Are there technical solutions to privacy and compliance trade-offs for CBDCs?
A retail central bank digital currency (CBDC) has the potential to give authorities more information about users and their transactions, as well as aid detection, supervision, surveillance and enforcement efforts. However, this opens the central bank to criticism that CBDCs could be used as a surveillance tool not just by themselves, but by banks and payment service providers that are part of the CBDC ecosystem.
Furthermore, authorities could theoretically censor specific users and transactions, thereby undermining users’ freedoms. Storing and collecting personal and transactional information could ultimately lead to price discrimination for CBDC users and increase their cybersecurity risks. In the event of a hack, the leak of personal information could lead, in the most extreme case, to financial losses that the central bank and/or its agents could be forced to cover.
This article is part of CoinDesk Political Week. John Kiff, a former senior financial sector expert at the IMF, is Director of Research at the Sovereign Official Digital Association (SODA), Head of CBDC/Digital Capital Markets Advisory at Satoshi Capital Advisers, and Advisor at WhisperCash. Dr. Jonas Gross is President of the Digital Euro Association (DEA) and Chief Operating Officer at etonec.
For these reasons, enabling high privacy for CBDC transactions is crucial.
What do we mean by “privacy” and how private are existing digital payment rails?
Although privacy is a fundamental civil right, for example specified in Article 12 of the Universal Declaration of Human Rights by the United Nations, its application is not necessarily black and white, and different forms of money differ in terms of the degree of secrecy.
Cash is the most private form of money. If a payment is made in cash, only the two parties involved in the transaction know the information about the transaction, such as the amount of the transaction and the parties to the transaction. No third party can observe the payment data.
Today, the public already accepts a certain invasion of financial privacy. Existing digital payment methods, such as debit and credit cards, bank transfers and mobile money payments, do not offer a high degree of privacy and are gaining market share. Know-your-customer (KYC) measures are necessary to open bank accounts and ultimately to conduct transactions. This confidential KYC and transaction data is shared with intermediaries, such as banks, credit card companies, etc., who are involved in the transaction process.
According to a recent survey by the European Central Bank (ECB), in the European Union (EU), the volume of digital payments in 2022 – for the first time – exceeded the volume of cash payments. However, the survey also revealed that the high privacy of cash is a highly valued feature, indicating strong demand for privacy-focused payment methods.
However, high privacy for payments also has a general downside. As transaction data remains private, it is more difficult for financial institutions to comply with Financial Action Task Force (FATF) standards for combating money laundering, terrorist financing and the financing of proliferation (AML/CFT/CPF). By definition, transaction data would not be shared with third parties, making it difficult – and in some cases impossible – to identify the parties involved, investigate the origin of funds, etc.
In preparation for the privacy and compliance discussion, how private are CBDC payments? There is no general answer to this question. It ultimately depends on the design of the CBDC and the objectives of the central bank. As mentioned, privacy is not black or white. The privacy of CBDCs will vary from jurisdiction to jurisdiction.
The European Central Bank (ECB), for example, sees four possible forms and degrees of transaction data privacy around a potential digital euro. These privacy provisions are listed in order from little privacy to full privacy:
- Fully transparent to the central bank: all transaction and KYC data is visible to the central bank
- Transparent for intermediaries: all transaction and KYC data is visible to intermediaries
- Privacy Threshold: High degree of privacy for low-value transactions, while high-value transactions are subject to standard customer due diligence checks, typically implemented through built-in limits in digital wallets. The ECB has tested non-transferable “anonymity vouchers” which allow users to transfer a limited amount of CBDC over a set period with a higher degree of confidentiality. A key question around a privacy threshold is whether end users should trust the central bank to maintain privacy, for example, in the sense that the central bank guarantees not to examine the data for transactions at large volume or monetize data, or whether privacy is independent of the central bank, for example, implemented via privacy-focused cryptographic techniques, such as zero-knowledge proofs or blind signatures.
- Not transparent to third parties: assets/balances and transaction amounts are not known to intermediaries and the central bank. In the most extreme case, this can mean complete anonymity, where – as with cash payments today – the identity of users is not known and no KYC measures are applied except at integration.
The privacy threshold model appears to be the preferred compromise between ensuring payment privacy, while considering regulatory requirements, in retail CBDC launches and pilots. Countries like China, Nigeria, and the Bahamas use such a model for their CBDCs.
However, the ECB, which conducted a survey and found that privacy is the most requested feature for a digital euro, uses a so-called “transparent to intermediary” framework. This ‘base model’, the design considered so far, is intended to meet AML/CFT requirements, although it may conflict with the general public’s demand for privacy.
New technology approaches to balance payment privacy and regulatory compliance
The degree of confidentiality of a CBDC has a significant effect on adoption. It affects whether people see central bank systems as a substitute for cash or for digital forms of payment, which have distinct uses. If users have strong privacy preferences, a CBDC that has cash-like attributes could result in higher usage and less encroachment on bank deposits.
Technology solutions – both software and hardware – have been developed to provide CBDCs with ways to ensure a high degree of privacy while complying with regulations, such as:
- Gross et al. (2021) proposed a CBDC system that allows cash-like private CBDC transactions up to specific monetary limits. If these limits are reached, transactions above the limit have similar (lower) degrees of privacy as existing digital payment platforms. Limits can be specified in terms of transaction size, holdings and/or turnover. The system works best when a unique digital ID is available to all users, but such a digital ID is not a requirement. High privacy guarantees and adherence to the limits are ensured by the use of zero-knowledge cryptographic proofs.
- Chaum and Moser (2022) proposed a CBDC system based on blind signatures that allows central banks to issue tokens through payment service providers without knowing who owns specific tokens. The central bank keeps a record of all coin IDs, so no one can mint new tokens, but transactions between wallets are not recorded. However, if users want law enforcement to find stolen tokens, they can waive the confidentiality of their tokens. The Swiss center of the Bank for International Settlements (BIS) innovation hub has launched the Tourbillon project which will build and test this eCash 2.0 platform.
- CBDC hardware solutions that take the form of a card or mobile wallet application on which prepaid values are stored locally also open up the possibility of near complete anonymity. These wallets could potentially be as anonymous and private as cash, although the central bank may require identification to enforce a one-per-person wallet policy or holding and/or transaction size limits to mitigate financial integrity risks. Giesecke+Devrient tested a card-based CBDC platform in Ghana that allows unlimited consecutive offline transactions.
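The blind-signature idea in the Chaum and Moser item can be seen in a few lines. This is an added illustration, not code from the article or from the eCash 2.0 / Tourbillon design: it assumes textbook RSA blind signatures with a toy key, and the `Issuer`, `withdraw` and `h` names are hypothetical. A set of redeemed IDs stands in for the issuer's coin-ID record.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key (constructed for this example): two Mersenne primes, far too
# small and structured for real use. Textbook RSA, no padding standard.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the issuer only

def h(coin_id: bytes) -> int:
    """Hash a coin ID into Z_N (simplified full-domain hash)."""
    return int.from_bytes(hashlib.sha256(coin_id).digest(), "big") % N

class Issuer:
    """Hypothetical central-bank role: signs blinded values, tracks redeemed IDs."""
    def __init__(self):
        self.seen_blinded = []  # everything the issuer observes at withdrawal
        self.redeemed = set()   # coin IDs already accepted once

    def sign_blinded(self, blinded: int) -> int:
        self.seen_blinded.append(blinded)
        return pow(blinded, D, N)

    def redeem(self, coin_id: bytes, sig: int) -> str:
        if pow(sig, E, N) != h(coin_id):
            return "invalid"       # not signed by the issuer: nobody else can mint
        if coin_id in self.redeemed:
            return "double-spend"  # valid signature, but ID already on record
        self.redeemed.add(coin_id)
        return "ok"

def withdraw(issuer: Issuer):
    """Wallet side: pick a secret coin ID, blind it, get it signed, unblind."""
    coin_id = secrets.token_bytes(16)
    r = 0
    while r < 2 or gcd(r, N) != 1:   # blinding factor must be invertible mod N
        r = secrets.randbelow(N)
    blinded = (h(coin_id) * pow(r, E, N)) % N
    sig = (issuer.sign_blinded(blinded) * pow(r, -1, N)) % N  # = h(coin_id)^D
    return coin_id, sig

if __name__ == "__main__":
    bank = Issuer()
    coin_id, sig = withdraw(bank)
    print(bank.redeem(coin_id, sig), bank.redeem(coin_id, sig))
    print("issuer saw the coin at withdrawal:", h(coin_id) in bank.seen_blinded)
```

The issuer can verify its own signature at redemption, yet the value it signed at withdrawal was blinded, so it cannot match the redeemed coin to the withdrawal that produced it.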
The thing is, as discussed in this 2021 article, how much data privacy to choose for a CBDC isn’t a technological question. Technologically, all degrees of privacy can be achieved.
It is rather a political and strategic question. With retail CBDC launches and pilot projects garnering disappointing user interest, to put it mildly, now is the time to consider CBDC solutions that are closer to cash and privacy-focused. A CBDC can only become successful if it meets relevant user needs – and enjoys sufficient trust from society.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.