In designing central bank digital currency (CBDC), central banks face a trade-off between satisfying legitimate user preferences for privacy and mitigating financial integrity risk. Physical cash protects privacy because it is anonymous, but it also facilitates criminal financial transactions such as money laundering, financing of terrorism, corruption, and tax evasion.

A CBDC that gives authorities access to user identity and their transaction data would provide obvious financial integrity oversight benefits. However, such fully transparent CBDC might raise concerns around digital surveillance with CBDC potentially being instrumentalized against users, especially in jurisdictions where trust in public institutions is low. Also, such CBDC might disadvantage those without access to identification, which could impair financial inclusion efforts.

On the other hand, a fully opaque CBDC that hides users and their transactions from authorities, could introduce significant financial integrity risks, notably due to the ease and speed with which transactions can be performed and their potential global reach. Privacy preferences are not driven only by the desire to conduct illicit transactions but also to mitigate spamming and identity theft, and of being stalked or robbed (Kahn and others, 2005).

But there are many dimensions of anonymity and privacy with different CBDC design implications.

Dimensions of CBDC Anonymity and Privacy

Brookings (2020) and R3 (2021) specify two dimensions of privacy – anonymity and transaction privacy. Anonymity means that it is impossible to link transactions or activity to the sender or recipient. Under the EU General Data Protection Regulation (GDPR) identity data is considered personal data, i.e., any piece of information that relates to an identifiable person. This can range from pseudonymous keys or metadata (e.g., location data or online identifier) to personally identifiable information, like government ID numbers. A transaction is private if related metadata (e.g., whether it occurred, its amount, between who and when, whether the two parties have transacted before) is not revealed.

Then there is the question of who and how identity and transaction data is shared with. Bech and Garratt (2017) specify two types of financial anonymity – counterparty and third-party anonymity. Counterparty anonymity means that a payor need not reveal their identity to the recipient. Third-party anonymity means that the payor’s identity is invisible to all other parties, including the operator of the payment system.

Digital Currency Design Considerations

The Financial Action Task Force (FATF) has issued standards that countries should implement to prevent money laundering and terrorist financing that will impact CBDC design considerations. In most instances, to comply with FATF standards, some information on CBDC users and transactions would need to be collected and, on a when-necessary basis, made available to competent authorities. However, some form of proportionality could be applied to reduce data requirements on low value transactions to foster adoption and usability, provide a more ubiquitous access to CBDC, and assuage data privacy concerns. For example:

• Brookings (2020) suggests that the central bank could delegate account and identity management to one or more payment service providers (PSPs) who verify and record specific identity information, while the central bank sees only pseudonymous public keys. In this business model, individuals are at least pseudonymous with respect to the central bank and the transactions it processes if the PSPs adequately protect this identity information. However, the PSP can disclose the identity associated with a suspicious account to address regulatory compliance and anti-money laundering. See the table below for three examples of this type of business model in action.
• The European Central Bank tested out “anonymity vouchers” in a proof of concept (ECB, 2019). These non-transferrable vouchers allow users to anonymously transfer a limited amount of CBDC over a defined period whereby a user’s identity and transaction history cannot be seen by the central bank or counterparties other than those chosen by the user. Hence, anonymous CBDC transfers can be enforced without recording the amount of CBDC that a user has spent, thereby protecting users’ privacy.
• China’s eCNY design includes “controllable anonymity” in its design. Although the central bank will be privy to the identity of its users and their transaction data, users will have the ability to control what information they expose to counterparties (Qian, 2018). It aims to keep the degree of anonymity within a controllable range by requiring the disclosure of transaction data only to the central bank (Fan, 2020).
• A stored value CBDC hardware solution that takes the form of a card or a mobile wallet app on which prepaid values are stored locally opens the possibility of almost complete anonymity. Such a wallet could conceivably be as anonymous and private as physical cash, although the central bank may require identification to enforce a one wallet per person policy or holding and/or transaction size limits to mitigate financial integrity risk. A couple of vendors (BitMint and WhisperCash) offer this CBDC platform option.

	Holding/Transaction Limit Structures	Data Access
Central Bank of the Bahamas Sand Dollar	Physical/email address, phone number and photo for low-limit access (B$500 holding and B$1,500/month transaction). Plus, government-issued photo ID for higher limits (B$8,000 holding and B$10,000/month).	Transaction transparency to enable CB to monitor suspicious transactions and stop accounts. Pseudonyms ensure user anonymity. CB maintains ledger and server is encrypted.
Eastern Caribbean Central Bank DCash	Physical/email address, phone number, photo and birth date/place for low limit access (EC$1,000 to EC$2,700/month transaction depending on risk profile). Plus, full name and bank account for higher limits (EC$3,000 to EC$20,000/day).	CB can see anonymized transaction data and outstanding CBDC in each digital wallet. Registered financial institutions can fully observe the identity of payers and payees and the purpose of transactions.
Central Bank of Uruguay e-Peso	Physical/email address, SIM card and national ID for low limit access (UYU30,000 wallet maximum). No higher limits except for businesses (UYU200,000).	User data is segregated across different databases. Transaction data per (anonymous) digital wallet can be decrypted to reveal the user’s identity under very restrictive conditions – e.g., a competent authority prosecuting someone that has probable cause to access the transaction data.
People’s Bank of China eCNY	SIM card for low limit access (¥10,000 holding,  ¥2,000/transaction and ¥5,000/day). Plus, full name, address, phone number and bank account for higher limits (¥500,000 holding, ¥50,000/transaction and ¥100,000/day).	Controllable anonymity: The PBOC will be privy to the identity of its users as they are required to provide their real identities when they first sign up. However, users will have the ability to control what information they expose to counterparties

Digital currency privacy tradeoffs have sparked intense debate with seemingly irreconcilable differences of opinion. On the one hand, authorities do not want to allow anonymous CBDC because of potential financial integrity risks. Others don’t believe it’s possible to design a fully anonymous currency that’s resistant to double spending attacks. On the other hand, law-abiding users consider privacy an intrinsic non-negotiable right and nobody should have full oversight over their transactions. However, the choice between user anonymity and transparency doesn’t need to be black and white. For example, the recent digital euro public consultation found that, although potential users place a high value on transaction privacy, they don’t support full anonymity. Ultimate design choices will depend on the motivation for CBDC issuance, country specific circumstances and user preferences.

This post was co-written by Sonja Davidovic and the Kiffmeister