16 June 2025
by Payments Intelligence
What is this article about?
A Bank of England experiment proving that offline payments with a digital pound are technically feasible, but complex.
Why is it important?
It highlights major trade-offs in security, privacy, and policy that must be addressed before offline CBDC payments can scale.
What’s next?
Policymakers must resolve governance questions while the industry prepares for potential integration and standard-setting.
The Bank of England (BoE) has demonstrated that it is technically feasible to carry out offline payments with a digital pound. The experiment was carried out in partnership with Thales, Secretarium, and Consult Hyperion, demonstrating both the technical plausibility and the layered complexities of enabling a central bank digital currency (CBDC) to function without internet connectivity.
For payments leaders, the findings are not simply a technical footnote. If implemented, offline CBDC capability could introduce new consumer behaviours, shift merchant requirements, and alter the economics of digital payment acceptance. Simultaneously, it would entail trade-offs in security, user experience, and operational design that demand careful scrutiny across the industry.
Despite the success of the experiment, no final decision has been made on whether to implement an offline payment functionality if a digital pound were launched.
The project assessed whether it was feasible to enable payments between parties who had no access to the CBDC network at the time of transaction, a scenario often triggered by poor connectivity or service outages. This “device-to-device” approach would allow smartphones or smart cards to store value locally and initiate peer-to-peer (P2P) or person-to-business transactions offline.
All solutions trialled were able to achieve “final and irrevocable offline CBDC payments,” meaning that once funds were transferred, the payee could spend them immediately, without needing to reconnect to the central ledger. These solutions functioned by pre-loading funds onto user devices via an intermediary, creating a separate offline balance within the digital wallet.
However, this structure introduced practical constraints. Offline functionality was contingent on the user having pre-downloaded funds, limiting its spontaneity during unexpected outages. Furthermore, wallets had to manage dual balances (offline and online), requiring users to actively choose between them when transacting. These mechanics underscore the critical role of user interface design in ensuring ease of use does not become a barrier to adoption.
Two distinct payment flows were tested:
Asynchronous: where the payer sends funds using the payee’s wallet ID, without the payee being present. The payment does not need to be sent to the payee’s device directly, and could be generated as a QR code, sent via SMS, or over email, for example. As the payment message includes the issuer’s public key, the payee’s device can verify the transaction upon receipt of the payment.
While asynchronous payments may appear more flexible, they introduce a major risk: irrecoverability. Once sent, funds are deducted from the payer’s device regardless of whether the payee ever receives them. In contrast, the synchronous model offered built-in safeguards, allowing for the recovery of funds in failed transactions.
This distinction has real-world implications. Retailers and service providers may favour synchronous models to mitigate payment disputes. In contrast, asynchronous payments could serve niche use cases, such as ticketing or peer-to-peer gifting, if paired with clear user warnings and fallback mechanisms.
Offline payments, by definition, occur outside the purview of real-time ledger reconciliation, thus introducing the risk of double spending (attempting to spend the same funds twice). The experiment explored multiple countermeasures, chief among them being the use of Secure Elements: tamper-resistant chips that store cryptographic keys and transaction data on user devices.
The experiment tested two implementation models: one in which the Secure Element contained the entire transaction capability, and another in which only sensitive keys were protected. Both approaches provided a degree of protection, but neither was perfect. The reliance on Secure Elements introduces new dependencies for manufacturers and wallet providers, and if compromised, could open the door to widespread fraud.
Storage limitations within these chips also constrained transaction volumes and the complexity of risk detection algorithms. For instance, smart cards had markedly less capacity than smartphones, affecting their ability to track suspicious behaviours or store chains of transaction history.
As a secondary measure, online reconciliation was used to detect anomalies when users eventually reconnected. While effective for post-transaction monitoring, this retrospective approach cannot prevent losses, a point the BoE explicitly highlighted in its reflections. Preventive mechanisms must therefore strike a balance between protection and practicality.
To enable double-spend detection and fraud analytics, it is necessary to store a local transaction record. Solutions ranged from full, cryptographically linked transaction histories to minimal or even non-existent record keeping. Each approach carries trade-offs between security, privacy, and device storage constraints.
The experiment showcased privacy-enhancing technologies, including data pseudonymisation, confidential computing, and ephemeral key management. These tools allowed transaction records to be shared with intermediaries for verification, without exposing personally identifiable information to the BoE’s core systems.
In future implementations, privacy controls will likely be tailored to specific use cases, with varying levels of transparency and traceability. The Bank’s commitment to privacy-by-design remains a cornerstone of trust-building, particularly as offline capabilities inherently increase the complexity of data flows.
From a hardware integration perspective, the experiment tested several communication technologies to enable offline payments. Near-field communication (NFC) has proven effective for card-based transactions but has revealed ergonomic challenges, such as inconsistent reader placement across smartphones, which can affect ease of use.
Bluetooth Low Energy (BLE) offered more flexibility for phone-to-phone transactions and accommodated larger data transfers, making it better suited for Unspent Transaction Output (UTXO)-based payment models. However, BLE introduced latency and connection issues, particularly during the initial pairing process.
Ultimately, neither protocol emerged as superior; each complements different device types and use cases. This has implications for merchant acceptance infrastructure: payment service providers (PSPs) and terminal vendors will need to support diverse standards and develop hardware-agnostic interfaces.
Perhaps the most important finding of the experiment was not technical, but strategic. The feasibility of offline payments is deeply intertwined with policy decisions on liability, fraud thresholds, user protections, and regulatory oversight.
For instance, how much value can a user store offline? What are the obligations of wallet providers if a transaction fails or is fraudulent? Who bears the cost of reconciliation errors or counterfeit detection failures?
These are not engineering questions; they are matters of governance and legal architecture, and they must be resolved before any offline CBDC capability can be deployed at scale. As Diana Carrasco Vime, head of the Digital Pound Project, has reiterated, trust, security, and usability will determine whether the digital pound gains real traction.
For payments firms, the potential introduction of offline digital pound payments raises both opportunities and operational questions. Retailers could benefit from reduced transaction costs, particularly on low-value payments where card fees remain disproportionately high. Merchants in rural or connectivity-constrained areas may also see value in cash-like functionality delivered via digital means.
The integration effort will not be trivial. As the BoE’s point-of-sale proof-of-concept demonstrated, existing terminals require firmware updates, secure key management, and potentially new back-end APIs to accommodate CBDC payments, particularly in offline mode. The ecosystem will need to coalesce around standards to avoid fragmentation.
Meanwhile, startups and fintechs have a window of opportunity to innovate. From smart wallets that optimise offline balances to fraud detection algorithms and user-friendly interfaces, there is scope to lead the market in enabling trusted offline transactions.
The Bank has made clear that no decision has yet been taken on whether the digital pound will include offline functionality. However, this trial confirms it is technically viable, albeit not without cost or complexity. The next phase will require a policy assessment to determine the risk appetite and strategic goals of such a feature.
For industry leaders, this is a crucial moment to engage. As the BoE moves toward a potential build phase by the middle of the decade, the voice of the private sector will shape how user experience, merchant integration, and risk management are operationalised.
Offline payments may never be the default mode of digital pound transactions but their availability could serve as a vital backup option, enhancing resilience, inclusion, and trust in a rapidly digitising economy.
UK merchants expect agentic commerce to grow rapidly, but uncertainty around liability, fraud, and standards is slowing readiness.
Stablecoins are moving into mainstream finance, reshaping payments, trade, and regulation as institutions explore faster, programmable settlement.
A forward-looking overview of key regulatory developments across payments, crypto and financial services, with timelines and practical implications.
You need to be logged in to do this!
