Design Principles of CBDCs

Atakan Kavuklu
Feb 8, 2022

1 Introduction

At the end of 2021, around 90 countries, covering over 90% of the world’s GDP, were exploring the introduction of a central bank digital currency (CBDC) (see CBDC Tracker, 2022). With even more project announcements expected in the future, one particular project stands out from the crowd: the Sistema de Dinero Electrónico project announced by the Ecuadorian central bank in 2014. After Ecuador suffered hyperinflation in 1999, which resulted in the Ecuadorian government officially pegging its domestic currency to the US dollar, economists suspected the Dinero Electrónico to be an attempt to stop the dollarization, or to get an interest-free loan from the public (see Rosenfeld, 2015).[1] Less than three years after launching, the project was shut down as “the state system had failed to attract a significant number of users or volume of payments” (White, 2018). Making participation in the CBDC voluntary, opposing a state monopoly on mobile payments, and even banning cryptocurrencies are some of the reasons why adoption was insufficient, but the most crucial point is the lack of trust. Since the Ecuadorian central bank was issuing claims on US dollars, rather than default-risk-free claims on its domestic currency, residents of Ecuador recognized that their dollars held in Dinero Electrónico, i.e. at the central bank, were more likely to default than dollars at commercial banks. Because residents were hesitant to use the newly created form of money, adoption of the state-run project fell short of expectations, resulting in the decommissioning of the project in late 2017 (see White, 2018). Although current CBDC projects generally focus on sovereign domestic currency, the Ecuadorian case proves that the introduction of a CBDC comes with several challenges that need to be evaluated. Therefore, designing a CBDC in detail beforehand will be crucial to its success.

To gain a deeper understanding of technical design implementations, this paper aims to give an overview of the design principles of CBDC. First, it defines CBDC and explains the motivation behind an introduction (Section 2) before providing an analysis of CBDC design considerations (Section 3). Further, it discusses the risks and limitations of CBDC (Section 4) and finally concludes with all relevant aspects (Section 5).

2 Background

At this moment, the only form of money issued by most nations’ central banks that can be held by the public is physical cash.[2] Only banks and other financial institutions can access electronic money issued by a monetary authority, in the form of central bank reserves. CBDC introduces the public to digital central bank money that is universally accessible (see Bank of England, 2020). The rest of this section defines CBDC and enumerates reasons to introduce it. Note that this paper focuses particularly on retail CBDC.

2.1 Definition of CBDC

Since the digital representation of money keeps evolving, there are no clear CBDC definitions. Although there is no universally accepted definition, this paper determines five defining characteristics. CBDC is (Ⅰ) electronic money and therefore a digital representation of capital. The central bank guarantees cash in exchange for CBDC, hence making CBDC (Ⅱ) a central bank liability. It can be used in (Ⅲ) peer-to-peer exchanges and allows households and businesses to make payments (see Bech and Garratt, 2017). Moreover, CBDC (Ⅳ) is issued by the central bank (see Kiff et al., 2020). Finally, it can be used to (Ⅴ) store value, fulfilling one of the general purposes of money (see Bank of England, 2020).

2.2 Reasons to introduce CBDC

The fact that 86% of central banks are investigating CBDC shows the enormous interest among central bankers in introducing this new form of money (see Boar and Wehrli, 2021). An introduction of CBDC can improve the resilience and robustness of financial systems and as a result lead to higher financial stability (see Groß et al., 2020). It also competes with other digital payment providers and can avoid the risk of private money creation such as Bitcoin. Therefore, the central bank can minimize the risk of losing its relevancy. Further, a CBDC addresses the consequences of declining cash usage and provides an electronic alternative (see Bank of England, 2020). An introduction can also extend financial inclusion, especially in developing countries, and thus offer financial services to presently unbanked people. The aforementioned arguments reveal the massive potential CBDC can contribute to any currency.

3 Design considerations

To realize these benefits, central banks must make the right design decisions, based on their country’s regulatory framework, for a successful introduction. This section details design considerations for CBDC by first analyzing the CBDC pyramid (see Figure 1) and then discussing further design choices.

3.1 CBDC Pyramid

Essentially, the CBDC pyramid, which was first introduced by Auer and Böhme (2020), details consumer needs and their associated CBDC design principles for the central bank. These are then divided into 4 layers and “form a hierarchy in which the lower layers represent design choices that [subsequently feed into] higher-level decisions” (Auer and Böhme, 2020).

Figure 1: The CBDC pyramid

3.1.1 Architecture

Beginning with the CBDC pyramid’s base layer, the architecture contains several consumer needs. Besides access to peer-to-peer money transfers, people demand convenient real-time payments rather than deferred payments.[3] Further, a CBDC should allow convertibility with other forms of money and in addition support interoperability between various payment systems.

To tackle these consumer needs, central bankers must determine the legal structure of claims and define the operational roles of central banks and private intermediaries in their respective payment systems (see Auer and Böhme, 2020). The difficulty lies in balancing between providing convenience, innovation, and efficiency, generally done by private institutions, and retaining financial stability. This leaves us with three distinct CBDC architecture solutions, varying in the management of records kept by central banks and their structure of claims.[4]

Firstly, in a direct CBDC architecture, the central bank maintains the record of all transactions and additionally executes retail payments and payment services. Consequently, users have a direct claim for CBDC on the central bank, meaning that retail users have direct access to accounts at the central bank (see Auer et al., 2020). Accordingly, payment efficiency could suffer if certain technical requirements are not fulfilled. Despite its simplicity, only a minority of central banks are considering introducing a direct CBDC solution, due to its potentially massive expansion of operations (see Auer and Böhme, 2020). Some economists are also concerned that a direct CBDC architecture could lead to the disintermediation of commercial banks (see Section 4).

In contrast to this stands the indirect or synthetic CBDC model. It implies a two-tiered financial system in which consumers have indirect claims on CBDC, as intermediaries are forced to back all retail CBDC-like liabilities with central bank money. Therefore, consumers have indirect CBDC-like claims on intermediaries, which then must hold “real” CBDC or other central bank money in return. Here, intermediaries handle all retail payments and other customer-related services, while financial institutions settle at the central bank. While this relieves central bank operations, no records of individual claims on CBDC are stored at the central bank. Unlike with cash, consumers have no direct proof of claims on CBDC if intermediaries fail. This can end in “a […] lengthy […] process with an uncertain outcome” (Auer and Böhme, 2020). As the safety of funds is a priority of central banks, the disadvantages of the indirect CBDC architecture explain why no central bank considers this architecture for any CBDC project (see Auer et al., 2020).

Merging elements of both models, the hybrid CBDC architecture is another solution. Again, intermediaries manage all retail payments and other customer-related services. However, claims on CBDC are directly linked to the central bank, which controls a central ledger of all transactions to restore CBDC balances if intermediaries fail (see Auer et al., 2020). This capability is termed a private sector messaging layer and grants consumers the safety of their CBDC even when intermediaries default, since records of individual holdings are kept at the central bank. Being more resilient than the indirect architecture and simpler to operate than the direct architecture, the hybrid CBDC model stands in between the aforementioned solutions (see Auer and Böhme, 2020). A study by Auer and others (2020) suggests that most central banks prefer the idea of a hybrid CBDC architecture.

3.1.2 Infrastructure

Next, building on top of our architecture solution, the second layer of the CBDC pyramid refers to the infrastructure. In addition to supporting the resilience and robustness of operations, any CBDC infrastructure should also provide a scalable payment system that enjoys continuous access. Some consumers also ask for a certain level of transparency to adopt the new form of money.

This leaves us with two design choices. Either the infrastructure will be based on a conventional centrally controlled database or on distributed ledger technologies (DLT). In essence, both “infrastructures often store data […] in physical separated locations” (Auer and Böhme, 2020). Whilst conventional databases rely on a single party to verify and update the ledger, DLT allows multiple entities to participate in the authorization and verification process of transactions. Agreeing on which transaction comes next is generally done by using consensus mechanisms that differ in scalability, security, and decentralization. After insufficient performance of permissionless DLT systems in central bank settlement initiatives, central banks moved away from exploring these infrastructures (see Gensler, 2018).[5] In permissioned DLT systems only previously approved entities are authorized to update the ledger, unlike permissionless infrastructures where the public can participate in this process. Considering both options, central banks need to weigh trade-offs accordingly.

Centrally controlled infrastructures achieve a higher transaction throughput than distributed infrastructures since only one entity must agree on updating the ledger, rather than multiple parties first communicating, then agreeing on an outcome.[6] Likewise, administrative and operating costs of centralized databases are typically lower compared to DLT infrastructures. On the other hand, DLT can reach higher resilience since the database and the ledger updating process are distributed and thus not subject to a single point of failure (see Auer and Böhme, 2020).[7] Owing to its decentralized nature, DLT also presents a more transparent solution regarding its transaction authorization process. All in all, central banks must decide if distributing the authorization of transactions is desired and poses a benefit over a centrally controlled infrastructure. Depending on what aspects are prioritized, trade-offs between conventional and distributed databases must be weighed properly. According to Auer and others (2020), several central banks tend towards introducing a distributed infrastructure, while others are considering a combination of DLT and conventional databases or purely conventional databases. Most regulators, however, still haven’t decided what infrastructure model to implement.

3.1.3 Technology

After establishing an architecture and later an infrastructure solution, central banks must answer the questions of whom to give access to CBDC and how private the data of participants will remain. A survey by the Deutsche Bundesbank (2021) demonstrates that around 80% of the Germans surveyed acknowledge privacy as a fundamental characteristic for the adoption of the digital Euro. To tackle these consumer needs, technology, the third layer of the CBDC pyramid, offers two approaches.

One option is an account-based system, where CBDC balances are tied to identities. Here, the system records every individual’s CBDC balance and updates it accordingly after transactions are made. Tying identities to account balances is a common practice of commercial banks. Therefore, an account-based approach relies on linking individuals to accounts throughout the whole payment system. So, assuming a person has a sufficient CBDC balance, a payment will proceed if that person’s identity as holder of the account is proven.

The other option refers to token-based systems. Akin to Bitcoin, balances are not tied to identities but to digital wallets that store CBDC tokens. Hence, a payment will be executed if ownership of a sufficiently funded digital wallet is proven, without the payer necessarily being forced to identify themselves. To prove ownership over a certain wallet, “the secret part of a public-private key pair [can be] used to sign […] message[s]” (Auer and Böhme, 2020).[8] Since public keys merely verify that their corresponding private keys were used to create a digital signature, wallets are only tied to public keys, which therefore act as pseudonyms. For this reason, anybody is capable of acquiring a key pair, granting universal access even across borders in a token-based CBDC solution.

Any CBDC introduction must comply with the jurisdiction’s laws, resulting in several challenges for the technological design of moving funds. On one hand, CBDC must follow AML and CFT frameworks to combat illicit activities, which require identifiable tracking of capital.[9] On the other hand, CBDC must also comply with several data protection regulations, protecting users against the exploitation of personal data and data breaches. Although “account‐based systems and token‐based systems can be configured with various identity solutions, ranging from fully anonymous to pseudonymous and to a fully transparent, identifiable solution” (Bank of England, 2020), truly anonymizing the use of CBDC opposes AML and CFT regulations, while an entirely transparent system opposes data protection procedures. In a token-based scenario where the secret key of a consumer is lost or stolen, control over all funds in that wallet is gone, because ownership over that wallet cannot be proven or the attacker has already withdrawn all funds (see Kiff et al., 2020). Despite all this, token technology sets the basis for potential payments with Internet-of-Things (IoT) applications or physical devices by equipping machines with digital wallets.
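
The following Python example is an addition to this article, not code from any CBDC project or from the cited papers. It contrasts the two access models described above: a token ledger that releases a token only against a valid signature from the key it is locked to, so a lost secret key means lost funds, and an account ledger where a lost credential can be reissued because the balance belongs to an identity. Assumptions: Lamport one-time signatures stand in for whatever signature scheme a real system would use (chosen only because they need nothing beyond the standard library), and the names TokenLedger, AccountLedger, "token-1", "bob" and "carol" are hypothetical.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature: a hash-based scheme used here only because it
# needs nothing beyond the standard library. A key pair must sign ONE message.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def address(pk) -> str:
    # Wallet pseudonym: a hash of the public key, with no identity attached.
    return H(b"".join(half for pair in pk for half in pair)).hex()

def transfer_message(token_id: str, new_addr: str) -> bytes:
    return f"{token_id}|{new_addr}".encode()

class TokenLedger:
    """Token-based: whoever can sign for the owning address may spend."""
    def __init__(self):
        self.owner = {}  # token_id -> address (pseudonym)
    def issue(self, token_id: str, addr: str):
        self.owner[token_id] = addr
    def transfer(self, token_id, pk, new_addr, sig) -> bool:
        if self.owner.get(token_id) != address(pk):
            return False  # presented key is not the one the token is locked to
        if not verify(pk, transfer_message(token_id, new_addr), sig):
            return False
        self.owner[token_id] = new_addr  # the old key never has to sign again
        return True

class AccountLedger:
    """Account-based: balances belong to identities; credentials are replaceable."""
    def __init__(self):
        self.balance, self.cred_hash = {}, {}
    def open(self, identity: str, amount: int) -> str:
        self.balance[identity] = amount
        return self.reissue(identity)
    def reissue(self, identity: str) -> str:
        # Assumption: the operator has re-verified the holder's identity out of band.
        cred = secrets.token_hex(16)
        self.cred_hash[identity] = H(cred.encode())
        return cred
    def pay(self, identity, cred, payee, amount) -> bool:
        known = self.cred_hash.get(identity)
        if known is None or not hmac.compare_digest(known, H(cred.encode())):
            return False
        if payee not in self.balance or not 0 < amount <= self.balance.get(identity, 0):
            return False
        self.balance[identity] -= amount
        self.balance[payee] += amount
        return True

def demo():
    tokens = TokenLedger()
    alice_sk, alice_pk = keygen()
    _bob_sk, bob_pk = keygen()          # constructed scenario: Bob's secret key is lost
    other_sk, other_pk = keygen()       # any key that is not Bob's
    tokens.issue("token-1", address(alice_pk))
    to_bob = transfer_message("token-1", address(bob_pk))
    out = {"alice_pays_bob": tokens.transfer("token-1", alice_pk, address(bob_pk), sign(alice_sk, to_bob))}
    # Without Bob's secret key the ledger has no way to accept a spend of his token.
    move = transfer_message("token-1", address(other_pk))
    out["other_key_rejected"] = not tokens.transfer("token-1", other_pk, address(other_pk), sign(other_sk, move))
    out["wrong_sig_rejected"] = not tokens.transfer("token-1", bob_pk, address(other_pk), sign(other_sk, move))
    accounts = AccountLedger()
    old = accounts.open("bob", 100)
    accounts.open("carol", 0)
    new = accounts.reissue("bob")       # lost credential replaced after identity check
    out["old_cred_rejected"] = not accounts.pay("bob", old, "carol", 40)
    out["new_cred_accepted"] = accounts.pay("bob", new, "carol", 40)
    out["carol_balance"] = accounts.balance["carol"]
    return out
```

The recovery path in AccountLedger exists only because the operator knows who the account holder is, which is the same property that makes the account-based model less private.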

It is important to emphasize the gravity of payment data protection as it safeguards sensitive personal data. Therefore, regulators must carefully decide what technological features to implement in their solution. Certain privacy measures must be given, so adoption doesn’t fail, while at the same time regulatory frameworks against illicit activities must be enforced as well. When it comes to deciding what technological approach to implement in a CBDC, most central banks are undecided whether to select an account-based, a token-based or a mix of both technologies (see Auer et al., 2020).

3.1.4 Interlinkages

Lastly, the top layer of the CBDC pyramid discusses whether cross-border payments and interlinkages with foreign currencies should be a feature. Consumers “demand for seamless and inexpensive cross-border payments [since] international e-commerce, remittances and tourism [have expanded dramatically]” (Auer and Böhme, 2020).

Central banks might have an interest in letting non-residents use and participate in their domestic currency for several reasons.[10] Widening the use of a nation’s currency can help foreign residents with unstable domestic currencies to conveniently adapt to more stable currencies such as the USD, which could result in dollarization. Further, a cross-border capability competes against stablecoins and cryptocurrencies that already offer cheap and fast international payments.[11] These interlinkages depend on a jurisdiction’s access framework. If the underlying technology of a CBDC is token-based, foreigners have access to CBDC by default, whereas an account-based CBDC has the option to implement the aforementioned interlinkages (see Auer and Böhme, 2020). Regulators of multi-country currency areas must focus on cross-border capabilities accordingly. Most central banks lean towards a nationwide framework and don’t fixate on offering international money transfers, a study by Auer and others (2020) reveals.

3.2 Additional design choices

Auer and Böhme’s CBDC pyramid offers regulators an overview of design considerations in sequential order. Despite its detailed summary of various design principles, there are additional design choices central banks need to contemplate. Note that some of the following options help to fight risks associated with an introduction of CBDC (see Section 4).

For instance, CBDC has the capability to bear interest. Unlike physical cash, which is incompatible with interest rates, CBDC can carry positive and negative interest rates to modulate consumer behavior. Assuming that cash availability is restricted, a negative interest-bearing CBDC could effectively eradicate the zero lower bound. However, most countries only introduce CBDC in addition to cash rather than replacing it. One problem of interest-bearing CBDC is that, due to tax reporting requirements in numerous jurisdictions, account holders need to be identified, which conflicts with anonymous payment options (see Kiff et al., 2020).

In their paper, Christodorescu and others (2020) claim that an offline capability for CBDC can improve a payment system’s resilience by allowing users to transact without connection to the payment network. They suggest that, despite having no connection to the internet and therefore to the payment network, households and businesses should still be able to transact by using authorized hardware solutions such as credit cards and the like. Given potential power outages or areas without network access, regulators must consider introducing an offline capability for CBDC.

Another potential implication of CBDC is programmable money, often referred to as smart contract functionality. Essentially, smart contracts are code-based statements that execute actions (e.g. payments) if pre-defined conditions are fulfilled. To put this in perspective, programmable money allows processes to be automated with the inclusion of IoT applications and physical devices. Smart contracts can be applied to conventional databases or DLT infrastructures. Nevertheless, the code must be secure to prevent exploitation (see Bank of England, 2020).[12]

Additionally, “[r]ecent CBDC pilots have imposed limits on holdings and transaction size” (Kiff et al., 2020), in order to influence the management of CBDC holdings. Assuming central bankers want to prevent consumers from replacing bank deposits with CBDC, setting an upper limit on account holdings, limiting the maximal transaction size, and possibly even restricting convertibility of CBDC balances can effectively support regulators in this case. But akin to interest-bearing CBDC, an introduction of limits only poses a benefit if users can be identified.

Finally, attractive transaction fees can persuade merchants to accept CBDC payments rather than other digital payment services. Fees can be deducted at certain percentages or fixed amounts and depend on transaction types. Peer-to-peer payments could be free of charge, whilst payments to businesses would impose fees to cover the costs of providing the payment system (see Kiff et al., 2020).

4 Risks and Limitations of CBDC

Following the analysis of CBDC design considerations, Section 4 discusses the risks and limitations of CBDC. It is of utmost importance to differentiate these risks as every design choice causes various effects resulting in separate threats.

Assuming cross-border capability has been introduced and users have convenient access to foreign currencies, exchange rates could potentially be extremely volatile since currencies can be swapped easily (see Kiff et al., 2020). This could lead to very unstable exchange rate movements and therefore challenge internationally operating businesses, which depend on stable exchange rates to minimize their exchange rate risks.

Further, regulators must find a way to prevent the unlawful use of CBDC for illicit activities such as money laundering and terrorism financing. Fully anonymizing the usage of CBDC without any suspicious money flow tracking is equivalent to greeting criminals with open arms. Hence, central banks must choose a technology that can control against such activities and if needed block certain payments.

However, introducing a technology that grants no anonymity at all leads to another risk. While payment providers in electronic payments and payees in peer-to-peer payments have insight into personal payment data nowadays, CBDC generates payment data of individuals to which the central bank hasn’t had access before. As just one entity stores and verifies a lot of sensitive payment data, this data must be protected to the highest degree and offer a certain amount of privacy (see Groß et al., 2020). The Bank of England (2020) suggests that “[payers] could have anonymity with regards to [merchants and] other users, without having anonymity with regards to law enforcement”. Regardless, central bankers must be aware that consumers could refuse to use CBDC if inadequate privacy is provided.

The greatest threat, however, is a digital bank run, which could potentially lead to financial instability due to a disintermediation of commercial banks. After the introduction of a CBDC, users could start swapping their bank deposits for CBDC, so they can maintain a safe form of money digitally. A central bank can technically never default, since it is the only establishment permitted to print money, promising guaranteed safety of CBDC balances. Therefore, if sufficient individuals start substituting their bank deposits with digital central bank money, commercial banks might have problems staying solvent. Whenever one intermediary defaults, this could trigger a chain reaction of other intermediaries struggling to stay solvent, which could ultimately lead to a financial crisis. To prevent such a scenario, regulators must take action accordingly. One option is to promise private institutions credits if solvency becomes an issue. Another option is to restrict users from exchanging bank deposits for CBDC by imposing holding limits or convertibility limits. This way, keeping CBDC deposits becomes unattractive, incentivizing consumers to use CBDC as a medium of exchange rather than a store of value. Additionally, applying negative interest rates on CBDC balances has the same effect (see Groß et al., 2020).

5 Conclusion

With the rising popularity of cryptocurrencies in 2021, related topics such as CBDC, stablecoins or decentralized finance gained a lot of traction internationally. While more and more people are starting to invest in digital currencies, central banks around the globe are searching for answers to ongoing trends. Stablecoins’ growing market cap of 156 billion USD, the advancing reduction of cash usage due to the Covid-19 pandemic, and El Salvador’s adoption of Bitcoin as legal tender: all these developments validate why regulators push to explore CBDC and its impact on financial systems.[13]

However, cases like Ecuador’s or Finland’s failed attempts due to insufficient adoption demonstrate that any introduction of CBDC is met with several challenges. After providing background information, this paper has analyzed various design considerations before lastly discussing potential risks and limitations of CBDC. Considering the varying effects of different design solutions, the tricky part for central banks is to find a solution that covers all risks, while simultaneously providing an added value to the current payment system. Therefore, regulators must examine what design aspects they prioritize and, based on their jurisdiction’s motivation, determine what design features to implement accordingly. The CBDC pyramid offers a helpful start as it portrays what aspects to consider first. Additional design choices can help to mitigate certain risks. Personally, I think that the education problem of complex financial systems can slow down further progress as average people might lose interest in using CBDC.

Looking forward, it will be interesting to follow forthcoming developments around digital currencies and observe what design principles will be implemented in upcoming CBDC projects.

_

[1] In an article for Ideas for an Alternative Monetary Future Larry White implies that dollars held by the public in the form of government-issued credits are the same as an interest-free loan from the public and consequently a fiscal measure.

[2] Only two countries, i.e. the Bahamas and Nigeria, have launched a nationwide, ongoing CBDC.

[3] Most individual payments are processed through netting systems and can take up to one or two business days.

[4] Auer and others (2020) describe an additional fourth CBDC architecture, nearly identical to a hybrid CBDC solution. The intermediated CBDC model’s differentiating element is merely keeping track of the wholesale ledger rather than all transactions.

[5] In 2016 three projects, namely Jasper 1 (Canada), Brazil 1 (Brazil) and Project Ubin 1 (Singapore), explored the functionality of Ethereum for CBDC applications. All projects identified permissionless systems to be unsuitable for CBDC operations (see South African Reserve Bank, 2018).

[6] Transaction throughput of CBDC should match other payment system providers’ numbers. Visa can reach up to 65,000 transactions per second, whereas Bitcoin stagnates at 7 transactions per second (see Kiff et al., 2020).

[7] DLT systems can still be exposed to Denial-of-Service (DoS) attacks. In a permissioned infrastructure however, the possibility is near zero.

[8] Public-private key pairs enable asymmetric encryption and decryption of data, often used in various cryptocurrencies.

[9] Anti-Money-Laundering (AML) and Countering the Finance of Terrorism (CFT) are legal frameworks to fight money laundering and financing of terror activities.

[10] The People’s Bank of China (PBoC) proposed to allow foreign visitors of the Winter Olympics 2022 to access the digital yuan. One motive of the PBoC is to broaden the international use of the Yuan (see Huang, 2021).

[11] Many immigrant workers in the United States make use of the relatively cheap cross-border fees of cryptocurrencies, sending Bitcoin to their families all over Latin America.

[12] In 2016 an attacker managed to steal $60 million worth of funds by exploiting a mistake in the computer code of the DAO, a decentralized autonomous organization (see junion.eth, 2021).

[13] “Stablecoins are a class of cryptocurrencies that have a constant value over time. They represent a market cap of $154 billion as of [December 2021] which is [around] 7% of the total ecosystem” (Subburaj, 2021).

_

References:

Auer, R.; Böhme, R. (2020): The technology of retail central bank digital currency, Bank for International Settlements (BIS)

Auer, R.; Cornelli, G.; Frost, J. (2020): Rise of the central bank digital currencies: drivers, Bank for International Settlements (BIS)

Bank of England (2020): Central Bank Digital Currency: Opportunities, challenges and design

Bech, M.; Garratt, R. (2017): Central bank cryptocurrencies, Bank for International Settlements (BIS)

Boar, C.; Wehrli, A. (2021): Ready, steady, go? — Results of third BIS survey on central bank digital currency, Bank for International Settlements (BIS)

CBDCtracker (2022): https://cbdctracker.org/ (last accessed on 12.01.2021)

Christodorescu, M. and others (2020): Towards a Two-Tier Hierarchical Infrastructure: An Offline Payment System for Central Bank Digital Currencies, VISA Research

Deutsche Bundesbank (2021): Monthly report October 2021

Gensler, G. (2018): Course Blockchain and Money at MIT, Lecture 16 Central Banks & Commercial Banking, Part 2

Groß, J.; Klein, M.; Sandner, P. (2020): Digitale Zentralbankwährungen: Chancen, Risiken und Blockchain Technologie, Wirtschaftsdienst 100 (7)

Huang, R. (2021): As China Evangelizes Digital Yuan (e-CNY) During The Winter Olympics, Concerns Remain, Forbes

junion.eth (2021): The DAO Hack: The Story of Ethereum Classic, https://www.youtube.com/watch?v=rNeLuBOVe8A (last accessed on 18.01.2021)

Kiff, J. and others (2020): A Survey of Research on Retail Central Bank Digital Currency, International Monetary Fund (IMF)

Rosenfeld, E. (2015): Ecuador becomes the first country to roll out its own digital currency, CNBC

South African Reserve Bank (2018): Project Khokha: Blockchain Case Study for Central Banking in South Africa

Statista Research Department (2021): https://de.statista.com/statistik/daten/studie/325609/umfrage/inflationsrate-in-ecuador/ (last accessed on 07.01.2022)

Subburaj, V. (2021): Stablecoins: What are they? And how are they redefining the crypto ecosystem?, The NEWS Magazine

White, L. (2018): The World’s First Central Bank Electronic Money Has Come — And Gone: Ecuador, 2014–2018, Ideas for an Alternative Monetary Future
