Fintech perspectives from a bunch of policy wonks. The views expressed herein are those of the authors and should not be attributed to the Bank for International Settlements or the International Monetary Fund
The US-based Bank Policy Institute (BPI) is raising concerns that a sizeable proportion of Circle’s USDC stablecoin reserves could be parked at the Federal Reserve, despite Circle not having a central bank account. Since November, BlackRock has been managing about two-thirds of the reserve assets in a bespoke money market fund, the Circle Reserve Fund (CRF) , which invests mostly in U.S. short-dated Treasuries. The BPI claims that Blackrock has applied for the fund to access the Fed’s overnight reverse repo (ON RRP) facility, which provides money funds and government-sponsored enterprises a standing option to invest overnight with the Fed at a fixed rate, currently 4.3%. This involves the fund buying Treasuries from the Fed, which are resold to the Fed at a future date at a slightly higher price. The net effect of the cash flows, with the transfer of money to the Fed, is not dissimilar to depositing the USDC reserve cash at the Federal Reserve. The use of the ON RRP by the CRF could effectively transform USDC into a “backdoor” synthetic central bank digital currency (CBDC) if all of the assets are parked there. [Read more at the BPI]
Interestingly, the Fed covered this in an appendix to a 2022 paper on the Macroeconomic Implications of CBDC that is well worth reading (see below). It concludes that, “while research has shown that take- up in the ON RRP can crowd out private repo, and that the demand for safe assets can increase ON RRP take-up at the expense of private repo, the overall impact on the banking sector so far has not led to a significant contraction in bank deposits or bank lending… That said, the effect on the banking sector could change as short-term interest rates increase and the Federal Reserve’s balance sheet contracts.”
The Sovereign Yidindji Government launched a digital version of their Sovereign Yidindji Dollar (SYD) on January 26, 2022, and the first successful transaction was confirmed on February 1. The new payment system is connected to the MetaMUIself-sovereign identity system that is already in use throughout Yidindji. The Sovereign Yidindji Government and MetaMUI are calling the SYD a central bank digital currency (CBDC) and the purpose of this post is to ascertain the “CBDCness” of the SYD.
Yidindji is an Australian pre-colonial indigenous nation that asserted its independence and continuing validity of Yidindji laws and customs in 2014, in accord with Resolution 1514 adopted by the United Nations General Assembly in 1960. However, until a treaty is signed between the governments of the Commonwealth of Australia and the Sovereign Yidindji Government, regarding land rights, Yidindji will not be represented by the United Nations or international law.
Is the SYD a central bank digital currency?
According to the Bank for International Settlements (BIS) a CBDC is a digital payment instrument, denominated in the jurisdiction’s unit of account, that is issued by and a direct liability of the jurisdiction’s central bank or monetary authority. The SYD is a obviously a digital payment instrument, and the rest of this note argues that it seems to meet the other BIS CBDC criteria too.
Does the Yidindji Nation have a central bank?
The Yidindji Reserve Bank Act 2016 established the Yidindji Reserve Bank (YRB) as the central bank of the Yidindji Nation to issue SYD. The SYD was pegged to the Australian Dollar (AUD) and backed by gold and silver. The Yidindji Department of the Treasury guarantees the ability to exchange from SYD to AUD. Appropriate amounts of AUD are held by the YRB to for these exchanges. (Before the introduction of the digital currency, SYD transactions were settled in commercial bank money on a manual ledger.)
However, according to the Act, the YRB wasn’t responsible for some of the key functions associated with a central bank. The YRB had no payment system role, and it was prohibited from issuing bearer money, both foundational central bank roles. But the Act was revised in 2022 to give the YRB typical central bank responsibilities, including issuing currency, regulating/supervising deposit-taking institutions, and overseeing and promoting an efficient, sound, and safe payment system. So, Yidindji has a central bank.
Is the SYD denominated in the Yidindji’s unit of account?
To be a unit of account, a currency must be usable as a medium of exchange across a variety of transactions between several people and as such represent a form of co-ordination across society. The Yidindji Currency Acts of 2014 and 2022, Yidindji citizens must settle their obligations in SYD, and Australian citizens must settle their obligations in AUD. But the two currencies are convertible one-to-one, it would seem that, if the digital SYD is convertible one-to-one into SYD and AUD, which are both units of account in Yidindji, then there’s no reason to dispute its status as a unit of account.
When Yidindji’s central bank is fully operational and carrying out typical central bank operations and responsibilities, the digital SYD will indeed be a CBDC, as it will meet all other CBDC defining criteria; like being issued and backed by, and a direct liability of, Yidindji’s central bank, and being denominated in Yidindji’s unit of account.
 Gold and silver bars are kept in two undisclosed locations. These bars are from internationally recognized mints and meets current standards of fineness, majority are from Perth Mint with much smaller amounts from other mints. All bars are in accord with the specifications of the LBMA Good Delivery Rules though not listed on the LBMA list. Once again it is this lack of formal agreement to be seen legally in the UN sphere of jurisdiction. The gold is rebalanced on a monthly basis, whilst audits of the metals take place at three monthly intervals.
 Upon the completion of a treaty with the Commonwealth of Australia, the SYD will be the only mechanism for Yidindji residents to discharge their monetary obligations.
One of the first big retail central bank digital currency (CBDC) design decisions is the operating model. In a single-tier model the central bank performs all the tasks involved, from issuing and distributing the CBDC to running user wallets. In multi-tier models, the central bank issues and redeems CBDC, but distribution and payment services would be delegated to the private sector. Which model to adopt will depend on country-specific circumstances, such as financial sector breadth and depth, financial integrity standards compliance, and financial market infrastructure availability and supervision capacity.
In a single-tier model, CBDC transactions resemble transactions with commercial banks, except accounts would be held with the central bank. A payer would log in to an account at the central bank through a web or mobile application and request a transfer of funds to a recipient’s account, also at the central bank. The central bank would ensure settlement by updating a master ledger, but only after verification of the payer’s authority to use the account, enough funds, and authenticity of the payee’s account. This mode gives central banks more control over the product design and implementation process.
However, the single-tier model requires the central bank to assume an active role in distribution and payment services that may exceed the scope of its core mandate and capacity. Moreover, central banks would directly compete with existing digital payment service providers creating disintermediation risk. Conceptually, the single-tier model may be appropriate for a country with a well-resourced central bank in which the financial sector is extremely underdeveloped, so that there are no institutions to assume distribution and provision of payment services, as may be the case in some low-income countries.
In multi-tier models, the central bank issues CBDC but outsources some or all the work of administering the accounts and payment services. However, CBDC remains the liability of the central bank and thus CBDC holders would not be exposed to default risk of the engaged payment service providers (PSPs).
The multi-tier model has been the overwhelmingly preferred solution in CBDC pilots and the only launch so far. Running currency distribution is not something the central bank is well-suited to perform, requiring customer-facing activities that may be beyond their capacity. Also, the multi-tier model is less disruptive than the single-tier one as financial institutions play their traditional roles in distribution and payment services. In addition, this layered approach facilitates the integration of new types of consumer electronic devices without the need to alter the core of the system, and it supports the ability for third parties to build on top of the core (Shah and others, 2020; Armelius et al, 2021).
Different Flavors of Multi-Tier
Auer and Boehme (2021) discuss two different multi-tier models that differ in terms of the records kept by the central bank. In a “hybrid” architecture the central bank records all retail CBDC holdings and the CBDC is never on PSP balance sheets so that user holdings are not exposed to claims by PSP creditors in the event of PSP insolvency (first panel below).
In an “intermediated” architecture the central bank only runs a ledger of PSP wholesale CBDC holdings (second panel). Central banks may prefer this architecture due to privacy and data security concerns. However, the central bank still must honor CBDC holder claims in the event of PSP insolvency or data breaches, relying on the integrity and availability of the PSP’s records. This will require close supervision to ensure that the wholesale holdings add up to the sum of all retail accounts at all times.
Auer and Böhme (2020) suggest that, in an intermediated architecture, there be a legal framework that keeps user CBDC holdings segregated from PSP balance sheets so that the holdings are not considered part of a failed PSP’s estate available to creditors. They also suggest that the legal framework could give the central bank the power to switch user accounts in bulk from a failed PSP to a functional one. To do this expeditiously, the central bank would likely have to retain a copy of all retail CBDC holdings.
Bank of England (2020) proposes running a hybrid architecture on a “platform” in which the central bank provides a fast, highly secure and resilient technology infrastructure to provide the minimum necessary functionality for CBDC payments (the “core ledger” below). Payment interface providers would connect to it via an application programming interface (API) to provide customer facing CBDC payment services. This model effectively “combines indirect connection to the central bank with direct access to the central bank balance sheet and the CBDCs.” (Prates, 2020)
Overarching Multi-Tier Model Considerations
The multi-tier CBDC ecosystem should be designed to create economic incentives for PSPs to participate in ways that serve central bank interests (making the CBDC broadly available to the public, across regions, etc.). There should be a cost-effective business model for such PSPs with enough revenues from interest spreads, fees, and cross-subsidization, as well as controllable fixed and variable costs. Also, regulations should leave room for enough users to reach critical mass and incentivize network buildup while promoting PSP market competition.
For example, regulations that encourage interoperability of competing payment systems to encourage new entrants and reduce concentration risk should take care not to adversely impact network build-up. (For a new PSP, interoperability across PSPs could diminish the incentive of a startup to innovate since it could lower the value of a privately developed network. It could also restrict competition by excluding certain technical innovations or restricting new business models and reduce the value and increase the costs to PSPs. In addition, interoperability might increase overall risks if an innovative service provider has a higher risk profile.)
Central banks that have made the decision to explore retail central bank digital currency (CBDC) issuance are focusing on a common set of key design choices. These include the operating model, the technology platform (centralized versus decentralized database technology, or token-based), degree of anonymity/privacy, availability/limitations, and whether to pay interest. These design decisions are driven by country-specific factors and balance the need to achieve the policy objectives that launched the exploration process and be attractive to users and merchants. (For more detail on these factors and considerations see the 2020 IMF working paper on CBDC operational considerations.)
In this blog I want to talk about the technology platform decision, broadly speaking breaking down into those with centralized or decentralized ledger architectures, and ledger-less offline peer-to-peer stored value platforms. In a traditional centralized ledger (client-server model with no distributed components) transaction processing would entail the payor connecting to the central ledger keeper and initiating a funds transfer to the recipient’s account. The ledger would be updated after the payor has been confirmed as the account holder who has enough funds to carry out the transaction.
Alternatively, the ledger could be run on a distributed ledger technology (DLT) platform, in which the ledger is replicated and shared across several participants. With a DLT platform the central bank could have a centralized, decentralized or partially-decentralized authority for verifying and/or committing transactions. DLT platforms can be “public” (accessible by anyone) or restricted to a group of selected participants (“consortium” or “private”). Ledger integrity can be managed by a selected group of users (“permissioned”) or by all network participants (“permissionless”).
So far, central banks that have reached the proof of concept (PoC) and pilot stages of CBDC explorations have opted platforms that allow for control over platform access and participants, and role-based oversight and visibility of transactions (see table). Such platforms also ensure that the central bank retains full control over money issuance and monetary policy. They include centralized ledger and DLT private permissioned platforms, and digital bearer instrument platforms. Permissionless (decentralized authority) platforms have tended to fall short on scalability, and settlement finality, and financial integrity risk management.
It has been generally believed that centralized platforms process transactions more quickly. VISA says their network can handle up to 65,000 transactions per second (TPS), while private DLT platforms have tended to be way slower (e.g., 10,000+ TPS). There is also the issue of “finality” – the point at which transferred funds become irrevocable. Some networks, like Bitcoin and R3 Corda, offer only what is called “probabilistic finality” which won’t cut it for a retail payment system.
Although all the pros and cons of DLT-based versus centralized ledger-based retail payment systems are out of scope of this post, it’s worth mentioning that DLT-based platforms may offer enhanced resiliency by reducing single points of failure. Also, potential data loss at one node can be recovered through replication of the ledger from other nodes when the network comes back online. But DLT-based platforms may experience attacks against the network layer, which includes the consensus mechanism by which database updates are approved, or smart contract exploits. (For more on such pros and cons, see Raphael Auer and Rainer Böhme’s Technology of Retail Central Bank Digital Currency article)
In the table below, I’ve listed what I believe to be the main players in the retail CBDC platform space. My main criterion for inclusion is that the platform has been used in a CBDC or sovereign digital currency pilot or proof of concept or has published something substantive to back up the claim that it offers a viable CBDC platform. I’ve tried to categorize them by whether they’re ledger- or token-based, and if they’re ledger-based, whether the ledger management is centralized or distributed. My plan is to make this a “live” table, and possibly add more columns based on your comments and suggestions. If you have platform suggestions that I’ve missed, please provide links to written material that supports the claim.
In a previous post I discussed what is and isn’t a retail central bank digital currency (rCBDC): A broadly available general purpose digital payment instrument, denominated in the jurisdiction’s unit of account, that is a direct liability of the jurisdiction’s monetary authority, and subject to the same rules and regulations as imposed on the jurisdiction’s other units of account. The gist of this is summarized in the following table.
I then went on to describe wholesale central bank digital currency (wCBDC) as being like an rCBDC, but being restricted to wholesale, financial market payments. But some will notice that I never mentioned the technology platform – whether it runs on a centralized or decentralized ledger, or whether there is even a ledger at all (i.e., “token” based). And that’s because discussions around rCBDC are generally agnostic about the platform type. However, it’s my sense that that is not the case for wCBDC.
And that may be because wCBDC is not really anything new. For example, a 2018 IMF staff discussion note characterized central bank reserves as a “wholesale form of CBDC used exclusively for interbank payments” which has been around for ages. And in 2020, ECB legal staff noted that “the issuance by central banks of digital liabilities and the corresponding holding, by third parties, of intangible money claims against the balance sheet of the digital liability-issuing central bank would not represent a genuine novelty.”
And a 2020 paper that surveyed wCBDC research found that “the overarching motivation for CBDC research by CBs is to assess the impact of distributed ledger technology (DLT) on financial market infrastructures (FMIs). Which all implies to me that when people say “wholesale CBDC” they really mean to say is “distributed ledger technology (DLT) based wholesale CBDC. This may be a trivial discussion but when we say “retail CBDC” we encompass all platforms (centralized, distributed and token-based) and as everyone knows I’m a stickler on definitions!
And although I don’t follow wholesale CBDC developments closely, I’ve tabulated below the experiments that have popped up in my Daily Digest. If I’ve missed any, please let me know in the comments! FYI I plan to keep the table updated on my Kiffmeister Chronicles blog. That’s also the best version of the table to use if you want to follow the live links in the “references” section.
According to the Bank for International Settlements (BIS), a retail central bank digital currency (CBDC) is a broadly available general purpose digital payment instrument, denominated in the jurisdiction’s unit of account, that is a direct liability of the jurisdiction’s monetary authority. To this I would add, subject to the same rules and regulations as imposed on the jurisdiction’s other units of account. By “general purpose” is meant that it can be used by the public, for day-to-day payments rather than CBDCs restricted to wholesale, financial market payments. A liability issued by a monetary authority that is not in its own currency (i.e., where it does not have monetary authority) is not a CBDC. I’ve summarized this definition in the table below and have added that it can be used for peer-to-peer transactions, which the Banque de France also views as an essential characteristic.
In previous versions of this tabulation, I included legal tender status as a key characteristic. A currency’s legal tender status entitles a debtor to discharge monetary obligations by tendering the currency to the creditor. However, a recent IMF working paper casts doubts on whether a digital currency can, or even should be given legal tender status. For example, designating CBDC as legal tender is not obvious if broad layers in the population are not positioned to technically receive it as a means of payment (e.g., not owning a computer or smartphone). Legally, it may not be possible either, because the creditor without access to the technology cannot accept the payment even if she wants to.
Anyways, this is the definition I’ve been applying to my real-time tabulation of retail CBDC explorers, but I frequently get suggestions to add new entries that don’t fit my definition. However, many turn out to be clearly wholesale CBDC, which are easy to identify and reject. And there are several more subtle ones that pop up, such as the Republic of Marshall Islands (RMI) SOV, and Cambodia’s Project Bakong, that I will briefly run through here. The SOV is easy to reject because there is no RMI monetary authority, and it is not denominated in the country’s unit of account, which is the U.S. dollar.
Cambodia’s Project Bakong has been sometimes called a quasi-form of CBDC but from my read of the white paper, it is arguably at most some form of synthetic retail CBDC. To me it appears to be a central bank-run interbank retail payments system that runs on distributed ledger technology rails that requires that any user balances be parked at the central bank. That makes it possibly a synthetic CBDC, in the same way that China’s AliPay and WeChat Pay are because they are required to park user funds at the People’s Bank of China. But in all these cases, the digital currencies are not issued by and direct liabilities of the central banks, so they’re not CBDC.
And the National Bank of Cambodia’s Chey Serey would seem to agree that Bakong isn’t a CBDC. “Instead, the platform augments the existing Fast and Secure Transfer (FAST), real-time retail payment system and Cambodian Shared Switch (CSS) that facilitate mainly interbank transactions among commercial banks and MFIs. They were launched respectively in 2016 and 2017 and are Cambodian riel (KHR) and US dollar account-based systems that do not interoperate with the twenty or so PSPs that serve mainly the unbanked. With the launch of Bakong, banks, MFIs and PSPs have a ready-made universal mobile app interface to connect users with FAST, CSS and each other.”
However, I have been long maintaining the Banco Central del Ecuador’s Dinero Electrónico mobile payment system in my CBDC explorer tabulation but being somewhat uneasy about its inclusion. The program, which operated between 2014 and 2018, allowed citizens to transfer USD balances in real-time from person to person using basic cell phones. From my read of a recent paper on the Dinero Electrónico it would seem to be a central bank-run USD asset-backed stablecoin. Like with the RMI, the USD is the country’s unit of account, but in this case the digital currency is indeed denominated in Ecuador’s unit of account, and it was issued by, and a liability of, the central bank. Hence, it’s a CBDC by my definition.
However, Marcelo Prates has suggested that digital currencies like the Dinero Electrónico is nothing more than a stablecoin issued by a central bank. Basically if the central bank can’t issue traditional money (reserves + cash), it can’t issue the “digital” version of this money. Hence, by this logic, only central banks that issue their own currency can issue CBDC, which precludes completely dollarized country central banks from issuing CBDC. Besides U.S. territories, these include Ecuador, El Salvador, Marshall Islands, Micronesia, Palau, Panama, Timor-Leste, and Zimbabwe. The same would go for countries in the eurozone and other currency unions. But would countries with currencies anchored to another country’s would still be able to issue CBDC?
BTW some might note that I don’t include in my tabulation the Avant smart card system created by the Bank of Finland in the 1990’s that was the world’s first CBDC. It is indeed a CBDC, but my tabulation seeks to cover CBDC projects that are potentially still live, whereas Avant shut down in 2006. However, I have added a new section to my tabulation for retail CBDC projects that have been shut down.
In that regard, I’m tempted to drop the Banco Central del Ecuador’s Dinero Electrónico from my CBDC explorer tabulation because it is now similarly defunct, and it is questionable whether the Ecuador central bank can even issue a CBDC. But alternatively, I could include the Avant as a CBDC that has launched/ piloted. Any thoughts out there?
In 2018, the Republic of Marshall Islands (RMI) parliament passed the Sovereign Currency Act 2018 (the SOV Act), which established the digital currency Sovereign (SOV) as second legal tender in addition to the US dollar based. As legal tender, the SOV would be able to be used for any purchases as well as all payments of debt and tax obligations. Pursuant to this law, the SOV would be issued by the Ministry of Finance and would be non-redeemable. It was to be introduced via an initial coin offering (ICO), which the appointed organizer – SFB Technologies was tasked to perform. The law also requires transparency over the identity of the SOV users. The SOV would be issued on the Algorand blockchain.
One main purpose of the SOV is to generate revenue for the government. Additional motivations expand financial inclusion and improve RMI’s access to the global digital financial system.
After the initial issuance through an ICO, the number of SOV units would grow by 4 percent per year coded into the blockchain independently of the demand for the currency. Half of the revenue from the initial issuance (24 million SOVs) would be allocated to SFB Technologies and the other half to the RMI government. SFB technologies is tasked with developing and implementing the SOV and would bear all the necessary costs to issue the SOV and perform the ICO.
SFB technologies was planning on organizing a pre-sale of rights to future SOV units, with an eye to “test the markets and technology” and to gather additional information that could inform the government’s decision whether to proceed with the launch of the SOV. The pre-sale as currently conceived is independent of the RMI government and is designed as a private sale.
At a first glance, this arrangement sounds great, but a closer look reveals that it sounds too good to be true. Let us deconstruct the statements above to figure out where the SOV’s fatal flaws lie.
First, introducing the SOV would imply that the RMI would move to a dual currency system. In the absence of a monetary policy framework and a central bank this would impose significant risks to macroeconomic, monetary, and financial stability. The fixed annual growth rate of 4 percent irrespective of the demand for the currency would lead to large fluctuations in the value of the SOV against other currencies, including the U.S. dollar, the primary legal tender. These fluctuations, in turn, could create incentives for households, firms, and visitors to hoard the more stable/appreciating legal tender, while discharging debts and other obligations, including tax obligations, in the depreciating legal tender. This could have serious adverse consequences for the RMI’s public finances. Also, given that the RMI does not have a central bank, the country would effectively outsource its monetary policy to a private sector party creating a strong dependency.
Third, based on the SOV’s issuance through an ICO as a way of raising revenue can be considered a securities offering. As there is no securities regulation governing either the pre-sale or the actual issuance, the RMI exposes itself to a regulatory vacuum unable to thwart or respond to potential fraud and manipulation.
Fourth, the identity of SOV users is expected to be verified through licensed international exchanges. However, licensing exchanges that will list the SOV is a mammoth task that may exceed this small country’s existing regulatory capacities. Moreover, although the exchanges are responsible for identity verification and establishing white and black lists for financial integrity purposes, the RMI government would still have to manage those lists as well as monitor and enforce compliance. Given the weakness of the country’s anti-money laundering (AML) and counter-terrorism financing (CFT) regime and capacity constraints within the regulatory and supervisory agencies, it remains questionable whether financial integrity risks can be mitigated adequately. The Digital Economic Zone for the exchange of virtual assets would only exacerbate the financial integrity issues.
Fifth, the stated goal behind the SOV is to raise revenue for the government to offset the fallout from revenue from the reduction of the U.S. Compact grants after 2023. However, there is no indication how much revenue the SOV issuance would generate. For revenue to be sizeable, there would need to be strong demand for SOV by foreigners. This seems difficult given the strong competition from existing crypto assets. In addition, through the SOV issuance, the small economy’s revenues would be subject to global crypto market price volatility.
It is easy to get blinded by the promise of enormous revenue from a state-backed crypto-asset like the SOV especially considering impending revenue fallouts. But issuing, managing and sustainably maintaining a crypto-asset designated as legal tender is a complex endeavor and requires important prerequisites such as an adequate legal and regulatory framework, sufficient capacity to supervise and regulate the SOV as well as the security of the underlying system and a viable digital infrastructure. Rather than embarking on a project of this magnitude and complexity, the Marshallese could consider other options such as rationalizing public spending which is the highest in the Pacific region to unlock extra revenue, lean on regulated stablecoin or e-money providers to expand access to finance, work with development partners such as the World Bank or the Asian Development Bank to expand the country’s core infrastructure and request technical assistance to enhance the country’s legal and regulatory regime.
The government is now considering to repeal the SOV Act and a bill on establishing a Digital Economic Zone was submitted to the Parliament recently.
In designing central bank digital currency (CBDC), central banks face a trade-off between satisfying legitimate user preferences for privacy and mitigating financial integrity risk. Physical cash protects privacy because it is anonymous, but it also facilitates criminal financial transactions such as money laundering, financing of terrorism, corruption, and tax evasion.
A CBDC that gives authorities access to user identity and their transaction data would provide obvious financial integrity oversight benefits. However, such fully transparent CBDC might raise concerns around digital surveillance with CBDC potentially being instrumentalized against users, especially in jurisdictions where trust in public institutions is low. Also, such CBDC might disadvantage those without access to identification, which could impair financial inclusion efforts.
On the other hand, a fully opaque CBDC that hides users and their transactions from authorities, could introduce significant financial integrity risks, notably due to the ease and speed with which transactions can be performed and their potential global reach. Privacy preferences are not driven only by the desire to conduct illicit transactions but also to mitigate spamming and identity theft, and of being stalked or robbed (Kahn and others, 2005).
But there are many dimensions of anonymity and privacy with different CBDC design implications.
Dimensions of CBDC Anonymity and Privacy
Brookings (2020) and R3 (2021) specify two dimensions of privacy – anonymity and transaction privacy. Anonymity means that it is impossible to link transactions or activity to the sender or recipient. Under the EU General Data Protection Regulation (GDPR) identity data is considered personal data, i.e., any piece of information that relates to an identifiable person. This can range from pseudonymous keys or metadata (e.g., location data or online identifier) to personally identifiable information, like government ID numbers. A transaction is private if related metadata (e.g., whether it occurred, its amount, between who and when, whether the two parties have transacted before) is not revealed.
Then there is the question of who and how identity and transaction data is shared with. Bech and Garratt (2017) specify two types of financial anonymity – counterparty and third-party anonymity. Counterparty anonymity means that a payor need not reveal their identity to the recipient. Third-party anonymity means that the payor’s identity is invisible to all other parties, including the operator of the payment system.
Digital Currency Design Considerations
The Financial Action Task Force (FATF) has issued standards that countries should implement to prevent money laundering and terrorist financing that will impact CBDC design considerations. In most instances, to comply with FATF standards, some information on CBDC users and transactions would need to be collected and, on a when-necessary basis, made available to competent authorities. However, some form of proportionality could be applied to reduce data requirements on low value transactions to foster adoption and usability, provide a more ubiquitous access to CBDC, and assuage data privacy concerns. For example:
Brookings (2020) suggests that the central bank could delegate account and identity management to one or more payment service providers (PSPs) who verify and record specific identity information, while the central bank sees only pseudonymous public keys. In this business model, individuals are at least pseudonymous with respect to the central bank and the transactions it processes if the PSPs adequately protect this identity information. However, the PSP can disclose the identity associated with a suspicious account to address regulatory compliance and anti-money laundering. See the table below for three examples of this type of business model in action.
The European Central Bank tested out “anonymity vouchers” in a proof of concept (ECB, 2019). These non-transferrable vouchers allow users to anonymously transfer a limited amount of CBDC over a defined period whereby a user’s identity and transaction history cannot be seen by the central bank or counterparties other than those chosen by the user. Hence, anonymous CBDC transfers can be enforced without recording the amount of CBDC that a user has spent, thereby protecting users’ privacy.
China’s eCNY design includes “controllable anonymity” in its design. Although the central bank will be privy to the identity of its users and their transaction data, users will have the ability to control what information they expose to counterparties (Qian, 2018). It aims to keep the degree of anonymity within a controllable range by requiring the disclosure of transaction data only to the central bank (Fan, 2020).
A stored value CBDC hardware solution that takes the form of a card or a mobile wallet app on which prepaid values are stored locally opens the possibility of almost complete anonymity. Such a wallet could conceivably be as anonymous and private as physical cash, although the central bank may require identification to enforce a one wallet per person policy or holding and/or transaction size limits to mitigate financial integrity risk. A couple of vendors (BitMint and WhisperCash) offer this CBDC platform option.
Physical/email address, phone number and photo for low-limit access (B$500 holding and B$1,500/month transaction). Plus, government-issued photo ID for higher limits (B$8,000 holding and B$10,000/month).
Transaction transparency to enable CB to monitor suspicious transactions and stop accounts. Pseudonyms ensure user anonymity. CB maintains ledger and server is encrypted.
Physical/email address, phone number, photo and birth date/place for low limit access (EC$1,000 to EC$2,700/month transaction depending on risk profile). Plus, full name and bank account for higher limits (EC$3,000 to EC$20,000/day).
CB can see anonymized transaction data and outstanding CBDC in each digital wallet. Registered financial institutions can fully observe the identity of payers and payees and the purpose of transactions.
Physical/email address, SIM card and national ID for low limit access (UYU30,000 wallet maximum). No higher limits except for businesses (UYU200,000).
User data is segregated across different databases. Transaction data per (anonymous) digital wallet can be decrypted to reveal the user’s identity under very restrictive conditions – e.g., a competent authority prosecuting someone that has probable cause to access the transaction data.
People’s Bank of China eCNY
SIM card for low limit access (¥10,000 holding, ¥2,000/transaction and ¥5,000/day). Plus, full name, address, phone number and bank account for higher limits (¥500,000 holding, ¥50,000/transaction and ¥100,000/day).
Controllable anonymity: The PBOC will be privy to the identity of its users as they are required to provide their real identities when they first sign up. However, users will have the ability to control what information they expose to counterparties
Digital currency privacy tradeoffs have sparked intense debate with seemingly irreconcilable differences of opinion. On the one hand, authorities do not want to allow anonymous CBDC because of potential financial integrity risks. Others don’t believe it’s possible to design a fully anonymous currency that’s resistant to double spending attacks. On the other hand, law-abiding users consider privacy an intrinsic non-negotiable right and nobody should have full oversight over their transactions. However, the choice between user anonymity and transparency doesn’t need to be black and white. For example, the recent digital euro public consultation found that, although potential users place a high value on transaction privacy, they don’t support full anonymity. Ultimate design choices will depend on the motivation for CBDC issuance, country specific circumstances and user preferences.
This post was co-written by Sonja Davidovic and the Kiffmeister
Tabulated below are all of the central bank and sovereign retail digital currency launches and pilots I know of that have revealed their technology partners and platforms. I didn’t include the South Korean pilot because they haven’t revealed their technology partners or platforms. Please keep in mind that this is just a first crack and comments and suggestions are welcome.
I’ve tabulated the key features of the two active central bank digital currency (#CBDC) projects in the Caribbean area. The Central Bank of the Bahamas (CBOB) went live with its Sand Dollar on October 21, 2020 after a ten month pilot, and the Eastern Caribbean Central Bank (ECCB) started a twelve month pilot of its DCash on March 31, 2021 on four of the eight island countries under its currency union. This is all based on publicly-available information – hence some of the question marks. If there are errors of omission or commission, please let me know in the comments! Also, see below for an updated version of the PDF version of the table that includes the Central Bank of Uruguay 2017-2018 e-Peso pilot.
System utilizes enhanced short-lived one-time web tokens
Smartphone & smart card
Initially no, but maybe yes later
None during pilot
Tier 1 requirements
Physical/email address, phone number and photo.
For “value-based“: Physical/email address, birth date/ place, phone number and photo.
Tier 1 transaction limit
EC$1,000/m or EC$2,700/m
Tier 1 holding limit
Tier 2 requirements
Tier 1 requirements plus govt.-issued photo identification
For “register-based“: Full name, address, phone number, and bank account
Tier 2 transaction limit
EC$3,000, EC$5,000, EC$20,000/d depending on risk profile
Tier 2 holding limit
Business license & VAT ID number
Business name, physical/email address, phone number
B$20,000/m or 1/8th of annual revenues whichever is greater.
EC$25,000/d to EC$300,000/d based on risk rating
B$8,000 or 1/20th of annual sales, up to an annual limit B$1 million.
Users can make a pre-set dollar value of payments when communications access to the Sand Dollar Network is disrupted. Wallets would update against the network once communications were re-established.
The party initiating the transfer (sender) must have an internet connection. If the receiver is offline the payment will still be processed, and they will see the change in their balance as soon as they are back online.
Transaction transparency to enable central bank monitor suspicious transactions and stop accounts. Pseudonyms ensure user anonymity. Central bank maintains ledger and server is encrypted
Central bank can see anonymized transaction data and outstanding stock of DCash in each digital wallet. Registered financial institutions can fully observe the identity of payers and payees and the purpose of transactions