The key challenges in retail CBDC design and adoption – BIS paper

The BIS and seven central banks look at system design and legal issues surrounding retail CBDC and produce a summary of the current CBDC thought. The central banks (cbanks)participating included the Bank of Canada, the Bank of England, the Bank of Japan, the European Central Bank, the Board of Governors of the Federal Reserve System, Sveriges Riksbank, and the Swiss National Bank.

Since 2020, a group of central banks, together with the Bank for International Settlements, have been exploring selected aspects of central bank digital currencies (CBDCs).1 As part of this joint work, the group shares insights and perspectives gained from the central banks’ individual analysis and experiments on a range of CBDCthemes, including those more broadly related to payments modernization.
2 This report summarises the group’s discussion on several topics in relation to the system design of retail (also called general-purpose) CBDC arrangements.3 These may likely become relevant should a central bank consider developing a retail CBDC arrangement.

The report first provides some perspectives on overall system design and then focuses on four key issues essential for designing a well-functioning retail CBDC system: privacy, cyber security (including quantum computing), offline functionality4 and point of sale considerations. These issues are multi-dimensional and often interconnected.

Technical experimentation frequently highlights complementary policy choices that a jurisdiction may need to determine when it is designing or modernizing a payments system. Jurisdictions each have their own existing policy, legal, and regulatory frameworks, as well as their own policy objectives. For a given jurisdiction, addressing legal and public policy requirements as well as interactions and interconnectedness both within and beyond the system may be essential to ensure a coherent system design.

The work of the group over the last 18 months has discussed those areas alongside technical capabilities to better understand the associated tradeoffs, without drawing specific policy conclusions. Despite progress to better understand the practicalities around these issues, challenges and open questions remain. In addition, for the purpose of developing a well-functioning retail CBDC system, there are other issues which should be addressed.

The main takeaways are:

. In a two-tier CBDC system centralised versus decentralised options may not have to be two mutually exclusive and incompatible design choices. A jurisdiction’s optimal architecture may consist of many different modular components, each supporting a specific set of requirements.

. Privacy may be a key consideration for central banks when designing a CBDC system and involves navigating numerous trade-offs. Privacy enhancing techniques (PETs) may provide both opportunities and challenges within a retail CBDC system and trade-offs should be examined when considering PETs versus more traditional methods to deliver privacy. The system should also be designed in a way to ensure that the implementation of privacy still allows for robust protection of end-users and issuers against fraud and forgery.

. PET may allow extraction of information from encrypted data without revealing personal information and would add an extra layer of protection and design flexibility. However, experimental work conducted by some of the central banks contributing to this report suggests that some of these PETs may not yet be feasible to use in real-time, are complicated, introduce additional latency and raise reliability concerns. However, the field is evolving, and more investigation might be required.

. Most security risks are not unique to CBDC. However, traditional risks may be amplified for CBDC because there may be greater incentives for malicious actors to attack the system. Existing cyber defence practices and frameworks may be applicable to CBDC, but the choice of a two-tier model, which may allow external parties to innovate in the ecosystem in jurisdictions that allow them to do so, can introduce new challenges.

. Quantum computers of the future may have the potential to challenge the integrity of the current (‘classical’) cryptography methods, albeit over an uncertain period. A path to utilising post-quantum cryptography (PQC), or avoiding the vulnerabilities of classical cryptography, likely needs to be formulated. The question of quantum safety may also apply to conventional payment systems but, being greenfield, central banks, if issuing CBDC, may be well placed to adopt transition strategies to PQC and make relevant trade-offs proactively.

. Security may also be interconnected with the ability to deliver offline services ensuring funds cannot be double spent, minted outside the central bank, or compliance circumvented. There is cautious optimism that a practical solution for offline functionality may be found, though jurisdictions may choose to have additional controls such as holding limits in place to mitigate residual risks.

. Central banks may also consider how to use existing technology and standards in accordance with their strategies for adoption. For example, according to the proof-of-concept by a central bank, overall modern Point of Sale (PoS) terminals may be ubiquitous and flexible enough to accommodate CBDC, though there may likely still be several technical considerations.

More details here: Central bank digital currencies – System design