CBDCs and other new forms of digital money: Goodbye privacy and anonymity?

First published by Digital Pound Foundation, written by Claire Conby

Use of physical cash is declining.  We are witnessing a growing appetite for digital alternatives,  driven not only by private sector innovation, but also by an increasing recognition from central banks and governments of the role to be played by public digital money (namely central bank digital currencies, or CBDCs) in the economy of the future. As both public and private sector research and explorations continue to delve into the design principles and attributes of these new forms of digital money, there is one topic that repeatedly raises its head as a core discussion point – and, for many, an essential feature: Privacy.

Unlike cash, digital payments are inherently capable of generating an audit trail of transactions and spending behaviour. The potential for personal information connected to this activity to be made available beyond its intended use leads to significant privacy concerns. Individual users may often prefer to keep their data – not only their personal data but also potentially sensitive or revealing spending information – anonymous. They may also have concerns around commercial data-sharing and monetisation of data, and the potential discrimination and unfair business practices that can occur as a result. 

A central bank issuing a CBDC does not have the same profit-maximisation and commercial imperatives of a private stablecoin or tokenised e-money issuer. Nevertheless, there are concerns that government access to this personal and transactional data (which would otherwise remain anonymous in the case of physical cash transactions) could result in privacy infringements for individual CBDC users. These concerns could potentially dissuade individuals from using CBDC as a digital alternative to cash, potentially pushing them towards alternative, potentially less transparent, payment mechanisms. 

It must be acknowledged that, from a government’s perspective, part of the value in implementing a CBDC lies in the ability to better manage and use data about transactions and users for more effective policy delivery. This could include, for example, protecting the integrity of the financial system by reducing financial crime through enhanced anti-money laundering measures, or improved ability to monitor the effectiveness of benefits and other interventions. Whilst the efficiency benefits are likely to be attractive, the competing concerns and interests raise the question of whether it is possible to find an equilibrium point, whether the same level of anonymity that is afforded by cash can also be achieved in the design of a CBDC (and indeed whether or not this is ultimately desirable), and whether user concerns around privacy can be balanced with government imperatives and objectives.

We should also recognise that increased access to data (and the associated perceived decrease in privacy) is by no means the sole driver of explorations into a CBDC or other new forms of digital money. The introduction of a digital currency, if well-designed, has the potential to promote innovation, enhanced efficiencies, and greater financial inclusion. It can also underpin a more resilient and competitive payment landscape. All of these can support  the central bank in fulfilling its objectives to maintain monetary and financial stability as well as supporting the UK in its transition to a digital economy. This again reinforces the point that there needs to be a balance between responding to privacy concerns, without detriment to the innovative features that digital money can deliver.

When is privacy not a choice?

Firstly, let’s consider whether individuals have a blanket entitlement to privacy, regardless of the circumstances. Most individuals would agree that privacy is a basic human right and that protections for privacy are essential in a free and democratic society. It should however be recognised that there are times when legal and regulatory obligations prevail, and when complete privacy (“anonymity”) is simply not possible. The challenge then becomes how to balance the entitlement to privacy, whilst protecting society from crime and fraudulent behaviour, which is ultimately costly to the economy (as well as taking a social toll).

When it comes to new forms of digital money, it would be impossible for all data and transactions to remain anonymous without increasing the risk of financial crime such as money laundering, terrorist financing and large-scale tax evasion. Indeed, financial institutions, amongst other regulated entities, have an obligation to ensure that their anti-money laundering and counter terrorist financing frameworks are robust. This includes the ability to identify parties to a transaction, and to monitor transactions for any signs of suspicious activity. Within this context, privacy to the point of anonymity is not fully achievable. Indeed, the UK General Data Protection Regulation (“UK GDPR”) states that processing personal data in order to fulfil a legal obligation is permitted, and does not breach data protection regulations.

When using a regulated financial service, individuals and organisations therefore need to accept that certain personal information is required to be shared. This is no different to those using commercial banking services now. In return, respecting the anti-financial crime driver for this data collection, and supported by the UK GDPR, CBDC and other digital money issuing firms will need to ensure that they incorporate an appropriate level of privacy and associated controls into the design of their digital money operating frameworks. Data collected for the purposes of identity verification and transaction monitoring should be stored within a secure database that is only accessible by those working within the financial crime teams, and of course the authorities in the event of an investigation.

If we can accept that financial institutions have a regulatory duty to identify us and to monitor our payment activity for anti-money laundering and counter terrorist financing purposes, and that it is in the interests of the UK economy and society for them to do so, it would seem sensible to focus any privacy concerns on information sharing that does not seek to protect society from crime and bad actors. 

More specifically, these privacy concerns include fears that a move from cash to a digital form of currency would enable the government and other organisations including private digital money issuers, to have a closer insight into who we are, our transactions and spending choices.  With even the most honest citizen feeling uncomfortable at this perceived intrusion into their privacy, these are perhaps more pertinent issues to consider around privacy rights and protections with respect to new forms of digital money. 

Can cash-like anonymity be achieved, without contravening anti-money laundering requirements?

Even with the strictest controls around data usage and the most robust data security framework, it may be argued that only physical cash can be guaranteed to be anonymous, as it does not come with any risk of unauthorised data exposure (i.e. because there isn’t any data record!). Emerging technologies are capable of offering enhanced levels of security that haven’t been possible in traditional systems. We will consider, in a separate paper, the extent to which new technologies are able to provide as close as possible to absolute security (and to honour privacy and anonymity). For now let’s focus on the absolute anonymity that can be achieved through physical cash, and the extent to which this could be achieved with cash-like digital products.

In the case of physical cash transactions, there is no audit trail in terms of the payer or receiver, nor any evidence of the transaction linked directly and inextricably to means of payment itself. Currently, identification and verification exemptions are permitted under the existing e-money regulations for non-cash related, e-money transactions made to purchase products or services below a certain value threshold. It may be possible to apply similar criteria to a CBDC or other new forms of digital money. This is the model being explored in Sweden, whereby the e-krona pilot allows for anonymous transactions in small amounts.

The existence of such exemptions would enable smaller transactions to be executed without identification of the payer, in the same way that is permitted today with cash. Sanctions checks would however still be required, as would transactional activity monitoring, with further information being requested should any activity be deemed to be suspicious or if there was a potential sanctions match.  In the absence of KYC checks, there would certainly be a general sense of anonymity for these lower risk transactions. This does however raise the question of whether it is actually possible to achieve complete cash-like anonymity when transacting in a digital environment that involves a financial institution, and whether it would actually be desirable to do so. The answer is most likely that full anonymity cannot be achieved at the point of onboarding (due to the sanctions checks alone) but that it could be a possibility at the transactional level.

If lower value payments could be made anonymously, the next question is how these  transactions could be separated from larger value purchases and activity? We’ll assume that the financial institution involved in provision of wallet or account infrastructure and enabling payments to be made would most likely have identified the user as their customer at onboarding. Therefore,  we are unlikely to end up in a situation where CBDCs or another new form of digital money is being held in an account or wallet issued by a financial institution that does not identify its customers. A solution that supports this differentiation of treatment for lower value transactions could reassure users that eligible transactions would not be reportable or the associated data shared.

By taking a risk-based approach, there could be some manoeuvrability around the identification of payer requirements for lower value transactions, in the same way as different thresholds are applied to different users and activity with varying risk classifications.The technology used for CBDC and new forms of digital money transactions would need to be capable of allowing for this differentiation. 

Can users control the transactional data that is made available to the government and third parties?

A number of key architecture and design questions must be addressed in order to ascertain when, where, by whom and with whom, transactional data will be collected, stored, used and shared. For example, what form will the digital money take – CBDC, synthetic CBDC or another new form of digital money such as a tokenised regulated liability or stablecoin? Who will be the entity responsible for issuing and distributing the digital money? Who will provide the wallets and accounts in which it can be stored and from which transactions can be initiated? What will the client onboarding process look like? Will any other third parties be involved?

In the case of a true CBDC, where the Bank of England is issuing and distributing its own digital currency, the Bank will determine the data that it wants to collect, either directly or via the proposed Payment Interface Provider network. Privacy considerations, as they relate to the impact of the central bank and / or government having direct access to payments and transactional data (data that is currently unavailable through the use of physical cash) then become all the more relevant and, for some, concerning.

Where commercial banks are distributing a “synthetic CBDC”, or indeed issuing their own private form of digital money, they will be able to decide the extent to which the transactional data they have access to is a commodity. Commoditisation of this data could lead to its commercialisation and onward-selling to and use by either the government or commercial organisations, such as product and service providers, opening up the potential for new revenue streams.

For non-bank issuing entities, such as Ethereum, Tether and USD Coin, data collection is not generally incorporated into their business model.  The original premise behind cryptocurrencies is anonymity and this still stands to a large extent. Contrary to these institutions, non financial firms such as Meta and Amazon can realise financial gains through gathering user and transactional data and this data collection tends to lie at the core of their business models.

This is where GDPR may come into play. Assuming that within this context there will be at least some minimal GDPR-compliant standard level to which individuals will be able to control how their data is used and who it is shared with, there may also be a demand for mechanisms by which people can object to their personal data being shared in ways that they are not comfortable with. The extent to which an issuer of digital money implements capabilities for individuals to control their data may ultimately depend on the need to incentivise uptake and adoption of the digital money issuance in question. People will ultimately have a choice between continuing to use physical cash, using other incumbent payment methods (which may be subject to similar privacy concerns) or using new forms of digital money. The level of data privacy may also influence the issuing entity selection by the customer; those most concerned about privacy may be more likely to transact with digital money through a wallet or account that is less driven by the commercial gains associated with data capture and sharing.

The opposite situation may even arise – where a preference evolves for wallet and account providers that capture, utilise or share data in order to provide more products and services, and a better user experience. Parties to certain types of transactions may come to see value in HMRC having the ability to implement logic and oversight that enables the instant calculation (and deduction) of VAT and other taxes at the point of transaction. Retailers, both physical and online, could potentially issue their own digital money, analyse consumer spending behaviours, and provide discounts for customers transacting with it. 

To some, these scenarios may be appealing. The provision of tailored marketing and analysis that then enhances the user experience and makes personal and business administration that little bit easier to manage might just steer a user towards a particular digital currency, over and above another payment method.

That said, there doesn’t necessarily need to be a situation in which people are having to choose between one privacy extreme or the other. With the right technology, it may be possible to implement a robust and diverse suite of controls that can support information sharing only as specified by the user. In this scenario, individuals would be able to control who their data is shared with, and for what purpose. Such solutions can strike a balance between realising the potential benefits and opportunities that arise from new forms of digital money, whilst giving users control over their data and privacy. 

Where do we go from here?

With an increasing focus on anti-money laundering and counter-terrorist financing, it is extremely unlikely that the opportunity will not be taken here to reduce the level of anonymity that currently exists. That said, privacy is a closely intertwined matter, and the adoption of a risk-based approach can help address privacy concerns whilst supporting regulatory objectives around prevention and detection of financial crime. 

In order for new forms of digital money, whether publicly or privately issued, to be widely accepted by the public, the potential user base must feel that their concerns are being listened to and that their privacy rights and protections have been taken into account. Establishing trust will be paramount. 

First, a secure and compliant solution with a robust information security management infrastructure must be identified. 

Beyond the technology architecture, the issuer or wallet / account provider must consider the extent to which they will support privacy and anonymity within their design. It is difficult to envisage that a fully cash-like, anonymous offering could be an option. This means that at a minimum, all individuals and organisations wishing to transact in new forms of digital money will need to provide a base level of personal information in order to be onboarded by the service provider.

Secondly, anti-money laundering due diligence requirements must be proportionate, adopting a risk-based approach, with proportionate requirements applied to the extent to which customer data and transactional activity are monitored, surveilled, and shared with authorities. This could reduce the unnecessary visibility of all transactional information.

It is clear that the potential for transactional data to be collected, utilised and shared for commercial purposes poses a major challenge to privacy. Different organisations will have differing motivations here – from the central bank, to payment interface providers, to commercial banks, to the myriad other types of issuers that might exist – some will be driven by the revenue opportunities for selling on this user data, others less so. 

Privacy may ultimately become the key determinant, for users, of the digital money in which they choose to transact – whether it’s CBDC, or a specific privately-issued digital currency that meets their privacy requirements – and the accounts / wallets in which they hold and transact with these. Some may prefer providers that offer explicit, baked-in protections for privacy; others may, in some use cases, see benefits to their data being collected and shared, and may appreciate the prospect of tailored product and service offerings. In the same way that people currently choose which financial institution to bank with, whether to pay by debit card, and whether to withdraw cash from an ATM (or, in some extreme cases, to keep all their funds in cash so that it is instantly available when needed), it will come down to consumer choice. The extent to which data and privacy are protected from a legal and regulatory standpoint, whether by GDPR or a successor to it, will play a key role in this. 

Previous
Previous

The Benefits of a True Risk-Based Approach to Digital Onboarding

Next
Next

Stabilising stablecoins: What can we learn from the collapse of TerraUSD?