Executive Summary
Legal teams at Statutory Boards & Agencies firms operating across international jurisdictions are increasingly consulting AI tools to map the cross-border payments regulatory landscape — including which central banks have active implementation commitments under the CPMI API harmonisation framework.
Across the single aggregated question we put to AI tools on this regulation, the AI got it wrong: it denied the existence of a CPMI document that explicitly names the South African Reserve Bank as CPMI's named collaboration partner on the payment pre-validation API recommendation, and in one instance substituted the Bank of England as the closest analogue, supported by a fabricated source URL.
The failure is not a matter of nuance or contested interpretation — the CPMI Brief No. 9 (November 2025) is unambiguous — but the AI produced a response that would send a Legal team's research in the wrong direction. For an SBA with any cross-border exposure into African markets or multilateral payment infrastructure, a briefing paper, regulatory mapping note, or supplier due-diligence record built on that AI response would misstate the implementation landscape in a way that cannot be corrected by standard review if the reviewer also trusts the AI's fabricated citation.
How AI gets this regulation wrong
On this regulation, AI tools failed by inventing facts about the implementation landscape — specifically, by asserting that no central bank is publicly identified as CPMI's named partner on the payment pre-validation API recommendation when the record explicitly says otherwise, and by substituting a different central bank backed by a fabricated citation. The table below shows how that failure mode maps across the findings in this cell.
| AI's Failure Mode | Count | Affected findings |
|---|---|---|
| Misstated Rule | 1 | Finding#1 |
What that means for your team
For Legal at an SBA, the dominant risk from AI failures on this regulation is producing the wrong deliverable: a briefing, mapping note, or due-diligence record that presents a materially incorrect picture of the cross-border API implementation landscape. The table below breaks down where in your function that risk lands.
| Risk Impact | Count | Affected findings |
|---|---|---|
| Wrong deliverable | 1 | Finding#1 |
When this affects your department
Legal teams at SBAs reach for AI on this regulation most commonly in three scenarios: scoping the cross-border payment API landscape for a new product or service that will touch multiple jurisdictions; preparing regulatory mapping notes that need to reflect which central banks have active commitments under specific CPMI recommendations; and advising business lines or senior leadership on which implementation tracks are live and which jurisdictions are already partnering with international standard-setters.
The payment pre-validation API recommendation sits at the intersection of all three — it is the recommendation most directly relevant to SBAs whose mandate touches cross-border correspondent banking, FMI connectivity, or multilateral payment infrastructure.
Where the AI failure bites hardest is in the second and third scenarios. If a Legal team's regulatory landscape briefing names the Bank of England as the central bank most closely associated with CPMI's pre-validation API work — and omits the South African Reserve Bank entirely — any downstream strategy document, board paper, or regulatory submission built on that briefing will carry a material factual error.
For SBAs with operational presence in or payment corridors into African markets, the omission of SARB is not a footnote error: it misidentifies the primary live implementation partner on the specific API recommendation most relevant to their infrastructure planning.
The fabricated source URL compounds the exposure. A Legal reviewer checking citations in a briefing note would follow the link, find it does not resolve or does not contain the claimed text, and face a credibility problem that goes beyond the substantive error. In the context of a regulatory submission, a policy paper shared with the board, or a due-diligence record that forms part of a supplier assessment, a fabricated citation creates a paper trail that is hard to explain and harder to remediate once it has circulated.
The findings at a glance
The table below summarises each finding in this cell — the question area, the type of AI failure, and the risk category it maps to for Legal teams at SBAs in international jurisdictions.
| # | Finding title | Type | Citation ID |
|---|---|---|---|
| 1 | SARB misidentified as Bank of England on pre-validation API | Hallucination | RLB-F-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007 |
Aggregate impact
The single finding in this cell points to a specific structural weakness in how AI tools handle recently published CPMI guidance: documents issued at or near the edge of their training data are not simply unknown to the AI — they are actively misrepresented. The AI did not say "I don't have data on CPMI Brief No. 9." It said, with apparent confidence, that no public CPMI statement names a specific central bank as the pre-validation API partner, and it volunteered an alternative (the Bank of England) with a fabricated citation to support it.
That is a different failure mode from a knowledge gap, and it is far more dangerous for a Legal team's workflow because there is no obvious signal of uncertainty to trigger a manual check.
For SBAs operating across international jurisdictions, the systemic risk is that AI tools consistently underweight or deny the role of non-G7 central banks in CPMI implementation work — defaulting to the Bank of England, Federal Reserve, or ECB as the named actors — even when the CPMI record explicitly names a central bank from the Global South or an emerging market jurisdiction.
This is not a random error: it reflects a training-data distribution bias that will reliably produce wrong answers on questions about which jurisdictions are actively implementing which CPMI recommendations, and it will do so with false confidence rather than acknowledged uncertainty.
For a Legal team maintaining a regulatory horizon-scanning register or advising on cross-border product expansion, a single wrong answer of this type — substituting one central bank for another on a specific implementation track — can distort the entire jurisdictional risk picture for a new product or corridor. The remediation cost is not just fixing the document: it is tracing every downstream artefact that relied on it.
What your team should do
The default position for Legal at an SBA on this regulation is: treat AI-generated answers about implementation partners, named pilot programmes, and specific central bank commitments as unverified until cross-checked directly against the CPMI's own publication record on bis.org. The CPMI Brief series, technical progress reports, and the API Harmonisation Toolkit itself are the authoritative sources; for the payment pre-validation recommendation specifically, CPMI Brief No. 9 (November 2025) is the record of named partners.
AI tools do not reliably index recently issued CPMI Briefs, and they will substitute more familiar central banks when the actual named partner is one they have less training data on.
The practical safeguard is a standing instruction to any team member using AI for regulatory landscape research on this regulation: before relying on any AI-generated statement about which central banks are involved in which CPMI implementation tracks, verify against the CPMI publication index directly. This is not a general instruction to "double-check AI outputs" — it is specific to the pattern observed: AI tools on this regulation will deny the existence of explicit CPMI statements and substitute plausible-sounding alternatives with fabricated citations. If a citation cannot be verified on bis.org, it should be treated as fabricated until proved otherwise.
Where AI tools are genuinely useful for Legal on this regulation is in understanding the structural architecture of the harmonisation recommendations — the seven recommendation areas, the toolkit structure, the general cross-border payment challenge framing — none of which is publication-date-sensitive. AI is also serviceable for initial drafting of internal policy summaries that will be reviewed against the primary text before circulation. The failure zone is narrow but high-stakes: any question about which specific jurisdictions, central banks, or institutions are named as partners, pilots, or implementation leads in a specific CPMI recommendation should go directly to the source.
How RLB Can Help
RegLeg's published Hallucination Research functions as a pre-flight check for Legal teams before relying on AI output on any regulatory question touching statutory mandates, enabling legislation, or delegated authority frameworks. Where your team is using AI tools to brief counsel, draft statutory interpretations, or review delegated legislation, the research tells you — by regulation, by failure mode — exactly where those tools have demonstrably fabricated obligations, misidentified the empowering statute, or inverted the scope of a regulatory carve-out. That is a concrete input to your sign-off process, not a general caveat.
Beyond the published research, RLB works with Legal functions at Statutory Boards and Agencies to map which AI-supported workflows carry the highest hallucination exposure in your specific context. The failure patterns in international statutory settings are not uniform: cross-jurisdictional treaty obligations, hybrid regulatory-legislative mandates, and delegated instruments with conditional commencement provisions are consistently high-risk surfaces. A bespoke deep-dive identifies where your team's existing AI use intersects those surfaces and which question types to quarantine from unsupervised AI output.
Where you already have an AI-use policy in place, RLB conducts a confidential review against the full failure-mode catalogue — not a compliance tick-box, but a prioritised remediation list that your General Counsel can act on directly.
For teams building internal capability, RLB develops training material and CPD-aligned content calibrated to Legal's actual workflow in statutory settings — not generic AI literacy content, but module-level material anchored in documented failure cases relevant to your regulatory perimeter. The goal is a Legal team that can interrogate AI output critically, not one that defers to it or avoids it entirely.