AI Hallucinations Affecting Risk Teams at Payment Institutions Firms in international jurisdictions

This page aggregates AI hallucination findings affecting Risk teams at Payment Institutions firms in international jurisdictions across 1 regulation(s).

Findings overview

| Regulation | Hallucinations | Blind spots | Total |

|---|---|---|---|

| Guidance on Cyber Resilience for Financial Market Infrastructures | 4 | 0 | 4 |

| Total | 4 | 0 | 4 |

Guidance on Cyber Resilience for Financial Market Infrastructures

See Detailed Case Study →

Hallucinations (4)

Cyber resilience definition alignment with FSB Lexicon

• AI's failure: AI confidently answered incorrectly; when challenged, it admitted it didn't really know — right or wrong

• Risk for Risk at Payment Institutions: Risk appetite statement, ICAAP, or operational-risk return rests on a misstated rule

A Risk team using AI to build or review its cyber resilience policy framework may ask how the guidance's core definitions align with the FSB Cyber Lexicon, expecting the answer to settle whether the firm's terminology matches current international standards. When the AI asserts that the two documents are aligned and broadly consistent — without flagging that this alignment has not been formally confirmed — the team is likely to embed that assumption in its deliverable without further verification.

If a regulatory review or external audit later surfaces a definitional inconsistency, the firm faces remediation of policy documents and potentially an explanation to its supervisor of how an unverified alignment claim entered its compliance framework. The exposure is highest in jurisdictions where supervisors explicitly cross-reference both the CPMI-IOSCO guidance and the FSB Cyber Lexicon as parallel expectations.

see this finding →

Cyber resilience definition alignment with FSB Lexicon

• AI's failure: AI confidently answered incorrectly; when challenged, it admitted it didn't really know — right or wrong

• Risk for Risk at Payment Institutions: Risk appetite statement, ICAAP, or operational-risk return rests on a misstated rule

In this instance the AI went further than asserting consistency — it claimed the FSB Cyber Lexicon explicitly drew on the CPMI-IOSCO definition, converting an unconfirmed relationship into a stated derivation. A Risk team that records this claimed derivation in a regulatory mapping document, a supervisory submission, or a senior management briefing has introduced a fabricated claim into a formal document.

If a counterparty, auditor, or regulator challenges the assertion, the firm cannot point to a supporting source. Remediation requires reviewing and correcting every downstream document that relied on this claim, with associated costs to team time and potential reputational impact with the supervisor. The risk is compounded in internationally active firms where the same policy document may be submitted across multiple jurisdictions.

see this finding →

2016 guidance currency and active revision status

• AI's failure: AI gave outdated information as if it were current

• Risk for Risk at Payment Institutions: Capital add-on or variation-of-permission in the Payment Institutions business if framework relied on a fabricated rule

A Risk team that asks whether the 2016 guidance is still operative before beginning a regulatory mapping exercise, a vendor due-diligence framework, or a supervisory engagement receives a confident affirmative — without any caveat about a possible pending revision. If the team proceeds on that basis and later discovers that CPMI-IOSCO published a consultative document for updated guidance in May 2026, the firm must assess whether its mapping exercise, submissions, or vendor assessments should be revised.

More materially, a firm that did not engage with the CPMI-IOSCO consultation — because its Risk function was not aware it was open — may face questions from its supervisor about whether it adequately tracks developments in the international standards applicable to its operations. Supervisory credibility is difficult to restore once a firm is seen as failing to monitor a material regulatory development that was publicly available.

see this finding →

2016 guidance currency and active revision status

• AI's failure: AI gave outdated information as if it were current

• Risk for Risk at Payment Institutions: Capital add-on or variation-of-permission in the Payment Institutions business if framework relied on a fabricated rule

The same failure pattern as the preceding finding: the AI confirmed the 2016 guidance as the unrevised operative standard, missing the May 2026 consultative revision entirely. For a Payment Institutions firm, any regulatory-mapping work, supervisory submission, or internal policy update produced using the 2016 guidance as a static baseline may need to be revisited once the revised guidance is finalised.

Supervisors in key international jurisdictions treat engagement with CPMI-IOSCO consultations as part of a firm's expected regulatory engagement. A firm that was not tracking the revision process — because its AI-assisted research missed a development published three weeks earlier — may find itself having to explain its non-participation retroactively, with limited ability to demonstrate that its oversight was reasonable.

see this finding →

Related case studies

Other sectors / departments in international jurisdictions

• Compliance at Corporate Banking

• Operations at Corporate Banking

• Technology & Data at Corporate Banking

• Compliance at Investment Banking

• Governance & Company Secretarial at Investment Banking

• Operations at Investment Banking

• Technology & Data at Investment Banking

• Compliance at Payment Institutions

• Governance & Company Secretarial at Payment Institutions

• Internal Audit at Payment Institutions

• Legal at Payment Institutions

• Operations at Payment Institutions

• Technology & Data at Payment Institutions

• Compliance at Retail Banking

• Compliance at Statutory Boards & Agencies

• Technology & Data at Statutory Boards & Agencies