AI on Guidance on Cyber Resilience for Financial Market Infrastructures for Compliance teams at Investment Banking firms in international jurisdictions
Executive Summary
The CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (2016) is the foundational international standard that sets cyber resilience expectations for financial market infrastructures — and, by extension, shapes the compliance obligations of investment banks that interact with or are themselves subject to FMI-equivalent oversight across international jurisdictions. Compliance teams routinely consult AI tools to understand whether this guidance remains current, what it requires, and how it aligns with domestic regulatory expectations. Across the 2 questions put to AI tools on this regulation, AI tools produced a hallucination in every case. Both failures followed the same pattern: AI tools confidently stated the 2016 guidance remains the operative, unrevised international standard — when in fact CPMI-IOSCO published a consultative document for updated guidance in May 2026, placing the 2016 text under active revision. A Compliance team acting on these responses would be working from a materially outdated regulatory baseline at precisely the moment the standard is changing.
How AI gets this regulation wrong
Every failure on this regulation shares the same root: AI tools presented outdated information as current fact, treating the 2016 guidance as a settled, unrevised standard when the regulatory landscape had materially changed. The table below breaks down how that pattern of presenting outdated information played out across the questions tested on this regulation.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| AI gave outdated information as if it were current | 2 | Finding#1, Finding#2 |
What that means for your team
For a Compliance team at an investment banking firm operating across international jurisdictions, the risk here is concentrated in regulatory enforcement exposure: acting on an AI-supplied answer that misrepresents the currency of the applicable standard means internal policies, board-level reporting, and counterparty assessments could all be calibrated to a version of the rule that regulators no longer regard as current. The table below maps the risk impact categories across this regulation's findings.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 2 | Finding#1, Finding#2 |
When this affects your department
Compliance teams at international investment banks encounter the CPMI-IOSCO Cyber Resilience Guidance in several operational contexts. They use it to benchmark internal cyber resilience frameworks against international expectations, to assess the cyber risk posture of FMI counterparties (central counterparties, trade repositories, payment systems) that the bank relies upon for clearing and settlement, and to respond to regulatory enquiries from home and host supervisors who treat the CPMI-IOSCO standard as the authoritative reference. When a new product or market is being assessed — for instance, a new jurisdiction's central clearing infrastructure — the Compliance function is expected to advise whether that jurisdiction's FMI meets internationally accepted cyber resilience standards. In each of these contexts, the team may use AI tools as a first-pass research resource to confirm whether the 2016 guidance remains current and what its key requirements are.
If the AI tool's answer is wrong — specifically if it states the guidance is settled and unrevised when the regulatory body has in fact opened a public consultation on updated guidance — the downstream consequences are tangible. Internal cyber risk frameworks calibrated to the 2016 text may not reflect incoming expectations. Board risk appetite statements and regulatory attestations that reference the "current CPMI-IOSCO standard" become misleading if the standard is in the process of being replaced. Due-diligence assessments of FMI counterparties will be conducted against a benchmark that is actively under revision. In international jurisdictions where local regulators transpose or reference the CPMI-IOSCO guidance, supervisory conversations will proceed on a false premise about the stability of the applicable standard.
The reputational and regulatory stakes are heightened precisely because this is a cyber resilience standard: supervisors regard it as a foundation of systemic stability, not merely a technical compliance matter. An investment bank that signals — through its submissions, policies, or counterparty assessments — that it does not know the standard is under active revision risks being seen as inattentive to a category of risk that regulators are actively re-examining. Remediation, once identified, requires re-running due diligence, revising internal policies, and potentially re-engaging with counterparties — all at significant cost.
The findings at a glance
The table below summarises each finding on this regulation — what the AI tool was asked, what it said, and what the regulator's position actually is.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | Currency of 2016 CPMI-IOSCO cyber resilience standard | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022 |
| 2 | Active revision of 2016 CPMI-IOSCO cyber resilience guidance | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022 |
Aggregate impact
Both findings on this regulation cluster around a single, high-consequence question: is the 2016 CPMI-IOSCO guidance still the live standard? That both AI tools tested — independent of each other — gave the same incorrect answer underscores that this is not an isolated failure. Each tool stated with confidence that the guidance "has not been formally revised or superseded." The BIS press release announcing a consultative document for updated guidance was published on 6 May 2026 — 22 days before the assessment date. AI tools did not capture this development, and neither flagged any uncertainty about whether the guidance might have been updated recently.
For a Compliance team at an international investment bank, the systemic risk is that the firm's entire cyber resilience compliance posture — including its assessment of FMI counterparties and its engagement with international supervisors — could be anchored to a standard the relevant committee has publicly signalled it is revising. The confidence with which AI tools delivered the incorrect answer is particularly hazardous: a response that says "I am uncertain whether this has been revised recently" invites verification; a response that says "it has not been formally revised" forecloses it.
The concentration of all failures on a single topic — the currency of the standard itself — means this is not a diffuse risk spread across multiple provisions of the guidance. It is a targeted risk that strikes at the most fundamental question a Compliance team would ask when picking up this regulation: is this the document I should be working from? The answer AI tools gave is wrong, and acting on it would cause the firm to proceed on a false baseline across every downstream use of the regulation.
Findings
Hallucinations (2)
Finding#1 — Currency of 2016 CPMI-IOSCO cyber resilience standard
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022
- AI's failure: AI gave outdated information as if it were current
- Risk for Compliance at Investment Banking: Direct supervisory finding against the compliance function; section-166-style skilled person review possible
Finding#2 — Active revision of 2016 CPMI-IOSCO cyber resilience guidance
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022
- AI's failure: AI gave outdated information as if it were current
- Risk for Compliance at Investment Banking: Direct supervisory finding against the compliance function; section-166-style skilled person review possible
What your team should do
The default position for Compliance teams at international investment banks should be: never use AI tools as the sole source of truth for whether an international standard remains current. Standards bodies such as CPMI-IOSCO publish press releases, consultation papers, and revised guidance directly on the BIS website (bis.org). A direct check of the relevant section of the BIS website — which takes minutes — is the appropriate first step before any compliance work is anchored to a document like the 2016 cyber resilience guidance. The findings here demonstrate that even AI tools with web-search capability failed to surface a press release published only weeks before the assessment.
For substantive questions about the content of the guidance — what the seven principles require, how FMIs are expected to demonstrate compliance, how the guidance maps to domestic regulatory frameworks — AI tools can serve as a useful starting point for orientation. The guidance is a long, technically detailed document, and AI tools can help identify which sections are most relevant to a specific operational question. That preliminary orientation work carries lower risk than questions about the document's regulatory status, because the substance of the 2016 text is stable and has been widely analysed. The risk is concentrated specifically in questions about whether the document is still current, whether amendments have been issued, and what supplementary guidance has been published.
Practical safeguards for this regulation: (1) Before any board-level attestation, regulatory submission, or FMI counterparty assessment references the CPMI-IOSCO cyber resilience framework, verify directly on bis.org that no consultative or revised document has been published. (2) Set a calendar reminder to check for updates at least quarterly — international standard-setting bodies can open consultations with relatively short notice periods. (3) When AI tools are used for scoping or drafting, include a verification step that the foundational documents cited have been confirmed as current from the primary source. (4) Where supervisors or counterparties reference the CPMI-IOSCO standard in correspondence, confirm you are reading the same version before responding.
How RLB Can Help
RegLeg's published Hallucination Research gives Compliance teams at investment banks a practical pre-flight check before acting on AI-generated regulatory output. Because the research spans regulators across multiple jurisdictions and documents the specific failure modes that occur when AI tools engage with financial services rules, Compliance staff can consult the findings as an independent reference — confirming where AI-assisted research is reliable, and flagging the regulatory domains where confident-sounding output has most frequently proved incorrect.
For firms that want to go further, RegLeg offers bespoke regulator deep-dives scoped to the workflows your Compliance function actually relies on. This means mapping which AI-supported activities — regulatory horizon scanning, policy gap analysis, transaction monitoring guidance, or senior manager accountability queries — carry the highest hallucination exposure in your specific operating environment, and prioritising attention accordingly. Where an investment bank is subject to a regulator whose track record in the published research gives cause for caution, that context is built into the engagement from the outset.
RegLeg also works with Compliance teams on a confidential review of existing AI-use policies, assessing them against a structured failure-mode catalogue drawn from the research. The output is a prioritised remediation plan that identifies gaps in current oversight controls and suggests practical adjustments — including escalation triggers, secondary-verification requirements, and human sign-off thresholds suited to a regulated institution. Firms that have completed the review have used the findings directly as the basis for CPD-aligned internal training, giving Compliance staff the working knowledge they need to apply appropriate scepticism to AI tools without abandoning the efficiency gains they provide.