Source-Credit Fabrication and Stakeholder Taxonomy Fabrication on the CPMI API harmonisation recommendations for cross-border payments. Two frontier AI models tested by the RLB Specialist Panel produced regulator-fluent answers on CPMI's October 2024 d224 report that the panel was able to bind, line-by-line, to regulator-issued source text the AI subjects did not match. The pattern recurs across 2 substrate-bound findings on named partnerships, per-recommendation stakeholder taxonomy, ISO 20022 update language and fast payment system statistics.

The pattern in one line

For legal teams at corporate banking firms, the audit pattern is consistent: the AI subjects answer CPMI questions in the same fluent, structured register they use for verified facts, even when the underlying CPMI source the answer cites was never actually retrieved. The wrong number, the wrong availability claim, the wrong named partnership, and the fabricated date-and-format mandate all arrive in the same prose voice as the AI's correctly-sourced output.

There is no surface signal in the answer that tells the reader which paragraphs are bound to a CPMI publication and which are constructed from category names and adjacent training data. The failure pattern is therefore not primarily a prompt-engineering issue; it is a verification-process issue, and it sits upstream of any tone or formatting fix that legal teams at corporate banking firms apply at the AI drafting stage.

How the RLB Specialist Panel tested this

Questions are prepared by the RLB Specialist Panel based on real practical AI usage in the workflows legal teams at corporate banking firms use AI for. Each question is bound to verbatim regulator-issued source text held as primary substrate before the question is ever issued to a model. The Panel issued each question to two frontier AI models with web search enabled, recorded the answer verbatim with timestamp and model identity, and then bound the answer against the regulator-stated text from CPMI's primary publications.

The primary substrate for this regulation includes the October 2024 d224 report (the master CPMI API harmonisation recommendations and toolkit), CPMI Brief No. 9 (November 2025) on the pre-validation API recommendation and the SARB collaboration, and CPMI speech sp231115 (Tara Rice, November 2023) on the global fast payment system landscape statistics. Findings are only published where the AI answer fails the substrate-binding check against one or more of these primary CPMI publications. Positive observations (correctly-sourced answers, well-calibrated refusals) are not published as findings; only substantive regulator-contradicting errors enter the public audit record.

What the models got wrong

Claude Opus 4.7: SARB-CPMI pre-validation partnership hedged out of existence

Claude Opus 4.7 with web search told the user it was 'plausible' but unverified that the South African Reserve Bank is partnered with CPMI on the payment pre-validation API recommendation. The answer is recorded verbatim and cited as RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Opus47, bound to the regulator's actual text:

CPMI Brief No. 9 (November 2025) records: 'The CPMI, in collaboration with the South African Reserve Bank (SARB), has been advancing the API recommendation on payment pre-validation by conducting interviews with market stakeholders.'

The substantive consequence: An advisor or counsel acting on the AI's hedge drops SARB from the CPMI-counterparty watch list, mis-scopes Africa-corridor regulatory engagement, and risks an examiner asking why CPMI Brief No. 9 was not in the regulatory horizon scan.

Claude Opus 4.7: Per-recommendation stakeholder taxonomy fabricated

Claude Opus 4.7 with web search returned a structured taxonomy assigning ISO, BIAN, SWIFT and other named bodies to specific groupings of the 10 recommendations, without retrieving the regulator's recommendation text first. The answer is recorded verbatim and cited as RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47, bound to the regulator's actual text:

The CPMI report sets stakeholder language inside each recommendation, e.g. Recommendation 1 (open API standards): 'All stakeholders in API standardisation, but especially jurisdictional authorities and standards organisations, should actively support the development of cross-border payment API standards that are voluntary, open and consensus-based.' Recommendation 2 (existing harmonisation initiatives): 'Jurisdictional authorities (eg central banks, relevant government agencies, and regulatory bodies) and standards organisations should leverage the experience of existing API harmonisation initiatives.'

The substantive consequence: A scoping document, internal product map or correspondent-banking impact assessment built on the AI taxonomy carries fabricated stakeholder assignments into a deliverable, with no signal that the underlying primary-source extraction never happened.

Why this matters for legal teams at corporate banking firms

A legal opinion that hedges the SARB pre-validation partnership as 'plausible but unverified' embeds a verifiable factual error into a partner-signed deliverable. An advisory memo that adopts the AI's per-recommendation stakeholder taxonomy carries fabricated assignments into the firm's scoping process. A legal-function horizon scan that misses the SARB-CPMI workstream positions the firm one step behind a regulator-bilateral programme the supervisor will reasonably expect in-house counsel to track. The factual gap, once it enters a deliverable that legal teams at corporate banking firms produce, is durable.

It travels into firm-level institutional records, into client-facing collateral, into supervisory horizon scans and into engagement-letter knowledge bases. It is hard to walk back without quietly issuing a correction, and the supervisory cost of the correction is often higher than the original verification effort would have been.

The regulator's actual position

The regulator-stated positions, drawn verbatim from CPMI's primary publications (d224 October 2024, CPMI Brief No. 9 November 2025, speech sp231115 November 2023), read as follows.

CPMI Brief No. 9 (November 2025) records: 'The CPMI, in collaboration with the South African Reserve Bank (SARB), has been advancing the API recommendation on payment pre-validation by conducting interviews with market stakeholders.'

The CPMI report sets stakeholder language inside each recommendation, e.g. Recommendation 1 (open API standards): 'All stakeholders in API standardisation, but especially jurisdictional authorities and standards organisations, should actively support the development of cross-border payment API standards that are voluntary, open and consensus-based.' Recommendation 2 (existing harmonisation initiatives): 'Jurisdictional authorities (eg central banks, relevant government agencies, and regulatory bodies) and standards organisations should leverage the experience of existing API harmonisation initiatives.'

Each of these passages is held inside the RLB primary substrate against which the AI answer was bound. Where the AI answer states a partnership, a stakeholder assignment, a dated commitment or a numeric figure that contradicts the verbatim regulator text above, the discrepancy is recorded as a substantive finding with an immutable RLB Citation ID.

What this tells us about AI for legal teams at corporate banking firms

Legal teams should read the audit as a verification-process finding rather than a general AI critique. The models are answering in the same fluent doctrinal register on regulator-stated facts and on fabricated ones. The verification step has to be explicit: a junior associate or in-house lawyer reading an AI-drafted opinion cannot tell which sentences are regulator-bound and which are generated. A legal function that builds an explicit primary-source verification pass into the AI drafting workflow controls the exposure. One that does not signs partner-level opinions on AI-generated facts.

The taxonomy lens for this audience is straightforward: treat the AI's regulator-quoting prose as a draft to be verified, not as a sourced deliverable to be word-smithed. The verification step has to be explicit, separate from the AI drafting step, and run against a named CPMI publication rather than against general web search.

The four substantive CPMI failure modes documented in this audit (named partnership denial, per-recommendation stakeholder fabrication, ISO 20022 structured-address mandate fabrication, FPS count and operator-split misstatement) are now publicly logged, so the verification step does not need to be open-ended: it can run against the known failure list as a starting point.

What the RLB Specialist Panel is doing about it

The RLB Specialist Panel records each CPMI finding with an immutable RLB Citation ID and binds it to the regulator-issued primary source. The CPMI API Harmonisation for Cross-Border Payments hub at https://reglegbrief.com/regulators/j1/int/bis-cpmi/cpmi-api-harmonisation-cross-border-2024/ is the live record of substrate-bound CPMI AI failure modes that legal teams at corporate banking firms can lift directly into firm-level AI-use risk registers, into client-deliverable verification checklists, and into supervisory horizon scans. The Panel partners with firms, agencies and standards bodies that use AI on CPMI deliverables, surfacing new failure modes against the firm's own actual deliverable types as the CPMI issues further briefs and speeches.

Partnership engagement gives a firm or agency early access to flagged AI failure modes against its own deliverable templates, and a documented audit trail showing that the firm has tested for the failure pattern before a supervisor asks about it.

What legal teams at corporate banking firms teams should do

The action items below are framed for legal teams at corporate banking firms specifically and map onto the four documented failure modes:

• Build a CPMI-specific primary-source verification pass into the in-house legal AI-drafting workflow before any AI-drafted memo, opinion or board-paper section is partner-signed.
• Maintain a verified CPMI source list (d224 October 2024, CPMI Brief series including Brief No. 9 November 2025, Tara Rice speech sp231115 November 2023) and reconcile every AI-drafted CPMI claim against that list.
• Brief in-house counsel on the SARB pre-validation partnership specifically, so that the named workstream is in the legal-function institutional knowledge base.
• Update legal-function AI-use guidance to record the four documented CPMI failure modes as known exposures and route any AI-drafted opinion touching those areas through a senior reviewer.
• Mark AI-drafted legal commentary with a sourcing stamp identifying primary-source-verified paragraphs and AI-asserted-but-unverified paragraphs.
• Engage with the RLB Specialist Panel partnership track to receive flagged CPMI AI failure modes against the legal function's actual deliverable types.

Each action is operationally lightweight at the unit-deliverable level and compounds across the function as a control standard. The cost of building the verification step into the AI drafting workflow is consistently lower than the cost of issuing a correction on an AI-drafted deliverable that has already entered firm or supervisory records.

Right of Reply

These findings and associated work have been put up in public with a view of the greater good for the development of a safer AI ecosystem. Any party reading this or any finding on reglegbrief.com may contact us and have an unconditional right of reply; the Specialist Panel will publish any factual correction or contextual response alongside the original finding, with no editorial gatekeeping. Researchers, regulators, and compliance teams with questions on methodology or specific findings can reach the Specialist Panel via the same channel.

Source & Methodology Standards

RegLeg Brief is operated by Verdus Technologies Pte. Ltd. (UEN 201616982R), incorporated in Singapore. The RLB Specialist Panel, with an aggregate of over 60 years of public-policy and industry experience, documents only confirmed hallucination findings, under a methodology that requires a verbatim regulator excerpt for every documented claim. All findings, citation IDs, model outputs, regulator excerpts, and methodology notes are open-access.

Primary source verified: CPMI Report d224, Harmonised application programming interfaces for enhancing cross-border payments (October 2024) · Substrate documents: cpmi-d224-api-harmonisation-2024.pdf, p_05_GUIDELINE_d218___d230_update__what_changed_from_or_d223.htm · CPMI portal: bis.org/cpmi

Citation IDs referenced:

• RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Opus47
• RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47