Compliance officers at software and SaaS firms building cross-border payments platforms aligned to the CPMI API harmonisation programme are increasingly using AI to draft customer-facing CPMI alignment statements, generate regulatory-horizon-scan summaries for client compliance teams, prepare board-paper compliance annexes on the SARB pre-validation workstream, update product-level CPMI mapping documents against the 10 recommendations, and validate ISO 20022 address-format commitments against regulator-issued source text. The RLB Specialist Panel tested how that AI usage performs against the regulator's own primary text on CPMI's October 2024 d224 report and the related CPMI Brief and speech series.
The audit surfaced four substantive failure modes that the AI subjects delivered with regulator-fluent confidence.
Stakeholder Taxonomy Fabrication and Fabricated Date-and-Format Commitment on CPMI API Harmonisation for Cross-Border Payments. Two frontier AI models tested by the RLB Specialist Panel returned confident, citable answers across the panel's CPMI substrate-bound question set on the October 2024 d224 report and the related CPMI Brief and speech series. The panel binds each AI finding to verbatim regulator-issued source text held as primary substrate.
Across the 2 findings in this Compliance teams at Software & SaaS firms briefing, the AI subjects built a recommendation-by-recommendation stakeholder breakdown from category names rather than the regulator's actual recommendation text; introduced a specific November 2026 cutover commitment for structured ISO 20022 addresses that does not appear in the regulator's text.
A customer-facing CPMI alignment statement that records a November 2026 structured-ISO-20022 cutover as a CPMI mandate gives the customer's procurement and compliance team a regulator commitment that does not exist. A product-level CPMI mapping document built on AI per-recommendation stakeholder taxonomy carries fabricated assignments into the platform's roadmap and into customer-facing collateral.
The findings are published with immutable RLB Citation IDs: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47, RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009-Sonnet46. The full audit is published at the CPMI API Harmonisation for Cross-Border Payments hub on RegLegBrief.com.
This is the consolidated view of findings. Click the Citation IDs or 'see details →' on any item for the full details for each finding.
SaaS payments and AML compliance teams (the people writing the vendor SOC 2 control narrative, the customer-facing regulatory-applicability statement, and the security questionnaire responses for bank buyers) lean on d224's stakeholder structure to scope which of the 10 recommendations a payments-API SaaS actually carries as a vendor obligation versus which fall to the bank customer. Opus 4.7 returns a clean stakeholder taxonomy reconstructed from category labels. A SOC 2 narrative or customer-applicability statement written off that taxonomy assigns the vendor obligation the regulator did not assign, and the assignment is exactly what bank-customer counsel will flag at procurement review.
SaaS payment APIs sold to PSPs and banks ship roadmap commitments on ISO 20022 schema and address-format support to customer success and account teams as part of every standing roadmap update. Sonnet 4.6 commits to a November 2026 structured-address-only cutover that does not appear in d230. A SaaS compliance team that lifts the AI line into the customer roadmap commitment, the SOC 2 change-management note or the published regulatory-readiness statement is committing the product to a regulator deadline that does not exist.
Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.