AI Hallucination on Promoting the Harmonisation of Application Programming Interfaces to Enhance Cross-Border Payments: Recommendations and Toolkit for Compliance teams at Retail Banking firms in international jurisdictions

Retail Banking Compliance teams: documentation and reporting gaps possible from AI reading of CPMI Cross-Border API Harmonisation 2024

Compliance officers at retail banks supporting cross-border consumer payments on the CPMI API harmonisation programme are increasingly relying on AI to update onboarding checklists, generate consumer-facing CPMI disclosure language, prepare regulatory horizon scans on the SARB pre-validation workstream, update sanctions and AML programme appendices on the 10 CPMI recommendations, and verify ISO 20022 address-format commitments against regulator-issued source text. The RLB Specialist Panel tested how that AI usage performs against the regulator's own primary text on CPMI's October 2024 d224 report and the related CPMI Brief and speech series.

The audit surfaced four substantive failure modes that the AI subjects delivered with regulator-fluent confidence.

Source-Credit Fabrication, Stakeholder Taxonomy Fabrication and Fabricated Date-and-Format Commitment on CPMI API Harmonisation for Cross-Border Payments. Two frontier AI models tested by the RLB Specialist Panel returned confident, citable answers across the panel's CPMI substrate-bound question set on the October 2024 d224 report and the related CPMI Brief and speech series. The panel binds each AI finding to verbatim regulator-issued source text held as primary substrate.

Across the 3 findings in this Compliance teams at Retail Banking firms briefing, the AI subjects downgraded a regulator-stated named partnership to a speculative hedge; built a recommendation-by-recommendation stakeholder breakdown from category names rather than the regulator's actual recommendation text; introduced a specific November 2026 cutover commitment for structured ISO 20022 addresses that does not appear in the regulator's text.

A regulatory horizon scan that records 'no jurisdictional partner identified' on the CPMI pre-validation workstream when SARB is in fact the named partner is a verifiable factual error in a supervisory deliverable. A consumer-facing CPMI disclosure that records a November 2026 structured-ISO-20022 cutover as a CPMI mandate quotes a regulator commitment that does not exist. A correspondent-onboarding stakeholder mapping built on AI taxonomy outputs carries fabricated assignments forward into the firm's onboarding pipeline.

The findings are published with immutable RLB Citation IDs: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Opus47, RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47, RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009-Sonnet46. The full audit is published at the CPMI API Harmonisation for Cross-Border Payments hub on RegLegBrief.com.

Compliance leads in retail banking touch CPMI material when the consumer-protection lens lands on a cross-border or remittance product: which corridors are about to see a regulator-led pre-validation rail, which d224 obligations actually bind the retail bank versus the system operator the bank integrates with, and how ISO 20022 address fields change for sanctions and travel-rule screening.

Three AI-generated answers tested against d224 and the CPMI brief series were confidently wrong on those three operational signals: Opus 4.7 denied the SARB partnership documented in CPMI Brief No. 9, Opus 4.7 invented a per-recommendation stakeholder taxonomy, and Sonnet 4.6 manufactured a November 2026 ISO 20022 cutover the d230 text does not state. Each error lands inside a compliance deliverable the supervisor, the conduct regulator or the consumer-protection committee will eventually read.

What the AI got wrong, and why it matters here

All three failures share the same pattern: confident output on regulator-source detail that the AI could not actually retrieve, written in the same surface tone as a verified retrieval.

Finding 1: SARB pre-validation partnership denied

Opus 4.7 denied any public CPMI statement names SARB as the pre-validation pilot partner. CPMI Brief No. 9 (November 2025) names SARB outright. Quoted into a South-Africa-corridor remittance fairness memo or a supervisor thematic response, the denial misses a documented regulator workstream.

Citation: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q007-Opus47.

Finding 2: Invented per-recommendation stakeholder taxonomy

Opus 4.7 returned a clean stakeholder taxonomy across d224's 10 recommendations, built from category labels rather than the recommendation text. A retail-bank compliance scoping memo written off that taxonomy misallocates obligation between the bank and the FPS scheme operator.

Citation: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q008-Opus47.

Finding 3: Fabricated November 2026 ISO 20022 cutover

Sonnet 4.6 committed to a hard November 2026 structured-address-only cutover for ISO 20022 cross-border payment messages. The d230 source describes only generalised standardisation and regulatory developments since 2023 and a separate technical annex. A remittance product disclosure review or sanctions-screening recalibration that quotes the AI line schedules work against a non-existent deadline.

Citation: RLB-H-INT-BIS-CPMI-API-HARMONISATION-CROSS-BORDER-2024-Q009-Sonnet46.

When this hits the retail-bank compliance calendar

Retail-bank compliance pulls CPMI material on the remittance product fairness review, the consumer-protection horizon scan, the supervisor TR-7-style thematic response, and the periodic financial-promotions review.

Standing item	Where the AI risk surfaces	Failure mode
Remittance product fairness review	All three	All three
Consumer-protection horizon scan	Pilot-partner naming	Finding 1
Supervisor TR-7-style thematic response	Obligation mapping	Finding 2
Periodic financial-promotions review	ISO 20022 cutover commitments	Finding 3

Aggregate impact on the team

The three failures spread across the supervisor-facing paper, the obligation-mapping memo and the remittance product review. The downside is supervisory and conduct-regulator exposure on factual error.

Risk Impact	Count	Affected findings
	0
	0

What this team should do

Treat AI output naming a CPMI pilot partner, mapping d224 recommendations to retail-bank obligations, or asserting an ISO 20022 cutover date as draft material requiring verification against the primary regulator text (CPMI brief by number, d224 recommendation text, d230 source).

Detection patterns to add to AI-review

Pilot-partner naming must trace to a numbered CPMI brief.
Obligation mapping on d224 must be verified against the recommendation text.
ISO 20022 cutover dates against d230 must be verified against the d230 text.

How RLB can help

RLB tracks AI failures on d224, d230 and the CPMI brief series and refreshes the catalogue against live AI subjects on rotation. Retail-bank compliance can wire the catalogue into the AI-draft review step so these three failure shapes are caught before the language ships to the supervisor or the consumer-protection committee.

Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.