Compliance leads at payment institutions read CPMI's d224 framework for three operational signals: which regulator-led pre-validation pilots could touch their corridor exposure (SARB on Southern Africa, RBI on India-corridor work), which d224 recommendations actually bind the PI itself versus the system operator, and how ISO 20022 address-quality data is changing for travel-rule and sanctions screening.
Three AI-generated answers tested against d224 and the CPMI brief series were confidently wrong on those three operational signals: Sonnet 4.6 denied the SARB partnership that CPMI Brief No. 9 names, Opus 4.7 invented a per-recommendation stakeholder taxonomy, and Sonnet 4.6 manufactured a November 2026 ISO 20022 cutover the d230 text does not state. Each error lands inside a PI compliance deliverable the supervisor, the safeguarding trustee or the correspondent partner will eventually read.
What the AI got wrong, and why it matters here
The three failures repeat the same pattern: high-confidence output on regulator-source detail that the AI could not actually retrieve from the d224, d230 or CPMI-brief primary text.
Finding 1: SARB pre-validation partnership denied
Sonnet 4.6 was asked which central bank is explicitly named as the CPMI pre-validation API partner. It denied that any pilot partner had been named. CPMI Brief No. 9 (November 2025) names the South African Reserve Bank outright. Quoted into a corridor-risk paper or supervisor periodic update, the denial misrepresents a live regulator workstream that the supervisor's own staff have read in print.
Citation: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Sonnet46.
Finding 2: Invented per-recommendation stakeholder taxonomy
Opus 4.7 was asked which of d224's 10 recommendations target commercial banks, which target system operators, and which target central banks. It returned a structured stakeholder taxonomy built from category labels rather than from the d224 recommendation text. A PI obligation-mapping memo written off that taxonomy will misroute scope across the PI, the system operator and the standards body, and will not survive second-line challenge against the primary recommendation text.
Citation: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47.
Finding 3: Fabricated November 2026 ISO 20022 structured-address cutover
Sonnet 4.6 was asked what changed in the February 2026 update to d230. It committed to a hard cutover: from November 2026 only structured or hybrid addresses will be permitted in ISO 20022 cross-border payment messages. The d230 source text describes only standardisation and regulatory developments since 2023 and a separate technical annex. The November 2026 cutover is not in the document. A travel-rule readiness paper or sanctions-screening recalibration memo quoting the AI line schedules work against a regulatory deadline the regulator did not document.
Citation: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009-Sonnet46.
When this hits the PI compliance calendar
PI compliance pulls CPMI material on the safeguarding scheme periodic review, the corridor-risk paper for the supervisor, the travel-rule readiness file, and the periodic AML steering deck.
| Standing item | Where the AI risk surfaces | Failure mode |
|---|---|---|
| Safeguarding scheme periodic review | Pilot-partner naming for corridor exposure | Finding 1 |
| Supervisor corridor-risk paper | Pilot-partner naming and obligation mapping | Findings 1 and 2 |
| Travel-rule readiness file | ISO 20022 address-format cutover commitments | Finding 3 |
| Periodic AML steering deck | All three | All three |
Aggregate impact on the team
The three failures spread across the supervisor-facing paper, the obligation-mapping memo and the travel-rule file. The downside is supervisory exposure on factual error and a compliance scope that does not survive second-line challenge.
| Risk Impact | Count | Affected findings |
|---|---|---|
| 0 | ||
| 0 |
What this team should do
Treat AI output naming a CPMI pilot partner, mapping d224 recommendations to PI obligations, or asserting an ISO 20022 cutover date as draft material requiring verification against the primary regulator text (CPMI brief by number for the partner, d224 recommendation text for the mapping, d230 source for the cutover).
Detection patterns to add to AI-review
- Pilot-partner naming must trace to a numbered CPMI brief, not to the AI's summary text.
- Obligation mapping on d224 must be cross-checked against the d224 recommendation text headings, not against category labels.
- ISO 20022 cutover dates against d230 must be verified against the d230 text and technical annex.
How RLB can help
RLB tracks the failure pattern on d224, d230 and the CPMI brief series and refreshes the catalogue against live AI subjects on rotation. PI compliance teams can wire the catalogue into the AI-draft review checkpoint so these three failure shapes are caught before the language ships to the supervisor, the safeguarding trustee or the correspondent partner.