Central Bank Digital Currency: A Design Guide

Updated: Mar 24, 2021


Just over a year ago, central bank digital currencies (CBDC) were perceived as an exciting fringe topic that might have passed through your newsfeed but didn't warrant a dinner time conversation. Since then, Covid and the rise of cryptocurrencies have shaken the world economy to the point where dare we say it – central banks regularly use the words 'distributed ledger technology,' 'digital currency,' and 'blockchain.' Without getting into the detail of what has changed (because that requires at least five dinner time conversations), it is essential to know that Central Banks around the world are increasingly researching and developing CBDC (check out cbdctracker.org); this matters because the CBDCs that we might end up using will fundamentally alter how we transact, who is transacting, and how the transactional data can be used. For this reason, we wanted to help you understand a little bit more about how we can design these CBDCs.


Designing a CBDC


In January of 2020, the World Economic Forum (WEF) published the Central Bank Digital Currency Policy Maker Toolkit. It is designed to be an evaluation and design guide for policy-makers considering embarking into the murky waters of CBDC development. This framework is helpful because it has aggregated several complex topics into a sequenced decision flow-chart (Figure 1). CBDC design and tech, steps 9 and 10, respectively, have gained particular attention over the last year.


This article digs into general-purpose CBDC design features and challenging technological decisions that digital architects, policy-makers and bankers are currently working on. Arguably, the paper could be many pages longer, but we wanted to offer more of a stock-take review so that you, the reader, could see the larger design picture more easily. We expect that the inventory of features and issues will continue to change over time as evaluations and testing proceeds. Still, we stand at a fascinating point in the continuing journey towards digital economies at this moment in time.


Figure 1: Policy-makers decision flow chart.

Source: World Economic Forum. (January 2020). Central Bank Digital Currency Policy-Maker Toolkit. Insight Report. Centre for the Fourth Industrial Revolution.


The Feature Set


If anything, efforts this past year have evolved toward the design process of CBDCs. Moves toward CBDCs are now about solving implementation issues, not about the probability of use. This section reviews 13 design components that central banks around the world are exploring. The customized combination of these elements will vary among countries to reflect both local context and international relationships. Of course, design sensitivities and interdependencies will come into play when combining these features, so reader beware – customization is essential.


1. Structural design – the business model


Central banks are the only entity that can issue and redeem a CBDC. However, central banks can decide how directly or indirectly they are involved in the operations and use of a general-purpose CBDC. This structure will impact claims and payment processing, including where the associated transaction/balance records are kept, and maybe even having a direct CBDC e-wallet. This structural design is largely a business model choice. John Kiff of the International Monetary Fund provides this helpful diagram for CBDC business model considerations where PSPs refer to payment service providers (Figure 2).

Figure 2: CBDC Business Model Considerations

Source: Kiff, J., (March 17 2021). Retail Central Bank Digital Currency: Operational Considerations. International Monetary Fund. Presentation to CBDC Think Tank Online.


The centrality level that a bank opts for should be considered on a spectrum from entirely direct, to entirely indirect, with hybrid options in between.


A CBDC would remain a claim on the central bank in a perfectly direct model, and the central bank would be responsible for the payment systems and all ledgers. Central banks would disintermediate commercial banks, which would expand most central bank mandates – intentionally kept very narrow currently. Central banks would likely need to take on lending activities not to dry up retail credit markets. In the case of account-based direct CBDC (see the following section for discussion on account versus token), central banks would be forced to enter into the world of digital identity management. Know-your-client (KYC) practices and onboarding could be outsourced to intermediaries, but the standards would still be centrally established and maintained. This approach could significantly reduce costs as an entire layer (and its associated profits) once in place; however, the cost of establishing this system and the resultant operational costs are immense.


In an indirect retail CBDC model, commercial banks or intermediaries would remain to interface with individuals and businesses. The CBDC could be a claim on the intermediary, not the central bank, and all liabilities would need to be fully backed in turn, with claims on the central bank. The central bank would remain responsible for the wholesale (interbank) CBDC. This design allows for greater competition in user experience and payment processing, reducing interference in credit markets, and alleviating central banks of claim dispute resolution while still linking retail CBDC users with the central bank, similarly to how cash functions now. Some believe that this model doesn't leverage technology in doing away with costly intermediary functions – with the transaction ledger held by intermediaries, central banks would still heavily rely on those actors, which can be a very costly relationship. We tend to agree that this model only digitizes our existing system; if this becomes a stepping stone to deeper change, it holds more significant value.


A hybrid option between direct and indirect also exists as a possibility. CBDC could remain a claim on the central bank (unlike the indirect model), but intermediaries could handle all retail payment processing. The transaction ledger would be the onus of the central bank, which could remain independent, or a part of an interbank ledger. New and different types of financial intermediaries could enter into the competition and would likely still be better positioned to facilitate KYC protocols than central banks. Worldwide, this avenue might provide the best means of accessing the underserved. Think of your local post office offering modest banking services – except now you don't need the post office, and you can bank remotely. See Figure 3 for an excellent visual on structural design options as discussed.


Figure 3: Potential retail CBDC structures

Source: Auer, R., and R. Böhme. (March 2020). The technology of retail central bank digital currency. BIS Quarterly Review. P. 16.


2. Account or Token-based


In an account-based system, the accounts are the asset, whereas, in a token-based system, the tokens are the asset. The differences in approach are substantial.


CBDC accounts held by individuals but managed by an intermediary bank, or the central bank, represent the account-based approach. Transferring value would happen by debiting one account (the payer) and crediting another account (the payee) with the corresponding amount, and all tracked on a ledger. Account-based CBDC would have strong know-your-customer (KYC) and anti-money-laundering (AML) features. Still, most central banks would need to expand mandates to account holder verification or outsource it to realize this.


Verification, together with mass data of transaction records, would give central bankers (and third parties) an immense amount of precious information that they currently do not have. Of course – this runs the very likely risk of introducing mass surveillance while creating a honeypot for hacking activity and political interference in central bank activities. These risks are nothing to sneeze at.


Account-based CBDC puts one function of central banks in competition with commercial banks – that is, if commercial banks remain as service providers of depositor accounts. If individuals prefer central bank accounts over deposit accounts at any point, they will opt to relocate money into the CBDC out of commercial banks. Real or perceived differences in security, fund redeem-ability, interest, and add-on services are a few factors that could influence people's choices in this regard. Significant money movement to CBDC, away from commercial banks, runs the risk of eroding credit markets and makes bank runs more readily possible in times of financial crises. CBDC account holding limits and interest-bearing options (discussed below) may relieve these risks to a degree, but it remains a significant concern for central bankers (and commercial bankers!).


Token-based CBDC would function very similarly to current cash systems where value is transferred directly through handing over a token. Possession of the digital token, provided that it is a legitimate token (which requires significant anti-counterfeit security measures), lessons the need for identity associated with the CBDC holder. Arguably, some token-based systems may choose to incorporate identity features at the expense of anonymity – but it won’t be as comprehensive as in an account-based system. In general, token-based CBDC allows for greater privacy and anonymity of transacting but limits KYC/AML controls, a desirable feature for central bankers. The million dollar question here is, what threshold of anonymity and privacy will be deemed acceptable by the users – or will this push more people into the crypto-sphere?


3. Ledger infrastructure


CBDC can be based on a centrally controlled and non-distributed database, similar to how our fiat systems currently work. Alternatively, a CBDC can be built on a semi-centralized distributed ledger.[1] The primary distinction between these two models is who gets to update the database and how. In a fully centralized system, one authority can change the database, and that process is opaque. In a DLT or blockchain-based system, multiple entities (nodes) with authority and permission are structured to achieve consensus on ledger updates – adding transactions to the ledger. Another term for this is a private-permissioned distributed ledger network.


For a general-purpose CBDC, a private-permissioned DLT model is possible, and with many new developments, it provides excellent value potential. For the following reasons, we believe it is the superior approach to general-purpose CBDCs:

  • sharding (dividing the system's workload among nodes), second layer options, side channels for off-chain transactions, and proof-of-stake consensus mechanisms with blockchain technology are being developed and can enable transaction throughput volumes required by everyday system-wide use;

  • specialized hardware is making offline transacting possible, albeit not the primary means for transacting with a DLT system. This is particularly important when achieving the financial inclusion goal of CBDC;

  • the technology can offer new and exciting features to transacting, including but not limited to programmability and diversification of payments systems, all spurring financial innovation. See the discussion below on 'programmable features' for more on this;

  • digital identity capabilities on the blockchain associated with the financial system, could enable fast and accurate humanitarian cash-transfers. This can be an absolute game changer in aid and social-welfare systems – a tangible way to finance the UN sustainable Development Goals;

  • a semi-distributed network will improve system resiliency if any one node were to experience downtime;

  • there will be less of a honeypot for hacking activity (currently a risk with centralized database systems).

4. Availability, access, and inclusion from a users’ perspective


The availability, accessibility, and inclusiveness of CBDC are dependent on three design features: online and offline capabilities, universality, and security.


(a) Online and Offline


It would not be wise to restrict a CBDC to only online usage. Different areas and socio-economic groups face differences in connectivity in the form of reliable electricity or access to affordable online devices (i.e. smartphones, computers, et cetera). For areas where smartphone/computer penetration and electricity are highly reliable, extreme weather events, natural disasters, and unforeseen power market complications could disable CBDC. Online and offline capabilities are needed for everyone.


Token-based CBDCs have the advantage of allowing for easy offline transacting. This presents a double-edged sword for financial inclusion because offline exchange eliminates access-barriers associated with being online to transact (access to internet, a smart phone etc.). It also limits the extension of financial services associated with accounts (i.e. savings, interest, loans, equity and insurance).


Hybrid access options could include a wallet or universal access device connected sometimes but stores a usable balance offline. More work is needed for this category of option.


(b) Universality


For central banks, CBDC universality typically means making CBDC usable by all, regardless of age, gender, access to a bank account or a smartphone/computer, income sources and amounts, whether or not one lives in a remote or urban community, and without barriers for those with sensory/motor/or cognitive impairment. We push this concept further to consider barriers resulting from culture, digital and financial literacy, those living with limited civil liberties (i.e. the incarcerated), and transacting with cash-dependent societies. If the financial inclusion motivation of CBDCs is to be realized, this area of work needs a tremendous amount of attention. The United Nations should lead this effort in coordination with strategic partners. For more about this topic, see our November 25th article, Central bank digital currencies may not be the holy grail of financial inclusion.


(c) Security


An available and accessible CBDC is useless if it is not secure. So far, CBDC security discussions have focused on the security of use, but the conversation should be extended to the security of accessing it. For example, suppose an NFC-enabled card is issued as a universal access device for CBDC users. In that case, it should be outfitted with the ability to disable it if it gets into the wrong hands and the ability to be used offline and in emergencies when access to the internet or electricity may be limited. It could include bio-credentials such as a fingerprint scan to authenticate a transaction. More options should be considered.


5. Privacy and Anonymity


Anonymity is about who you are, and privacy is about what you do. So if your transaction is private but not anonymous, only you or a limited type and number of people know the details of your transactions, but you are still identifiable. Anonymity on its own would mean that you are not identifiable, but your transaction data is more widely available. To a certain extent, anonymity is limited in the digital world since your transaction history can be used to identify you reasonably.


The design trade-offs here center around individual protections and rights versus KYC-AML compliance and enforcement. Token-based CBDCs could establish similar privacy and anonymity levels that come with cash, but this does not add anything to our fight against illicit money flows (giving careful attention to how illicit is defined and acted against). An account-based CBDC will provide an opportunity in fighting fraud, facilitating government-citizen transfers (i.e. taxes, social transfers). Still, it will require delicate data controls to prevent dangerous overreach by central banks and governments or create a hackable honeypot.


6. Custody and Storage


Central banks, intermediary financial institutions, or users themselves could custody CBDC in theory. Exclusive-user custody is not a great option because if a person loses their phone or access device, or their keys, they will lose their CBDC. It is unlikely that central banks themselves will want to be in the business of storing retail CBDC. This will broaden bank operations to include digital identity management and even greater cybersecurity risk. The most likely cause is for central banks to approve third-party CBDC custodial services provided by commercial banks or maybe a new form of digital payment rails - VISA, Mastercard, PayPal, and others give a heavy sigh right about here.

Source: Unconfirmed
Figure 4: Picture of CBDC access card

Pictured here (Figure 4 - source unconfirmed) is an example of an NFC-enabled access card as a non-smartphone example of how people could use a CBDC. It shows the current balance, the immediate transaction amount, and the number of offline transactions remaining.