This article is part of CoinDesk’s Policy Week. John Kiff, a former senior financial sector expert at the IMF, is the research director at the Sovereign Official Digital Association (SODA), head of CBDC/digital capital markets advisory at Satoshi Capital Advisers and advisor to WhisperCash. Dr. Jonas Gross is chairman of the Digital Euro Association (DEA) and chief operating officer at etonec.
A retail central bank digital currency (CBDC) has the potential to give authorities more information on users and their transactions as well as facilitate detection, supervision, monitoring and law enforcement efforts. However, this opens the central bank to criticisms that CBDCs could be used as a surveillance tool not only by the central bank itself, but also by banks and payment service providers that are part of the CBDC ecosystem.
Also, authorities could theoretically censor specific users and transactions, thereby impairing user freedoms. Storing and collecting personal and transaction information could ultimately lead to price discrimination for CBDC users and increase their cybersecurity risks. In the case of a hack, the leakage of personal information could lead, in the most extreme case, to financial losses that the central bank and/or its agents may be obliged to cover.
For these reasons, enabling high privacy for CBDC transactions is crucial.
What do we mean by ‘privacy’ and how private are existing digital payment rails?
Although privacy is a fundamental civil right, e.g., specified in Article 12 of the Universal Declaration of Human Rights by the United Nations, its application is not necessarily black and white, and different forms of money differ in terms of their degree of privacy.
Cash is the most private form of money. If a payment is conducted with cash, only the two transaction parties involved know the information about the transaction, such as transaction amount and transaction parties. No third party can observe any payment-related data.
Today, the public already accepts some financial privacy invasion. Existing digital payment methods, such as debit and credit cards, bank account transfers and mobile money payments, do not have a high degree of privacy – and are growing in market share. Know-your-customer (KYC) measures are necessary to open bank accounts and, ultimately, to conduct transactions. That confidential KYC and transaction data is shared with intermediaries, such as banks, credit card companies, etc., that are involved in the transaction process.
According to a recent survey by the European Central Bank (ECB), the volume of digital payments in the European Union (EU) overtook the volume of cash payments for the first time in 2022. However, the survey also revealed that the high privacy of cash is a feature that is highly appreciated, indicating strong demand for privacy-oriented payment methods.
High privacy for payments, however, also has a general drawback. As transaction data remains private, it is more difficult for financial institutions to comply with Financial Action Task Force (FATF) anti-money laundering, countering terrorist financing and combating proliferation financing (AML/CFT/CPF) standards. By definition, transaction data would not be shared with third parties, making it challenging – and in some cases impossible – to identify the parties involved, study the origin of funds, etc.
With a view to the discussion on privacy and compliance, how private are CBDC payments? There is no general answer to this question. It ultimately depends on the CBDC design and the goals of the central bank. As mentioned, privacy is not black or white. Privacy of CBDCs will differ across jurisdictions.
The European Central Bank (ECB), for example, sees four possible forms and degrees of transaction data privacy around a potential digital euro. These privacy provisions are listed in order from little privacy to complete privacy:
- Fully transparent to the central bank: All transaction and KYC data is visible to the central bank
- Transparent to intermediaries: All transaction and KYC data is visible to intermediaries
- Privacy threshold: High degree of privacy for low-value transactions, while large-value transactions are subject to standard customer due diligence checks, typically implemented via limits built into digital wallets. The ECB has tested out non-transferrable “anonymity vouchers” that allow users to transfer a limited amount of CBDC over a defined period with a higher degree of privacy. One key question around a privacy threshold is whether end users need to trust the central bank to preserve privacy, e.g., in the sense that the central bank guarantees not to look into data for large-volume transactions or monetize data, or whether privacy is independent of the central bank, e.g., implemented via privacy-oriented cryptographic techniques, such as zero-knowledge proofs or blind signatures.
- Non-transparent to third parties: Holdings/balances and transaction amounts are not known to intermediaries and the central bank. In the most extreme case, this can mean full anonymity, where – as for cash payments today – the identity of users is not known and no KYC measures are conducted, except when onboarding.
In retail CBDC launches and pilots, the privacy threshold model seems to be the preferred compromise between guaranteeing privacy of payments and accounting for regulatory requirements. Countries like China, Nigeria and the Bahamas use such a model for their CBDCs.