Payment Institutions × Compliance — International / Multilateral · published 2026-05-30 · methodology v2.3

AI Hallucinations Affecting Compliance Teams at Payment Institutions Firms in international jurisdictions


This page aggregates AI hallucination findings affecting Compliance teams at Payment Institutions firms in international jurisdictions across two regulations.

Findings overview

| Regulation | Hallucinations | Blind spots | Total |
|---|---|---|---|
| Guidance on Cyber Resilience for Financial Market Infrastructures | 8 | 0 | 8 |
| Principles for Financial Market Infrastructures (PFMI) | 2 | 5 | 7 |
| Total | 10 | 5 | 15 |

Guidance on Cyber Resilience for Financial Market Infrastructures


Hallucinations (8)

NIST CSF alignment — unverified awareness claim

A Compliance team that uses this AI response to draft a regulatory mapping asserting that its cyber resilience framework aligns with both the CPMI-IOSCO Guidance and NIST CSF simultaneously will embed an unverified cross-reference claim into a formal compliance document. If that document is reviewed by a regulator, an FMI counterparty, or an external auditor who checks the primary source, the absence of a confirmed NIST citation in the 2016 guidance undermines the policy's stated basis and may require remediation. For a Payment Institutions firm, the risk is compounded by the guidance's FMI-facing scope: misrepresenting alignment with this standard in counterparty due-diligence responses or regulatory submissions carries both regulatory and commercial exposure.


NIST CSF explicit citation — fabricated cross-reference

This AI response went further, asserting that the CPMI-IOSCO Guidance explicitly references NIST CSF alongside the ISF Standard of Good Practice, COBIT, and ISO/IEC 27001. A Compliance team that drafts a gap analysis or controls mapping presenting these as confirmed citations from the guidance will produce a document with multiple fabricated cross-references. Any regulator or auditor who asks the firm to point to the source text supporting those citations will find them absent. For a Payment Institutions firm operating under international prudential supervision, fabricated normative cross-references in a compliance document constitute a governance failure — not merely an inaccuracy — and can attract supervisory scrutiny of the Compliance function's research process.

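The two NIST CSF findings above share one failure: a cross-reference the AI asserted that nobody checked against the primary text. The check is mechanical, so it can be automated before a mapping or gap analysis leaves the Compliance function. The block below is an added example written for this page; it is not code from the research methodology or from any of the publications discussed. It takes the list of standards an AI response claims a document cites, searches the document text for each one (accepting known alternative spellings, ignoring case, and tolerating the line breaks and dash variants that PDF extraction introduces), and reports which claims are supported with a snippet of evidence and which are not. The `PRIMARY_SOURCE` text and the `ALIASES` lists are constructed for the example; the stand-in text is invented and is not a quotation from the CPMI-IOSCO guidance or any other publication.

```python
"""Grounding check for cross-references an AI response claims a document makes.

Added example for this page, not part of the original research. Constructed
inputs only: PRIMARY_SOURCE is invented stand-in text, and ALIASES is an
assumed list of alternative spellings for each claimed standard.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for a primary-source document. Invented for this
# example; NOT a quotation from any real guidance or standard.
PRIMARY_SOURCE = """
2.1 In developing this framework the authors considered existing industry
standards, including ISO/IEC 27001 and the ISF Standard of Good Practice.
2.2 An operator may also draw on governance frameworks such as COBIT 5 when
designing its cyber resilience programme.
3.4 Identification. An operator should identify its critical business functions.
"""

# Claims as an AI response phrased them, mapped to the spellings the checker
# accepts as evidence. These alias lists are assumptions for the example.
ALIASES = {
    "NIST CSF": [
        "NIST CSF",
        "NIST Cybersecurity Framework",
        "Framework for Improving Critical Infrastructure Cybersecurity",
    ],
    "ISF Standard of Good Practice": [
        "ISF Standard of Good Practice",
        "Standard of Good Practice for Information Security",
    ],
    "COBIT": ["COBIT"],
    "ISO/IEC 27001": ["ISO/IEC 27001", "ISO 27001"],
}


@dataclass
class CitationCheck:
    claimed: str
    supported: bool
    evidence: list = field(default_factory=list)


def _normalise(text: str) -> str:
    # Fold Unicode dashes to "-" and collapse whitespace so an alias that PDF
    # extraction split across a line break, or hyphenated differently, still matches.
    text = re.sub(r"[\u2010-\u2015]", "-", text)
    return re.sub(r"\s+", " ", text)


def find_evidence(source: str, alias: str, context: int = 40) -> list:
    """Return context snippets around every whole-token match of alias in source."""
    text = _normalise(source)
    # Lookarounds stop "ISO 27001" matching inside a longer identifier.
    pattern = r"(?<!\w)" + re.escape(_normalise(alias)) + r"(?!\w)"
    hits = []
    for m in re.finditer(pattern, text, flags=re.IGNORECASE):
        start = max(0, m.start() - context)
        end = min(len(text), m.end() + context)
        hits.append(text[start:end].strip())
    return hits


def check_citations(source: str, claims: list, aliases: dict) -> list:
    """Check each claimed citation against the source; a claim with no alias
    list is searched for literally."""
    results = []
    for claim in claims:
        evidence = []
        for alias in aliases.get(claim, [claim]):
            evidence.extend(find_evidence(source, alias))
        results.append(CitationCheck(claim, bool(evidence), evidence))
    return results


def unsupported(results: list) -> list:
    """Claims the source text does not support; these must not enter a mapping."""
    return [r.claimed for r in results if not r.supported]


if __name__ == "__main__":
    checks = check_citations(PRIMARY_SOURCE, list(ALIASES), ALIASES)
    for c in checks:
        status = "SUPPORTED" if c.supported else "NOT FOUND"
        print(f"{status:9} {c.claimed}")
        for snippet in c.evidence:
            print(f"          ...{snippet}...")
    print("Unsupported claims:", unsupported(checks))
```

Run against the real publication, the source text is the extracted text of the PDF rather than the stand-in, and the alias lists should be extended with the exact titles the document uses. A claim reported as NOT FOUND is not necessarily false, but it is unverified, which is the state the findings above describe; the evidence snippets for supported claims are what a reviewer attaches to the mapping so that a regulator or auditor can be pointed to the source text.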

Phrase origin — wrong 2018 source document

A Compliance team using AI to trace the provenance of regulatory phrases for briefing notes, training materials, or right-of-reply submissions will obtain a confident but incorrect attribution. The AI attributed the phrase to a different 2018 CPMI publication on wholesale payments fraud and endpoint security, rather than the correct source, a 2018 BIS speech by Benoît Cœuré. If that misattribution appears in a client-facing or regulator-facing document, the firm's credibility on regulatory detail is at risk. More practically, a training programme or internal briefing built around an incorrect source attribution will mislead staff about the guidance's scope and strategic intent, generating rework costs when the error is identified.


Incident response detail — operational depth overclaimed

A Compliance team preparing cyber incident response protocols by asking AI what operational detail the CPMI-IOSCO 2016 Guidance specifies will receive an answer that overclaims the document's depth. The AI characterised the 2016 guidance as providing detailed operational expectations for incident response, when in fact the FSB's Effective Practices for Cyber Incident Response and Recovery (2020) addresses the level of operational detail that the 2016 guidance leaves open. A Payment Institutions firm that stops at the 2016 guidance — relying on AI's assurance that it is operationally detailed — and does not incorporate the 2020 FSB document will have an incomplete incident response framework. This gap could become material during a supervisory review, a significant cyber event, or a counterparty assessment of the firm's operational resilience.


FSB Cyber Lexicon alignment — uncertain presented as confirmed

A Compliance team that accepts AI's assertion that the 2016 Guidance and the FSB Cyber Lexicon definitions are broadly aligned may use that claim to justify not conducting a formal reconciliation between the two documents in a controls framework or gap analysis. In practice, the two documents were produced two years apart and whether their definitions were designed to correspond is uncertain. If a regulator asks the firm to map its programme to both standards and the definitions diverge materially, the firm's inability to demonstrate that it conducted the reconciliation — relying instead on an unverified AI claim — represents a gap in its compliance process. The risk is especially acute for Payment Institutions firms seeking to demonstrate regulatory equivalence across multiple international frameworks.


FSB Cyber Lexicon derivation — explicit lineage fabricated

This AI response compounded the uncertainty by asserting not only that the two definitions are consistent but that the FSB Cyber Lexicon explicitly drew on the CPMI-IOSCO definition — a specific derivation claim that cannot be verified from the source material. A Compliance team that includes this fabricated lineage in a regulatory mapping or regulator-facing correspondence is making a statement about the history and intent of a BIS/FSB publication that has no confirmed basis. For a Payment Institutions firm operating under regulatory relationships with multiple international bodies, inaccurate assertions about the provenance of international standards in formal documents carry both reputational and regulatory risk.


Guidance currency — May 2026 active revision missed

A Compliance team told by AI that the 2016 guidance has not been revised or superseded will not know to monitor the CPMI-IOSCO consultative process that opened in May 2026. For a Payment Institutions firm with FMI-facing operations, missing an active consultation on the operative international cyber resilience standard means the firm cannot engage with the process, cannot brief the board on pending regulatory change, and cannot begin planning for updated requirements before finalisation. When revised guidance is issued and a regulator asks what steps the firm took to track the change, reliance on AI that provided an incorrect answer is not a defensible compliance process.


Guidance currency — May 2026 consultation not detected

This finding mirrors the preceding currency finding, with a second AI tool independently producing the same outdated claim on the same question. Both AI tools stated the 2016 guidance remains unrevised despite an active CPMI-IOSCO public consultation having launched 22 days prior. For a Compliance team that uses multiple AI tools as a cross-check — a reasonable risk-management practice — this finding demonstrates that independent AI checks do not protect against shared training-data blind spots on recent regulatory developments. The firm faces the same regulatory planning risk as the preceding finding, and the agreement between two tools makes the error more likely to pass internal review unchallenged.


Principles for Financial Market Infrastructures (PFMI)


Hallucinations (2)

Critical service providers annex — misidentified methodology document

When a Compliance team at a Payment Institutions firm asks AI tools about the relationship between PFMI Annex F and the CPMI assessment methodology for critical service providers, the AI we tested misidentified the methodology document — substituting a publication on a different subject and presenting the error with apparent confidence. If the team uses this response to map the firm's obligations regarding critical third-party dependencies, internal policy documentation will reference the wrong publication, and any gap analysis or board report constructed on that basis will be factually incorrect. If the error is presented to an oversight authority as part of a supervisory submission or self-assessment, the firm risks a finding of inadequate understanding of its regulatory framework — with attendant remediation requirements and potential enforcement exposure under the CPMI-IOSCO oversight expectations applicable to payment institutions.


Principle 2 board governance — fabricated risk committee citation

When a Compliance team asks AI tools about the specific governance requirements PFMI Principle 2 imposes on FMI boards — and in particular whether a risk committee is mandatory — the AI we tested presented a specific key consideration number and a verbatim passage it had not verified and could not have verified from training data. The fabricated citation language and the conditional framing ('should consider') were both presented as direct quotations from the Principles. If the Compliance function uses this response to draft board governance documentation or advise the firm's own governance arrangements on PFMI-aligned expectations, the resulting documentation will assert a regulatory position based on text that does not exist. A regulator conducting an assessment of the firm's governance framework against the PFMI would identify the discrepancy, and the firm would face both reputational consequences and the cost of corrective remediation across any governance documentation that incorporated the fabricated standard.


Blind spots (5)

CCP resilience report (August 2016) — verbatim content inaccessible

When a Compliance team asks AI tools for specific thresholds, cross-references, or verbatim content from the August 2016 CPMI-IOSCO consultative report on CCP resilience and recovery, the AI tools we tested correctly declined to fabricate content they could not verify — but were unable to provide the answer the Compliance function needed. If the team requires the actual thresholds or assessment criteria from this document to support a regulatory mapping, vendor due-diligence framework, or board briefing on CCP-related exposures, they will need to go directly to the source publication. The practical risk is that a team under time pressure may accept the AI's general-level summary as sufficient and not retrieve the primary document — leaving the work product incomplete and potentially inconsistent with the actual regulatory standard.


Level 3 general business risk assessment (November 2025) — post-cutoff blind spot

When a Compliance team asks AI tools about the specific findings in the November 2025 CPMI-IOSCO Level 3 assessment on general business risks — particularly regarding FMI compliance with the six-month liquid net assets standard — the AI tools we tested were unable to access the document's content and declined to fabricate verbatim text. This is the correct response, but it means the AI cannot assist with any task that requires knowledge of this assessment's findings. For a Payment Institutions firm operating in jurisdictions where regulators reference CPMI-IOSCO Level 3 assessments in their own supervisory guidance, the inability of AI tools to summarise or cite this report accurately means that compliance monitoring and internal reporting on the firm's general business risk framework must be built from the primary BIS publication — not from AI-generated summaries, which will be incomplete or absent.


Stablecoin guidance press release (July 2022) — verbatim text inaccessible

When a Compliance team asks AI tools for verbatim text from the BIS press release announcing the July 2022 CPMI-IOSCO stablecoin guidance, the AI tools we tested were unable to retrieve the specific content of the press release and declined to quote it. If the team needs to reference the official announcement, for example when advising the business on the regulatory status of stablecoin arrangements under PFMI-aligned frameworks or preparing a regulatory update briefing, the AI cannot provide accurate verbatim material. Relying on an AI-generated paraphrase of the announcement risks omitting or misrepresenting the scope or caveats of the guidance, which could result in an internal briefing that misstates the regulatory position on stablecoin-related payment obligations.


IOSCO co-published PFMI — binary PDF inaccessible

When a Compliance team asks AI tools for specific verbatim text, thresholds, or cross-references from the IOSCO co-published version of the PFMI, the AI tools we tested correctly declined to fabricate paragraph-level content from the binary PDF — but were unable to provide the precise text. For a Compliance function that needs to cite the IOSCO version specifically (as distinct from the BIS version) in a regulatory submission, cross-border mapping document, or correspondence with an IOSCO-member regulator, AI tools cannot substitute for direct access to the publication. Any internal document that cites 'the IOSCO PFMI' without checking the actual text risks misrepresenting the co-published standard in contexts where the distinction between the BIS and IOSCO versions is material to the regulator.


IOSCO disclosure framework and assessment methodology — binary PDF inaccessible

When a Compliance team asks AI tools for verbatim content from the IOSCO version of the PFMI disclosure framework and assessment methodology, the AI tools we tested were unable to access the PDF and declined to fabricate paragraph-level content. The disclosure framework and assessment methodology is a core reference for Compliance functions conducting self-assessments or preparing for external assessments under the PFMI — it contains the specific assessment criteria against which each Principle is evaluated. AI tools that cannot retrieve this document's content cannot assist with any task that requires quoting or applying the specific assessment criteria, meaning the team must source this material directly from the BIS or IOSCO publication. A self-assessment built on AI-generated summaries of the assessment methodology criteria risks omitting or mischaracterising the specific benchmarks regulators use to evaluate compliance.

