Compliance leads at payments-API SaaS firms touch CPMI material at three points: the regulatory-applicability statement the sales team uses with bank prospects, the SOC 2 control narrative tied to payments-schema obligations, and the customer-facing roadmap commitment on ISO 20022 readiness. Two AI failures on this regulation hit those exact deliverables. Opus 4.7 returned a per-recommendation stakeholder taxonomy reconstructed from category labels rather than the d224 recommendation text, and Sonnet 4.6 committed to a November 2026 ISO 20022 structured-address cutover the d230 source does not state.
Either error, lifted into a vendor-facing deliverable, hands the bank customer's counsel exactly the misallocation they will challenge at procurement review.
What the AI got wrong, and why it matters here
Both failures land on artefacts SaaS compliance teams ship out of the company, not artefacts kept internal. The reviewer who catches the error is therefore the customer's procurement counsel, not the SaaS firm's own second line.
Finding 1: Reconstructed stakeholder taxonomy
Opus 4.7 returned a clean stakeholder taxonomy across d224's 10 recommendations, built from category labels rather than the recommendation text. A SaaS regulatory-applicability statement or SOC 2 narrative written from that taxonomy assigns the vendor obligations the regulator did not assign, which procurement counsel at the bank customer will flag.
Citation: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47.
Finding 2: Fabricated November 2026 ISO 20022 cutover
Sonnet 4.6 committed to a hard November 2026 structured-address-only cutover for ISO 20022 cross-border payment messages. The d230 source describes only standardisation and regulatory developments since 2023 and a separate technical annex; the November 2026 cutover is not there. A customer roadmap commitment quoting the AI line commits the product to a regulator deadline that does not exist.
Citation: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009-Sonnet46.
When this hits the SaaS compliance calendar
SaaS compliance pulls CPMI material on three artefacts: the regulatory-applicability statement for the sales pack, the SOC 2 control narrative, and the customer-facing roadmap commitment to ISO 20022 readiness.
| Standing artefact | Where the AI risk surfaces | Failure mode |
|---|---|---|
| Regulatory-applicability statement | Stakeholder-obligation routing | Finding 1 |
| SOC 2 control narrative | Stakeholder-obligation routing and cutover commitments | Findings 1 and 2 |
| Customer roadmap commitment on ISO 20022 readiness | Cutover dates | Finding 2 |
Aggregate impact on the team
Both failures show up in customer-facing deliverables. The downstream risk is procurement-counsel challenge and reputational hit when the misallocation is caught externally rather than internally.
| Risk Impact | Count | Affected findings |
|---|---|---|
| | 0 | |
What this team should do
Tag the d224 stakeholder taxonomy and the d230 ISO 20022 cutover date as known-failure outputs. Any AI draft headed for a customer-facing deliverable must be routed through a primary-source check (the d224 recommendation text and the d230 source, including its technical annex) before it ships externally.
Detection patterns to add to AI-review
- Stakeholder-obligation mapping on d224 must be verified against the recommendation text.
- ISO 20022 cutover-date assertions against d230 must be verified against the d230 text and technical annex.
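Both patterns above reduce to the same review step: take each sentence of an AI draft that asserts a deadline or assigns an obligation to a named actor, and check that the date or the actor actually appears in the primary-source text. The Python below is an added example written for this page, not RLB's own tooling or a quotation from d224 or d230; the source excerpt and the AI draft are constructed stand-ins, and the regex-based sentence split, date extraction and "Actor must/should/shall" actor capture are the assumptions it rests on. It flags a sentence only when deadline language meets a date the source never mentions, or when an obligation is assigned to an actor the source never names.

```python
import re

# Constructed sample texts, not quotations from d224 or d230. The draft copies
# one source sentence, then adds a cutover date and an obligation the source
# does not contain, mirroring Findings 1 and 2 in shape.
SOURCE_EXCERPT = (
    "This annex summarises standardisation and regulatory developments since 2023. "
    "Structured addresses are being adopted across the ISO 20022 migration."
)
AI_DRAFT = (
    "Structured addresses are being adopted across the ISO 20022 migration. "
    "From November 2026 only structured addresses will be accepted for cross-border messages. "
    "Payment service providers must complete the cutover by that deadline."
)

MONTH = (
    r"(January|February|March|April|May|June|July|August|"
    r"September|October|November|December)"
)
# Group 1/2: "Month YYYY"; group 3: a bare four-digit year.
DATE_RE = re.compile(rf"\b{MONTH}\s+(20\d\d)\b|\b(20\d\d)\b")
# Assumed deadline vocabulary; extend for the drafts you actually review.
DEADLINE_WORDS = ("cutover", "deadline", "only", "must", "by ")
# Assumed obligation shape: a capitalised actor phrase followed by a modal verb.
OBLIGATION_RE = re.compile(r"(?P<actor>[A-Z][A-Za-z -]+?)\s+(must|should|shall)\b")


def split_sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def date_tokens(sentence):
    """Return normalised 'Month YYYY' or 'YYYY' tokens found in a sentence."""
    tokens = []
    for m in DATE_RE.finditer(sentence):
        if m.group(1):
            tokens.append(f"{m.group(1)} {m.group(2)}")
        else:
            tokens.append(m.group(3))
    return tokens


def ungrounded_deadlines(draft, source):
    """Flag draft sentences that pair deadline language with a date that
    appears nowhere in the source text. Returns (sentence, missing_dates)."""
    flagged = []
    for sent in split_sentences(draft):
        dates = date_tokens(sent)
        if not dates:
            continue
        has_deadline_language = any(w in sent.lower() for w in DEADLINE_WORDS)
        missing = [d for d in dates if d not in source]
        if has_deadline_language and missing:
            flagged.append((sent, missing))
    return flagged


def unsupported_obligations(draft, source):
    """Flag actors the draft binds with must/should/shall when the source
    never names that actor at all. Returns the list of actor phrases."""
    flagged = []
    lowered_source = source.lower()
    for sent in split_sentences(draft):
        m = OBLIGATION_RE.match(sent)
        if m and m.group("actor").lower() not in lowered_source:
            flagged.append(m.group("actor"))
    return flagged


def review_draft(draft, source):
    """Run both checks and return a report dict the review step can gate on."""
    return {
        "ungrounded_deadlines": ungrounded_deadlines(draft, source),
        "unsupported_obligations": unsupported_obligations(draft, source),
    }


if __name__ == "__main__":
    report = review_draft(AI_DRAFT, SOURCE_EXCERPT)
    for sent, missing in report["ungrounded_deadlines"]:
        print(f"UNGROUNDED DATE {missing}: {sent}")
    for actor in report["unsupported_obligations"]:
        print(f"UNSUPPORTED OBLIGATION: {actor!r} not named in source")
```

A hit on either check should return the draft to the analyst with the source passage attached; a substring match against the source is deliberately loose, so the check never passes silently on a date or actor that is merely phrased differently, at the cost of some manual re-checks.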
How RLB can help
RLB tracks AI failures on d224 and d230 and refreshes the catalogue against live AI subjects on rotation. SaaS compliance teams can wire the catalogue into the customer-deliverable review step so these two failure shapes are caught before the language ships to a bank or PSP customer.
