Central Bank Digital Currency (CBDC) Privacy and Transparency: Not So Black and White

In designing central bank digital currency (CBDC), central banks face a trade-off between satisfying legitimate user preferences for privacy and mitigating financial integrity risk. Physical cash protects privacy because it is anonymous, but it also facilitates criminal financial transactions such as money laundering, financing of terrorism, corruption, and tax evasion.

A CBDC that gives authorities access to user identity and their transaction data would provide obvious financial integrity oversight benefits. However, such a fully transparent CBDC might raise concerns around digital surveillance, with CBDC potentially being instrumentalized against users, especially in jurisdictions where trust in public institutions is low. Also, such a CBDC might disadvantage those without access to identification, which could impair financial inclusion efforts.

On the other hand, a fully opaque CBDC that hides users and their transactions from authorities could introduce significant financial integrity risks, notably due to the ease and speed with which transactions can be performed and their potential global reach. Privacy preferences are driven not only by the desire to conduct illicit transactions but also by the desire to mitigate spamming and identity theft, and to avoid being stalked or robbed (Kahn and others, 2005).

But there are many dimensions of anonymity and privacy with different CBDC design implications.

Dimensions of CBDC Anonymity and Privacy

Brookings (2020) and R3 (2021) specify two dimensions of privacy – anonymity and transaction privacy. Anonymity means that it is impossible to link transactions or activity to the sender or recipient. Under the EU General Data Protection Regulation (GDPR), identity data is considered personal data, i.e., any piece of information that relates to an identifiable person. This can range from pseudonymous keys or metadata (e.g., location data or online identifier) to personally identifiable information, like government ID numbers. A transaction is private if related metadata (e.g., whether it occurred, its amount, between whom and when, whether the two parties have transacted before) is not revealed.

Then there is the question of with whom, and how, identity and transaction data are shared. Bech and Garratt (2017) specify two types of financial anonymity – counterparty and third-party anonymity. Counterparty anonymity means that a payor need not reveal their identity to the recipient. Third-party anonymity means that the payor’s identity is invisible to all other parties, including the operator of the payment system.

Digital Currency Design Considerations

The Financial Action Task Force (FATF) has issued standards that countries should implement to prevent money laundering and terrorist financing, and these will affect CBDC design considerations. In most instances, to comply with FATF standards, some information on CBDC users and transactions would need to be collected and, on a when-necessary basis, made available to competent authorities. However, some form of proportionality could be applied to reduce data requirements on low value transactions to foster adoption and usability, provide more ubiquitous access to CBDC, and assuage data privacy concerns. For example:

  • Brookings (2020) suggests that the central bank could delegate account and identity management to one or more payment service providers (PSPs) who verify and record specific identity information, while the central bank sees only pseudonymous public keys. In this business model, individuals are at least pseudonymous with respect to the central bank and the transactions it processes if the PSPs adequately protect this identity information. However, the PSP can disclose the identity associated with a suspicious account to address regulatory compliance and anti-money laundering. See the table below for three examples of this type of business model in action.
  • The European Central Bank tested out “anonymity vouchers” in a proof of concept (ECB, 2019). These non-transferable vouchers allow users to anonymously transfer a limited amount of CBDC over a defined period, whereby a user’s identity and transaction history cannot be seen by the central bank or counterparties other than those chosen by the user. Hence, limits on anonymous CBDC transfers can be enforced without recording the amount of CBDC that a user has spent, thereby protecting users’ privacy.
  • China’s eCNY design includes “controllable anonymity”. Although the central bank will be privy to the identity of its users and their transaction data, users will have the ability to control what information they expose to counterparties (Qian, 2018). It aims to keep the degree of anonymity within a controllable range by requiring the disclosure of transaction data only to the central bank (Fan, 2020).
  • A stored value CBDC hardware solution that takes the form of a card or a mobile wallet app on which prepaid values are stored locally opens the possibility of almost complete anonymity. Such a wallet could conceivably be as anonymous and private as physical cash, although the central bank may require identification to enforce a one wallet per person policy or holding and/or transaction size limits to mitigate financial integrity risk. A couple of vendors (BitMint and WhisperCash) offer this CBDC platform option.
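
A toy model of the first two designs in the list above (identities held only by a PSP while the central bank ledger sees pseudonyms, and per-period anonymity vouchers), added here as an illustration; it is not code from this post, the ECB proof of concept, or any vendor. The class names, the one-voucher-per-unit rule, the HMAC voucher tag, and the referral queue are all assumptions.

```python
# Toy model (constructed for illustration; all names are hypothetical).
import hashlib
import hmac
import secrets


class PSP:
    """Intermediary that verifies identity and holds the only identity map."""

    def __init__(self):
        self._identities = {}  # pseudonym -> verified identity; stays at the PSP

    def onboard(self, verified_identity):
        pseudonym = secrets.token_hex(8)  # assumption: stand-in for a public key
        self._identities[pseudonym] = verified_identity
        return pseudonym

    def disclose(self, pseudonym, case_ref):
        # Identity is released only against a compliance case reference.
        if not case_ref:
            raise PermissionError("disclosure requires a compliance case reference")
        return self._identities[pseudonym]


class VoucherAuthority:
    """Issues a fixed per-period voucher allotment bound to one pseudonym."""

    def __init__(self, units_per_period):
        self._key = secrets.token_bytes(32)
        self.units_per_period = units_per_period
        self._issued = set()  # (pseudonym, period): issuance only, never spending

    def _tag(self, pseudonym, period, serial):
        msg = f"{pseudonym}|{period}|{serial}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, pseudonym, period):
        if (pseudonym, period) in self._issued:
            return []  # allotment for this period was already handed out
        self._issued.add((pseudonym, period))
        return [(period, n, self._tag(pseudonym, period, n))
                for n in range(self.units_per_period)]

    def valid(self, pseudonym, voucher):
        period, serial, tag = voucher
        # The tag covers the payer's pseudonym, so a voucher is non-transferable.
        return hmac.compare_digest(tag, self._tag(pseudonym, period, serial))


class CentralBankLedger:
    """Settles between pseudonyms; holds no identities."""

    def __init__(self, authority):
        self.authority = authority
        self.balances = {}
        self.spent_vouchers = set()  # blocks voucher reuse
        self.referrals = []          # transfers lacking voucher cover, for AML review

    def transfer(self, payer, payee, amount, period, vouchers=()):
        if amount <= 0 or self.balances.get(payer, 0) < amount:
            return "rejected"
        # Assumption: one voucher covers one unit of CBDC in the current period.
        fresh = {v for v in vouchers
                 if v[0] == period and v not in self.spent_vouchers
                 and self.authority.valid(payer, v)}
        if len(fresh) >= amount:
            self.spent_vouchers.update(sorted(fresh)[:amount])
            mode = "anonymous"
        else:
            self.referrals.append((payer, payee, amount))
            mode = "referred"
        self.balances[payer] -= amount
        self.balances[payee] = self.balances.get(payee, 0) + amount
        return mode


def demo():
    psp, authority = PSP(), VoucherAuthority(units_per_period=100)
    ledger = CentralBankLedger(authority)
    alice = psp.onboard("Alice Example (constructed identity)")
    bob = psp.onboard("Bob Example (constructed identity)")
    ledger.balances[alice] = 500
    vouchers = authority.issue(alice, "2021-04")
    first = ledger.transfer(alice, bob, 60, "2021-04", vouchers[:60])
    second = ledger.transfer(alice, bob, 60, "2021-04", vouchers)  # 40 unspent
    borrowed = ledger.transfer(bob, alice, 10, "2021-04", vouchers[60:70])
    # Only a referred transfer leads to an identity lookup at the PSP.
    identity = psp.disclose(ledger.referrals[0][0], case_ref="CASE-PLACEHOLDER")
    return first, second, borrowed, identity


if __name__ == "__main__":
    print(demo())
```

The first transfer settles anonymously; the second exceeds the remaining allotment and the third presents vouchers bound to another pseudonym, so both are queued for review, and only then is the PSP asked for an identity.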

Digital currency privacy tradeoffs have sparked intense debate with seemingly irreconcilable differences of opinion. On the one hand, authorities do not want to allow anonymous CBDC because of potential financial integrity risks. Others don’t believe it’s possible to design a fully anonymous currency that’s resistant to double spending attacks. On the other hand, law-abiding users consider privacy an intrinsic non-negotiable right and hold that nobody should have full oversight over their transactions. However, the choice between user anonymity and transparency doesn’t need to be black and white. For example, the recent digital euro public consultation found that, although potential users place a high value on transaction privacy, they don’t support full anonymity. Ultimate design choices will depend on the motivation for CBDC issuance, country specific circumstances and user preferences.

This post was co-written by Sonja Davidovic and the Kiffmeister

Retail Central Bank Digital Currency (CBDC) Technical Platform Criteria

Central banks that have made the decision to explore retail central bank digital currency (CBDC) issuance are focusing on a common set of key design choices. These include the operating model, the technology platform (centralized versus decentralized database technology, or token-based), degree of anonymity/privacy, availability/limitations, and whether to pay interest. These design decisions are driven by country-specific factors and balance the need to achieve the policy objectives that launched the exploration process with the need to be attractive to users and merchants. (For more detail on these factors and considerations see the 2020 IMF working paper on CBDC operational considerations.)

In this blog I want to talk about the technology platform decision, which broadly breaks down into platforms with centralized or decentralized ledger architectures, and ledger-less offline peer-to-peer stored value platforms. In a traditional centralized ledger (client-server model with no distributed components), transaction processing would entail the payor connecting to the central ledger keeper and initiating a funds transfer to the recipient’s account. The ledger would be updated after the payor has been confirmed as the account holder who has enough funds to carry out the transaction.

Alternatively, the ledger could be run on a distributed ledger technology (DLT) platform, in which the ledger is replicated and shared across several participants. With a DLT platform the central bank could have a centralized, decentralized or partially-decentralized authority for verifying and/or committing transactions. DLT platforms can be “public” (accessible by anyone) or restricted to a group of selected participants (“consortium” or “private”). Ledger integrity can be managed by a selected group of users (“permissioned”) or by all network participants (“permissionless”).

So far, central banks that have reached the proof of concept (PoC) and pilot stages of CBDC explorations have opted for platforms that allow for control over platform access and participants, and role-based oversight and visibility of transactions (see table). Such platforms also ensure that the central bank retains full control over money issuance and monetary policy. They include centralized ledger and DLT private permissioned platforms, and digital bearer instrument platforms. Permissionless (decentralized authority) platforms have tended to fall short on scalability, settlement finality, and financial integrity risk management.

Digital Currency | Partner Firm | Platform Technology | Platform Type
Bahamas Sand Dollar | NZIA | NZIA Cortex DLT | DLT private permissioned
China e-CNY | n/a | n/a | Centralized ledger
ECCB DCash | Bitt | Hyperledger Fabric | DLT private permissioned
Uruguay e-Peso | Roberto Giori | GSMT | Centralized ledger
Jamaica | eCurrency | DSC3 | Digital bearer instrument
Sweden e-Krona | Accenture | R3 Corda | DLT private permissioned
Ukraine E-Hryvnia | Stellar | Stellar | DLT private permissioned
Ecuador dinero electrónico | n/a | Mobile money | Centralized ledger

It has been generally believed that centralized platforms process transactions more quickly. VISA says their network can handle up to 65,000 transactions per second (TPS), while private DLT platforms have tended to be way slower (e.g., 10,000+ TPS). There is also the issue of “finality” – the point at which transferred funds become irrevocable. Some networks, like Bitcoin and R3 Corda, offer only what is called “probabilistic finality” which won’t cut it for a retail payment system.

Although a full account of the pros and cons of DLT-based versus centralized ledger-based retail payment systems is out of scope for this post, it’s worth mentioning that DLT-based platforms may offer enhanced resiliency by reducing single points of failure. Also, potential data loss at one node can be recovered through replication of the ledger from other nodes when the network comes back online. But DLT-based platforms may experience attacks against the network layer, which includes the consensus mechanism by which database updates are approved, or smart contract exploits. (For more on such pros and cons, see Raphael Auer and Rainer Böhme’s Technology of Retail Central Bank Digital Currency article.)

In the table below, I’ve listed what I believe to be the main players in the retail CBDC platform space. My main criterion for inclusion is that the platform has been used in a CBDC or sovereign digital currency pilot or proof of concept or has published something substantive to back up the claim that it offers a viable CBDC platform. I’ve tried to categorize them by whether they’re ledger- or token-based, and if they’re ledger-based, whether the ledger management is centralized or distributed. My plan is to make this a “live” table, and possibly add more columns based on your comments and suggestions. If you have platform suggestions that I’ve missed, please provide links to written material that supports the claim.

Platform | Substantiation | Claimed TPS
NZIA | Platform used for Bahamas Sand Dollar | ?
HyperLedger Fabric | Platform used in ECCB DCash pilot | 3,500
R3 Corda | Platform used for e-Krona proof of concept and also see R3 landing page | ?
Stellar | Platform used for Ukraine E-Hryvnia CBDC proof of concept | ?
Hedera Hashgraph | https://futuremtech.com/central-bank-digital-cash/ | 10,000
Centralized Ledger:
Roberto Giori | Platform used in Uruguay e-Peso CBDC pilot | ?
Gnu Taler | https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03 | 10,000+
eCurrency | Platform used for Jamaica pilot and also see white paper | ?
G&D Filia | n/a | n/a

Central Bank and Sovereign Retail Digital Currency Platforms

Tabulated below are all of the central bank and sovereign retail digital currency launches and pilots I know of that have revealed their technology partners and platforms. I didn’t include the South Korean pilot because they haven’t revealed their technology partners or platforms. Please keep in mind that this is just a first crack and comments and suggestions are welcome.

Digital Currency | Partner Firm | Platform | Blockchain Type
Bahamas Sand Dollar | NZIA | NZIA Cortex DLT | DLT private permissioned
ECCB DCash | Bitt | Hyperledger Fabric | DLT private permissioned
Uruguay e-Peso | Roberto Giori Company | Centralized ledger | n/a
Jamaica | eCurrency | Centralized ledger | n/a
Swedish e-Krona | Accenture | R3 Corda | DLT private permissioned
Ukraine E-Hryvnia | Stellar | Stellar | DLT private permissioned
Marshall Islands SOV | Algorand | Algorand | DLT public unpermissioned
Ecuador Dinero Electrónico | n/a | Mobile money | n/a

Kiffmeister’s Global Fintech Monthly Monitor (April 2021)

Crypto-asset prices spiked to new highs this month with Altcoins leading the way, although prices faded after Coinbase launched on April 14. Bitcoin finished down 3% on the month, and 11% off the all-time high price of $64,863 of April 14. By contrast, Altcoin market capitalization finished up 37% with XRP up 177%, Binance Coin 107% and Ethereum up 45%. The impetus remained institutional investor interest in, and popularization of, crypto-assets. Meanwhile, central banks continued to advance their digital currency explorations, with the Bank of Japan launching its proof of concept (PoC) work and the Riksbank wrapping up its first round of PoC work.

Crypto-Asset Markets

Crypto-asset market capitalization increased about 14% from March 31 to $2,158 billion, although Bitcoin finished down 3% ($57,750) after hitting an all-time high of $64,863 into the mid-April Coinbase listing (see below). Altcoin markets led the way with capitalization up 37%, with Ethereum finishing up 45%, possibly bolstered by the mid-April “Berlin” hard fork that reduced costs for certain transaction types and introduced a new transaction envelope that will make it easier to package multiple transactions into a single transfer. It also paved the way for the “London” upgrade scheduled for the summer of 2021, which aims to reduce transaction costs (“gas fees”) on the network.

Source: https://coin.dance/stats/marketcaphistorical

XRP continues to soar (+177% in April) after Ripple’s motion was granted to keep the financial records of CEO Brad Garlinghouse and his predecessor private from the U.S. Securities and Exchange Commission (SEC) in its lawsuit against the firm. The case hinges on the classification of XRP as a security (i.e., a financial asset from which the investor intends to profit), as opposed to a currency or medium of exchange. The SEC is accusing Ripple of violating multiple sections of the Securities Act of 1933 by failing to file a securities registration statement or seek special exemption. Ripple won another skirmish when it was granted permission to get access to the SEC’s documents related to its exemption of Bitcoin and Ethereum from being given “security” status. Emboldened by these wins, Ripple has filed a motion to dismiss the lawsuit entirely.

Moves towards “popularizing” crypto-assets continue. Venmo’s “Crypto on Venmo” started rolling out on April 20. The service will let its 70 million users buy, hold and sell crypto-assets (BTC, ETH, LTC and BCH) within its mobile app, using funds from their balance with Venmo, or a linked bank account or debit card.  Also, Coinbase’s U.S. customers can now buy crypto on the exchange via debit cards and bank accounts linked to PayPal. Such purchases are limited to $25,000 per day.

Stablecoin market capitalizations continue to increase (see Annex). Almost all are USD-pegged, and Tether’s USDT remains dominant ($51.6 billion), followed by USDC ($14.7 billion), BUSD ($7.6 billion), DAI ($3.7 billion) and UST ($2.0 billion).  Tether released another attestation that shows that its stablecoins are fully backed, to assuage rumors that it was not. However, the report still doesn’t describe how Tether’s reserves are invested. Coinbase started supporting Ethereum blockchain-based (ERC-20) USDT on its Pro platform. The ERC-20 variant comprises almost half of all outstanding USDT, although the TON-based variant is now larger.

Less than a week after the Fei protocol’s April 4 launch, Fei Labs found a vulnerability in the incentive calculation of the Ethereum-backed algorithmic stablecoin. The team patched the vulnerability on April 6, but it did not prevent the stablecoin from losing 30% off its peg. Fei uses a bonding curve to manage supply and demand based upon its collateralization levels and uses a system of ‘direct incentives’ to penalize the withdrawal of liquidity during periods of selling pressure. This caught many investors off-guard as they would have to take a hit when withdrawing their ETH collateral or the supposed dollar-pegged tokens it generated. However, by the end of the month it was closing back in on USD parity.

Coinbase reported first-quarter revenue that soared nearly 900% from $190.6 million in the same period last year, blowing past the $585 million nabbed in the fourth quarter. Meanwhile, the platform’s verified users (those with confirmed identities who are eligible to trade) swelled to 56 million at quarter’s end, compared to 34 million one year prior. Founded in June 2012, Coinbase debuted on Nasdaq on April 14, under the ticker COIN, the price spiking to $430 on opening day, but closing the month at $298.

The U.S. SEC has yet to approve a crypto-asset exchange-traded fund (ETF) although it extended its window to approve (or disapprove) VanEck’s Bitcoin ETF from May 3 to June 17. Also, investment manager Grayscale published a roadmap that implied it planned to convert two of its crypto-asset funds (GBTC and ETHE) into ETFs. Meanwhile, the Ontario Securities Commission has approved four Ethereum ETFs to trade on the Toronto Stock Exchange (TSE); 3iQ Corp, CI Global Asset Management, Purpose Investments, and Evolve Fund Group. And Horizons ETFs Management (Canada) launched the TSE-traded BetaPro Inverse Bitcoin ETF that will allow investors to take short positions on bitcoin futures.  

According to Michael Morell, a former CIA acting director, the broad generalizations about the use of bitcoin in illicit finance are significantly overstated. This flies in the face of the false narratives spun by senior government officials, such as Treasury Secretary Janet Yellen, who issue public warnings about bitcoin’s alleged use by criminals. Morell’s research concluded that there is probably less illicit activity in the bitcoin ecosystem than there is in the traditional banking system. Furthermore, he highlighted blockchain analysis as a highly effective crime fighting and intelligence gathering tool.

Crypto-related regulatory developments (see also Table 1 in the below-linked PDF)

Türkiye Cumhuriyet Merkez Bankasi has banned the direct and indirect use of crypto-assets for payments. According to its statement “payment service providers cannot develop business models in a way that crypto assets are used directly or indirectly in the provision of payment services and electronic money issuance and cannot provide any services related to such business models.” The regulation comes into force on April 30. Turkey ranks 29th out of the 154 countries on Chainalysis’ Global Crypto Adoption Index, and number one in the Middle East.

A review of 16 leading crypto-asset exchanges, including the seven that contribute prices to the CME Bitcoin Reference Rate, found that just four were subject to a significant level of trading-related regulation (itBit, eToroX, LMAX Digital, and Currency.com). Seven of the remaining exchanges, including Coinbase, operate as licensed Money Service Businesses (MSBs) or equivalent, but their trading activities are effectively unregulated. And three of the top exchanges appear not to be subject to any regulatory scrutiny whatsoever (Bittrex, Luno, and Bitfinex).

The U.S. House of Representatives passed the Eliminate Barriers to Innovation Act of 2021 (H.R. 1602) which includes a section on digital assets. The legislation seeks to set up a digital asset working group with representatives from the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). The overarching goal is to clarify when the SEC has jurisdiction over digital assets (when they are deemed securities) and when the CFTC has the final say (when they are classified as commodities).

U.S. Securities and Exchange Commission (SEC) Commissioner Hester Peirce unveiled an updated version of her proposed three-year regulatory safe harbor for token sales. The update adds “semi-annual updates to the plan of development disclosure and a block explorer” and an “exit report requirement” that “would include either an analysis by outside counsel explaining why the network is decentralized or functional, or an announcement that the tokens will be registered under the Securities Exchange Act of 1934.” The exit report requirement also “provides guidance on what outside counsel’s analysis should address when explaining why the network is decentralized.”

Other digital asset market developments (see also Table 1 in the below-linked PDF)

Robinhood experienced on-again, off-again issues executing users’ crypto-asset trades on April 16, blaming it on unprecedented demand for crypto services. At the same time, Robinhood continues to face headwinds from regulators. For example, the Massachusetts Securities Division has accused Robinhood of a “pattern of aggressively inducing and enticing trading among its customers – including Massachusetts customers with little or no investment experience.” Subsequently, Robinhood filed a complaint and motion in the Massachusetts State Court to block the complaint.

The People’s Bank of China (PBOC) has ordered Ant Group to “cut off” the “improper connections” between its payment platform and its financial products. More specifically, the PBOC told Ant to become a financial holding company that will be regulated more like a bank, eliminate unfair competition in its payments business, end its monopoly on information, improve its corporate governance, and better manage liquidity risks in its major fund products (including downsizing its Yu’ebao money-market fund).

Retail Central Bank Digital Currency (CBDC) developments (see also Table 2 in the below-linked PDF)

On April 5, 2021, the Bank of Japan (BoJ) began its Phase 1 central bank digital currency (CBDC) proof of concept (PoC) work. In PoC Phase 1, the Bank plans to develop a test environment for the CBDC system and conduct experiments on the basic functions that are core to CBDC as a payment instrument such as issuance, distribution, and redemption. This phase will be carried out through March 2022. The BoJ will then move to Phase 2 to test more detailed functions of CBDC, and then, if necessary, on to Phase 3, in which private businesses and end-users will participate in a pilot program. 

The Riksbank concluded the first phase of its e-krona central bank digital currency (CBDC) proof of concept (PoC). Working with Accenture, the objective was to test a blockchain-based R3 Corda technical platform to increase the Riksbank’s knowledge of how an e-krona could function and be used as a complement to cash. The next phase of the PoC will test the platform’s capacity to manage retail payments on a large scale and will include potential distributors. It will also test offline functionality and integration with existing point-of-sale terminals, and different means of storing private keys to the tokens and the tokens containing e-kronor.

The Bank of Thailand has set its agenda for a retail central bank digital currency (CBDC) with preliminary testing protocols scheduled to begin in Q2 2022. As part of its plans, the central bank published a preliminary report detailing its CBDC thesis. The main motivations are increasing financial inclusion and reducing the risk of private stablecoins undermining the central bank’s “monetary sovereignty and financial stability.” The central bank will begin its CBDC developmental efforts by engaging with stakeholders followed by cost-benefit analysis to ascertain the opportunities, risks and challenges.  

The European Central Bank (ECB) published in-depth results of their digital euro consultation. The survey, which ran from October 20, 2020 to January 12, 2021 and collected 8,221 responses, asked 18 questions pertaining to the benefits and challenges of issuing a digital euro and on its possible design. It found that privacy is the most demanded feature followed by security and usability. 47% of respondents were from Germany, which is notorious for its continuing high levels of cash usage, and most respondents (33%) come from the tech industry. More than two-thirds of respondents acknowledge the importance of intermediaries providing innovative services that allow access to a digital euro and indicate that it should be integrated into existing banking and payment systems. They would like additional services provided on top of basic digital euro payments.

The Bank of England and the U.K. Treasury announced the creation of a Central Bank Digital Currency (CBDC) Taskforce that will (i) coordinate exploration of CBDC objectives, use cases, opportunities and risks, (ii) guide evaluation of the design features, and (iii) support a rigorous, coherent and comprehensive assessment of the overall use case. Also, the Bank of England established a CBDC Unit, and created a CBDC Engagement Forum to engage senior stakeholders and gather strategic input on all non-technology aspects of CBDC, and a CBDC Technology Forum to gather input on all technology aspects of CBDC. 

General Fintech Developments (see also Table 3 in the below-linked PDF)

The People’s Bank of China (PBOC) and four other regulatory agencies summoned 13 domestic internet platform companies including Tencent, JD Finance and ByteDance for talks on their financial businesses. The firms were urged to bring their online lending and deposit-taking businesses in line with regulatory requirements, and to refocus on their payment service business, enhance their transaction transparency and break any information monopolies.

Paxos Trust Company completed a same-day settlement of US-listed equity trades in partnership with Instinet and Credit Suisse on its Paxos Settlement Service permissioned blockchain solution.  Paxos said the project demonstrated its ability to enable same-day settlement for trades conducted throughout the day. In the current system, settlement can only occur the same day if trades are completed before 11 AM ET and therefore is rarely utilized. The platform is said to be interoperable with the legacy clearing system and can facilitate settlement on any time cycle. 

The Bank of England unveiled a new type of omnibus account as part of its real-time gross settlement service. With it an operator of a payment system can hold funds in the omnibus account to fund their participants’ balances with central bank money. This account co-mingles funds from different entities for the purposes of wholesale settlement. Fnality sees these new accounts as supportive of the opportunity to use tokenized cash assets to enable on-chain wholesale exchange of value.

Fnality uses an Ethereum-based permissioned blockchain that will run on-chain payment systems in multiple currencies in each jurisdiction. When a bank wants to make a payment, it transfers money from its central bank account to the Fnality omnibus account, which then tokenizes it. The bank then uses the tokens to make a payment, and the recipient bank can then opt to convert the received tokens back to central bank money, or it could use the tokens for further payments.

The Monetary Authority of Singapore and the Bank of Thailand launched the linkage of Singapore’s PayNow and Thailand’s PromptPay real-time retail payment systems. Customers of participating banks in Singapore and Thailand will be able to seamlessly and securely transfer funds of up to S$1,000 or THB25,000 daily across the two countries, using just a mobile number. The fees will be affordably priced and transparently displayed to senders prior to confirming their transfers. 

The European Investment Bank (EIB) launched a €100 million two-year digital bond issuance on an Ethereum-based public blockchain platform. The EIB paid the three underwriters (Goldman Sachs, Santander and Societe Generale) using Banque de France-issued wholesale CBDC. Societe Generale – FORGE provided the end-to-end services to issue and manage the digital-native security tokens.

Miscellaneous commentary and research

A Bank of Canada paper proposed a framework to allow authorities to understand the defining characteristics of stablecoin arrangements, to be specific about any concerns they may have, and to be objective in their treatment from issuer to issuer. First, it classifies arrangements into three parts, coin structure, related transfer system(s) and related financial service(s), and then categorizes the attributes of each one. Secondly, it identifies specific risk scenarios that are relevant to the stablecoin arrangement, and thirdly, it quantifies the range of probable loss and possible frequency associated with the identified risk scenarios.

A BIS paper assessed emerging crypto-asset financial integrity regulatory approaches and supervisory practices and identifies policy priorities to address common challenges faced by financial authorities. It points to opportunities to adopt new approaches, like blockchain analytics, that take advantage of the inherently data-rich nature of the crypto-asset sector. Also, the inherently cross-border nature of crypto-assets, as well as the uneven global implementation of international standards in this area, make international cooperation a critical component for effective supervision. 

The ECB published a report on the use of distributed ledger technology (DLT) in securities post-trade processes. It categorized securities issuance and post-trade processes into models depending on how DLT is used in each case, drawing implications for the use of DLT at different stages of the securities life cycle, from issuance to custody and settlement. It recommends that, to prevent market fragmentation, the adoption of DLT-based solutions should be based on common practices and standards that enable DLT systems to interact with both each other and conventional systems.