Retail Banking × Compliance — International / Multilateral · published 2026-05-28 · methodology v2.1

Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance

RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022

What the RLB Specialist Panel found

1. Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance

Question (paraphrased to protect IP): Is the CPMI-IOSCO 2016 Cyber Resilience Guidance still the operative international standard for FMI cyber resilience, or has it been revised or updated?
Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016) (Regulator portal: https://www.bis.org)
What AI assistants typically say: Multiple AI tools gave similar incorrect responses, each asserting that the June 2016 CPMI-IOSCO Cyber Resilience Guidance remains the operative primary international standard for FMI cyber resilience and that it has not been formally revised or superseded. The responses were stated with confidence and without qualification about potential knowledge limitations.
What the regulator actually says: As confirmed by a BIS press release of 6 May 2026, CPMI-IOSCO published a consultative document for public comment on updated guidance; the 2016 guidance is under active revision as of May 2026.
Why the AI went wrong: The AI tools' knowledge did not extend to the May 2026 consultative publication, and rather than acknowledging uncertainty about recent developments, they stated the outdated position as current fact. This reflects a general tendency for AI tools to present their most recent training-data view of a regulatory question as definitively settled, without flagging that the regulatory landscape may have moved.
Cited source(s):

Impact for this audience

A Retail Banking firm whose Compliance team relies on an AI tool to confirm the operative status of the CPMI-IOSCO 2016 Cyber Resilience Guidance risks embedding a materially incorrect regulatory position into internal policies, board papers, supplier due-diligence frameworks, and any regulatory submissions that reference international FMI cyber resilience standards. If that position is presented to a regulator — for example, in response to a thematic review of the firm's FMI-related cyber controls — the firm faces the cost of correction, potential regulatory scrutiny for having relied on an unverified AI answer, and the reputational exposure of having mischaracterised the current regulatory landscape. The BIS and CPMI-IOSCO do not have direct sanctioning powers over Retail Banking firms, but domestic regulators drawing on the 2016 guidance as a benchmark will treat a firm's misunderstanding of that guidance's current status as a governance failing. Remediation costs — including audit of all downstream work-products incorporating the incorrect position — are likely to exceed the cost of the original verification step many times over.

References — raw findings (per AI model)

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Opus47 Claude Opus 4.7 (web search on)
RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022-Sonnet46 Claude Sonnet 4.6 (web search on)

This finding also affects

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

Plain text

RegLeg Specialist Panel (2026). "Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance — Retail Banking × Compliance — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022. RegLegBrief AI Hallucination Research, published 2026-05-28. https://reglegbrief.com/audiences/sectors/int/retail_banking/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/

APA 7th edition

RegLeg Specialist Panel. (2026). Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/audiences/sectors/int/retail_banking/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/

Bluebook / OSCOLA (US + UK legal)

RegLeg Specialist Panel, Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022], RegLegBrief AI Hallucination Research (May 28, 2026), https://reglegbrief.com/audiences/sectors/int/retail_banking/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/.

BibTeX

@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q022,
  author    = {RegLeg Specialist Panel},
  title     = {Current status of the CPMI-IOSCO 2016 Cyber Resilience Guidance},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q022},
  url       = {https://reglegbrief.com/audiences/sectors/int/retail_banking/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-022/}
}

← Back to case study summary Case study detail →

About Citation IDs →