AI Hallucination ResearchAudiencesSectorsInternational / MultilateralPayment InstitutionsOperationsDetail › Finding
Payment Institutions × Operations — International / Multilateral · published 2026-05-28 · methodology v2.1

Operational detail in the 2016 CPMI-IOSCO cyber resilience guidance

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019
What the RLB Specialist Panel found

1. Operational detail in the 2016 CPMI-IOSCO cyber resilience guidance

  • Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance specify detailed operational practices for cyber incident response and recovery, or is that level of detail addressed by a later document?
  • Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
  • What AI assistants typically say: AI tools confirmed that the 2016 guidance contains detailed operational expectations for cyber incident response and recovery, listing specific elements such as incident response planning, recovery time objectives, secondary site requirements, and communication protocols — presenting the 2016 document as a self-sufficient operational reference for those topics.
  • What the regulator actually says: The FSB published "Effective Practices for Cyber Incident Response and Recovery" in October 2020 — four years after the 2016 CPMI-IOSCO Cyber Resilience Guidance. This later publication contains operational detail for the Response and Recovery phase that goes beyond what the 2016 guidance specifies.
  • Why the AI went wrong: The AI treated the 2016 guidance as comprehensive on a topic it addresses only at a high level, failing to recognise that a later document was specifically published to fill the operational gap. The result was a confident but overstated characterisation that suppressed awareness of the more prescriptive 2020 FSB material.
  • Cited source(s):
Impact for this audience

An Operations team that accepts the AI's characterisation of the 2016 CPMI-IOSCO guidance as operationally detailed may design or certify the firm's cyber incident response and recovery framework without reference to the FSB's 2020 effective practices publication. Internal documents built on this basis — including the firm's incident response plan, recovery time objective documentation, and regulatory self-assessment submissions — will reflect an incomplete view of current international expectations. If a supervisory review or a live cyber incident exposes the gap, the firm faces remediation costs across multiple operational documents simultaneously, potential supervisory findings about the adequacy of its resilience framework, and reputational exposure with counterparties and correspondent banks who assess operational resilience as part of their own due diligence.

References — raw findings (per AI model)
This finding also affects
Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text 
RegLeg Specialist Panel (2026). "Operational detail in the 2016 CPMI-IOSCO cyber resilience guidance — Payment Institutions × Operations — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/payment_institutions/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
APA 7th edition 
RegLeg Specialist Panel. (2026). Operational detail in the 2016 CPMI-IOSCO cyber resilience guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/payment_institutions/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/
Bluebook / OSCOLA (US + UK legal) 
RegLeg Specialist Panel, Operational detail in the 2016 CPMI-IOSCO cyber resilience guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/payment_institutions/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/.
BibTeX 
@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q019,
  author    = {RegLeg Specialist Panel},
  title     = {Operational detail in the 2016 CPMI-IOSCO cyber resilience guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q019},
  url       = {https://reglegbrief.com/audiences/sectors/int/payment_institutions/operations/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-019/}
}
← Back to case study summary Case study detail →
About Citation IDs →