Rethinking CBDCs: Addressing design flaws and privacy concerns

by Geoffrey Goodell, senior research associate, UCL Computer Science


What is this article about?

The flaws in prevailing central bank digital currency (CBDC) designs and suggestions for improving them.

Why is it important?

These design flaws could undermine efforts to create a public digital payments system for the future economy.

What’s next?

To rethink the assumptions behind CBDC proposals and push for more privacy-oriented, innovative solutions.

Many central banks and financial authorities worldwide are experimenting with central bank digital currency (CBDC), including the European Central Bank, the US Federal Reserve, and the Bank of England, among others. Their designs broadly share a set of characteristics that, by and large, reflect a common set of mistaken assumptions, and those assumptions reveal important flaws in the prevailing CBDC proposals. These design mistakes matter, in no small part, because they could undermine the important task of developing a public payment option for the digital economy. The errors fall into three categories: the assumption that all money must be held in accounts, the assumption that wallets must be subject to control by authorities, and the reliance upon exceptional access mechanisms. The good news is that there is a path forward, but we must first critically examine the reasoning behind the proposals.

Accounts

Nearly all of the prevailing CBDC proposals assume that money must always be held in accounts maintained by a service provider, making that service provider a de facto custodian, and suggesting that bearer instruments have no place in the future of digital money.

This assumption follows from some earlier work by economists that suggested that accounts might be economically more efficient than tokens. In the late nineties, some economists, including Narayana Kocherlakota of the Minneapolis Fed, suggested that bearer tokens constitute an inferior form of money because they do not make use of all of the information available about the history of counterparties to a transaction. It would be more efficient, the argument goes, to make every transaction using credit, including the decision about whether to transact. Around the same time, the Financial Action Task Force advised governments to seek to use modern technology to replace cash transfers with account-based transfers, implicitly suggesting that account-based transfers would significantly reduce financial crime without meaningful negative externalities.

In the end, however, money is not only an economic instrument but a social instrument as well. Other economists questioned the popular conclusions about bearer instruments, suggesting that their affordances constitute an economic value of their own and that some transactions might not happen or might not be consummated at the right price in their absence. But the damage was done. If anything, complex rules in support of expansive AML/KYC regulations benefited card platforms and other payment service providers by raising a barrier against new entrants.

Of course, the assumption that tokens must be inefficient because they necessitate certain interactions, such as withdrawing tokens, depositing tokens, and handling inexact change, ignores that digital technology can also automate that interaction. Tokens are powerful precisely because they represent value independent of identity and enable transactions without reference to some history that will ultimately rely upon records held and maintained by third parties whose involvement invariably carries a price, one that the provision of value-added services might not mitigate.

Wallets

Most of the CBDC proposals assume that wallets must be under the control of authorities, necessitating some combination of wallet registration and certified hardware. There are two main justifications for this assumption. The first is that holding limits are necessary to prevent bank runs. Unless some maximum value that can be held in a wallet is enforced, the argument goes, banks will be depleted of their deposits without warning; and if the technology of the wallets themselves can be called upon to enforce these limits, then the problem is solved. Surely, the leadership of some banks must be concerned that some retail consumers might not appreciate the value of money creation through banking and only maintain deposit accounts as a means to access electronic payments. But the multitude of ways to stop bank runs includes some important successes that this argument overlooks.

Consider, for example, that in 2015, the government of Greece restricted bank withdrawals to 60 euros per day to prevent banks from collapsing during its negotiation with the IMF and the EU about a possible exit from the Eurozone. The strategy worked, and the banks did not collapse. It can be reasoned that the best way to stop bank runs resulting from cascading withdrawals is to limit the rate of withdrawals, not the amounts that individuals can hold. And whilst nationwide limits on withdrawals might not be enough to stop individuals from hoarding money, such a policy can be supplemented with individualised limits on withdrawals, as well as limits on the cumulative withdrawals made by an individual over a period of time. Such policies control the withdrawal of digital currency in a manner akin to existing limits on the withdrawal of cash from ATMs, and they do not necessitate control over wallets.
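As an added illustration (not code from the article or any central bank project), the following shows how the withdrawal-side controls described above could be enforced by the issuer or bank at the point of withdrawal, with no control over the wallet at all: a nationwide per-day cap, an optional individualised per-day cap, and a cumulative cap over a rolling window of days. The class name, the cent amounts and the window length are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import date, timedelta


class WithdrawalPolicy:
    """Issuer-side withdrawal limiter (hypothetical example class).

    Limits are applied where digital currency leaves the account, the same
    place ATM cash limits apply today, so the wallet itself needs no
    registration or certified hardware.  Amounts are integer cents.
    """

    def __init__(self, daily_cap, window_days, window_cap):
        self.daily_cap = daily_cap          # nationwide per-day cap for everyone
        self.window_days = window_days      # length of the rolling window
        self.window_cap = window_cap        # cumulative cap over that window
        self.individual_caps = {}           # account_id -> stricter per-day cap
        self.history = defaultdict(deque)   # account_id -> deque of (date, cents)

    def set_individual_cap(self, account_id, cap):
        """Individualised limit; it can only tighten the nationwide cap."""
        self.individual_caps[account_id] = cap

    def _recent(self, account_id, today):
        """Drop withdrawals that have fallen out of the rolling window."""
        q = self.history[account_id]
        cutoff = today - timedelta(days=self.window_days - 1)
        while q and q[0][0] < cutoff:
            q.popleft()
        return q

    def request(self, account_id, amount, today):
        """Return (allowed, reason); record the withdrawal only if allowed.

        `today` may be a datetime.date or an ISO-8601 string ("2015-06-29").
        """
        if isinstance(today, str):
            today = date.fromisoformat(today)
        if amount <= 0:
            return False, "amount must be positive"
        q = self._recent(account_id, today)
        spent_today = sum(a for d, a in q if d == today)
        spent_window = sum(a for _, a in q)
        per_day = min(self.daily_cap,
                      self.individual_caps.get(account_id, self.daily_cap))
        if spent_today + amount > per_day:
            return False, "daily limit"
        if spent_window + amount > self.window_cap:
            return False, "cumulative limit"
        q.append((today, amount))
        return True, "ok"
```

With a 60 euro daily cap and a 300 euro cap over seven days, an account that withdraws the daily maximum on five consecutive days is blocked on the sixth and released again once the earliest day leaves the window.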

The second justification for control of wallets is related to offline payments. The consultation material for the digital euro, in particular, demonstrated a significant focus on offline payments, as if offline payment were a requirement without which the digital euro could not succeed, although economic models show that directly competing with cash would be worse than useless. As it turns out, there is no way to achieve settlement of a payment without the involvement of a third party, so certified hardware running on secure elements and trusted execution environments could ensure that the third party is hardwired into devices carried by holders of digital currency wherever they go. Surely, manufacturers of secure hardware technology must be excited about the possibility that regulators might require consumers to carry digital wallets containing their devices, and, given the high fixed costs, there are few companies that can manufacture such technology. But this logic, too, is flawed. The interest in CBDC is precisely the result of the rise of online payments, both in e-commerce and at the point of sale, and the decline of offline payments. Specifying the requirements for a payment protocol around offline payments, to say nothing of assuming that the demand for privacy and self-custody should only apply to offline payments, misses the point entirely.

Privacy

Finally, nearly all of the various CBDC proposals have also assumed that government authorities must be able to know where all the money is: not just when it is transacted, but when it is at rest as well, a capability that they never had with cash. In addition, the designs assume that authorities should have a way to find both counterparties associated with every transaction, for example, if such knowledge might be useful to an investigation. There are several problems here, starting with the assumption that CBDC must inherit all of the properties that apply to custodial transfers of the sort specified by ISO 8583 or ISO 20022. This ignores an equally valid alternative: framing CBDC as a digital form of cash, which can also be designed to incorporate appropriate compliance and security characteristics.

Another problem involves the definition of privacy. If an authority can unilaterally choose to lift the veil on the identity of the payer in a transaction, without asking the payer for permission and without the possibility that the payer might decline, then the payer is not actually private, just as with backdoors in encryption technology. It does not matter whether there is some legal process whereby several different authorities must turn their keys at the same time. It is like Chekhov’s gun: if the gun is on the wall in the first act, then surely someone will find a way to use it; otherwise, why put it there? Moreover, if there is no way for a payer to verify that privacy has been respected, then there is no reason to trust that it has been respected, either. Then there is the matter of profiling. Will automated searches through the personal histories of an entire population become commonplace, enabled by machine learning algorithms trained to furnish answers to questions about which actors exhibit behaviour that is outside the norm?

These arguments seem to assume that privacy of payers and the ability for payers to hold their own money are incompatible with police investigations or enforcement of compliance rules, but they are not. Rather than assume that profiling consumers is the best way to prevent crime, it is better to develop other ways to prevent abuse instead, such as payee verification and inviting consumers to assist in investigations.

Takeaway points

Although the prevailing CBDC proposals were supposedly made with the public interest in mind, the designs reveal a lack of imagination about what is possible, along with a certain lack of respect for retail consumers and businesses alike. When central banks consider the question of financial stability, do they assume that this means buttressing the existing business models, even when they are past their expiration date? With the rise of the digital economy, central banks and financial authorities are under the mistaken impression that doing nothing is a conservative choice.

Payments leaders would do well to rethink the assumptions underpinning prevailing consumer payments infrastructure and push for more innovative, privacy-oriented solutions.
