AI on Principles for Financial Market Infrastructures (PFMI) for Compliance teams at Payment Institutions firms in international jurisdictions
Executive Summary
The Principles for Financial Market Infrastructures (PFMI), published jointly by CPMI and IOSCO, is the authoritative global standard governing how payment systems, central securities depositories, central counterparties, and trade repositories must be designed and operated. For a Compliance team at a Payment Institutions firm operating across international jurisdictions, the PFMI is a primary reference when mapping regulatory obligations, advising business lines on system design, and engaging with oversight authorities that apply the Principles directly or through local transposition.
Across seven questions put to AI tools on this regulation, the AI produced wrong or unusable answers in every case. Two questions resulted in confident but incorrect responses — including fabricated document identifiers and invented citation language — while five further questions exposed a consistent inability to access verbatim content from the BIS and IOSCO publications that make up the PFMI framework. The failure pattern is not random: errors cluster on the document architecture of the PFMI corpus itself (annexes, companion methodology papers, co-published IOSCO versions) and on CPMI-IOSCO Level 3 assessment outputs, which are precisely the reference points a Compliance function reaches for when constructing an evidence base or responding to regulatory enquiry. A Compliance team that relies on AI responses for any of these purposes risks producing work product containing unverifiable claims, fabricated citations, or regulatory gaps that only surface under examination.
How AI gets this regulation wrong
AI tools make two distinct kinds of error on the PFMI framework. In some cases they invent specific details — wrong document identifiers, fabricated sub-paragraph references, quoted committee language that does not appear in the source — and present these with a degree of confidence that makes them hard to challenge without checking independently. In others, AI tools cannot retrieve verbatim content from the PDFs and co-published documents that form the PFMI corpus at all, meaning that for the precise threshold values, paragraph cross-references, and quoted text a Compliance function needs, the AI simply cannot answer — even when web search is enabled.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| AI couldn't find the real answer even with web search enabled | 5 | Finding#3, Finding#4, Finding#5, Finding#6, Finding#7 |
| AI confidently answered incorrectly; when challenged, it admitted it didn't really know — right or wrong | 2 | Finding#1, Finding#2 |
What that means for your team
For a Compliance team at a Payment Institutions firm, the practical consequences fall into two categories: being handed a wrong deliverable that cannot be used, and relying on an AI-generated answer that carries fabricated regulatory detail into live work product. The dominant exposure on the PFMI is regulatory enforcement risk — errors that, if embedded in internal policies, governance frameworks, or submissions to oversight authorities, could result in findings of non-compliance, remediation requirements, or reputational consequences with the regulators whose assessment methodologies the AI misrepresented.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Regulatory enforcement | 5 | Finding#1, Finding#2, Finding#5, Finding#6, Finding#7 |
| Wrong deliverable | 2 | Finding#3, Finding#4 |
When this affects your department
A Compliance team at a Payment Institutions firm in international jurisdictions regularly consults the PFMI when reviewing system design and governance arrangements against global baseline standards, when advising business lines on the requirements that apply to correspondent relationships or clearing arrangements with FMIs, and when preparing for regulatory assessments or self-assessments under PFMI-aligned frameworks. The PFMI is also a foundation reference for drafting internal policies on liquidity risk, general business risk, and critical service provider oversight — all areas where the AI tools we tested produced errors or were unable to answer at all.
When preparing regulatory submissions, responding to supervisory enquiries, or constructing evidence packs for internal governance committees, a Compliance function will typically need exact text from the PFMI and its companion publications — the specific key considerations under each Principle, the thresholds in the disclosure framework, the assessment criteria in the methodology document. AI tools we tested were unable to provide this verbatim content reliably: five of the seven questions produced no usable answer, and two produced answers with specific fabricated details. If a Compliance analyst uses an AI-generated summary to draft policy language or populate a regulatory mapping, the firm faces the risk that the text embeds a requirement, threshold, or governance obligation that does not exist in the actual standard.
The risk is amplified in jurisdictions where national regulators apply the PFMI directly through their own supervisory frameworks. An error in a compliance team's understanding of the PFMI governance requirements — for example, whether a risk committee is mandatory or advisory — could result in a board governance structure that fails assessment, or internal documentation asserting a position the regulator does not accept. The CPMI-IOSCO Level 3 assessment reports, which are used by regulators to benchmark FMI compliance with the Principles globally, compound this exposure: AI tools cannot access the November 2025 assessment on general business risks, and a Compliance team relying on AI-generated summaries of this document would be working from incomplete or speculative information.
The findings at a glance
The table below summarises each question tested on this regulation, the type of AI failure recorded, and the risk category it carries for a Compliance team at a Payment Institutions firm in international jurisdictions.
Aggregate impact
The failures across this regulation's findings cluster almost entirely on the document architecture of the PFMI corpus itself. The PFMI framework is not a single document: it comprises the core publication, a co-published IOSCO version, a companion disclosure framework and assessment methodology, a critical service providers annex, and a series of consultative and assessment reports — each a separate PDF published over more than a decade. AI tools we tested cannot access the binary content of these PDFs at paragraph level, which means that any question requiring exact thresholds, verbatim key considerations, specific cross-references, or quoted annexe text will return either an admission of inability or a fabricated substitute. For a Compliance team that needs to work from the actual regulatory text, this represents a near-total failure of the AI as a research tool for PFMI source material.
The two hallucinations compound the structural blind-spot problem by introducing false specificity. In the first, an AI tool misidentified the publication number of the CPMI assessment methodology for critical service providers — substituting a document on a different subject and presenting this as a confident answer. When challenged, the AI acknowledged uncertainty it had not disclosed initially. In the second, an AI tool presented a specific key consideration sub-number and a verbatim quoted passage to answer a question about board governance requirements — material it had not verified and could not have verified from training data. Both cases produced responses that appear credible and specific enough to be reproduced in internal work product without triggering a verification reflex.
The systemic risk for a Compliance function is that the PFMI is used as a baseline in multi-jurisdictional regulatory mapping, and errors introduced via AI-generated summaries do not stay in one place: they propagate into policy documents, training materials, board papers, and supervisory submissions across the jurisdictions in which the firm operates. A fabricated board committee requirement or a misattributed assessment methodology reference, once embedded in a governance framework, will be reproduced across review cycles until it is caught by an external examiner. Given the CPMI-IOSCO assessment processes that regulators use to evaluate FMI compliance, the probability of detection — and the cost of remediation — is material.
Findings
Hallucinations (2)
Finding#1 — Critical service providers annex — misidentified methodology document
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q011
- AI's failure: AI confidently answered incorrectly; when challenged, it admitted it didn't really know — right or wrong
- Risk for Compliance at Payment Institutions: Direct supervisory finding against the compliance function; section-166-style skilled person review possible
Finding#2 — Principle 2 board governance — fabricated risk committee citation
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q022
- AI's failure: AI confidently answered incorrectly; when challenged, it admitted it didn't really know — right or wrong
- Risk for Compliance at Payment Institutions: Direct supervisory finding against the compliance function; section-166-style skilled person review possible
Blind spots (5)
Finding#3 — CCP resilience report (August 2016) — verbatim content inaccessible
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q023
- AI's failure: AI couldn't find the real answer even with web search enabled
- Risk for Compliance at Payment Institutions: Compliance manual, monitoring plan, or attestation rests on a rule that doesn't say what AI claimed
Finding#4 — Level 3 general business risk assessment (November 2025) — post-cutoff blind spot
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q024
- AI's failure: AI couldn't find the real answer even with web search enabled
- Risk for Compliance at Payment Institutions: Compliance manual, monitoring plan, or attestation rests on a rule that doesn't say what AI claimed
Finding#5 — Stablecoin guidance press release (July 2022) — verbatim text inaccessible
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q025
- AI's failure: AI couldn't find the real answer even with web search enabled
- Risk for Compliance at Payment Institutions: Direct supervisory finding against the compliance function; section-166-style skilled person review possible
Finding#6 — IOSCO co-published PFMI — binary PDF inaccessible
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q026
- AI's failure: AI couldn't find the real answer even with web search enabled
- Risk for Compliance at Payment Institutions: Direct supervisory finding against the compliance function; section-166-style skilled person review possible
Finding#7 — IOSCO disclosure framework and assessment methodology — binary PDF inaccessible
- Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q027
- AI's failure: AI couldn't find the real answer even with web search enabled
- Risk for Compliance at Payment Institutions: Direct supervisory finding against the compliance function; section-166-style skilled person review possible
What your team should do
The default position for a Compliance team at a Payment Institutions firm working on PFMI obligations should be that AI tools cannot be relied upon for any task that requires verbatim text, precise key consideration references, specific thresholds, or accurate identification of companion publications within the PFMI corpus. For those tasks — drafting policy language against specific Principles, constructing a regulatory mapping with cited obligations, or verifying what a Level 3 assessment report says about a particular standard — the team should work directly from the BIS and IOSCO source documents. The PFMI and its companion publications are available on the BIS website and do not require specialist access; the cost of downloading and reading the relevant sections directly is low relative to the risk of embedding AI-generated errors in compliance work product.
Practical safeguards for the workflow include: treating any AI-generated reference to a specific document number, key consideration identifier, or verbatim quoted passage as unverified until checked against the original text; establishing a team norm that AI outputs on PFMI questions are used only as orientation (identifying which Principle or publication area is relevant) rather than as source-accurate summaries; and building a local reference set of verified excerpts for the PFMI obligations most frequently consulted by the team. For questions about recently published CPMI-IOSCO assessment reports — particularly those published after mid-2025 — the team should assume AI tools have no reliable access to the content and consult the BIS publications page directly.
There are areas where AI tools remain useful in PFMI-related compliance work. Drafting plain-English explanations of already-verified regulatory positions for internal training materials, summarising the general structure and scope of the PFMI for business-line briefings, and identifying which Principles are most relevant to a new product or system design question are all tasks where AI-generated drafts can accelerate the workflow without creating source-accuracy risk — provided the team treats the output as a starting draft rather than a verified regulatory summary. The key discipline is keeping the boundary clear: AI for orientation and drafting, primary sources for regulatory positions.
How RLB Can Help
RegLeg's published Hallucination Research gives Compliance teams at Payment Institutions firms a practical pre-flight check before placing reliance on AI-assisted output for regulatory questions. Each research entry documents the specific ways AI tools have mis-stated requirements, cited non-existent provisions, or conflated obligations across jurisdictions — giving your team a structured basis for calibrating confidence rather than discovering errors after the fact.
Beyond the published research, RegLeg works with Compliance functions to map which AI-supported workflows carry the highest hallucination exposure for a Payment Institutions firm specifically. Licensing and authorisation timelines, safeguarding and prudential thresholds, cross-border passporting conditions, and AML/CFT obligations each present distinct failure patterns. A bespoke regulator deep-dive surfaces where those patterns are most acute for your operating footprint, so resource and oversight effort is directed where the actual risk sits. RegLeg can also conduct a confidential review of your firm's existing AI-use policy against our failure-mode catalogue, producing a prioritised remediation plan aligned to the regulatory obligations your Compliance team is already accountable for.
For teams building internal capability, RegLeg develops training material and CPD-aligned content that translates the research into practical guidance — covering how to read AI output critically, what hallucination signals to look for in a regulatory context, and how to document reliance decisions in a way that will withstand supervisory scrutiny. The aim is to leave your Compliance function better equipped to use AI tools responsibly, with the institution's own risk tolerance and regulatory relationships intact.