Central Bank Digital Currency: A Design Guide

Updated: Mar 24, 2021

Just over a year ago, central bank digital currencies (CBDC) were perceived as an exciting fringe topic that might have passed through your newsfeed but didn't warrant a dinner time conversation. Since then, Covid and the rise of cryptocurrencies have shaken the world economy to the point where dare we say it – central banks regularly use the words 'distributed ledger technology,' 'digital currency,' and 'blockchain.' Without getting into the detail of what has changed (because that requires at least five dinner time conversations), it is essential to know that Central Banks around the world are increasingly researching and developing CBDC (check out cbdctracker.org); this matters because the CBDCs that we might end up using will fundamentally alter how we transact, who is transacting, and how the transactional data can be used. For this reason, we wanted to help you understand a little bit more about how we can design these CBDCs.

Designing a CBDC

In January of 2020, the World Economic Forum (WEF) published the Central Bank Digital Currency Policy Maker Toolkit. It is designed to be an evaluation and design guide for policy-makers considering embarking into the murky waters of CBDC development. This framework is helpful because it has aggregated several complex topics into a sequenced decision flow-chart (Figure 1). CBDC design and tech, steps 9 and 10, respectively, have gained particular attention over the last year.

This article digs into general-purpose CBDC design features and challenging technological decisions that digital architects, policy-makers and bankers are currently working on. Arguably, the paper could be many pages longer, but we wanted to offer more of a stock-take review so that you, the reader, could see the larger design picture more easily. We expect that the inventory of features and issues will continue to change over time as evaluations and testing proceeds. Still, we stand at a fascinating point in the continuing journey towards digital economies at this moment in time.

Figure 1: Policy-makers decision flow chart.

Source: World Economic Forum. (January 2020). Central Bank Digital Currency Policy-Maker Toolkit. Insight Report. Centre for the Fourth Industrial Revolution.

The Feature Set

If anything, efforts this past year have evolved toward the design process of CBDCs. Moves toward CBDCs are now about solving implementation issues, not about the probability of use. This section reviews 13 design components that central banks around the world are exploring. The customized combination of these elements will vary among countries to reflect both local context and international relationships. Of course, design sensitivities and interdependencies will come into play when combining these features, so reader beware – customization is essential.

1. Structural design – the business model

Central banks are the only entity that can issue and redeem a CBDC. However, central banks can decide how directly or indirectly they are involved in the operations and use of a general-purpose CBDC. This structure will impact claims and payment processing, including where the associated transaction/balance records are kept, and maybe even having a direct CBDC e-wallet. This structural design is largely a business model choice. John Kiff of the International Monetary Fund provides this helpful diagram for CBDC business model considerations where PSPs refer to payment service providers (Figure 2).

Figure 2: CBDC Business Model Considerations

Source: Kiff, J., (March 17 2021). Retail Central Bank Digital Currency: Operational Considerations. International Monetary Fund. Presentation to CBDC Think Tank Online.

The centrality level that a bank opts for should be considered on a spectrum from entirely direct, to entirely indirect, with hybrid options in between.

A CBDC would remain a claim on the central bank in a perfectly direct model, and the central bank would be responsible for the payment systems and all ledgers. Central banks would disintermediate commercial banks, which would expand most central bank mandates – intentionally kept very narrow currently. Central banks would likely need to take on lending activities not to dry up retail credit markets. In the case of account-based direct CBDC (see the following section for discussion on account versus token), central banks would be forced to enter into the world of digital identity management. Know-your-client (KYC) practices and onboarding could be outsourced to intermediaries, but the standards would still be centrally established and maintained. This approach could significantly reduce costs as an entire layer (and its associated profits) once in place; however, the cost of establishing this system and the resultant operational costs are immense.

In an indirect retail CBDC model, commercial banks or intermediaries would remain to interface with individuals and businesses. The CBDC could be a claim on the intermediary, not the central bank, and all liabilities would need to be fully backed in turn, with claims on the central bank. The central bank would remain responsible for the wholesale (interbank) CBDC. This design allows for greater competition in user experience and payment processing, reducing interference in credit markets, and alleviating central banks of claim dispute resolution while still linking retail CBDC users with the central bank, similarly to how cash functions now. Some believe that this model doesn't leverage technology in doing away with costly intermediary functions – with the transaction ledger held by intermediaries, central banks would still heavily rely on those actors, which can be a very costly relationship. We tend to agree that this model only digitizes our existing system; if this becomes a stepping stone to deeper change, it holds more significant value.

A hybrid option between direct and indirect also exists as a possibility. CBDC could remain a claim on the central bank (unlike the indirect model), but intermediaries could handle all retail payment processing. The transaction ledger would be the onus of the central bank, which could remain independent, or a part of an interbank ledger. New and different types of financial intermediaries could enter into the competition and would likely still be better positioned to facilitate KYC protocols than central banks. Worldwide, this avenue might provide the best means of accessing the underserved. Think of your local post office offering modest banking services – except now you don't need the post office, and you can bank remotely. See Figure 3 for an excellent visual on structural design options as discussed.

Figure 3: Potential retail CBDC structures

Source: Auer, R., and R. Böhme. (March 2020). The technology of retail central bank digital currency. BIS Quarterly Review. P. 16.

2. Account or Token-based

In an account-based system, the accounts are the asset, whereas, in a token-based system, the tokens are the asset. The differences in approach are substantial.

CBDC accounts held by individuals but managed by an intermediary bank, or the central bank, represent the account-based approach. Transferring value would happen by debiting one account (the payer) and crediting another account (the payee) with the corresponding amount, and all tracked on a ledger. Account-based CBDC would have strong know-your-customer (KYC) and anti-money-laundering (AML) features. Still, most central banks would need to expand mandates to account holder verification or outsource it to realize this.

Verification, together with mass data of transaction records, would give central bankers (and third parties) an immense amount of precious information that they currently do not have. Of course – this runs the very likely risk of introducing mass surveillance while creating a honeypot for hacking activity and political interference in central bank activities. These risks are nothing to sneeze at.

Account-based CBDC puts one function of central banks in competition with commercial banks – that is, if commercial banks remain as service providers of depositor accounts. If individuals prefer central bank accounts over deposit accounts at any point, they will opt to relocate money into the CBDC out of commercial banks. Real or perceived differences in security, fund redeem-ability, interest, and add-on services are a few factors that could influence people's choices in this regard. Significant money movement to CBDC, away from commercial banks, runs the risk of eroding credit markets and makes bank runs more readily possible in times of financial crises. CBDC account holding limits and interest-bearing options (discussed below) may relieve these risks to a degree, but it remains a significant concern for central bankers (and commercial bankers!).

Token-based CBDC would function very similarly to current cash systems where value is transferred directly through handing over a token. Possession of the digital token, provided that it is a legitimate token (which requires significant anti-counterfeit security measures), lessons the need for identity associated with the CBDC holder. Arguably, some token-based systems may choose to incorporate identity features at the expense of anonymity – but it won’t be as comprehensive as in an account-based system. In general, token-based CBDC allows for greater privacy and anonymity of transacting but limits KYC/AML controls, a desirable feature for central bankers. The million dollar question here is, what threshold of anonymity and privacy will be deemed acceptable by the users – or will this push more people into the crypto-sphere?

3. Ledger infrastructure

CBDC can be based on a centrally controlled and non-distributed database, similar to how our fiat systems currently work. Alternatively, a CBDC can be built on a semi-centralized distributed ledger.[1] The primary distinction between these two models is who gets to update the database and how. In a fully centralized system, one authority can change the database, and that process is opaque. In a DLT or blockchain-based system, multiple entities (nodes) with authority and permission are structured to achieve consensus on ledger updates – adding transactions to the ledger. Another term for this is a private-permissioned distributed ledger network.

For a general-purpose CBDC, a private-permissioned DLT model is possible, and with many new developments, it provides excellent value potential. For the following reasons, we believe it is the superior approach to general-purpose CBDCs:

  • sharding (dividing the system's workload among nodes), second layer options, side channels for off-chain transactions, and proof-of-stake consensus mechanisms with blockchain technology are being developed and can enable transaction throughput volumes required by everyday system-wide use;

  • specialized hardware is making offline transacting possible, albeit not the primary means for transacting with a DLT system. This is particularly important when achieving the financial inclusion goal of CBDC;

  • the technology can offer new and exciting features to transacting, including but not limited to programmability and diversification of payments systems, all spurring financial innovation. See the discussion below on 'programmable features' for more on this;

  • digital identity capabilities on the blockchain associated with the financial system, could enable fast and accurate humanitarian cash-transfers. This can be an absolute game changer in aid and social-welfare systems – a tangible way to finance the UN sustainable Development Goals;

  • a semi-distributed network will improve system resiliency if any one node were to experience downtime;

  • there will be less of a honeypot for hacking activity (currently a risk with centralized database systems).

4. Availability, access, and inclusion from a users’ perspective

The availability, accessibility, and inclusiveness of CBDC are dependent on three design features: online and offline capabilities, universality, and security.

(a) Online and Offline

It would not be wise to restrict a CBDC to only online usage. Different areas and socio-economic groups face differences in connectivity in the form of reliable electricity or access to affordable online devices (i.e. smartphones, computers, et cetera). For areas where smartphone/computer penetration and electricity are highly reliable, extreme weather events, natural disasters, and unforeseen power market complications could disable CBDC. Online and offline capabilities are needed for everyone.

Token-based CBDCs have the advantage of allowing for easy offline transacting. This presents a double-edged sword for financial inclusion because offline exchange eliminates access-barriers associated with being online to transact (access to internet, a smart phone etc.). It also limits the extension of financial services associated with accounts (i.e. savings, interest, loans, equity and insurance).

Hybrid access options could include a wallet or universal access device connected sometimes but stores a usable balance offline. More work is needed for this category of option.

(b) Universality

For central banks, CBDC universality typically means making CBDC usable by all, regardless of age, gender, access to a bank account or a smartphone/computer, income sources and amounts, whether or not one lives in a remote or urban community, and without barriers for those with sensory/motor/or cognitive impairment. We push this concept further to consider barriers resulting from culture, digital and financial literacy, those living with limited civil liberties (i.e. the incarcerated), and transacting with cash-dependent societies. If the financial inclusion motivation of CBDCs is to be realized, this area of work needs a tremendous amount of attention. The United Nations should lead this effort in coordination with strategic partners. For more about this topic, see our November 25th article, Central bank digital currencies may not be the holy grail of financial inclusion.

(c) Security

An available and accessible CBDC is useless if it is not secure. So far, CBDC security discussions have focused on the security of use, but the conversation should be extended to the security of accessing it. For example, suppose an NFC-enabled card is issued as a universal access device for CBDC users. In that case, it should be outfitted with the ability to disable it if it gets into the wrong hands and the ability to be used offline and in emergencies when access to the internet or electricity may be limited. It could include bio-credentials such as a fingerprint scan to authenticate a transaction. More options should be considered.

5. Privacy and Anonymity

Anonymity is about who you are, and privacy is about what you do. So if your transaction is private but not anonymous, only you or a limited type and number of people know the details of your transactions, but you are still identifiable. Anonymity on its own would mean that you are not identifiable, but your transaction data is more widely available. To a certain extent, anonymity is limited in the digital world since your transaction history can be used to identify you reasonably.

The design trade-offs here center around individual protections and rights versus KYC-AML compliance and enforcement. Token-based CBDCs could establish similar privacy and anonymity levels that come with cash, but this does not add anything to our fight against illicit money flows (giving careful attention to how illicit is defined and acted against). An account-based CBDC will provide an opportunity in fighting fraud, facilitating government-citizen transfers (i.e. taxes, social transfers). Still, it will require delicate data controls to prevent dangerous overreach by central banks and governments or create a hackable honeypot.

6. Custody and Storage

Central banks, intermediary financial institutions, or users themselves could custody CBDC in theory. Exclusive-user custody is not a great option because if a person loses their phone or access device, or their keys, they will lose their CBDC. It is unlikely that central banks themselves will want to be in the business of storing retail CBDC. This will broaden bank operations to include digital identity management and even greater cybersecurity risk. The most likely cause is for central banks to approve third-party CBDC custodial services provided by commercial banks or maybe a new form of digital payment rails - VISA, Mastercard, PayPal, and others give a heavy sigh right about here.

Source: Unconfirmed
Figure 4: Picture of CBDC access card

Pictured here (Figure 4 - source unconfirmed) is an example of an NFC-enabled access card as a non-smartphone example of how people could use a CBDC. It shows the current balance, the immediate transaction amount, and the number of offline transactions remaining.

7. Monetary policy options

Associating an interest rate with CBDC can give central bankers several policy options; the socio-economic benefits or damage associated with CBDC interest would be a function of how the rate is set and by who, and the economic standing of anyone CBDC holder/user. We expect that CBDC interest would function similarly to current central bank key interest rates, which tend to move gradually and in predictable ways according to inflation.

If CBDC interest is kept at zero percent, then money flows associated with the price of money would function in a very similar fashion as cash. An interest rate below zero – breaking the effective lower bound (ELB), means that account holders would have to pay to hold money with the central bank. In this case, the attractiveness of CBDC as a store of value would evaporate, and the potential and scale of bank runs out of commercial banks, would be limited. For those who have little or no other options for storing value (likely the poorer segments of society), this will function to exacerbate inequality as they will be forced to pay a more significant percentage of their money in interest. An interest rate above zero could counteract competition from other currencies, incentivizing individuals to use and hold CBDC for a small return. The interest could be further refined to be time-variant or contingent on the balance being held. All that said – enabling a CBDC to be interest-bearing does not commit a central bank to use this feature; it just provides an option that is not available in current cash technology. As advocates for a more humane banking system, we sincerely hope that central bankers consider the interest-bearing feature with extreme care.

8. Account limits

Limiting the amount any individual can hold in an account is a controversial policy tool. We don’t see many users being excited about this type of control – or maybe it’s just a case of the emperor in new clothes. That said, account limits, where individuals could only hold so much in their CBDC account, would function to dis-incentivize CBDC as a store of value, reducing the risk of bank runs out of commercial banks. Again – a run on a commercial bank would have the knock-on effect of directly impacting the credit markets. We can't ignore the fact that some - usually crypto maximalists - view disintermediation (either through the structure or crisis – bank run) as being a natural progression in our banking system – a financial survival of the fittest type situation. We’re in favour of banking evolution that establishes greater economic dignity – both as a means and an end.

Account limits have also been discussed in the KYC-AML literature through 'tiered' limits; transactions and holdings below a certain threshold wouldn't be subject to verification. Those above a threshold would face levels of reporting and surveillance. Necessary controls would need to be put in place to prevent anyone from holding multiple accounts, circumventing the account limit rule in effect. No matter how the limits are established or why it remains a contentious issue that will face a challenge – both formally and in practice.

9. Security

For central banks, the security of CBDC means that they have exclusive issuance and redemption authority while maintaining public trust. For users to maintain this trust, security in the form of confidentiality, reliability, integrity (against fraud and double-spending) and availability are critical. How best to satisfy those features somewhat depends on ones' views of centralized versus decentralized ledger systems. Does a central and private system enhance security via monopolistic control, or does open, decentralized technology established security through transparency? Most central banks are erring on the side of centrality (surprise-surprise!), while others consider hybrid systems. Again – let’s not forget the crypto-maximalists, who are working on entirely new systems that aim to do away with banks altogether; here security is achieved through perfect decentralization. The bankers have primarily ruled out fully public and open DLT, but they will arguably face competition from those pursuing this route.

Going further, CBDC value can be stored in several places in the network – its position within that chain determines its relative security risks. For example, if CBDC value is stored in front-end components such as user-devices, then the device, its software, and any web interfaces should be security-heavy. If CBDC value is stored remotely, back-end data storage systems, access points to front-end components, and redundancy elements (firewalls, backups) should have higher security. This is an oversimplification of a complex topic; for a well-thought-out description of CBDC security issues, Minwalla's 2020 note via the Bank of Canada is an interesting read.

10. Interoperability

The interoperability of a retail CBDC is a crucial design function that must be solved. CBDCs will need to be interoperable with existing payment and monetary systems and future ones, including cryptocurrencies, stable-coins, and other privately issued digital currencies. They will need to interoperate locally and internationally when it comes to currency exchange, cross-border payments and solve for tourist activity. Interoperability will need to be solved at infrastructure, coding, and regulatory levels.

The good news is that work on interoperability is fast and furious at the moment. At least regionally, standard setting is in the works, and pilot testing between partnered jurisdictions or projects is being established. We won't see large-scale functional interoperability until more CBDCs move into their pilot phase. Still, even then, we will have a critical window of opportunity to cooperate and coordinate internationally before the leading CBDC issuers set de-facto interoperability standards. The risk here is exaggerating the digital divide between economies even further. This is another area of work that warrants some serious attention and the United Nations and International Telecommunications Union are well positioned to lead the effort – (check out the Digital Currency Global Initiative which we are actively a part of).

11. Digital identity

Digital identity systems are necessary for account-based CBDC (See a BIR article published December 22, 2020). Digital identity infrastructure and applications are well developed outside of the CBDC space, but there is a lot of work to do if CBDCs are to take on digital ID elements. This work will include establishing and maintaining a federal-level digital ID system with the necessary privacy and security controls to protect against (a) government or central bank misuse and surveillance and (b) cyberattack. Biometrics will likely need to be involved. Moreover, maximizing this system's benefits should be interlinked with tax services, social welfare payments, voting and medical records management, travel identity, and some insurance.

12. Programmable features

Even though blockchain-based CBDCs are still very much in the early stages of development, we know that blockchains can likely offer some exciting features – essentially making money programmable. Some of these features include:

  1. atomic exchanges or swaps, where both parties (the payer and payee) confirm the transaction within a specified period using a cryptographic hash function that would enable delivery versus payment, and payment versus payment transactions;

  2. hard-coded compliance features such as wallet or account thresholds, permissioned access, and observance of local laws and regulation;

  3. pre-determined timing, amount, and hard-coded spending rules for social benefit and aid payments;

  4. or even withholding monies on a conditional basis (this one makes us nervous!).

For these, and potentially other programmable features to be possible, blockchain systems will need to solve scalability and digital currency literacy better. Regulatory regimes will need to be well pre-established to account for the unique privacy concerns and range of transacting options not otherwise available. Checks and balances will be needed to prevent government overreach when 'programming' money – this is a scary concept that warrants slow, steady and transparent design.

13. Lending

Retail lending is a feature of commercial or intermediary banks in most countries. These banks can lend out depositor money according to local regulation – for example, how much central bank money they need to retain in reserve as collateral (if at all), expanding the money supply. This system is made possible by sizeable government-backed insurance schemes that protect depositor money in the event of bank insolvency. Direct retail CBDC threatens to upend this system by disintermediating commercial banks, drying up credit markets until another financial intermediary or solution comes into play in this respect. Interest and account limits are two strategies discussed above that could restrict this process if it is something to avoid.

With a sober second thought by researchers at the Bank of Canada, if possible to lend on the back of a CBDC, this could open up deposit competition, increasing bank lending and GDP. However, if central banks did get into the credit markets directly, mandates would expand into uncomfortable territory for central bankers (and by that, I mean beyond the bounds of maintaining monetary and financial stability, at least in the short term). What is potentially and importantly offered is the ability to provide banking services to the under-banked or unbanked. For this reason alone, central banks should seriously consider lending options.

Summarizing – let's keep an eye on the end goals

Building a general-purpose CBDC with any variance and combination of design features and tech is not a facile undertaking. Navigating the design elements will require acute awareness of the core purpose for CBDCs, which is usually one or a combination of these things: to maintain monetary and financial stability, reducing physical cash costs and risks, to maintain a direct link to retail users in the face of declining cash-usage, to avoid sanctions, to increase financial inclusion, to distribute stimulus payments and social welfare or humanitarian transfers, and to compete with private cryptocurrencies and stable coins. Some view de-dollarization as the purpose for CBDCs, but we don’t think that this is a strong enough motivation on its own. It’s going to take a lot more than a change in currency format to de-dollarize the global economy. Moreover, we expect wide-scale CBDC development to take many years yet because of the complexity of creating a successful general-purpose CBDC; we will likely see a number of attempts but not broad adoption around the world for another 5-10 years. Resistance from large financial intermediaries such as VISA, Mastercard and Paypal will further bog this process down. You can trust that we will keep a very keen eye on CBDC and cryptocurrency developments in this coming year.


By Tanya Smith and Peter Schober


Sources and Interesting Reads

Agur, Itai, Anil Ari and Giovanni Dell'Ariccia. 2019. “Designing Central Bank Digital Currencies.” IMF Working Paper 19/252.

Allen, S., Čapkun, S., Eyal, I., et al. July 23 2020. Design choices for central bank digital currency: Policy and technical considerations. Available online.

Auer, R., Cornelli, G., and J. Frost. (August 2020). Rise of the central bank digital currencies: drivers, approaches, and technologies. Monetary and Economic Department. BIS Working Papers. No. 880.

Auer, R., and R. Böhme. (March 2020). The technology of retail central bank digital currency. BIS Quarterly Review. P. 16.

Bindseil, Ulrich. 2020. "Tiered CBDC and the financial system." ECB Working Paper 2351 January.

Chaum, D., C., Grothoff, and T. Moser. (February 2021) How to issue a central bank digital currency. SNB Working Papers.

Davoodalhosseini, M., F., Rivadeneyra, and Y. Zhu. (February 2020). CBDC and Monetary Policy. Staff Analytical Note. Bank of Canada.

Free Exchange. December 2020. Will central-bank digital currencies break the banking system? The Economist. Available online.

Kiff, J., (March 17 2021). Retail Central Bank Digital Currency: Operational Considerations. International Monetary Fund. Presentation to CBDC Think Tank Online.

Kumhof, Michael and Clare Noone. 2018. "Central bank digital currencies - design principles and balance sheet implications." Bank of England, Staff Working Paper No. 725.

Mandeng, O. J., Blockchain's critical role in central bank digital currency. Accenture. Available online.

Minwalla, C., June 2020. "Security of a CBDC." Staff Analytical Note. Bank of Canada

OMFIF and IBM. (2019). Retail CBDC: The Next Payments Frontier. Available online.

World Economic Forum. (January 2020). Central Bank Digital Currency Policy-Maker Toolkit. Insight Report. Centre for the Fourth Industrial Revolution.


[1] Many cryptocurrencies such as Bitcoin, operate in a fully decentralized and distributed model.

Thanks for subscribing