The potential impact of introducing CBDC (Central Bank Digital Currency) on monetary policy is still unclear and is purely speculative, India’s central bank, Reserve Bank of India (RBI), concluded in its concept note published on October 7, 2022. The RBI observed that the CBDC project was being explored by a limited number of countries across the world, noting that it left them without a precedent.
The note also highlighted the need to respect privacy and data protection in the CBDC system. Moreover, the central bank wrote that ensuring an “appropriate degree of anonymity” in CBDC is a “political and social question” rather than a “narrow technical question”.
“Privacy and data protection is an issue that is of concern to policymakers in government and other authorities and should be considered carefully when designing CBDCs,” read the note which was reviewed by Medianama.
The RBI ruled out “truly anonymous payments” citing the need to be compliant with money laundering regulations but it added that the system can still offer control to users over how their data is shared and protect their privacy.
Why it matters: The concept note elaborates on the direction of RBI’s position on CBDC and how it plans to introduce CBDC in the country. It sheds light on aspects like potential design features, implications on various policy issues, and the possible requirements of a technology platform.
RBI’s stance on policy implications
Privacy and Data Protection
The RBI took note of the discussions around CBDC which suggest that the digital rupee should offer the same degree of anonymity as cash because it is being touted as its equivalent. It clarified that anonymity is in the nature of that payment method, stating that an “in-person cash payment provides an anonymous means of payment”.
Defining privacy practices: The concept note stated that it is “essential” to have defined privacy principles and data subjects' rights, given that customer-related data is collected by the central bank when it issues CBDC. Furthermore, it said that it is imperative to prioritise the “best interests” of citizens, which is why only the personally identifiable data that is necessary must be collected. It also stressed the need to subject the data to purpose limitation.
Preserving data security: The note said that the bank can refer to some of the “most-used risk and security frameworks, guidance, and standards” while conceiving its CBDC project. “RBI may refer to CPMI-IOSCO Principles for Financial Market Infrastructures particularly,” read the note, adding that it looks to seek guidance on managing operational risk, which includes information security risk.
- This is important because the note said that data generated from CBDC platforms can assist in evidence-based policy making. It suggests that the RBI will be okay with providing the data to companies for analytics, as it acknowledged the richness of the data. It also plans to use this data to enforce AML regulations.
An in-depth look at security considerations
The note raised the issue of cyber-attacks given that current payment systems are also exposed to them. It added that digital-payment related frauds may spread to CBDCs in countries with low financial literacy levels.
Here are some of the guidelines laid down in the note:
- Security will be the prime concern in the CBDC’s design
- An enhanced risk management framework for users with privileged roles within the CBDC network
- Rigorous testing of the user interface to prevent exploitation of any vulnerabilities.
- No single point of failure: The system must not have any single point of failure, so that a breach in one segment does not affect other segments.
- Cryptography & Quantum Resistance: The note promoted the use of cryptography for a safe design but cautioned that quantum resistance must be kept in mind.
- Recall feature: The RBI said that it should be possible to recall hacked tokens on an instant basis or release new security features digitally.
- Recoverability: A CBDC system will have to factor in swift recoverability in case of a breach, the note said. It added that the system should be built to minimise the adverse impact on production systems and business processes.
“CBDC requires a legal framework that clarifies whether the central bank has the mandate to issue CBDC and what status it would have legally,” read the note, adding that potential amendments will need to be made to existing laws before CBDC goes mainstream.
The RBI said that existing legal frameworks were enacted in a pre-digital age so it is important to ascertain whether law reform is necessary for the central bank to have legal backing for its actions. It also added that the monetary law of the country needs to be changed on issues such as the right of issuance of CBDC, legal tender status, and criminal law protection from counterfeits, etc.
- What will the framework depend on: The legal considerations for issuing CBDC will be dependent on final operational and technological design features, as per the RBI.
- The central bank also added that different forms of issuance will carry different legal significance:
- Account-based CBDC: It means that each CBDC account will be verified at the time of creation and payments will be facilitated then. The note explained that if central banks decide to issue CBDCs in account form, legal amendments will be required to allow them to open accounts for the public, because central banks can open bank accounts only with certain restrictions as to who can hold an account with them.
- Token-based CBDC: A token-based CBDC system would involve a type of digital token issued by and representing a claim on the central bank. The note elaborated that the central banks will need to have the power to issue currency in general rather than limiting their powers to only banknotes and coins.
Anti-money laundering (AML)/ Combating Financing of Terrorism (CFT) perspective
The note said that central banks will be expected to design CBDCs that “conform” to the AML/CFT requirements.
- It called for the CBDC framework to address the following aspects:
- Responsibility for customer due diligence (CDD) needs to be delineated in the framework clearly
- Maintain integrity by embedding a mechanism for identifying and monitoring transactions, as per the threshold limit applicable for cash, in the CBDC’s design
Handled by banks: The note suggested that commercial banks can handle responsibilities of keeping an eye out for suspicious activity. It added that opening and maintenance of CBDC accounts with commercial banks will not require any change in the present guidelines. It will prevent banks from holding granular personal data on any user, thereby reducing privacy concerns without compromising on due diligence.
“This means that the identity of CBDC users would need to be known to at least some authority or institution in the wider CBDC network who can validate the legitimacy of their transaction,” read the note.
Risk of bank runs: The note stated that potential demand for CBDC is “highly uncertain”. It said that it could result in faster bank runs during financial crises. It also added that financial disintermediation, the process of cutting out middlemen, could lead banks to rely on expensive and less stable sources of funding.
- Understanding disintermediation: When the note talks of disintermediation, it is referring to a potential scenario in which CBDCs yield interest, which can result in a loss of deposits by banks, affecting their credit creation capacity in the economy. That is why the central bank may be leaning towards offering CBDCs which do not bear interest.
Preventive measures: The note said that a central bank can consider measures such as access criteria for permitted users, limits on individuals’ CBDC holdings or transactions, and particular choices around CBDC remuneration to address some of the concerns.
The concept note acknowledged that there may be times when users have little or no access to network connectivity, especially in India. That is why a CBDC system will need offline capabilities.
Guarding against double-spending: The note shed light on the risk of double-spending because it will be possible to use a CBDC unit more than once without updating the common ledger of the CBDC. However, it added that it can be addressed by technical solutions and appropriate business rules including a monetary limit on offline transactions.
What can be done: The note recommended that wallets should be able to independently verify the authenticity of any CBDC transaction, without communicating with the server during the transaction.
- It is also essential to devise uniform standards and protocols for the offline exchange of CBDC, as per the note.
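The offline double-spending risk and the monetary limit described above, as an added illustration that is not part of the RBI note or this article: the wallet and ledger classes, the token serials and the 2000 cap are all assumptions. It shows the ledger catching a reused or unknown token only at reconciliation and the cap bounding how much a wallet can spend before syncing; it does not implement the offline authenticity check itself.

```python
import copy
OFFLINE_LIMIT = 2000  # assumed cap on value spent before the wallet must sync

class OfflineWallet:  # hypothetical wallet model, not the RBI's design
    def __init__(self, owner, tokens):
        self.owner, self.spent_offline = owner, 0
        self.tokens = dict(tokens)    # serial -> value, loaded while online

    def pay(self, serial, payee):
        """Spend one token offline, refusing once the cap would be exceeded."""
        value = self.tokens[serial]
        if self.spent_offline + value > OFFLINE_LIMIT:
            raise ValueError("offline limit reached; sync with the ledger first")
        del self.tokens[serial]       # an honest wallet forgets a spent token
        self.spent_offline += value
        return {"serial": serial, "value": value,
                "payer": self.owner, "payee": payee}

class Ledger:  # hypothetical common ledger, updated only when wallets sync
    def __init__(self, issued):
        self.unspent = dict(issued)   # serial -> value
        self.settled = {}             # serial -> first record accepted

    def reconcile(self, records):
        """Settle offline records in arrival order; flag reuse of a serial."""
        accepted, rejected = [], []
        for rec in records:
            if rec["serial"] in self.settled:
                rejected.append((rec, "double-spend"))
            elif self.unspent.get(rec["serial"]) != rec["value"]:
                rejected.append((rec, "unknown token"))
            else:
                self.settled[rec["serial"]] = rec
                del self.unspent[rec["serial"]]
                accepted.append(rec)
        return accepted, rejected

def demo():
    issued = {"T1": 500, "T2": 500, "T3": 2000}   # constructed sample tokens
    ledger, wallet = Ledger(issued), OfflineWallet("alice", issued)
    stale = copy.deepcopy(wallet)     # wallet state restored from a backup
    first = wallet.pay("T1", "shop-a")
    second = stale.pay("T1", "shop-b")  # ledger has not seen the first spend
    try:
        wallet.pay("T3", "shop-a")    # 500 + 2000 would exceed the cap
        capped = False
    except ValueError:
        capped = True
    return capped, ledger.reconcile([first, second])
```

Because each payment record names the payer, the rejected record also identifies which wallet state produced the second spend.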
Consumer Protection and Grievance Handling
The note pointed out that CBDC’s digital nature is likely to give rise to consumer protection issues which will need to be mitigated.
“The customer protection framework…must consider variations in the digital literacy of consumers and ways to increase consumer understanding and transparency so that an informed choice is made by them,” read the note.
The note predicted that the adoption of CBDC is likely to give rise to several complaints, due to which the resolution of customer grievances will play a key role in facilitating adoption of CBDC by the public. It called for a “robust and efficient” grievance redressal mechanism.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.