Frontier AI models denied or rewrote CPMI's own public record on API harmonisation, regulatory-research panel finds

Two frontier AI models, with web search enabled, refused to surface published CPMI partner names and operational statistics, and in one case manufactured a regulatory deadline that does not exist, on the October 2024 CPMI report on API harmonisation for cross-border payments. The RegLeg Brief Specialist Panel calls the pattern "Source-Blindness in Cross-Border Payments Harmonisation" and warns that AI-assisted research and market-briefing workflows configured around these outputs would carry both denials of CPMI public data and at least one fabricated deadline.

SINGAPORE, June 12, 2026. Two frontier artificial-intelligence models generated denials, substitutions, and one outright fabrication on the Bank for International Settlements' Committee on Payments and Market Infrastructures (BIS-CPMI) report on harmonising application programming interfaces for cross-border payments, according to a white paper released today by RegLeg Brief, a regulatory-research outfit operated by Singapore-incorporated Verdus Technologies Pte. Ltd.

The findings, six in total and published with immutable RLB Citation IDs, concern the October 2024 CPMI document d224 on API harmonisation, the follow-on CPMI Brief No. 9 of November 2025, the d230 update to the harmonised ISO 20022 data requirements, and the November 2023 speech by Tara Rice on the global fast payment system landscape. Both Anthropic's Claude Opus 4.7 and Claude Sonnet 4.6 were tested with web search active, mirroring how payments-research analysts, central-bank policy desks, and correspondent-banking compliance teams actually use the models today.

The pattern in one line

On every question where the regulator's own public record contains a named partner, a published statistic, or a defined scope, both frontier models either refused to surface the published material or substituted a wrong-but-plausible alternative. One Sonnet response also fabricated a future regulatory deadline that does not exist in any CPMI document.

How the testing worked

The Specialist Panel posed six operational questions any payments-research analyst, central-bank policy desk, or correspondent-banking compliance team would credibly ask of an AI assistant working on cross-border payments harmonisation. Each question targeted information that is in fact published by CPMI: a named pilot partner, a stakeholder breakdown for a specific recommendation, the content of the February 2026 ISO 20022 data-requirements update, and the operator-mix statistics for the global fast payment system population. Both Claude Opus 4.7 and Claude Sonnet 4.6 were given access to web search.

Every answer was then compared against the matched CPMI source text, with the Specialist Panel quoting the regulator's verbatim phrasing on each finding card.

What the models got wrong

The six findings group cleanly into three themes.

Theme 1: Denial of a named CPMI partnership. Asked which central bank CPMI explicitly names as a collaborating partner on the payment pre-validation API recommendation, both Opus 4.7 (RLB Citation Q007-Opus47) and Sonnet 4.6 (RLB Citation Q007-Sonnet46) declined to identify the South African Reserve Bank. CPMI Brief No. 9, published November 2025, states: "The CPMI, in collaboration with the South African Reserve Bank (SARB), has been advancing the API recommendation on payment pre-validation by conducting interviews with market stakeholders." Both models, with web search, were unable or unwilling to surface that sentence.

The result reads as a confident absence of information rather than the presence of a clearly published partnership. A research-desk briefing built on this output would mis-state the structure of CPMI's implementation track.

Theme 2: Denial of CPMI-published operator-mix statistics. Asked for the share of fast payment systems globally operated by central banks versus private entities, Opus 4.7 (Citation Q010-Opus47) responded with the 2025 monitoring survey's system count (57) but offered no operator-mix breakdown.

Sonnet 4.6 (Citation Q010-Sonnet46) was asked for the same breakdown after correctly citing 70+ systems, 14 already cross-border, and 24 planning links, and responded that "a precise percentage breakdown of central bank vs. privately operated FPS is not enumerated in the public Brief 10 summaries available." The November 2023 speech by then-Head of Secretariat Tara Rice gives the figures verbatim: "70+ domestic fast payment systems currently operational globally; 14 fast payment systems already enabling cross-border exchanges; 24 systems planning linkages within five years; 40% operated by central banks; 35% by private entities." The 40/35 split is on the CPMI record.

Both models told the user, with confidence, that it was not.

Theme 3: Fabrication of a future regulatory deadline and a scope reshape. Sonnet 4.6 (Citation Q009-Sonnet46) was asked what the February 2026 update to the CPMI harmonised ISO 20022 data requirements (d230) changed relative to the October 2023 original. It answered: "From November 2026 onwards, only structured and hybrid addresses will be permitted in ISO 20022 cross-border payment messages, the fully unstructured address format is being phased out.

This is being driven by the SWIFT/CBPR+ community and is reflected in d230's updated requirements." The d230 update itself describes its scope considerably more modestly: it "takes into account standardisation and regulatory developments since 2023, provides clarification where market participants had sought further guidance, and sets out the updated and expanded data model in a separate technical annex." The "November 2026" cut-off date is not present in d230. The Sonnet response packages a specific future deadline as a CPMI fact when no such deadline appears in the CPMI text.

Opus 4.7 (Citation Q008-Opus47), asked for a recommendation-by-recommendation stakeholder breakdown across the ten harmonisation recommendations, reshaped Recommendation 1's stakeholder scope. The model framed Recommendation 1 as "primarily targeted at API standards-setting bodies (ISO, BIAN, Swift, regional/sectoral bodies), CPMI itself, and public authorities coordinating global governance; secondarily at payment-system operators...

Not specifically at correspondent banks." The d224 text frames Recommendation 1 differently: "All stakeholders in API standardisation, but especially jurisdictional authorities and standards organisations, should actively support the development of cross-border payment API standards that are voluntary, open and consensus-based." The regulator's "all stakeholders ... especially jurisdictional authorities and standards organisations" is materially broader than the model's narrower standards-body-plus-public-authority casting. A stakeholder map built on the Opus answer would understate the role CPMI assigns to jurisdictional authorities in API standardisation.

Why this matters for cross-border payments harmonisation

The CPMI's API harmonisation programme is implementation-stage, not consultation-stage. Central banks, payment-system operators, correspondent banks, and the standards community are sequencing operational work, partnership decisions, and pilot participation against named recommendations, named partners, and named statistics in the CPMI public record. A research-briefing layer that denies the existence of those named partners or those published statistics introduces specific operational risk:

• Market-intelligence work product circulated to internal investment committees and senior policy staff that states no operator-mix breakdown is published, when CPMI's own Head of Secretariat gave one in 2023.
• Stakeholder-mapping briefings that omit jurisdictional authorities from the scope of Recommendation 1, when d224 names them explicitly.
• Implementation-tracking research that declines to credit SARB as the CPMI's named pilot partner on the pre-validation API recommendation, when CPMI Brief No. 9 names the collaboration in one sentence.
• Regulatory-readiness work configured against a "November 2026" structured-address deadline that does not exist in the CPMI text.

Each failure mode is the kind of detail-level error that a senior reviewer would catch on the verbatim CPMI record but that a downstream operational consumer of the AI output would not.

The regulator's actual position

The Specialist Panel anchors each finding to the regulator's own published phrasing. On the SARB collaboration: CPMI Brief No. 9 (November 2025) is the source, and the language is unambiguous. On the operator mix of the global fast payment system population: the November 2023 CPMI speech by Tara Rice is the source, with the 40% / 35% figures explicit.

On the stakeholder scope of Recommendation 1: d224 itself frames the recommendation as targeting "all stakeholders in API standardisation, but especially jurisdictional authorities and standards organisations." On the d230 update: the CPMI's own update text scopes the changes as standardisation-and-regulatory-development incorporation, clarification, and a separate technical annex, with no November 2026 phase-out language.

The pattern is not that CPMI material is hard to find. It is that web-search-enabled frontier models, asked to assist research and briefing work, returned outputs that either denied the public record or substituted a more confidently shaped alternative.

What this tells us about AI under regulatory query

The Specialist Panel reads the six findings together as a calibration problem in retrieval-augmented generation when the substrate is a corpus of central-bank publications, supporting briefs, and speeches. The model's prior about how cross-border payments standards work appears to dominate the retrieved CPMI text in cases where the published material is the more specific, more recent, and more authoritative answer.

Two diagnostic features stand out. First, both models defaulted to confident denials of the existence of published figures and named partners, rather than to caveated uncertainty about a specific document or source. A correctly calibrated response on Q010 would have been: "the operator-mix breakdown appears in the November 2023 CPMI speech by Tara Rice." Instead, both models told the user the figures were unavailable.

Second, the Sonnet fabrication on Q009 packaged a specific date and a specific regulatory mechanism (the November 2026 unstructured-address phase-out) as a CPMI fact, when in reality that timeline belongs to the SWIFT/CBPR+ programme, not to the d230 update. The model collapsed two adjacent but distinct regulatory tracks into one.

What RegLeg is doing about it

The RegLeg Brief Specialist Panel documents all six findings open-access, with no paywalls, no registration walls, and no licensing fees. Each finding carries an immutable RLB Citation ID linking the verbatim model output, the matched CPMI excerpt, and the Specialist Panel diagnosis. The Panel runs adversarial Specialist Panel application-style questions against frontier models on regulator-portal-hosted documents and panel-retained versions of the same documents, with the goal of surfacing the failure modes that would surface in real operational use.

AI labs and model developers named in any published finding have an unconditional right of reply. The Specialist Panel documents any factual correction or contextual response alongside the original finding, with no editorial gatekeeping. Researchers, regulators, and payments-industry teams with questions on methodology or specific findings can reach the Panel through the same channel.

Implications for AI labs

Because RegLeg Brief conducts its own original research and adversarial analysis against frontier AI models, the detail in each published finding is precise enough to enable a targeted hallucination-mitigation response. Directions an AI lab might consider, drawing on the six CPMI findings, include:

• Targeted correction pairs that match CPMI's verbatim phrasing on named partnerships, named operator-mix statistics, and named recommendation scopes against the wrong-but-plausible reconstructions documented in each finding, suitable for direct ingestion into a training-data pipeline.
• Embedded eval cycles that test retrieval-augmented generation specifically on central-bank speeches, briefs, and follow-on publications, where the model's prior about how standards bodies work tends to dominate the retrieved source text.
• Pre-release evaluation against the documented failure shapes (denial of published partnerships, denial of published operator-mix statistics, fabrication of future regulatory deadlines, reshape of recommendation scope) before capability releases touching payments infrastructure or cross-border regulatory content reach customers.
• Post-release monitoring on regulator-specific failure surfaces as new central-bank publication tranches enter the model's live deployment footprint, with regression tracking on previously documented failure modes.

The six findings sit within the broader Specialist Panel work documenting how frontier AI models behave when asked operational questions about recently issued central-bank and standards-body material. The pattern they document is structural, not incidental.

Primary sources verified: BIS-CPMI d224 (October 2024) · CPMI Brief No. 9 (November 2025) · CPMI d230 ISO 20022 data requirements (February 2026 update) · CPMI speech sp231115 by Tara Rice (November 2023).

Right of Reply

These findings and associated work have been put up in public with a view of the greater good for the development of a safer AI ecosystem. Any party reading this or any finding on reglegbrief.com may contact us and have an unconditional right of reply; the Specialist Panel will publish any factual correction or contextual response alongside the original finding, with no editorial gatekeeping. Researchers, regulators, and compliance teams with questions on methodology or specific findings can reach the Specialist Panel via the same channel.

Source & Methodology Standards

RegLeg Brief is operated by Verdus Technologies Pte. Ltd. (UEN 201616982R), incorporated in Singapore. The RLB Specialist Panel, with an aggregate of over 60 years of public-policy and industry experience, documents only confirmed hallucination findings, under a methodology that requires a verbatim regulator excerpt for every documented claim. All findings, citation IDs, model outputs, regulator excerpts, and methodology notes are open-access.

Primary source verified: CPMI Report d224, Harmonised application programming interfaces for enhancing cross-border payments (October 2024) · Substrate documents: cpmi-d224-api-harmonisation-2024.pdf, p_05_GUIDELINE_d218___d230_update__what_changed_from_or_d223.htm, p_10_GUIDELINE_Tara_Rice_speech_Nov_2023___FPS_statisti_d230.htm · CPMI portal: bis.org/cpmi

Citation IDs referenced:

• RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Opus47
• RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Sonnet46
• RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47
• RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009-Sonnet46
• RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q010-Opus47
• RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q010-Sonnet46