Payment Institutions × Compliance — International / Multilateral · methodology v2.3

AI on Guidance on Cyber Resilience for Financial Market Infrastructures for Compliance teams at Payment Institutions firms in international jurisdictions

Executive Summary

For Compliance teams at Payment Institutions firms operating across international jurisdictions, the CPMI-IOSCO Guidance on Cyber Resilience for Financial Market Infrastructures (June 2016) is a foundational international standard setting expectations for the operational and governance cyber resilience of financial market infrastructures and their participants. Across eight aggregated questions testing AI tools on this regulation, every response contained a hallucination — not a single question was answered correctly. The failures divide between AI tools confidently asserting specific technical and cross-reference claims about this guidance that turn out to be unverifiable or wrong, and AI tools presenting the 2016 guidance as the current operative standard when CPMI-IOSCO published a consultative revision document in May 2026, placing the guidance under active revision. Together, these errors create compliance gaps that surface at precisely the moments a Compliance team most needs reliable regulatory intelligence: policy drafting, gap analysis, incident-response framework design, and regulatory change monitoring.

How AI gets this regulation wrong

The errors AI tools produced on this regulation cluster around two distinct failure patterns. Most involve AI confidently asserting detailed cross-reference and technical claims — about which external frameworks this guidance cites, what specific phrases appear in its text, how much operational detail it contains, and how its definitions relate to later international standards — where the actual source material either contradicts the claim or cannot confirm it. The remainder involve AI presenting the 2016 guidance as the current operative international standard without registering an active revision process that was already underway.

AI's Failure Mode | Count | Affected findings
AI confidently answered incorrectly; when challenged, it admitted it didn't really know — right or wrong | 6 | Finding#1, Finding#2, Finding#3, Finding#4, Finding#5, Finding#6
AI gave outdated information as if it were current | 2 | Finding#7, Finding#8

What that means for your team

For a Compliance team at a Payment Institutions firm, the errors found on this regulation translate into two categories of practical exposure. Half of the findings point to the risk of producing wrong deliverables — policies, gap analyses, training materials, or regulatory mappings built on AI assertions that misrepresent what this guidance actually says, cites, or requires. The other half expose the firm to regulatory enforcement risk by presenting an outdated understanding of the current international standard as settled, fully operative law.

Risk Impact | Count | Affected findings
Regulatory enforcement | 4 | Finding#1, Finding#2, Finding#7, Finding#8
Wrong deliverable | 4 | Finding#3, Finding#4, Finding#5, Finding#6

When this affects your department

Compliance teams at Payment Institutions firms in international jurisdictions consult AI tools on the CPMI-IOSCO Cyber Resilience Guidance in a range of routine situations: drafting or reviewing internal cyber resilience policies that claim alignment with recognised international standards, preparing gap analyses for new product or service launches that interact with or serve FMIs, producing regulatory mapping documents for business lines facing supervisory questions, building training programmes for operational staff, and supporting board or senior management reporting on the firm's cyber resilience posture against internationally recognised benchmarks. Cross-reference questions — which frameworks does this guidance align with, what level of operational detail does it specify, how do its definitions relate to later standards — are exactly the kind of contextual question Compliance teams routinely delegate to AI tools to answer quickly.

The errors found in this research are particularly dangerous in those workflows because the AI responses are plausible and internally coherent. When AI tools assert that this guidance explicitly cites the NIST Cybersecurity Framework, or that the 2016 guidance and the FSB Cyber Lexicon are definitionally consistent, a Compliance team will naturally embed those claims in internal policies and gap analyses. If a regulator, an FMI counterparty, or an external auditor subsequently asks the firm to point to the source text supporting those cross-references, the absence of a confirmed citation in the actual guidance is a compliance programme failure — not merely a drafting error — and may require both remediation and an explanation of the Compliance team's research process.

The currency findings carry a distinct but equally acute risk. A Compliance team relying on AI to confirm that the 2016 guidance is the operative international standard, without knowing that CPMI-IOSCO published a consultative revision document in May 2026, may fail to alert the business to an active regulatory change process. For a Payment Institutions firm with FMI-adjacent operations, missing a consultative window — or failing to track pending regulatory change — affects both the firm's regulatory relationships and its ability to plan for updated requirements in advance of finalisation.

The findings at a glance

The table below summarises each finding: the question asked of AI tools, the category of failure, and the risk it creates for Compliance teams at Payment Institutions firms operating across international jurisdictions.

# | Finding title | Type | Citation ID
1 | NIST CSF alignment — unverified awareness claim | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
2 | NIST CSF explicit citation — fabricated cross-reference | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q008
3 | Phrase origin — wrong 2018 source document | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014
4 | Incident response detail — operational depth overclaimed | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
5 | FSB Cyber Lexicon alignment — uncertain presented as confirmed | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020
6 | FSB Cyber Lexicon derivation — explicit lineage fabricated | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q020
7 | Guidance currency — May 2026 active revision missed | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022
8 | Guidance currency — May 2026 consultation not detected | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022

Aggregate impact

The errors across this regulation's findings are not scattered across unrelated topics. They cluster tightly around two specific areas: the regulatory lineage and cross-referencing of the 2016 guidance (which external frameworks does it formally cite, what phrases does it use, how much operational detail does it specify, how do its definitions relate to later standards), and the question of whether this guidance remains the current operative international standard. Both clusters represent exactly the questions a Compliance team reaches for AI to answer efficiently — contextual and definitional rather than technically arcane — and both produced consistent hallucinations across multiple AI tools.

The cross-reference failures share a structural pattern. AI tools had enough surface-level familiarity with this guidance and its broader regulatory ecosystem to produce answers that sound authoritative and specific. But in each case the AI resolved genuine uncertainty in the source material into false confidence: structural similarity between the guidance's five categories and the NIST CSF five functions became a claimed explicit citation; an uncertain relationship between the 2016 guidance and the 2018 FSB Cyber Lexicon became asserted alignment and fabricated derivation; the 2016 guidance's high-level character on incident response became claimed operational detail. Because these responses are plausible, specific, and internally consistent, they are the category of AI error most likely to pass internal review without challenge and enter compliance documents unchecked.

The currency failures compound the cross-reference risk at the portfolio level. A firm whose Compliance function has built its cyber resilience policy on AI-described cross-references to NIST or FSB frameworks — cross-references that may not exist as described — and has also been told by AI that this guidance is stable and unrevised, faces compounding exposure: the policy rests on incorrect detail in a document whose active revision the firm has not been alerted to track. The fact that two independent AI tools both failed to surface the May 2026 consultation demonstrates that using multiple AI tools as a cross-check does not protect against shared training-data blind spots on recent regulatory developments.

Findings

Hallucinations (8)

Finding#1 — NIST CSF alignment — unverified awareness claim

Finding#2 — NIST CSF explicit citation — fabricated cross-reference

Finding#3 — Phrase origin — wrong 2018 source document

Finding#4 — Incident response detail — operational depth overclaimed

Finding#5 — FSB Cyber Lexicon alignment — uncertain presented as confirmed

Finding#6 — FSB Cyber Lexicon derivation — explicit lineage fabricated

Finding#7 — Guidance currency — May 2026 active revision missed

Finding#8 — Guidance currency — May 2026 consultation not detected

What your team should do

The default position for a Compliance team using AI for work on this regulation should be: treat any AI response about which frameworks, standards, or later documents this guidance formally cites, aligns with, or has been superseded by as a starting hypothesis — not an established fact. The research underlying this page found that AI tools consistently resolved uncertain or unconfirmed cross-reference relationships into confident, specific claims. Every such claim should be verified against the text of the 2016 Guidance itself (available at bis.org) and, where the claim involves a later document such as the FSB Cyber Lexicon or the FSB Effective Practices for Cyber Incident Response and Recovery (2020), against that document's own published text. A policy or gap analysis that cites a cross-reference relationship should name the specific source text — not rely on AI's account of it.

On currency, the team should establish a direct monitoring process for BIS and IOSCO publication feeds for updates to this guidance. As of May 2026, a public consultation on revised guidance is underway, and any internal policy or gap analysis referring to the 2016 guidance as the operative standard should note this explicitly. The team should also be tracking the consultative process for material that may require the firm to update its cyber resilience programme in advance of finalisation. Relying on AI to flag active regulatory consultations is not sufficient — as this research demonstrates, AI tools did not surface this development even when directly asked whether the guidance was still current.

AI tools remain useful for Compliance work on this regulation in lower-risk tasks: summarising the five broad guidance categories (Identify, Protect, Detect, Respond and Recover, and Test), drafting first-pass structures for policy frameworks or board briefings, and generating reading lists for regulatory research. The specific risk is concentrated in questions about normative cross-references, definitional consistency with later standards, and regulatory currency — the exact questions where AI appears most helpful but where the research found it most consistently wrong. Use AI to accelerate first-pass exploration; pair any specific normative or cross-reference claim with primary source verification before it enters a compliance deliverable.

How RLB Can Help

RegLeg's published Hallucination Research gives Compliance teams at Payment Institutions firms a practical pre-flight check before placing reliance on AI-assisted output for regulatory questions. Each research entry documents the specific ways AI tools have mis-stated requirements, cited non-existent provisions, or conflated obligations across jurisdictions — giving your team a structured basis for calibrating confidence rather than discovering errors after the fact.

Beyond the published research, RegLeg works with Compliance functions to map which AI-supported workflows carry the highest hallucination exposure for a Payment Institutions firm specifically. Licensing and authorisation timelines, safeguarding and prudential thresholds, cross-border passporting conditions, and AML/CFT obligations each present distinct failure patterns. A bespoke regulator deep-dive surfaces where those patterns are most acute for your operating footprint, so resource and oversight effort is directed where the actual risk sits. RegLeg can also conduct a confidential review of your firm's existing AI-use policy against our failure-mode catalogue, producing a prioritised remediation plan aligned to the regulatory obligations your Compliance team is already accountable for.

For teams building internal capability, RegLeg develops training material and CPD-aligned content that translates the research into practical guidance — covering how to read AI output critically, what hallucination signals to look for in a regulatory context, and how to document reliance decisions in a way that will withstand supervisory scrutiny. The aim is to leave your Compliance function better equipped to use AI tools responsibly, with the institution's own risk tolerance and regulatory relationships intact.
