Executive Summary
Risk teams at Corporate Banking firms operating across international jurisdictions consult CPMI's API Harmonisation recommendations to scope cross-border payment exposure, benchmark internal fast-payment infrastructure assessments, and contextualise client-facing briefings against the global FPS landscape. Across one aggregated question tested on this regulation, AI tools produced a materially wrong answer — misquoting the authoritative CPMI data on the global population of domestic fast payment systems and the operational breakdown between central bank and privately operated schemes.
The failure mode was confident fabrication: AI tools initially presented an internal survey-sample count as the global universe figure, and when pressed, either retracted or revealed they had silently omitted data that is explicitly in public CPMI source material. For a Risk function preparing market intelligence or supporting new cross-border product builds, a briefing grounded in that error would misrepresent the regulatory and competitive landscape to senior stakeholders and counterparties.
How AI gets this regulation wrong
The failure pattern on this regulation is one of confident misstatement followed by retraction under challenge — AI tools presented internally inconsistent figures as authoritative CPMI data, and only walked them back when questioned directly. In some cases the AI omitted data points that are explicitly available in public CPMI sources, effectively fabricating an absence of information where no gap exists. The table below maps those failures to the specific failure mode categories.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Exposed Fabrication | 1 | Finding#1 |
What that means for your team
For Risk teams at Corporate Banking firms, the dominant exposure here is producing a wrong deliverable — a market briefing, product scoping note, or regulatory landscape summary that carries materially incorrect CPMI data to internal decision-makers or external counterparties. The risk does not materialise as a direct regulatory breach; it materialises as reputational and commercial damage when the firm's stated understanding of the cross-border FPS landscape is contradicted by the public record. The table below maps each finding to its practical impact category.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects your department
Risk teams at Corporate Banking firms reach for CPMI's API Harmonisation Recommendations most commonly when scoping the firm's cross-border payments strategy — assessing whether the global fast-payment infrastructure is mature enough to underpin new product builds, pricing corridors, or correspondent banking rationalisation decisions. That scoping work feeds directly into first-line risk opinions, NPA submissions, and the market-context sections of board-level payments strategy papers.
If the CPMI data underpinning that context is wrong, the risk opinion is built on a false premise — and the business line or product owner relying on it has no easy way to check it without going back to the primary source.
A second common touchpoint is regulatory horizon scanning. In international jurisdictions, Risk teams are expected to map emerging CPMI standards against the firm's existing cross-border payment infrastructure and flag where gaps could attract supervisory scrutiny or generate client disputes. The cross-border linkage count — how many domestic FPS have already enabled cross-border exchanges, and how many plan to within five years — is exactly the kind of statistic that ends up in regulatory gap analyses, supervisory dialogue submissions, and risk committee MI packs.
An AI tool that substitutes a survey-sample count for the global universe figure will cause that MI to understate the scale of the shift already underway.
The operational stake is sharpest when a junior Risk analyst is tasked with drafting the landscape section of a client-facing briefing or a new-product risk assessment on a tight timeline. They will query an AI tool, get a confident numerical answer with an apparently credible source attached, and incorporate it without cross-checking the primary CPMI speech. That briefing then circulates to the client or to the investment committee. The correction, when it surfaces, requires a reissue — with the reputational cost that carries for a function whose credibility rests on getting the regulatory facts right.
The findings at a glance
The table below shows each question tested on this regulation, what AI tools said, and the outcome — use it to see exactly where the failure occurred and what a Risk team member would have taken away if they had not checked the primary source.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | CPMI global FPS count and operator-type breakdown | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q010 |
Aggregate impact
The single finding on this regulation reveals a failure pattern that is particularly dangerous in a Risk function context: AI tools conflated two distinct CPMI data constructs — the survey-sample size and the global universe count — and presented the former as the latter with full apparent confidence. The CPMI November 2023 speech by Tara Rice is explicit: 70+ domestic fast payment systems are currently operational globally; 14 have already enabled cross-border exchanges; 24 are planning linkages within five years; and the operational split is 40% central bank, 35% private.
An AI tool that substitutes "57 systems surveyed" for "70+ operational globally" is not making an ambiguous inference — it is presenting the wrong number for a well-documented statistic that sits in public CPMI material.
The second dimension of the failure compounds the first. One AI tool correctly reproduced the 70+, 14, and 24 figures — but then falsely asserted that the central bank/private operator split was unavailable in public CPMI sources. That is not a gap in the record; it is a gap the AI tool created by scoping its search incorrectly and then reporting the absence as fact.
For a Risk team member assembling a landscape brief, this is the more insidious failure: the first half of the response appears correct and builds trust, so the second half — with its fabricated unavailability claim — is likely to pass unquestioned.
Taken together, the pattern points to a specific systemic risk for Corporate Banking Risk teams: AI tools perform unreliably on CPMI statistical landscape data, particularly when the question spans multiple data points from a single authoritative source. A Risk function that uses AI tools to populate market context sections of regulatory deliverables without mandatory primary-source verification will intermittently circulate materially wrong CPMI figures — and the error will often not be visible without going back to the speech or report itself.
What your team should do
The default position for Risk teams on CPMI statistical landscape data should be: AI tools are not a reliable primary source for CPMI quantitative metrics, and any figure that comes out of an AI query on fast payment system counts, cross-border linkage status, or operator type breakdowns must be verified against the CPMI speech or report directly before it enters a deliverable. That is not a general "AI can be wrong" caveat — it is a specific instruction based on observed failure: AI tools have been tested on this exact question type and produced wrong numbers.
The BIS website (bis.org) and the CPMI speeches and monitoring reports published there are the authoritative check.
Practical safeguard: treat AI output on CPMI landscape statistics the same way the function treats unverified broker research — useful for framing and direction, but not citeable until checked. For market briefings, regulatory gap analyses, and NPA submissions that reference the global FPS landscape, build a one-step verification step into the drafting workflow: the analyst who uses an AI tool to draft the landscape section must pull the specific CPMI publication cited and confirm each statistic matches.
Where the AI tool asserts that data is "unavailable" or "not enumerated in public sources", treat that as a flag to search harder, not as confirmation of a gap — the failure pattern here is precisely AI tools asserting data absence where the data exists.
Where AI tools remain useful in this regulation's context: drafting the analytical framing around confirmed statistics, summarising the structural recommendations in the API Harmonisation Toolkit for internal policy purposes, and identifying which sections of the CPMI report are most relevant to a specific product or corridor question. The risk is concentrated in quantitative landscape claims — not in the qualitative architecture recommendations, which are less susceptible to this type of misstatement. Use AI to navigate the document and frame the analysis; use primary sources to supply the numbers.
How RLB Can Help
RegLeg's published Hallucination Research gives your Risk team a concrete pre-flight check before placing operational weight on AI-generated regulatory analysis. Rather than running blind into a Capital Markets or Credit Risk workflow that quietly relies on a model's confident-but-wrong reading of a prudential standard, you can pull the relevant regulation from our research library and see exactly where AI assistants have misfired on that text — wrong thresholds, inverted scope conditions, attribution to superseded guidance. That's the same class of error that creates real exposure when it lands inside an RWA calculation memo or a counterparty risk exception sign-off.
Beyond the published catalogue, we work directly with Risk teams to map your function's AI-supported workflows against RegLeg's failure-mode taxonomy. Corporate Banking Risk is not a generic use case: the hallucination profile for a Basel III leverage-ratio tool differs materially from one supporting ISDA CSA enforcement or correspondent-banking AML screening. We scope the engagement to the workflows that matter — credit approval chains, regulatory reporting pipelines, internal model validation support — and return a prioritised view of where AI assistance is carrying the highest unverified exposure.
That work is specific enough to feed directly into your control framework, not just a risk register narrative.
We also review your firm's existing AI-use policy against the failure patterns we've documented, with a gap analysis structured around the specific regulatory domains your Risk function operates in across jurisdictions. Where the policy has blind spots — categories of AI-assisted output that aren't subject to human review calibrated to the hallucination risk — we flag and prioritise remediation.
For teams that need to take the findings further internally, we can produce training material and CPD-aligned content calibrated to your Risk team's level: not a primer on what AI is, but a working guide to which failure modes your analysts should be checking for, in the context of the regulatory frameworks they operate under every day.