Executive Summary
Compliance teams at statutory boards and agencies operating across international jurisdictions are increasingly using AI tools to track the implementation landscape of CPMI's API harmonisation recommendations — mapping which central banks are advancing specific workstreams, and at what pace.
On the pre-validation API recommendation, which is a priority for cross-border payment corridors involving multiple emerging market jurisdictions, AI assistants we tested produced a clear and consequential error: both tools failed to identify that CPMI Brief No. 9 (November 2025) explicitly names the South African Reserve Bank as CPMI's named collaboration partner for advancing the pre-validation API recommendation through market stakeholder interviews.
One AI tool hedged — stating it could not find any public CPMI statement naming a specific partner — while a second positively misidentified the Bank of England as the closest analogue, citing a fabricated source URL to support that claim. For a Compliance function advising business lines or regional offices on cross-border payment strategy, regulatory engagement planning, or correspondent banking due diligence, either version of this response produces a wrong deliverable — and the fabricated citation compounds the risk by lending false credibility to a factually incorrect answer.
How AI gets this regulation wrong
The failure pattern on this regulation centres on AI tools inventing facts about which central banks are named in CPMI's implementation work — either declining to confirm what the published record states, or actively substituting a different institution. The table below breaks down where that tendency surfaces across the questions tested on this regulation.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Misstated Rule | 1 | Finding#1 |
What that means for your team
When AI gives a Compliance team the wrong picture of which regulatory bodies are actively implementing CPMI API workstreams, the immediate exposure is a wrong deliverable — internal briefs, engagement strategies, or regulatory mapping documents built on a factual error that will not be caught by a downstream reviewer who assumed the AI had checked the primary source. The table below maps that risk to the specific workflows where a Compliance function at a statutory board or agency is most exposed.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects your department
Compliance functions at statutory boards and agencies with cross-border payment mandates are regular consumers of AI-assisted regulatory intelligence on the CPMI API harmonisation framework. Practical touchpoints include: briefing senior leadership on the implementation status of specific CPMI recommendations before engagement with CPMI working groups or FSB forums; scoping technical compliance programmes for correspondent banking relationships or payment infrastructure upgrades that reference specific API recommendation tracks; and drafting internal policy notes or regulatory horizon-scanning reports that map which jurisdictions and central banks are leading implementation of particular recommendations.
In any of these contexts, a Compliance team member querying AI on which central bank CPMI has formally identified as a partner on a specific recommendation is doing a routine, legitimate task — and the risk of acting on a wrong answer is proportional to how far downstream that answer travels before anyone checks the source.
The pre-validation API recommendation is a live workstream with direct implications for cross-border payment corridor compliance in multiple jurisdictions, including corridors involving sub-Saharan Africa. If a Compliance team produces a briefing note asserting that no central bank has been named by CPMI as a partner on this track — or that the Bank of England holds that position — and that note informs engagement strategy, due diligence sign-off, or a response to a business unit seeking regulatory clearance for a new payments product, the error propagates without a natural correction point.
The regulatory record is unambiguous; the AI's output was not.
The additional risk here is citation laundering. When an AI assistant supports a wrong factual claim by citing a source URL, a compliance professional or junior analyst who does not independently verify the citation may treat the AI's answer as sourced and therefore reliable. A fabricated URL pointing to a non-existent Bank of England document compounds the original factual error: the deliverable now carries false provenance, and any internal challenge has to unwind both the wrong fact and the wrong citation simultaneously.
The findings at a glance
The table below summarises the finding tested on this regulation for Compliance teams at statutory boards and agencies, including the type of AI failure and the regulatory record that contradicts it.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | SARB misidentified as unnamed; Bank of England fabricated as partner | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007 |
Aggregate impact
The single finding on this regulation reveals a failure mode that is structurally significant for any Compliance team that relies on AI tools to stay current with fast-moving CPMI implementation workstreams. CPMI Brief No. 9 was published in November 2025 — at or beyond the training cutoff for most general-purpose AI models.
The practical consequence is that AI tools tested on questions requiring awareness of that brief either went silent (declining to confirm what the published record states) or filled the knowledge gap with a plausible-sounding substitution: the Bank of England, positioned as the most likely candidate based on its visible CPMI participation, rather than the SARB, which CPMI Brief No. 9 explicitly names. Both failure modes — false negative and false substitution — produce a wrong deliverable.
For a statutory board or agency with cross-border payment oversight responsibilities, this is not an abstract risk. Engagement calendars, correspondence with CPMI working groups, and internal briefings on implementation obligations are all time-sensitive products where getting the named partner institution right matters. A briefing note that omits or misidentifies SARB's role in the pre-validation API track will be factually wrong when it reaches any reader familiar with the brief — and given that CPMI Brief No. 9 was widely circulated through central bank and FSB channels, that includes many likely reviewers.
The fabricated citation identified in this finding adds a further dimension: the AI tool did not simply give a wrong answer, it provided a source reference that does not exist to support it. For Compliance functions that treat sourced outputs as more reliable than unsourced ones — a reasonable heuristic in most contexts — this is a direct exploit of that heuristic. The appropriate control is not to assume AI citations are real; it is to verify every source URL before it enters a document that will be signed off or shared externally.
What your team should do
The default position for any Compliance team using AI tools on CPMI implementation questions should be: AI is a starting point for orientation, not a source for named institutional facts. Questions about which central bank is advancing which recommendation, in what capacity, and under which formal arrangement are precisely the type of question where training-data recency matters most — and where the gap between what is in the AI's training corpus and what is in the current published record is widest for recent CPMI Briefs.
Treat any AI response on implementation partners, named bilateral arrangements, or pilot jurisdictions as requiring primary source verification before it enters any deliverable.
The practical safeguard is a short mandatory step: before any Compliance output that references a specific central bank's role in CPMI workstreams is signed off, verify the claim directly against the relevant CPMI Brief or working group document on the BIS website. This is a ten-minute check that eliminates the failure mode identified here. The same applies to any cited URL the AI provides in support of an institutional claim — verify the URL resolves and contains the claimed content.
A URL that does not resolve is not a minor formatting issue; it is evidence that the AI fabricated the citation, which should prompt re-verification of the underlying factual claim as well.
AI tools remain useful for Compliance work on this regulation in contexts that do not depend on post-2024 implementation intelligence: explaining the architecture of the API harmonisation recommendations, mapping the recommendation categories against a firm's existing payments infrastructure, or drafting initial language for internal policy frameworks that a specialist will then calibrate against the current regulatory position. For regulatory intelligence that turns on which institutions are currently named as CPMI partners or pilots — including anything that will inform an engagement strategy or a regulator-facing document — go to the BIS website directly.
How RLB Can Help
RegLeg's published Hallucination Research gives Compliance teams at Statutory Boards and Agencies a practical pre-flight check before placing weight on AI-assisted output for regulatory questions. Because the research is openly available, it can be incorporated into existing review workflows without additional licensing or procurement — teams can consult the relevant failure-mode findings at the point where AI tools are being used to interpret obligations, draft submissions, or assess enforcement exposure, and adjust their reliance accordingly.
Where published research is not granular enough for a specific operating context, RLB offers bespoke regulator deep-dives tailored to the Compliance function's actual workflow. These engagements map the AI-supported tasks that carry the highest hallucination exposure for a Statutory Board or Agency — typically areas such as multi-jurisdictional obligation mapping, condition-of-licence interpretation, and regulatory correspondence drafting — and produce a prioritised picture of where human verification effort should be concentrated.
RLB also conducts confidential reviews of a firm's existing AI-use policy against RegLeg's failure-mode catalogue, identifying gaps and producing a prioritised remediation roadmap that the Compliance team can action within its normal governance cycle.
To support capability building within the team, RLB develops training material and CPD-aligned content that Compliance staff can use internally. This content is designed to be delivered by the team's own leads rather than requiring ongoing external facilitation, and is calibrated to the regulatory environment and AI tools already in use at the firm. The aim is to leave the Compliance function better equipped to make its own informed judgements about AI reliability — not dependent on external sign-off each time a new workflow is introduced.