Software & SaaS × Compliance — International / Multilateral · methodology v2.3

AI on Principles for Financial Market Infrastructures (PFMI) for Compliance teams at Software & SaaS firms in international jurisdictions


Executive Summary

The Principles for Financial Market Infrastructures (PFMI) were published in April 2012 by the Committee on Payment and Settlement Systems (CPSS, renamed the Committee on Payments and Market Infrastructures, CPMI, in 2014), a committee hosted by the Bank for International Settlements, jointly with IOSCO. They set the global benchmark for the safe and efficient operation of systemically important financial market infrastructures, and Annex F sets out oversight expectations applicable to the critical service providers on which those infrastructures depend. For Compliance teams at Software & SaaS firms operating in international jurisdictions, the PFMI matters directly: a firm whose technology or platform is designated as, or supplies, a critical service provider to a financial market infrastructure must map its obligations against these internationally adopted principles. In our testing, AI tools produced at least one confirmed hallucination when asked to explain how specific PFMI annexes and the associated assessment methodology documents relate to one another. The failure took the form of an AI confidently misidentifying a foundational CPMI document, acknowledging uncertainty only when pressed. Undetected, that pattern could lead a Compliance team to build its regulatory mapping on a factually incorrect foundation. A single misdirected answer about which document governs oversight expectations for critical service providers can expose the firm to regulatory enforcement risk in several jurisdictions at once.

How AI gets this regulation wrong

The table below shows how AI tools went wrong when tested on this regulation. The dominant pattern is confident fabrication followed by retreat: the AI stated incorrect information with apparent authority and flagged its own uncertainty only when directly challenged, so a team that relies on the initial answer without a follow-up question receives and acts on the error unalerted. For a regulatory framework as document-dense and cross-referenced as the PFMI, where the identity and scope of a specific annex or methodology paper can determine an entire compliance obligation, this kind of confident misidentification is particularly consequential.

AI's failure mode | Count | Affected findings
AI confidently answered incorrectly; when challenged, it admitted it didn't really know — right or wrong | 1 | Finding#1

What that means for your team

The table below maps the AI failures on PFMI to their likely regulatory and business impact for a Compliance function at a Software & SaaS firm. Because the PFMI carries international adoption — incorporated by reference into national and supranational regulatory regimes across the Americas, Europe, and Asia-Pacific — a compliance error originating in one AI-assisted output can propagate across multiple regulatory relationships simultaneously. For firms whose products or platforms touch financial market infrastructure, the dominant risk in this cell sits squarely in regulatory enforcement: regulators with PFMI oversight authority expect documented, accurate self-assessment, and an error in source identification undermines the credibility of that documentation.

Risk impact | Count | Affected findings
Regulatory enforcement | 1 | Finding#1

When this affects your department

A Compliance team at a Software & SaaS firm encounters the PFMI most acutely when the firm's technology or services are assessed as a critical service provider to a financial market infrastructure, or when the firm seeks to have them assessed as such. This can arise through a formal designation by a national regulator, through contractual due-diligence demands from an FMI client, or through the firm's own pre-launch scoping of a new product or platform intended to serve clearing, settlement, trade repository, or payment system operators. In each of these scenarios the Compliance team may turn to AI tools to orient itself quickly: understanding what the PFMI Annex F oversight expectations require, identifying the correct CPMI-IOSCO assessment methodology document, or drafting internal gap analyses and training materials that explain the regime to business lines. These tasks are plausible, common, and time-pressured, which is exactly the condition under which an AI answer is accepted without verification.

The stakes of getting this wrong are high and multi-jurisdictional. Because the PFMI has been adopted by regulators in over 50 jurisdictions, an error in understanding which document establishes the oversight methodology for critical service providers is not a localised compliance failure — it can simultaneously mis-inform submissions to, or self-assessments held by, regulators in the EU, the United Kingdom, the United States, Singapore, Australia, and elsewhere. Firms found to have mischaracterised their obligations under the PFMI framework face enforcement action from the relevant national overseer, remediation demands that may require renegotiating client contracts, and reputational damage with FMI clients for whom regulatory reliability is a baseline procurement criterion.

The findings at a glance

The table below summarises each question put to AI tools in this regulatory area, the type of failure observed, and the risk category it creates for a Compliance team at a Software & SaaS firm. Use it to identify which parts of the PFMI are most hazardous to research using general-purpose AI tools without independent verification.

# | Finding title | Type | Citation ID
1 | PFMI Annex F and critical service provider assessment methodology | Hallucination | RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q011

Aggregate impact

Across the findings in this cell, the error pattern is structurally specific: AI tools struggled not with vague or contested areas of the PFMI but with the bibliographic architecture of the regulatory framework itself — specifically, which numbered CPMI publication corresponds to which substantive obligation. The finding here involves a misidentification of a foundational CPMI-IOSCO document, where the AI confidently assigned the wrong subject matter to a document reference and only surfaced its uncertainty when challenged. This is not a borderline paraphrase or a minor nuance; it is a factual error about a document's title and scope.

The risk this pattern creates for a Compliance team at a Software & SaaS firm is proportionate to how that team uses AI output. If an analyst uses an AI-generated summary to build a regulatory mapping — identifying which CPMI publications govern the firm's critical service provider obligations — the error will be embedded in that mapping, carried into board-level reporting, supplier due-diligence frameworks, and any regulatory submission or self-assessment that references the mapping. Because the PFMI's critical service provider oversight expectations (including those addressed in the assessment methodology document the AI misidentified) are increasingly enforced through direct supervisory engagement with FMIs and their service providers, an inaccurate mapping is not merely an internal compliance shortfall — it becomes a representation made to regulators.

The cluster of findings in this cell is narrow — one aggregated finding — but the systemic risk is not. The PFMI is a living framework with associated technical guidance documents that are updated independently of the core principles. AI tools trained on data with a fixed cut-off are structurally ill-equipped to track which document supersedes which, which annex has been supplemented by subsequent CPMI work, and how the assessment methodology has evolved. Every time a Compliance team uses AI to navigate this document ecosystem without verification against the BIS portal directly, it is exposed to the same category of error found here.

Findings

Hallucinations (1)

Finding#1 — PFMI Annex F and critical service provider assessment methodology

  • Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-PFMI-2012-Q011
  • AI's failure: AI confidently answered incorrectly; when challenged, it admitted it didn't really know — right or wrong
  • Risk for Compliance at Software & SaaS: Direct supervisory finding against the compliance function; section-166-style skilled person review possible

What your team should do

The default position for Compliance teams at Software & SaaS firms using AI tools on the PFMI should be: treat AI output as a starting orientation, not a citable source. The specific failure found here, a confident misidentification of a CPMI publication's subject matter, is difficult to detect without independent verification, because the AI does not spontaneously flag the error. Any internal work product that depends on identifying the correct CPMI or CPMI-IOSCO document (gap analyses, training materials, regulatory submissions, supplier contracts, board-level compliance reports) must be checked against the BIS publication catalogue, and for joint publications the IOSCO library as well, before that work product is finalised or shared.

Practically, this means establishing a two-step norm within the Compliance workflow: AI tools may be used to generate an initial reading list, summarise the general structure of the PFMI, or draft prose around principles whose scope is already understood; but any claim about a specific document number, publication date, title, or the relationship between the core principles and their supporting technical guidance must be verified by a team member against the source. The BIS portal is the authoritative starting point for CPMI and CPMI-IOSCO publications. Verify by publication number and date rather than by title alone: the core PFMI text (CPMI publication d101, April 2012), the December 2012 disclosure framework and assessment methodology, and the later CPMI-IOSCO assessment methodology for the Annex F oversight expectations applicable to critical service providers all carry similar-sounding titles, and that overlap is precisely what an AI tool is prone to conflate. This is not a high burden, but it must be explicit policy, because absent a clear norm, time pressure will routinely produce AI-assisted work product that bypasses verification.

Where AI tools are safest in this regulatory context is in tasks that do not depend on bibliographic precision: explaining the conceptual logic of the PFMI's tiered approach to financial market infrastructure oversight, helping a business line understand what a critical service provider designation means in general terms, or generating a checklist of questions for a gap analysis that the Compliance team will then answer using verified sources. AI tools are materially less safe for any task that requires accurately naming, dating, or characterising specific CPMI publications — and for any external-facing work product, the safe assumption is that AI-generated references require independent confirmation before use.

How RLB Can Help

RegLeg's published Hallucination Research gives Compliance teams at Software & SaaS firms a practical pre-flight check before placing weight on AI-generated output in regulatory work. The research surfaces the specific failure modes — confident misstatement of legislative text, stale citation of superseded guidance, jurisdiction-blending — that are most likely to arise when AI tools are applied to compliance questions. Reviewing the relevant findings before deploying AI assistance on a regulatory task is a low-cost step that can materially reduce the risk of acting on flawed output.

For teams that need to go further, RLB offers bespoke regulator deep-dives scoped to the Software & SaaS compliance function. These engagements map the AI-supported workflows your team already relies on — licence condition monitoring, cross-border data-transfer assessments, regulatory change tracking, response drafting — against RegLeg's failure-mode catalogue to identify where hallucination exposure is highest and what mitigating controls are most effective in practice. The output is a prioritised, function-specific risk picture rather than a generic technology assessment. RLB also conducts confidential reviews of a firm's existing AI-use policy, benchmarking it against documented failure patterns and returning a structured remediation list ordered by materiality so the Compliance team can address gaps in a sequence that reflects actual regulatory risk.

Where teams want to build durable internal capability, RLB can develop training material and CPD-aligned content tailored to a Software & SaaS compliance audience. That content covers how to read and apply hallucination research findings, how to structure human-review checkpoints around AI-assisted regulatory workflows, and how to document AI reliance in a way that satisfies regulator expectations around accountability and audit trail. The aim throughout is collaborative: RLB works alongside your team to embed practical safeguards rather than deliver a report that sits on a shelf.
