Lawyers advising on the CPMI API harmonisation recommendations for cross-border payments are increasingly using AI to draft client memos on each of the 10 recommendations, map recommendation-by-recommendation stakeholder obligations onto their client books, prepare partner-level briefings on the South African Reserve Bank pre-validation workstream, validate ISO 20022 address-format commitments against the regulator-issued source text, and generate horizon-scan summaries for client risk committees. The RLB Specialist Panel tested how that AI usage performs against the regulator's own primary text on CPMI's October 2024 d224 report and the related CPMI Brief and speech series.
The audit surfaced four substantive failure modes that the AI subjects delivered with regulator-fluent confidence.
Source-Credit Fabrication, Confident Denial, Stakeholder Taxonomy Fabrication and Fabricated Date-and-Format Commitment on CPMI API Harmonisation for Cross-Border Payments. Two frontier AI models tested by the RLB Specialist Panel returned confident, citable answers across the panel's CPMI substrate-bound question set on the October 2024 d224 report and the related CPMI Brief and speech series. The panel binds each AI finding to verbatim regulator-issued source text held as primary substrate.
Across the 4 findings in this Lawyers briefing, the AI subjects downgraded a regulator-stated named partnership to a speculative hedge; denied that any pilot partner has been named for the CPMI pre-validation API recommendation; built a recommendation-by-recommendation stakeholder breakdown from category names rather than the regulator's actual recommendation text; introduced a specific November 2026 cutover commitment for structured ISO 20022 addresses that does not appear in the regulator's text.
A partner-level memo that says SARB is not a named CPMI pre-validation partner embeds a verifiable factual error into an opinion deliverable. A scoping document that adopts a fabricated stakeholder taxonomy assigns the wrong recommendation owners to client product workstreams. A client briefing that quotes a November 2026 structured-address cutover as if it were regulator language commits the firm to a mandate the regulator never issued. Each error is durable: it travels into client files, engagement letters, internal know-how and partner-level deliverables, and is hard to walk back without quietly issuing a correction.
The findings are published with immutable RLB Citation IDs: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Opus47, RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Sonnet46, RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47, RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009-Sonnet46. The full audit is published at the CPMI API Harmonisation for Cross-Border Payments hub on RegLegBrief.com.
This is the consolidated view of findings. Click the Citation IDs or 'see details →' on any item for the full details for each finding.
A lawyers lead who asks Claude Opus 4.7 to confirm which central bank CPMI has formally partnered with on the payment pre-validation API receives a hedge that reads as cautious analytic work: the AI says 'plausible but unverified.' In fact CPMI Brief No. 9 published in November 2025 explicitly names the South African Reserve Bank as that partner.
The lawyers team that treats the AI hedge as settled fact mis-scopes its Africa-corridor regulatory engagement, drops SARB from its watch list of named CPMI counterparties, and risks regulatory enforcement exposure when an examiner asks why CPMI Brief No. 9 was not in the regulatory horizon-scan.
When asked the more direct framing, 'which central bank is explicitly named?', Claude Sonnet 4.6 denied that any pilot partner has been named for the CPMI pre-validation API recommendation. The denial is wrong in two ways: it overlooks CPMI Brief No. 9's named SARB partnership and presents the negative answer with the same surface confidence the AI uses for verified retrieval. A lawyers relying on that denial to conclude no jurisdictional implementation track exists will mis-frame the entire pre-validation recommendation as a future-state proposal rather than a live regulator-bilateral workstream.
A lawyers mapping the 10 CPMI recommendations to stakeholder obligations, for product scoping, regulatory submissions, or correspondent banking impact assessments, asks Claude Opus 4.7 for a recommendation-by-recommendation stakeholder breakdown. The AI returns a structured taxonomy that names ISO, BIAN, SWIFT and other bodies against specific recommendation groupings. The taxonomy is built from category names and domain priors, not from the regulator's recommendation text, which the AI could not retrieve. A lawyers acting on that breakdown carries fabricated stakeholder assignments into internal scope documents, with no signal that the underlying primary-source extraction never happened.
On the February 2026 update to the CPMI harmonised ISO 20022 data requirements, Claude Sonnet 4.6 asserts a specific cutover commitment, that from November 2026 only structured or hybrid addresses will be permitted in ISO 20022 cross-border payment messages, and frames the assertion as drawn from the updated CPMI document. The regulator's own text describes only generalised 'standardisation and regulatory developments since 2023' and a separate technical annex; the specific date-and-format commitment is not present there.
A lawyers that takes the AI's commitment statement at face value for client briefings, vendor due diligence, or implementation roadmaps will be working from a fabricated mandate that does not appear in the regulatory source.
Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.