignments across the 10 recommendations with no evidentiary basis — and retracted them under pressure. Both represent failures of direct factual authority, not interpretation: the AI was wrong about what the published text says, and in one case fabricated a source to support the wrong answer. The table below sets out the breakdown.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#2 |
| Misstated Rule | 1 | Finding#1 |
What that means for your team
Both failures map to the same risk category: a wrong deliverable reaching internal or external stakeholders — a jurisdictional memo that mis-states the CPMI implementation landscape, or an obligation matrix that assigns responsibilities across the 10 recommendations incorrectly. For Legal teams in Corporate Banking, the downstream harm is asymmetric: a wrong-jurisdiction answer on pre-validation API partnerships shapes client advice and counterparty negotiating positions; a wrong stakeholder map shapes the firm's own compliance architecture for cross-border products. The table below maps each finding to its impact category.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 2 | Finding#1 · Finding#2 |
When this affects your department
Legal teams at Corporate Banking firms use CPMI's API harmonisation framework in at least three recurring contexts. First, when a business line wants to launch or expand a cross-border payment product — treasury management, correspondent banking, intra-group FX settlement — Legal maps which of the 10 recommendations bind the firm directly, which bind counterparties (payment system operators, correspondent banks, infrastructure providers), and which are aimed at standards bodies or public authorities.
Getting that stakeholder map wrong means the firm either over-scopes its own compliance obligations or — more dangerously — fails to impose the right contractual obligations on suppliers and counterparties in API connectivity agreements. Second, when the firm is advising a client with regulatory exposure in a jurisdiction that has adopted or is piloting CPMI recommendations, Legal needs to know which central banks are actively implementing specific recommendations and whether any bilateral CPMI collaboration arrangements exist that affect the client's regulatory timeline or obligations.
Third, when supporting internal audit or a regulatory review of the firm's API governance framework, Legal needs to accurately characterise the state of CPMI implementation — including which jurisdictions are in active pilot — to anchor the firm's assessment of its own alignment.
In all three contexts, an AI answer that is wrong at the level of published CPMI text creates a deliverable that cannot be corrected internally before it causes damage. A scoping memo that attributes CPMI's pre-validation API partnership to the wrong central bank shapes client advice that may be wrong about implementation timelines and obligations in that client's home jurisdiction.
A stakeholder matrix built on AI-invented category assignments — rather than the actual recommendation text — produces a compliance architecture with structural gaps: the firm treats itself as a primary obligant where it is not, or fails to impose supplier obligations where it should. Neither error is recoverable from a junior's first-pass AI query without a manual review against the primary source, and Legal teams that have relied on AI-assisted first drafts rarely budget that review as a separate step.
The findings at a glance
Both findings tested on this regulation resulted in hallucinations — the table below sets out the specific question area, the shape of the AI failure, and the risk impact for a Legal team in Corporate Banking.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | SARB pre-validation partnership misidentified | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007 |
| 2 | Stakeholder map fabricated then retracted | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008 |
Aggregate impact
Both failures on this regulation are errors of factual authority — not errors of interpretation or judgment. The AI tools were not struggling with ambiguous text or contested regulatory positions; they were wrong about what a published CPMI document explicitly states. That matters for Legal teams because the standard defence against AI error ("we used it as a starting point, not as advice") does not hold when the AI has invented a factual claim about a named regulatory partner and fabricated a supporting source URL, or produced a stakeholder breakdown it cannot substantiate and retracts under challenge.
Neither failure is the kind that a competent junior would flag as obviously uncertain — both were delivered with confidence.
The errors cluster on two areas that Legal teams in Corporate Banking treat as foundational when scoping cross-border payment obligations: who is named in the framework as an implementation partner or pilot jurisdiction, and which stakeholder category bears which recommendation. These are exactly the questions Legal teams outsource to research because the answers appear to be straightforward lookups in a published document.
The compounding risk is that the CPMI Recommendations and Toolkit is a relatively recent publication (2024), meaning AI training data on the detailed implementation landscape — including CPMI Brief No. 9 from November 2025 naming SARB — is at or beyond the boundary of most AI tools' knowledge, producing confidently wrong answers without any flagging of uncertainty.
For a Corporate Banking Legal function advising on cross-border API product launches or correspondent banking infrastructure, the systemic risk is that AI-assisted research accelerates the drafting pipeline while degrading its accuracy on exactly the questions that most need to be right: jurisdictional implementation status and obligation scope.
An obligation matrix built on AI-invented stakeholder assignments, or a client memo that misidentifies the CPMI-SARB partnership as a Bank of England arrangement, does not fail at review — it fails downstream, when the client or counterparty finds the error, or when the regulatory position it was built on turns out to be wrong.
What your team should do
The default position for Legal teams using AI on this regulation should be: do not use AI to establish which central banks or jurisdictions are named as CPMI implementation partners, and do not use AI to produce a stakeholder-by-recommendation breakdown of the 10 recommendations. Both are factual lookups that require the primary source — CPMI Brief No. 9 (November 2025) and the Recommendations and Toolkit text itself — and AI tools have demonstrably failed on both, including fabricating source material to support the wrong answer.
Any memo or matrix that relies on AI for these claims needs a manual primary-source check before it leaves Legal.
The practical safeguard is a two-step protocol for any AI-assisted research on this regulation: first, use AI to identify the relevant CPMI publications and their publication dates; second, read the primary sources directly for any factual claim about named partners, named jurisdictions, or specific recommendation-level obligations. AI is reasonably safe for structural work — summarising the broad architecture of the 10 recommendations, identifying the general categories of stakeholder the framework addresses, or flagging which jurisdictions have adopted similar API harmonisation initiatives in general terms.
It is not safe for precision claims about CPMI's stated implementation partnerships or the specific stakeholder targeting of individual recommendations, both of which have now produced hallucinations in testing.
For teams advising clients with South African, UK, or other G20 jurisdiction exposure, the specific risk is that AI tools may substitute the wrong central bank for SARB in a named CPMI collaboration, or fail to surface the SARB partnership at all — producing advice that is wrong about the jurisdictional implementation status of the pre-validation API recommendation. That error is material if the client's regulatory timeline or API connectivity obligations depend on SARB's active role. Flag this as a known AI blind spot in any research protocol or matter-opening checklist for CPMI API harmonisation work.
How RLB Can Help
RegLeg's published Hallucination Research gives Corporate Banking Legal teams a concrete pre-flight check before placing weight on AI-assisted regulatory analysis. Rather than relying on internal validation alone, you can cross-reference AI output against a documented catalogue of failure modes — specific instances where AI tools have misrepresented scope, inverted obligations, or confabulated enforcement thresholds across the regulatory frameworks your team works with daily.
That's a faster and more defensible due-diligence step than building your own test suite from scratch, and it gives Legal a defined evidentiary basis for where AI output can be trusted and where independent counsel or a primary-source read is non-negotiable.
Beyond the published research, RegLeg works with Corporate Banking Legal functions to map their specific AI-supported workflows against the hallucination risk profile for the regulatory perimeter they operate in — cross-border capital requirements, sanctions screening obligations, loan documentation standards, and the cross-jurisdictional licensing frameworks that sit at the intersection of prudential and commercial regulation. The output is a prioritised exposure map: which workflows carry material hallucination risk, where the failure modes tend to cluster (entity mis-scoping, numeric threshold drift, temporal applicability errors), and which regulatory instruments have the densest documented failure history.
That scoping exercise informs how Legal allocates human review time and where AI reliance caps should sit.
Where a firm already has an AI-use policy in place, RegLeg can run a confidential review against our failure-mode catalogue to surface gaps — particularly around regulatory research, contract review, and compliance sign-off workflows where Legal teams have the most exposure if AI output is wrong. We can also develop training material and CPD-aligned content calibrated for Legal professionals in Corporate Banking: not generic AI literacy, but practitioner-level material on how specific failure modes manifest in regulatory contexts your team actually encounters, and what a sound review protocol looks like when AI is part of the workflow.