Professional Documents
Culture Documents
In recent times, we have been witnessing well overdue transformational change and
increased digitization within the payments space. With the growing interest in private
sector digital currencies and their growing acceptance, combined with the reduction
in everyday use of physical cash in parts of the world, this has opened a wealth of
new opportunities and risks for central banks and financial institutions across the
globe. As recently stated in an AWS publication, we have seen over 85 countries,
representing nearly 90% of the global GDP researching the possibility of
launching their own retail Central Bank Digital Currency (otherwise known as a
'CBDC') [1]. However, as central banks begin to critically evaluate the benefits and
limitations to developing a CBDC, it has been documented that they are all
considering different approaches and designs, either individually or in conjunction
with other countries or international institutions (i.e. BIS) to address the variety of
localized needs, use cases and scenarios of each respective country.
It has been cited by global policy-makers that CBDCs have the potential to serve as
either a complement to or replacement for each of the different existing and
emerging payment instruments: cash, deposits, stablecoins, etc. Central banks will
need to determine where they would want their adoption to be focused, based on
either a limited number of specific use cases or widespread to bring about more
significant transformation to their jurisdiction. The desired role of a CBDC may evolve
with policy objectives but starting with a clear unifying goal and vision will help align
with other monetary policy decisions.
Introduction
As previously discussed, let's quickly take stock of what a CBDC is and what types of
models we are seeing either researched or developed to-date. A CBDC is a new form
of digitized sovereign currency, which is stated to be equal to physical cash or
reserves held at the central bank. In laymen terms, CBDC can be viewed as the
electronic form of central bank money that citizens can use to make digital
payments and store value. What makes it different to e-money is that it is central
bank money, or a component of the monetary base and a direct liability of the
central bank. Currently, central bank money is composed of physical cash (coins
and bills) and reserves held at the central bank by financial institutions with access
to the central bank’s deposit facility. Hence, a CBDC would constitute a third form of
central bank money (see diagram 1 below).
As of today, we understand that the general public holds central bank money in the
form of physical cash (coins and bills). For countries attempting to move towards
CBDC adoption, there are two primary methods of adoption, either through retail or
wholesale CBDCs. A retail CBDC (also called “general-purpose” CBDC), would
constitute the first digitised form of central bank money and liability the general
public could own. With a retail CBDC, in principle the public could have accounts of
the digitised fiat currency within the central bank, or hold CBDC on mobile devices,
prepaid cards or other forms of digital wallets. While the central bank issues and
manages retail CBDC (through ecosystem participants, such as commercial banks
and payment service providers - PSPs), they could be involved in the CBDC
monetary system through either a one or two-tiered structure, facilitated by the
offering of interoperable payments and services.
A visual representation of the two key model types for CBDCs is illustrated below
(diagram 2), demonstrating the relevant issuance mechanisms (one-tier vs two-tier).
As central banks pursue further research into the solution based technical
implementation of their CBDC, there are a number of technical design decisions that
will need to be factored in to determine and shape the high-level architecture of the
system. These no doubt lead and arise to a number of questions which can only be
addressed by taking a clear view of the problems that a central bank is trying to
solve. It is essential to consider the type of tool it seeks to build to address its
individual use case. The establishment and setting of a clear vision are indeed a
critical step in dictating the technical and operational parameters within which a
CBDC must operate.
After the end-state 'To Be' CBDC design is fully defined, realised and achieved by
policy-makers, the next evolution in the digital journey should be to identify and
investigate the most appropriate technology stack to deliver the CBDC. As
highlighted by the World Economic Forum (WEF) report on their Policy Toolkit
(January, 2020), it would be prudent and valuable to wait until as late in the process
as possible to identify the target technology solution, suspending preconceived
notions in order to allow for more flexibility and informed technology decisions,
something in which we've seen the US do compared to other nations such as China
[2]. It is cited that any CBDC issuance and design can be seen as a largely
technology-agnostic decision. It is important for policy-makers to conduct their
own research to fully evaluate technology solutions and providers, and they should
be wary of simply selecting a convenient technology solution without the
appropriate due-diligence.
This evidently leads to the key question, "what infrastructure might the different
CBDC architectures require for the central bank, and how could they be
implemented in the most resilient way?" This decision could be represented as the
second tier of the CBDC pyramid, which would follow immediately after the decision
on the IT architecture because the infrastructure requirements for the central bank
differ substantially across the three architectures. The CBDC IT infrastructure could be
based on a conventional centrally controlled database, or on a novel distributed
ledger using Blockchain technology. Diagram 3 below demonstrates how elements
of DLT could play a role in CBDC. The first DLT-related design choice hinges on
whether the authority to update the database is centralised or delegated to a
network of identified and vetted validators (see diagram below).
Indirect vs Direct IT Model Architecture for a CBDC
If we examine the indirect nature of a CBDC model, it would loosely follow and
imply loads similar to those seen in today’s banking system. By contrast, the direct
model for a CBDC would require massive technological capabilities, as the central
bank processes all transactions by itself, handling a volume of payments traffic
comparable with that of today’s credit or debit card operators [3]. There is a third
option which is the hybrid CBDC. This CBDC based architecture is more complex to
operate than the indirect model because here the central bank does maintain retail
balances which isn't what central banks are known to traditionally manage and
operate. Nevertheless, it could be potentially implemented at scale using today’s ever
evolving technology and with a relatively modest infrastructure.
As highlighted in recent BIS study (BIS Quarterly Review, March 2020), conventional
and DLT-based infrastructures often store data multiple times and in physically
separate locations [3]. The main difference between both of the infrastructure
designs lies in how data is updated. In conventional databases, resilience is typically
achieved by storing data over multiple physical nodes, which are controlled by
one authoritative entity – the top node of a hierarchy. By contrast, in many DLT-
based systems, the ledger is jointly managed by different entities in a
decentralised manner and without such a top node. Consequently, each update of
the ledger has to be harmonised between the nodes of all entities (often using
algorithms known as “consensus mechanisms”). This typically involves broadcasting
messages and then awaiting replies on multiple messages before the transaction can
be added to the ledger with finality (the moment at which funds transferred from
one account to another, officially become the legal property of the receiving party).
The IT overheads needed to operate and manage a consensus mechanism is the
main reason why DLTs have lower transaction throughput than conventional
architectures [3]. Specifically, these limits imply that current DLT could not be used
for the direct CBDC except in very small jurisdictions, given the probable volume of
data throughput. However, DLT based infrastructure could be potentially leveraged
for the indirect CBDC architecture, as the number of transactions in many wholesale
payment systems is comparable with that handled by existing blockchain platforms,
as also demonstrated in several wholesale CBDC projects (as discussed by Bech,
Hancock, Rice and Wadsworth in their paper on the Future of Securities Settlement
(2020)). Enterprise versions of DLT might also be feasible for the hybrid CBDC
based architecture but the existing research efforts on this area is still in its infancy
stages [4].
With blockchain and DLT based solutions that are currently being examined for
CBDC prototypes to manage ledgers, we have witnessed varying levels of
decentralisation. Most projects to-date have so far have chosen private,
permissioned iterations of open-source and public blockchain technology to
furnish pilots. Consensys stated in their technical CBDC paper (2020) that Blockchain
technology can be used by central banks to support both types of CBDC (retail
and wholesale). For example, DLTs could be leveraged as an alternative approach to
existing wholesale central bank systems, which includes either real-time gross
settlement systems such as CHAPS, Target 2, Fedwire, or deferred net settlement
systems like BACS, EURO1, TIPS, ACH. Also, it could potentially be used to create
platforms for the distribution and issuance for retail CBDCs on a far broader scale,
and offer a true government-backed electronic cash-base system.
In particular, Corda, Fabric, and Quorum have successfully proven that blockchain is
a formidable technology for the development of CBDCs, at least as a prototype.
More recently, we have seen next-generation public networks being developed and
utilized for high profile CBDC projects, including the Banque de France’s Digital
Euro program, built on Tezos, and the Marshall Islands’ pioneering their
sovereign currency, built on Algorand [5], to name but a few.
Whilst we have observed many central banks expressing some degree of interest in
DLT-based approaches (for both wholesale and retail use cases), most of the current
experiments or pilots conducted to date have focused on primarily on the wholesale
model. Existing projects include Project Ubin (Monetary Authority of Singapore),
Project Khokha (South African Reserve Bank), China’s DC/EB, and Project Stella
(joint research project by the ECB and the Bank of Japan).
The creation of any CBDC which promotes seamless and efficient transfers between
citizens can be viewed by regulators a means for establishing new market
standards, encouraging financial institutions operating in the retail space a new
way forward to improve their value proposition to consumers. Such
improvements could include potentially longer operating hours (24/7), richer data in
payment messages and greater transparency on the processing status for payments,
higher interoperability between different platforms and finally further development
of programmable money (which is one if key value propositions to adopting
blockchain technology).
It is still relatively early to make a judgement on whether DLT can be used for the
Retail CBDC use-case but with future innovation in this space, I am confident that it
can offer more depth for this solution design discussion in the future.
Furthermore, dependent on the technology chosen for the CBDC platform, policy-
markets will need to develop new forms of technical expertise (SME), particularly
given the great magnitude of consequences linked to economic activity, financial
stability and public trust in event of system failure. Such concerns could be partially
addressed by outsourcing or partnering with technology providers to support the
delivery of a CBDC solution, which has been seen across the globe in central banking
projects related to CBDCs. However, managing new third-party vendors and partners
may still require increasing technical capacity and should be appropriately vetted
and evaluated to determine the appropriate selection of the vendor.
There are a number of different design choices for a CBDC instrument and for the
underlying CBDC system [6]. These choices all have some bearing on one another
and thus making a coherent set of choices will be essential for smoothly functioning
and working system.
The BIS recently stated in their foundational principles and core features report
(2020), the impact of design choices is a complex challenge. Whilst CBDC research
remains a young field with limited pilot examples or testing at scale, it will be crucial
to examine how a system could work, which includes understanding the respective
roles of both the private and public sector.
Key policy makers will need to strive to better understand technology design choices.
As previously mentioned in this article, existing literature to date has discussed
choices around ledger technology (distributed ledger technology (DLT) versus
conventional databases) and their associated data structure (which either captures
individual CBDC units or maintains a combined balance for an individual’s account).
The architecture and design choices (for example, roles and information flow
between participants) can be more sensitive to policy decisions and require
specification early in the design process.
Based on the above diagram which is taken from the AWS CBDC study with Oliver
Wyman [1], there are four primary roles that can be examined when it comes to
CBDC management. CBDC system management can be defined by how the core
ledger and processing infrastructure is run. At a very minimum the private sector,
acting as distributors, can play a role in connecting citizens to the CBDC network by
providing gateway access. However, if a more expansive role is desired, CBDC
distributors may also operate parts of the CBDC infrastructure, by processing
transactions (for example, validating those transactions are correct, posting
transactions, and producing the necessary messaging) or by storing relevant data.
The next item on the role list is CBDC account management. This can be defined as
the creation of end-user accounts and the processing of corresponding transactions.
Such policy- makers may want end users to have a CBDC distributor (potentially
through a third party) playing an expansive role in deliver which would include
managing access, authenticating the identity of users, and possibly even processing
granular-level transactions so the CBDC system only has to process distributor-level
transactions. Also, policy-makers may wish to minimize reliance on such
intermediaries and promote mechanisms for individuals to access the infrastructure
more directly (for example, through a non-custodial wallet). In such cases, the private
sector could still play a critical role in authenticating identity and performing know-
your-customer (KYC) checks as part of CBDC account creation process for end users,
if desired by central banks.
The third item is related to CBDC-based payment services which would include
additional customer-facing services that include user interfaces (mobile applications),
value-added functionality, merchant services, payment gateways, customer support
services and potentially other forms of programmability. These are not services that a
central bank currently undertakes or is involved with will be unlikely to consider
delivering itself but are critical to a country’s payment system. Distributors can play a
large role in end-user services. However, non-distributors may also be active in the
space by leveraging system access provided by a distributor. Policy makers should
work to ensure that non distributor access to the system has low barriers of entry.
This can then incentivize actors in these areas to adapt their services to support the
delivery of the CBDC and to encourage the evolution of a competitive and innovative
market.
Finally, we have CBDC governance which defines the processes by which policy-
makers undertake decisions over the structure, capabilities, and technical features of
a CBDC system. Policy-makers will need to consider not only what role the private
sector plays in the functions above but what role they play in how those functions
evolve over time. Central banks cannot assume the private sector will want to serve in
the role of distributor. Hence, it is critical that the central bank provides clarity
around expected investment costs, risks, and potential business models of this key
role which is an area that a lot of work is currently being explored by central banking
institutions. Such types of incentives that might be appealing are also likely to evolve
over time, which requires considering viable business models at time of launch and
at future points. Developing hypotheses and scenarios for how these business
models may evolve over time can support continued engagement and participation
of the private sector.
Financial privacy for transactions is individuals which is key debate when it comes to
CBDC design and privacy protection consistently ranked in public surveys as one of
the top priorities for payment systems [7]. At the most basic level, a payment system
can attempt to provide anonymity for its users by identifying them using
pseudonyms rather than persistent identifiers and such undertaking for CBDC is
crucial and central to its final design.
As stated in a recently published SUERF paper (2021) on "how to issue a privacy-
preserving CBDC", data relating to payments can be particularly revealing, and a
CBDC could potentially provide a great deal of data on citizens, making them
vulnerable to malicious use for political or commercial purposes. We thus believe
that a successful CBDC would need to provide credible transaction protections in
order to gain broad public acceptance. Moreover, privacy is not just an individual
value, it also has a social value. Privacy is essential for a free society and democracy.
The potential privacy aspects for CBDCs must be designed to answer questions such
as “who should have this data and when?”, under which circumstances?”, “who
should verify or sign off on changes to this data?” and “what evidence must be
furnished to determine whether a proposed update is valid?” All are significant
questions that need to be well thought through. Central banks will need to make
careful decisions about user privacy in any CBDC system, factoring in a number of
different dimensions, starting with whether the identities of transaction participants
remain anonymous. Different participants in the system may be granted different
levels of visibility into user information, such as CBDC distributors, payment
services providers (PSPs), and central banks themselves. Policy-makers must also
need to establish the conditions under which public entities can access both
data and metadata from the CBDC system (for example law enforcement or national
security investigations), and how such data can and may be shared within the private
sector.
To achieve the optimal design for privacy, policy-makers will need to rely on a
multitude of modern technology, including cryptographic techniques that can
mask identity, and data governance policies, such as regulations that access and
limit usage. Such implementation of said technology can help reduce the probability
that the desired privacy approach is undermined by institutions violating regulations,
or by a change in political direction. Also, such implementation through government-
based policy can provide greater flexibility to adapt to changing societal expectations
and desires.
Furthermore, more advanced technological features to address privacy can include
transaction tear-offs where transactions are structured in a way that allows them to
be digitally signed without disclosing the transaction’s contents, key randomisation
where parties linked to a transaction are identified only by their public keys, and
fresh key pairs are generated for each transaction which leads to an onlooker not
being able to identify which parties were involved in a given transaction, and state
reissuance where when a new transaction is created, input states are included in the
proposed transaction by reference. These input state references link transactions
together over time, forming a transaction backchain. Long transaction backchains
are undesirable as resolution along the chain slows down performance. As well as all
backchain transactions are shared with the new owner [8].
It's not just privacy that is crucial to evaluate. A retail CBDC has the potential to
impact individuals in many ways beyond privacy. Other considerations may include
how to ensure additional individual protection and rights. How these are to be
considered can vary across jurisdictions as will the approaches and philosophies used
in securing them, whether that involves policy, law, the market, or a combination of
mechanisms and some of these will have a greater influence on technology design:
the ready access of data collected about individuals, and redress in case of
mistakes through lost authentication, fraud, and systemic IT failures [1].
Beyond privacy, some jurisdictions may also want to provide individuals with access
to their own data as well as the ability to easily port their data and switch providers.
Some policy makers may want to provide even further means of individual
autonomy and provide individuals with the ability to interact directly with the CBDC
system through distributor managed software. Another important protection is
ensuring individuals have access to their claim over the central bank should a
distributor have an insolvency event or attack. Operational resilience will have to
meet or exceed current payment system standards.
Based on the above illustrative policy trade-off diagram, there are a number of trade-
offs that policy-makers will need to consider when discussing the above decision
points.
Depending on the current and future central bank capacity and the desired level of
public-private partnership, policy-makers can design a CBDC system to have more or
less centralised control over the core system. In this scenario, such policy-makers can
have full control over the regulatory environment. The key question here is the
extent to which there is distributed control over transaction processing and
storage of core ledger data. It can be argued that the control of the CBDC network
can be reserved entirely for the central bank or decentralised to incorporate a large
number of trusted private-sector entities. Incorporating fully centralised control
could limit the need to negotiate with a collection of governing entities, which would
afford central bank identities more control over system design and potentially
speeding decision-making.
What role the private sector will play will ultimately depend in part on existing
institutions and their relative levels of maturity We have seen that with central
bank in countries which are less developed financially may opt for more centralized
control, while the central bank of a country with a diversity of firms ready and
engaged in the payment system may opt for a more distributed model.
Conceptualizing how the technical layers of a CBDC will need to be designed and
structured is no simple feat. Firstly, the technology stack can be viewed as the set
of hardware and software tools/frameworks leveraged to provide the complete
set of functionalities needed for an application or system. There are many ways
to represent the layers of a CBDC technology stack, which will inevitably differ across
implementations which is evident based on the work undertaken to date by central
banks across the globe. In this section, we attempt to generalize this stack into four
distinct layers, which serve to represent functionality that would exist in both DLT
and conventional database architectures.
Incidentally, the BIS in their latest publication (2022) on Project Dunbar (international
settlements using multi-CBDCs) had a slightly different outlook on the CBDC
technology architecture, citing four key areas including Application Architecture,
Data Architecture, Infrastructure and Security [8]. It can be argued that these
areas loosely follow the layers below, with the network layer covering both the
infrastructure and security areas, with transactions being seen as something which
flows through the entire end-to-end technology stack.
The network layer controls the mechanism through which participants in the CBDC
system will be discovered, validated, and have information propagated to them. A
well-functioning network layer can be supported through high-speed network
connections, such as a cloud network’s internal backbone. Redundancy in these
connections also supports a resilient system across participants. As cited in the BIS
paper for Project Dunbar, if a DLT based solution was to be leveraged using say for
example the Corda network, it would be structured as a peer-to-peer network,
comprising of nodes. Each node represents a legal entity, and each runs the Corda
software which is an instance of Corda and one or more Corda applications
(otherwise known as CorDapps). All communication between nodes is point-to-
point and encrypted using transport layer security (TLS). This would imply that all
data is shared on 'a need-to-know basis'. Virtual machines would be leveraged to run
network identities running this software, with the use of messaging queues through
TLS encryption.
Other technical considerations for the network will also include network services
which identify the nodes involved in the transaction, identity manager services
acting as a gatekeeper to the network, signing services which would acts as the
bridge between the main network map and identity manager services, and the public
key infrastructure (PKI) and hardware security module (HSM) infrastructure.
Finally, a network cluster would provide uniqueness through a consensus by
attestation for a given transaction, has not already signed other transactions that
consume any of the proposed transaction’s input states. This would prevent the issue
of 'double spend' [8].
The transaction layer defines the CBDC data and transaction structure. This layer’s
design depends on choices made about how transactions are to be processed and
approved. Basic transaction posting and advanced payments logic can be supported
at this level to support multiple transaction types and validation structures.
Event-driven architectures can support scalable transaction processing and are
designed to optimize the per transaction cost structure.
The data layer defines what and how much transaction data is stored, current
global state, and system event logging. This layer’s design depends on choices
made around data management, access, and storage. High availability datastores
with synchronous data replication will underpin data storage for both centralized and
decentralized architectures. Additional data access controls will also support data
privacy. Going back to the Project Dunbar publication released by the BIS, CorDapps
(Corda distributed applications) would sit at this layer, which are distributed
applications that run on the Corda platform, and the Corda vault, which acts like a
database to store on-ledger shared facts for a node.
The final layer is the application layer, where end-user functionality and business
logic can be implemented. This logic, whether built into or built on the core CBDC
stack, can be implemented through cloud native or containerized solutions.
Additionally, the interface to distributor software can be supported through private
links or an API gateway. Such design configuration options presented in this
section will impact functionality within each of these layers, with policy-guided
system management design decisions impacting how differing participants operate
in each individual layer.
Finally, Digital wallets are software applications (dApps) through which users would
be able to interact with the CBDC system and would sit at the application layer. A
digital wallet typically allows users to view their balance in one or more accounts,
make payments, receive currency or digital assets from other users and sometimes to
trade assets or execute other financial transactions. The design and functionality of
digital wallets are crucial not only for usability but also for security (users do not like
to lose their money) and for privacy.
System management defines how the core ledger and processing infrastructure is
run. This moves along a spectrum from highly distributed control of the CBDC system
across a set of distributors to highly centralized control of the system by the central
bank. Additionally, transaction processing would be a core function of the CBDC
solution for processing of transactions would cover the validation and transaction
logic. Data storage would also be a key component under system management
where central banks will need to set policies governing access to both transaction
data and transaction metadata.
Wallet and account management defines how end-user accounts are created and
how end users interact with their funds. This moves along a spectrum from high
individual control of personal funds to high reliance on a distributor for control of
those funds. Wallet and account types can be determined by leveraging three
separate design decisions, based on the responsibilities of distributors in the delivery
of CBDCs. But who bears responsibility for fund custody is a crucial design criterion. If
it is custodial based then a third party holds all information necessary to sign and
submit a transaction on behalf of the user, thus assuming custody over these assets
on behalf of the user. If it is non-custodial then an individual would hold all
information necessary to sign and submit a transaction on their own.
The foundation to any CBDC would be a digital record of all of the transactions that
have taken place in a system. Such a record is often referred to as a digital ledger
and can be viewed abstractly as a digital bulletin board where all transactions are
posted [9]. The transactions in the ledger cumulatively determine the account
balances in the system. In the context of a retail CBDC, it would assign account
balances to individual users, necessitating a regime for account management as
discussed earlier, with a supporting notion of identity concepts.
One of the key goals for any CBDC would be to track the balance of its users,
allowing each to transact only his/her coins. This coin cannot be a simple file, and a
transaction cannot be the transmission of the file from one user to another. If it was
done this way, the sender could keep his/her copy and thus keep the coin whilst also
sending it. Existing global currency systems maintain a global state, comprising
the balances of all users. This includes everything from banks' per-client balance
tables. Updates to these states are called transactions, simple transfers of funds or
interactions (which in the DLT world are facilitated through smart contracts). If DLT
were to be adopted by central banks, they would be typically aggregated into so-
called blocks, each containing many transactions and the blocks are linked to form a
chain, hence the terminology ‘blockchain’.
To avoid any vulnerability to a crash or misbehavior to the system, the blocks and
state should be replicated, i.e. stored and processed concurrently by multiple
machines. The challenge here is to thus orchestrate these machines, despite
network latencies and arbitrary misbehavior by a subset of them. Even in a
centralised architecture-based setting, there are hardware failures so it is prudent to
IT system design to incorporate multiple nodes for fault tolerance.
In addition, a commonly cited requirement in current white papers for future CBDC
systems is the ability to perform offline transactions. The reasons behind this are
many, including the need provide resiliency in the case of lost network connectivity
and the enabling access to funds in case of natural disaster and in areas of poor
electrical or internet connectivity, which are critical to financial inclusion goals. Policy-
makers will need to bear in mind a set of high-level considerations regarding the
system design and challenges of offline transactions. A primary concern with
regards to offline payments is security. Online transactions are validated in real-
time to ensure and support funds are not spent more than once (double spend
problem) and that the funds themselves were in fact issued by the central bank. In an
offline setting, validation is dependent on a number of technological components
including the hardware and software of the devices which are used to complete the
transaction (this can include dedicated electronic devices, smart phones or
smartcards). A highly secure design to mitigate compromise of these devices is
paramount to any CBDC design.
The primary options [9] for policy makers for core ledger design includes the
following:
1. Centralised Ledgers
2. Centralised but Verifiable Ledgers
3. Semi-centralised Ledgers
4. Decentralised Ledgers with Central Bank Monetary Control
Centralised but Verifiable Ledgers: Even in a centralized setting, there are still ways
to limit the trust that clients need to place in the servers maintaining the ledger. In
particular, authenticated data structures (ADSs) provide a method by which a
server, in possession of some data, can prove things about that data to a client who
does not necessarily trust the server to give accurate answers.
For example, a citizen receiving money in a CBDC may want to ensure that the
transaction in which they are being paid has gone through before providing any
goods or service; i.e., they want to check for the inclusion of this transaction in the
ledger. Rather than having the server simply tell the client if the transaction is
included or not, in an ADS the server also provides cryptographic proof of inclusion
that the client can verify. The main guarantee of an ADS is that it should be
impossible for a server to provide valid proof for a response that does not accurately
reflect the data it has stored.
To satisfy this requirement, clients must have some commitment to the data stored
by the server, which the clients can then check the proof against. This commitment
acts as a cryptographic fingerprint of the state of the entire dataset at a given
point in time and is updated as the data changes; crucially, while it covers the entire
dataset its size is a small constant that is independent of the size of the dataset.
The basic design considerations of protocols for semi-centralized systems are similar
to the centralized case. Indeed, the distributed systems literature puts them in the
same category, implementing a replicated state machine by a set of predefined
nodes. However, the large number of nodes make classical solutions problematic –
the amount of communication they require is typically quadratic in the number of
nodes, making them prohibitively slow among many independent parties.
In one example, central banks could program digital currency with logic so it can be
spent only for a designated purpose. For large companies at the helm of complex
supply chains, programmable currency promises the instantaneous delivery of
payment upon product receipt. A CBDC could bring a plethora of economic benefits
including automated payments, such as paying toll road usage; automated
checking of money laundering; automated collection of taxes; and distribution
of consumer support in emergencies [16].
As Alexander Lee of the Federal Reserve recently wrote, the term “programmable
money” remains ill-defined. Lee differentiates between “programmable money” and
“programmability” [16]. He notes that there are two natural components of the
definition: 1) a “digital form of money” and 2) “programmability” which is a
“mechanism for specifying the automated behavior of that money through a
computer program.” There is little new about programmability per se, as Lee notes
“given that various combinations of similar technology for payments automation
have existed for decades.”
It is also worth noting that each part of this process highlighted above is covered by
a formal legal contract signed (sometimes electronically) between the customer and
the bank; by formal codes of conduct adopted by the banking industry; by national
consumer legislation; and importantly, by laws relating to dispute resolution, where if
the bank is at fault, the actions will be reversed (and where necessary restitution is
made). In its original definition, this has been labeled a “smart contract” or a
combination of automated and legal processes to achieve a particular (in this case
financial) objective [16].
We have seen with recent literature on programmable money that it is very much a
work in progress. One major key ongoing challenge (especially with cross-border
payments) is the prevention of money laundering, fraud, and terrorist financing.
Central bank digital currency (CBDC) can be programmed with anti-money
laundering logic to reduce and mitigate fraud.
At an extreme PoV, potential, desirable smart contract features that are not provided
by the CBDC platform itself, may be achieved by relying on third party custodians
[9]. This is already the case, for example, with stablecoins such as Coinbase’s USDC
which is backed by deposits of dollars custodied by Coinbase itself as a third party,
hence relies in trust in them as an administrator. It may be feasible that limiting the
extensibility of the CBDC in an attempt to improve safety may have the unintended
effect of driving more users to services outside the sphere of influence of the central
bank which could be a positive thing. This may be an argument in favor of the CDBC
providing smart contract features.
As highlighted by Alexander Lee from the Federal Reserve (June, 2021), "These
incentives can be viewed as falling within at least three broad categories of
economic incentives, legal incentives, and reputational incentives. These
categories are not mutually exclusive, though certain would-be providers of
programmable money may rely more heavily on some of them than on others."
Whether future CBDCs are retail or wholesale based, it has to have the same price
stability and level of trust. It is important to note that trusting an organization like
a central bank also means trusting that country’s economy and that it will be pivotal
in determining if programmability can be designed into a CBDC architecture. While
"programmable money" as a term has originated within the public blockchain
community, as a concept it does not necessarily need to involve DLT at all.
Conclusion
We have covered a broad range of technical design features in this article and we
have only just scratched the surface of what a CBDC technical stack could look like
for central banks. The complete journey for policy-makers for CBDC discovery all the
way through to their launch is a multi-year effort that requires close collaboration
between policy makers, technology teams, and all impacted stakeholders.
Throughout this journey, there will likely be many points at which various countries
decide to continue, or not, toward a CBDC launch which has been evident on the
work existing central banks have conducted. Research, experimentation, and
collaboration along the way can ensure that if a central bank makes it to launch, they
will have a well-designed policy-driven CBDC system.
Throughout the multi-year program for central banks and their policy-makers, many
new technological considerations (over and above what has been discussed here) will
likely emerge and have an impact on policy. Policy-makers must stay on top of such
developments in order to refine their policy choices which will ultimately dictate the
final design of their CDBC. Those closest to new technological advancements will be
best positioned to understand it. We should also consider that there may potentially
be second-order effects that are best understood when there is clarity on policy
objectives. As the iterative process progresses, every CBDC design decision needs to
be evaluated both for its technical ability to meet functional requirements and for its
impact on the ability to meet today's and tomorrow's policy objectives for central
banks.
Finally, experimentation by central banks should continue whether it's wholesale or
retail based but that does not require a final decision about whether or not to launch
a CBDC. Many countries are awaiting the results from their own and other’s
experiments before finalizing their decision. CBDC systems will need rigorous
technical experimentation around system requirements for resilience, throughput,
and scalability, for example, before determining if the system can achieve policy
goals.
Citations:
1. Retail Central Bank Digital Currency from vision to design: A framework to align
policy objectives and technology design choices (March, 2020)
https://aws.amazon.com/blogs/publicsector/approaches-retail-central-bank-digital-
currency-aligning-technology-policy/
2. Central Bank Digital Currency Policy-maker Toolkit (January, 2020)
https://www3.weforum.org/docs/WEF_CBDC_Policymaker_Toolkit.pdf
3. The technology of retail central bank digital currency (March, 2020)
https://www.bis.org/publ/qtrpdf/r_qt2003j.pdf
4. On the future of financial securities settlement (March, 2020)
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3561195
5. Infrastructure and design of Central Bank Digital Currencies (May, 2021)
https://bisontrails.co/downloads/bison-trails-infrastructure-and-design-cbdcs.pdf
6. Central bank digital currencies: foundational principles and core features (December
2020) https://www.bis.org/publ/othp33.pdf
7. How to issue a privacy-preserving central bank digital currency (June, 2021)
https://www.suerf.org/suer-policy-brief/27227/how-to-issue-a-privacy-preserving-
central-bank-digital-currency
8. Project Dunbar: international settlements using multi-CBCS (March 2022)
https://www.bis.org/publ/othp47.pdf
9. Design choices for Central Bank Digital Currency: policy and technical
considerations (July, 2023)
https://www.brookings.edu/wp-content/uploads/2020/07/Design-Choices-for-
CBDC_Final-for-web.pdf
10. Fast and secure global payments with stellar (October 2019)
https://dl.acm.org/doi/10.1145/3341301.3359636
11. Libra white paper: Blockchain (June, 2019) https://libra.org/en-US/white-paper/.
12. An ECB digital currency – a flight of fancy? (May. 2020)
https://www.ecb.europa.eu/press/key/date/2020/html/ecb.sp200511~01209cb324.en.h
tml.
13. Frontrunning in decentralized exchanges, miner extractable value, and consensus
instability (July, 2020) https://ieeexplore.ieee.org/document/9152675
14. How China’s new digital yuan app makes money programmable (September, 20210)
https://www.theblockcrypto.com/news+/117641/china-digital-yuan-smart-contract-
programmable
15. China's digital yuan shows why we still need cryptocurrencies like bitcoin (February,
2022) https://edition.cnn.com/2022/02/04/perspectives/china-digital-yuan-
cryptocurrency-bitcoin/index.html
16. CBDC: how dangerous is programmability? (September, 2021)
https://sites.law.duke.edu/thefinregblog/2021/09/21/cbdc-how-dangerous-is-
programmability/
17. As programmable money emerges, central banks ramp up for tokenized economy
(March, 20201) https://www.forbes.com/sites/sap/2021/03/25/as-programmable-
money-emerges--central-banks-ramp-up-for--tokenized-economy/?sh=6d352354c402
18. What is programmable money? (June 2021)
https://www.federalreserve.gov/econres/notes/feds-notes/what-is-programmable-
money-20210623.htm