Summary of RBI Concept Note on Central Bank Digital Currency (07/10/2022)

Chapter 4 Design Consideration for CBDC

4.1 In the October 2020 report12, the BIS, in collaboration with several leading central banks, outlined the core features and foundational principles of a CBDC. In formulating its foundational principles, BIS (2020) followed a risk-based approach. It highlighted the need to identify all potential risks associated with issuing a CBDC, particularly those that threaten financial stability or negatively impact financial market structures. BIS, thus outlined three important foundational principles for central banks to consider in issuing a CBDC:

(i) It should not interfere with public policy objectives or prevent banks from performing their monetary stability mandate (a “do no harm” principle).

(ii) It should be used alongside and complement existing forms of money (the coexistence principle).

(iii) It should promote innovation and competition to increase the overall efficiency and accessibility of the payment system (the innovation and efficiency principle).

4.2 Considering the above principles, the design choices considered for issuing CBDCs are driven mainly by domestic circumstances. There will be no “one size fits all” approach to CBDC. A well-functioning CBDC will require an extremely resilient and secure infrastructure that can be scalable to support users on a massive scale. The design of CBDC is dependent on the functions it is expected to perform, and the design determines its implications for payment systems, monetary policy as well as the structure and stability of the financial system. Given that designs and systems will differ by jurisdictions, so will the risk, which will require significant research by a central bank before implementation. A central bank should have robust means to mitigate any risks to financial stability before any CBDC is issued.

4.3 The key considerations that need to be borne in mind while making a design choice are discussed below. The committee recommended the followings in respect to these issues:

4.3.1 Types of CBDC

Based on the usage and the functions performed by the CBDC and considering the different levels of accessibility, CBDC can be demarcated into two broad types viz. general purpose (retail) (CBDC-R) and wholesale (CBDC-W).

CBDC-R is potentially available for use by all private sector, non-financial consumers and businesses. In contrast, wholesale CBDCs are designed for restricted access by financial institutions. CBDC-W could be used for improving the efficiency of interbank payments or securities settlement, as seen in Project Jasper (Canada) and Ubin (Singapore). Central banks interested in addressing financial inclusion are expected to consider issuing CBDC-R.

Further, CBDC–W has the potential to transform the settlement systems for financial transactions undertaken by banks in the G-Sec Segment, Inter-bank market and capital market more efficient and secure in terms of operational costsCosts Subject to any written law, costs are at the discretion of the Court, and the Court has the power to determine all issues relating to the costs of or incidental to all proceedings, including by whom and to what extent the costs are to be paid, at any stage of the proceedings or after the conclusion of the proceedings. Generally “Costs” includes charges, disbursements, expenses, fees, and remuneration. Costs in any matter are payable from the date of the order of the Court unless the parties otherwise agree. The costs of a third-party funding contract are not recoverable as part of the costs of, or costs., use of collateral and liquiditymanagement. Further, this would also provide coincident benefits such as avoidance of settlement guarantee infrastructure or the need for collateral to mitigate settlement risk.

According to a BIS report13, wholesale CBDCs are intended for the settlement of interbank transfers and related wholesale transactions. They serve the same purpose as reserves held at the central bank but with additional functionality. One example is the conditionality of payments, whereby a payment only settles if certain conditions are met. This could encompass a broad variety of conditional payment instructions, going far beyond today’s delivery-versus-payment mechanism in real-timeTime Where any expression of it occurs in any Rules, or any judgment, order or direction, and whenever the doing or not doing of anything at a certain time of the day or night or during a certain part of the day or night has an effect in law, that time is, unless it is otherwise specifically stated, held to be standard time as used in a particular country or state. (In Physics, time and Space never exist actually-“quantum entanglement”) gross settlement (RTGS) systems. In effect, wholesale CBDCs could make central bank money programmable, to support automation and mitigate risks. Further, wholesale CBDCs would be implemented on new technology stacks. This clean-slate approach would let wholesale CBDC systems to be designed with international standards in mind to support interoperability.

CBDC-W could also be explored for the following:

Wholesale market for asset classes which are OTC and bilaterally or settled outside CCP arrangements- CPs, CDs, etc.

Access to retail for buying assets such as G-secs, CPs/CDs, primary auctions etc bypassing the bank account route

In case of g-secs, if assets are also tokenised, this could be extended to non-residents to investment in domestic asset classes.

The adoption will depend on exchanges and trading infrastructure being upgraded and CBDC-W to be integrated with RTGS. The adoption will also depend on whether the cost of CBDC-W settlement less than the cost of existing settlements including liquidity savings, guaranteed, margin funding etc.

CBDC-R is an electronic version of cash primarily meant for retail consumption. IndiaIndia Bharat Varsha (Jambu Dvipa) is the name of this land mass. The people of this land are Sanatan Dharmin and they always defeated invaders. Indra (10000 yrs) was the oldest deified King of this land. Manu's jurisprudence enlitened this land. Vedas have been the civilizational literature of this land. Guiding principles of this land are : सत्यं वद । धर्मं चर । स्वाध्यायान्मा प्रमदः । Read more is already having a sound payment system with a different array of payment products ranging from RTGS, NEFT to UPI etc. coupled with an exponential increase in digital transactions. The introduction of CBDC-R will provide a safe, central bank instrument with direct access to the Central bank money for payment and settlement. It is also argued that it could also reinforce the resilience of a country’s retail payment systems. CBDC can provide an alternative medium of making digital payments in case of operational and/or technical problems leading to disruption in other payment system infrastructures. CBDC could reduce the concentration of liquidity and credit risk in payment systems (Dyson and Hodgson (2016)).

Looking at the different advantages of CBDC-W and CBDC-R, there may be merit in introducing both CBDC-W and CBDC-R.

4.3.2 Role of Central Bank and Other Entities: Who administers the CBDC

A key question in the design of a CBDC would be the respective roles of the central bank and the private sector in facilitating access to and use of a CBDC. There are three models for issuance and management of CBDCs across the globe. The key differences lie in the structure of legal claims and the record kept by the central bank.

A) Single Tier model – This model is also known as “Direct CBDC Model”. A Direct CBDC system would be one where the central bank is responsible for managing all aspects of the CBDC system including issuance, account-keeping, transaction verification et. al. In this model, the central bank operates the retail ledger and therefore the central bank server is involved in all payments. In this model, the CBDC represents a direct claimA Claim A claim is “factually unsustainable” where it could be said with confidence before trial that the factual basis for the claim is entirely without substance, which can be the case if it were clear beyond question that the facts pleaded are contradicted by all the documents or other material on which it is based. on the central bank, which keeps a record of all balances and updates it with every transaction. It provides an advantage of a very resilient system as the central bank has complete knowledge of retail account balances which allows it to honour claims with ease since all the information needed for verification is readily available. The major disadvantage of this model is that it marginalises private sector involvement and hinders innovation in the payment system. This model is designed for disintermediation where central bank interacts directly with the end customers. This model has the potential to disrupt the current financial system and will put additional burden on the central banks in terms of managing customer on-boarding, KYC and AML checks, which may prove difficult and costly to the central bank.

B) Two-Tier Model (Intermediate model) The inefficiency associated with the Single tier model demands that CBDCs are designed as part of a two-tier system, where the central bank and other service providers, each play their respective role. There are two models under the intermediate architecture viz. Indirect model and Hybrid Model.

Indirect Model – In the “indirect CBDC” model, consumers would hold their CBDC in an account/ wallet with a bank, or service provider. The obligation to provide CBDC on demand would fall on the intermediary rather than the central bank. The central bank would track only the wholesale CBDC balances of the intermediaries. The central bank must ensure that the wholesale CBDC balances is identical with all the retail balances available with the retail customers.

Hybrid Model – In the Hybrid model, a direct claim on the central bank is combined with a private sector messaging layer. The central bank will issue CBDC to other entities which shall make those entities then responsible for all customer-associated activities. Under this model, commercial intermediaries (payment service providers) provide retail services to end users, but the central bank retains a ledger of retail transactions.

This architecture runs on two engines: intermediaries handle retail payments, but the CBDC is a direct claim on the central bank, which also keeps a central ledger of all transactions and operates a backup technical infrastructure allowing it to restart the payment system if intermediaries run into insolvency or technical outages.

Comparison of three models

Aspect	Direct	Indirect	Hybrid
Liability	Central Bank	Central Bank	Central Bank
Issuer	Central Bank	Central Bank issues and intermediaries distribute it	Central Bank Issues and Intermediaries distribute it for retail use
Operations	Central Bank	Intermediaries	Intermediaries
Ledger	Central Bank	Intermediaries	Intermediaries as well as Central Bank
Settlement Finality	Yes	No	Yes
(Figure 8: Source: RBI Internal)

Considering the meritsMerits Strict legal rights of the parties; a decision “on the merits” is one that reaches the right(s) of a party as distinguished from a disposition of the case on a ground not reaching the rights raised in the action; for example, in a criminal case double jeopardy does not apply if charges are nolle prossed before trial commences, and in a civil action res judicata does not apply if a previous action was dismissed on a preliminary motion raising a technicality such as improper service of process. of different models, the Indirect system may be the most suitable architecture for introduction of CBDC in India.

As per the RBI Act, 1934, the Reserve Bank has the sole right to issue bank notes, which has now been amended to include currency in digital form also. Therefore, in this model, RBI will create and issue tokens to authorised entities called Token Service Providers (TSPs) who in turn will distribute these to end-users who take part in retail transactions. The rationale behind the same are as given below:

(i) In the entire supply chain, there are a wide range of customer-facing activities where the central bank is unlikely to have a comparative and competitive advantage as compared to banks, especially in an environment where technology is changing rapidly, which inter-alia includes distribution of CBDCs to public, account-keeping services, customer verification such as KYC and adherence to AML/CFT checks, transaction verification, etc.

(ii) Banks and other such entities have the expertise and experience to provide these services.

(iii) These entities can provide their customers with the ability to transact in and out of CBDC and thus can enrich the customer experience and may facilitate wider adoption of CBDCs.

4.3.3 Instrument Design – Should CBDCs bear interest?

The economic design of CBDC could depend on the purpose of the CBDC and the technologies and entities involved. For example, most discussions around retail CBDC envisage it being introduced primarily as a method of payment like cash, with the presumptionPresumption An inference of the truth or falsehood of a proposition or fact that stands until rebutted by evidence to the contrary. that it would not bear interest.

Remunerated CBDC

The payment of (positive) interest would likely to enhance the attractiveness of an instrument that also serves as a store of value. Some proponents support interest bearing CBDCs as it could improve the effectiveness of monetary policy by shifting the transmission leg from overnight money market rate to directly deposit rate (or CBDC as a substitute of deposits), strengthening the pass-through of the central bank’s policy rate to the broader structure of interest rates in the financial system. But, designing a CBDC that moves away from cash-like attributes to a “deposit-like” CBDC could lead to a massive disintermediation in the financial system resulting from loss of deposits by banks, impeding their credit creation capacity in the economy. Further, in such a scenario, banks may be compelled to increase deposit rates, thus increasing their costs of funding and a decrease in Net Interest Income. As a response to this, banks could be motivated to pass on these additional costs to borrowers or resort to engage in riskier activities in search of higher returns. Moreover, banks would need to maintain additional liquidity buffers to support CBDC demand, as access to large central bank and money market liquidity would need to be backed by eligible collaterals. One possible way to mitigate the risk of disintermediation is to impose a cap or limit on individual holdings but these features will reduce the attractiveness and wide acceptability of CBDCs along with adding complexities to the CBDC system.

Non – remunerated CBDC

If a CBDC is designed to be non-interest bearing, the public would have less incentive to switch from holding bank deposits to CBDC, and the effect of banking disintermediation would then be limited. The Bahamas and China currently do not pay interest on CBDC holdings. In both the cases, the reason is to limit CBDC competing with bank deposits. If there is no interest, CBDC can still be attractive as a medium of payment, even while its attractiveness as a store of value (savings instrument) diminishes. Further, a non- interest bearing CBDCs can avoid a major disruption to banking services and a possible disintermediation of banks. However, there is still a concern expressed in some quarters that there could be a possibility of shifting of some of the current accounts maintained by corporates and business entities with banks in favour of CBDC to gain access to central bank money. We believe that the current account is a relationship based and their association with banks is a function of multiple services offered to them and thus it is anticipated that scale of bank intermediation will be low for such deposits.

In a nutshell, the economic design of a CBDC should be least disruptive to the existing financial system. Moreover, CBDCs are electronic form of sovereign currency and should imbibe all the possible features of currency. Since, physical cash does not carry any interest it would be logical to offer Non-Interest bearing CBDCs. Banks would restrain themselves from distributing CBDCs if they find it as a threat to their bank deposits which can hamper credit flows and adoption of CBDCs. Further, to begin with, many jurisdictions have opted to limit the holdings of CBDCs available to the public for transactional purposes (in wallets) to put a cap on the scale of disintermediation, as it is expected to be least disruptive.

Trade-off: A more effective CBDC vs more dynamic monetary policy transmissionAlthough a non- interest bearing CBDCs can avoid major disruption to banking services and a possible disintermediation of banks, the trade off with this consideration is that a non- interest bearing CBDC may not improve the monetary policy transmission in India. The trade-off challenge for policy resulting from interest bearing CBDC is between improved interest rate transmission and a clogged credit market resulting from financial disintermediation. Since the interest rate channel of transmission must operate by influencing the credit conditions and financial flows to the productive sectors of the economy, and non-interest bearing CBDC will not hamper the existing transmission dynamics, avoiding any scope for financial disintermediation should be the prime objective while dealing with this trade-off.This can be achieved by setting a conversion limit between deposits or cash to CBDC or paying no interest or lower interest rates on CBDC relative to bank deposits.

4.3.4 Account-based or token-based?

CBDC can be structured as ‘token’ or ‘account’ based or a combination of both.

Token vs Account

(i) A token-based CBDC system would involve a type of digital token issued by and representing a claimA Claim A claim is “factually unsustainable” where it could be said with confidence before trial that the factual basis for the claim is entirely without substance, which can be the case if it were clear beyond question that the facts pleaded are contradicted by all the documents or other material on which it is based. on the central bank and would effectively function as the digital equivalent of a banknote that could be transferred electronically from one holder to another. A token CBDC is a “bearer-instrument” like banknotes, meaning that whoever ‘holds’ the tokens at a given point in time would be presumed to own them. In contrast, an account-based system would require the keeping of a record of balances and transactions of all holders of the CBDC and indicate the ownership of the monetary balances.

(ii) Another difference between tokens and accounts is in their verification: a person receiving a token will verify that his ownership of the token is genuine, whereas an intermediary verifies the identity of an account holder. Transactions in account-based system would involve transferring CBDC balances from one account to another and would depend on the ability to verify that a payer had the authority to use the account and that they had a sufficient balance in their account. Transactions in token-based CBDC might only depend on the ability to verify the authenticity of the token (to avoid counterfeits just as in the case of a paper currency) rather than establishing the account holder’s identity.

(iii) In an account-based CBDC system, during the initial creation of each CBDC account, the identity of the account holder would need to be verified and from that point onward, payment transactions could be conducted rapidly and securely. By contrast, in a token-based system, the entire chain of ownership of every token must be stored in an encrypted ledger. In case of tokens on distributed ledger, new payment transactions are collected into blocks that must be verified before being added permanently to the ledger.

The CBDC-W may be issued in account-based form, as legally, it attempts to offer instant settlement and their legal status is well understood and established. Moreover, the use case of CBDC-W warrants them to be account based to facilitate the transactions.

CBDC-R is mainly devised for consumption of common public with features akin to physical cash viz. anonymous, unique serial number etc. A token-based system would ensure universal access – as anybody can obtain a digital signature – and it would offer good privacy by default. Moreover, the token generated will have a unique token number which will enable the detection of counterfeiting of tokens and potentially also the restoration of value if an individual loses the device. Under a token-based CBDC-R regime, users would be able to withdraw digital tokens from banks in the same way they can withdraw physical cash. They would maintain their digital tokens in a wallet and could spend them online or in person or transfer them via an app. The token based CBDC also supports innovation with an ability to include programmable feature that supports efficiency such as standardisation of compliance rules, fraud detection, wrapped CBDC to other use cases in future. Further, token-based CBDC-R can be used to accomplish financial inclusion goals.

4.3.5 Anonymity – What degree of privacy would apply and who could hold CBDC?

For CBDC to substitute currency as a medium of exchange, it needs to incorporate all the features that physical currency represents – anonymity (that currency transactions can be carried out without maintaining evidenceEvidence All the means by which a matter of fact, the truth of which is submitted for investigation, is established or disproved. Bharatiya Sakshya (Second) Adhiniyam 2023 of transacting parties), universality (that currency can be used for any transaction) and finality (that payment of currency unconditionally settles the transaction). Ensuring anonymity for a digital currency particularly represents a challenge, as all digital transactions leave a trail. Clearly, the degree of anonymity would be a key design decision for any CBDC and there has been significant debate on this issue. Most central banks and other observers have, however, noted that the potential for anonymous digital currency to facilitate shadow-economy and illegal transactions, makes it highly unlikely that any CBDC would be designed to fully match the levels of anonymity and privacy currently available with physical cash. An intermediate degree of privacy may be thought of and can also be possible. For example, the European Central Bank (2019) has experimented with the concept of a CBDC with elements of programmable money, by which individuals could be allotted a certain amount of ‘anonymity vouchers’ that could be used for small transactions, with larger transactions still visible to financial intermediaries and the authorities, including those responsible for AML and CFT.

Trade-off: Anonymity vs AML/CFT complianceAnonymity is one of the key traits of cash, and the rise of digital payments threatens the lawful or legitimate preference for anonymity as they leave digital trails. The anonymity will expand the user base for CBDC and will increase its acceptability and usage, but it is seen as a potential risk in the digital ecosystem. Anonymity can also be used for illicit purposes and can undermine AML/CFT measures. Anonymity, therefore, poses a policy trade-off—the more anonymous, the larger the risk for illicit use.Considering the potential risks associated with privacy and anonymity, the idea of complete anonymity in digital world is a misnomer. To what extent a Central Bank should allow spending in digital currency to be anonymous is an open question. However, the principle of Managed Anonymity may be followed i.e., “anonymity for small value and traceable for high value,” akin to anonymity associated with physical cash. The importance of protecting personal information and data privacy needs to be considered to foster usability and wider adoption.

4.4 Fixed Denomination vs minimum Value based CBDCs

A token based CBDC may be issued either with minimum value or fixed denominations akin to existing physical currency denominations. The usage of minimum value of token may result in higher volume and, thus, lead to increase in processing time and performance issues. Further, the physical appearance (touch and feel) of cash in India imparts trust to public to undertake cash transactions. The introduction of CBDC with fixed Denomination as in physical currencies in denominations of Rs. 500, 100, 50 etc., shall facilitate in building the same level of trust and experience among public albeit in digital form. This similarity with existing currency is expected to induce wider acceptance and adoption of CBDC. Moreover, the fixed denomination CBDC shall facilitate transactions by way of exchange management of tokens in permissible legal tender of the country with help of TSPs. Therefore, introduction of fixed denomination CBDC is presently considered as preferable taking into account the Indian scenario.

4.5 Summary of Design Features

The table below summarises the design features under consideration or deployed by the six central banks.

	Carry Interest or Not	Quantitative Restrictions	Anonymity	Offline	Cross-Border Payments
Bahamas	No	Yes	For lower tier	Yes/exploring	Future project
Canada	Undecided	Undecided	Undecided	Exploring	International collaboration
China	No	Yes	For lower tier	Yes	Experimenting/international collaboration
ECCU	No	Yes	For lower tier	No	Future project
Sweden	Undecided	Exploring	Undecided	Exploring	International collaboration
Uruguay	No	Yes	Yes, but traceble	No	Possible future project
(Figure:10, Source: IMF FinTech Notes (February 2022))

4.6 Preferred Design Choices: snapshot

Chapter 5: Technology Considerations for CBDC

5.1 CBDC being digital in nature, technology considerations shall always remain at its core. Technology is what will constitute any CBDC and technology is what will translate the abstract policy objectives to concrete forms. Having discussed the motivations and possible implications of CBDC, it is apt to deliberate on the technology considerations of the digital currency. While the “Why” has been discussed in previous chapters, the current chapter will focus on “How”.

The technical principle underlying the deployment of CBDC to achieve the intended objectives may include:

1. Strong cybersecurity, technical stability and resilience.
2. Sound technical governance

The first and fundamental question that needs to be answered is the choice of technology platform. The platform can either be a distributed ledger or a centralised system. In addition to platform choices, other technical considerations shall flow from the policy imperatives. For example, if one of the motivations behind introduction of CBDC is financial inclusion, it should support offline capability. Further, the security aspects of CBDC shall also determine its resilience and will be necessary for robust, secured implementation. The business continuity planning will also need to be embedded in the technology architecture. In the end, the environment and energy intensiveness concerns shall also need to be factored while designing the technology choices.

5.2 Choice of Technology Platform

5.2.1 Platform features

CBDC should be developed in India as a large-scale enterprise-class digital platform which may have the following features:

• Highly scalable to support very high volume and rate of transactions without performance degradation.
• Robust to ensure stability of financial ecosystem
• Tamper-proof access control protocols and Cryptography for safety of data, both CBDC and transactional data
• Cross platform support, to allow development of large variety of client applications using CBDC for financial services
• Ability to integrate with other IT platforms in the financial ecosystem must be at the core of platform design
• Configurable workflows for quick implementation of policy level directives issued by RBI from time to time
• Comprehensive administration, reporting, and data analytics utilities
• Highly evolved fraud monitoring framework to prevent occurrence of financial frauds

5.2.2 Technology Architecture Options

5.2.2.1 Large scale digital platforms using traditional client-server architecture have been successfully implemented across the world in the banking, retail, health, and other sectors. These platforms provide all the platform features described in the earlier paragraphs but in the case of CBDC, careful planning is required on account of following key requirements:

a) Zero downtime, to keep the economy functioning

b) Zero frauds, to prevent destabilization of the economy

c) Decentralization, for effective participation of the ecosystem

d) Need for confidentiality, authentication, data integrity, and non-repudiation

e) High volume and rate of Transactions, will be a key requirement of the ecosystem partners to avoid choking of the CBDC platform resulting in delays in completing financial transactions

f) Design for unpredictable workloads, the platform must handle both lean and peak load periods in a cost-effective manner.

g) Zero loss due to Distributed Denial of Service (DDoS) and other brute cyberattacks

h) Mission Critical approach, to meet all the above key requirements

5.2.2.2 DLT or non-DLT

The infrastructure selected for implementing CBDC could be based on a conventional centrally controlled database, or on a distributed ledger. Conventional and Distributed Ledger Technology (DLT)-based infrastructures often store data multiple times and in separate physical locations. However, the key difference between conventional and DLT based infrastructure lies in how data is updated. In conventional databases, resilience is ensured by storing data over multiple physical nodes, which are controlled by one authoritative central entity, i.e., the top node of the hierarchy. On the other hand, in DLT-based systems, the ledger is usually managed jointly by multiple entities in a decentralised manner and each update needs to be harmonised amongst the nodes of all entities without the requirement of a top node. This consensus mechanism requires additional overhead which is the primary reason why DLTs enables lower transactions than conventional architectures. Given the above, DLT at this point of time, is not considered suitable technology except in very small jurisdictions, given the probable low volume of data throughput. However, DLT could be considered for the indirect or hybrid CBDC architecture. Further, it may also be possible that some layers of the CBDC tech stack can be on centralized system and remaining on distributed networks. The choice of tech architecture shall also factor in the resource intensiveness and energy efficiency associated with the solutions.

5.3 Scalability

It is expected that every CBDC project will start with a limited scale pilot and would subsequently be scaled up at population scale. Despite being a limited pilot, it will always be essential that the system should be designed so that it can be extended in the future and used in production or large-scale deployments. To begin with, the system should be able to accommodate the likely volume of transactions (Billions per day) involved in a large-scale deployment. The architecture should not be redesigned or reworked to achieve this. Additionally, the system should be designed so that it can be expanded in the future without needing to be redesigned or reworked.

5.4 Trusted Environment

It is essential that entire lifecycle of CBDC should be within an end-to-end trusted environment. It can be achieved by ensuring that Double-spend and malicious token creation or manipulation is avoided, monitored and checked regularly. It also needs to be confirmed that data is shared only with the relevant parties and does not need to be shared across the whole network (distributed or otherwise) for verification. Further, systemic checks through third party validation should ensure that in case of a token system, only such tokens issued by the Central bank are circulating in the ecosystem. Additionally, a competent party should be able to verify identity information before a participant is allowed to join the CBDC network.

Policy related Tech Considerations

5.5 Recoverability

In case of account-based models, the issue of recoverability does not arise as the identity of user shall always be available where the account is held. In the case of token-based models, based on whether CBDCs will be recoverable or not, the system can support two types of wallets based on User Consent:

• Custodian Model – Token’ service provider (TSP) is responsible for managing the keys of wallet holding tokens on behalf of user. In this model, wallet is recoverable with same public address, Wallet Pin and Tokens held by user. Since the user details are held in custody by the service provider, the security of the tokens shall be dependent on the robustness of security protocols of the TSP. While dependency on external entity shall allow recoverability, it may also compromise with anonymity as the service provider shall always have visibility over the token movements in and out of the wallet.
• User Held Model – The responsibility of key holding is with User and its device. Wallet is not recoverable in case of loss of user held device.

5.6 Offline Functionality

Digital payments traditionally rely on online communications with several intermediaries such as banks, payment networks, and payment processors to authorise and process payment transactions. While these communication networks are designed to be highly available with continuous uptime, there may be times when CBDC users will experience little or no access to network connectivity.

In India out of the 1.4 billion (143.3 crores) population, 825 million people have internet access. This means many Indians will not be able to use CBDCs due to connectivity unavailability. To ensure widespread use of CBDC, offline capabilities need to be incorporated.

The Bank of Japan (BoJ) has published a research paper exploring the potential offline use of a digital yen using central bank digital currency (CBDC). Some of the solutions examined in the paper include using a chip (IC) on a SIM card but with a feature phone rather than a smartphone. The paper concludes that these solutions may not be very user friendly. BoJ also explored the potential use of PASMO/Suica cards, which are used for railway and transport ticket passes as well as electronic money.

Visa has also proposed an Offline Payment System (OPS). The protocol outlined by Visa allows CBDCs to be directly downloaded onto a personal device, such as a smartphone or tablet. The money is stored on a secure hardware embedded in that device and managed by a wallet provider. The CBDC can be transacted from one device to another device directly without any intermediaries such as banks, payment networks, or payment processors using Bluetooth and Near Field Communication. However, Visa’s solution does not account for double spending of tokens.

In offline mode, the risk of “double-spending” will exist because it will be technically possible to use a CBDC unit more than once without updating the common ledger of CBDC, however, the same can be mitigated to a larger extent by technical solutions and appropriate business rules including monetary limit on offline transactions.

The use of offline transactions would be beneficial in remote locations and offer availability and resilience benefits when electrical power or mobile network is not available. For offline transactions, the wallets must be able to independently verify the authenticity of any CBDC transaction without communicating with the server during the transactions. It may be highlighted that even in the case of offline transactions, there would still be a periodic need for power and network connectivity to reload or redeem CBDC balances or to synchronize the local wallet balances with central servers.

It is thus desirable that CBDC should have offline capabilities, without which it will not prove to be an attractive and accessible medium of payment for a wide category of users.

It is essential to devise uniform standards and protocols for the offline exchange of CBDC. To make sure that these standards and protocols are robust and future ready, it is necessary to have extensive industry consultation.

5.7 Programmability

One interesting application of CBDC is the technical possibility of programmability. CBDCs have the possibility of programming the money by tying the end use. For example, agriculture credit by banks can be programmed to ensure that is used only at input store outlets. Similarly, for MSMEs etc., that may take care of the issue of diversion of funds and further financial inclusion. This may help in ensuring the end-use which banks have to continuously grapple with across the globe. However, the programmability feature of CBDC needs to be carefully examined in order to retain the essential features of a currency. It can also have other implications for monetary policy transmission as tokens may have an expiry date, by which they would need to be spent, thus ensuring consumption. The programmability of tokens can be achieved using the following:

• Smart contracts: Business rules are stored as code that is executed during transactions to verify that the token is being used correctly.
• Token version: The version of the token can be tightly linked to the technical code class. The alternative is that the version is stored as a token data field.

5.8 Integration with existing Payment Systems and interoperability: Domestic and Cross-Border

India is leading the world in terms of digital payments innovations. Its payment systems are available 24X7, available to both retail and wholesale customers, they are largely real-time, and the cost of transaction is perhaps the lowest in the world.

An Indian CBDC should be able to utilise the current payments infrastructure like UPI, digital wallets like Paytm, Gpay etc. Interoperability between payment systems contributes to achieving adoption, co-existence, innovation, and efficiency for end users. It would be key to integrate a CBDC into the broader payments landscape of India which would possibly help drive end user adoption (both for the public and merchants). This will obviate the need for the creation of a parallel acceptance infrastructure. RBI would have options in how it plans to achieve interoperability, from the use of established messaging, data, and other technical standards to building technical interfaces to communicate with other systems. Integration between systems through APIs shall allow a light yet secure inter-operable architecture. It will be necessary to ensure the robustness of APIs as well for heightened cyber-security. Yet barriers to interoperability would likely to exist, covering technical, commercial, and legal aspects. Dialogue with stakeholders would be key in addressing these. Achieving interoperability is a collaborative process and will require the active involvement of all industry players in the Indian payments landscape.

Cross Border Payments Enabler

When engaging in cross- border CBDC transactions, RBI will sometimes deal with different networks for each major currency transaction. Here, interoperability between networks will become important. Being able to conduct exchanges of assets in coordinated transactions across two different ledgers (centralized or decentralized), without requiring an intermediary, will help enhance efficiency and mitigate risk. An example of wholesale CBDC involving different currencies is the BIS innovation hub project involving the central banks of China, Hong Kong, United Arab Emirates and Thailand collaborating on the Multiple Central Bank Digital Currency (m-CBDC) Bridge Project¹⁷. This project aims to develop an international settlement platform through which central banks can utilise CBDC for transactions by financial institutions. The mCBDC project would enable cross-border payments that can be done in real-time between the four jurisdictions 24X7, with the foreign exchange leg settled in real time.

Similarly, Project Dunbar brings together the Reserve Bank of Australia, Bank Negara Malaysia, Monetary Authority of Singapore, and South African Reserve Bank with the BIS Innovation Hub to test the use of CBDCs for international settlements.

In case of different jurisdictions functioning with two disparate technical architecture, inter-operability can be achieved through a common bridge that is able to standardize the inputs and outputs from different systems in a common form understandable to every stakeholder. Such a bridge shall also need to configure various country specific regulations related to access, and legislations relating to foreign exchange, respective jurisdictional boundaries, governance issues etc. Various control mechanisms would also need to be put to prevent any spillover effects in an inter-connected global world.

It may, thus, be preferred if a jurisdictionJurisdiction Authority by which courts receive and decide cases. Limited Jurisdiction: the authority over only particular types of cases, or cases under a prescribed amount in controversy, or seeking only certain types of relief, the District Court is a court of limited jurisdiction. Original Jurisdiction: Jurisdiction of the first court to hear a case. works on developing the robust standards required to enable interoperability between CBDC with the existing or proposed payment systems. Collaboration with stakeholders including with BIS on developing common global standards for facilitating easy cross-border transactions, will be a way forward.

5.9 Security Considerations

CBDC ecosystems may be at similar risk for cyber-attacks as the current payment systems are exposed to. The cybersecurity considerations need to be taken care of both for the item and the environment. For example, while the token creation process should ensure the highest levels of the cryptography to ensure security at the item level, the transaction of tokens also needs to be secured to ensure trusted environment.

5.9.1 Further, in countries with lower financial literacy levels, the increase in digital payment related frauds may also spread to CBDCs. Ensuring high standards of cybersecurity and parallel efforts on financial literacy is therefore essential for any country dealing with CBDC. It is also understood that the CBDC ecosystem would be a high value target owing to its significance for maintaining public trust.

5.9.2 Much of the plans to address cyber risks would depend on the underlying technology. Public blockchains preserve transparency but that does not provide cyber security by itself. On the other hand, centralised systems will have the same cyber security concerns as is applicable to the existing Fast Payment Systems (FPS). While the plan to address cyber risks shall be very specific as per respective cases, certain principles that can be applied for CBDCs are:

1. Security has to be the prime design concern while designing CBDCs since inception.
2. Users with privileged roles within the CBDC network should be made subject to an enhanced risk management framework.
3. While the back-end infrastructure shall certainly be robust, the user interface should also be rigorously tested to prevent the exploitation of any vulnerabilities.
4. Vertical Segmentation & No Single Point of Failure: The entire CBDC eco-system would be segregated into different segments like wholesale or retail, with different forms like account based or token based which will not have any single point of failure. Any breach in one segment will not automatically affect other segments.
5. Cryptography & Quantum Resistance: CBDCs shall be using cryptography that will render the system safer as compared to the existing payment infrastructure. However, the futuristic scenario of tackling quantum resistance also needs to be factored in while designing the CBDCs. Quantum computers are machines whose processing power far outstrips even the most powerful supercomputers available today. Quantum-resistant algorithms — also known as post-quantum, quantum-secure, and quantum-safe — are cryptographic algorithms that can fend off attacks from quantum computers. Every CBDC will aim to be resistant to quantum computing. Therefore, robustness of cryptographic techniques along with that of other encryption methods and ensuring quantum resistance shall be highly important to have a safe and secure CBDC technical infrastructure.
6. Recall Feature: In case any specific series of tokens get hacked, it may be technically possible to recall them on an instant basis or release new security features digitally.
7. Recoverability: The CBDCs would need to factor in the principle of recoverability, as per which even if the system gets breached, it should be resilient enough to recover as soon as possible. Further, to the maximum extent possible, the adverse impact on production systems and business processes should be minimised. The use of APIs (Application Program Interfaces) facilitate interaction with required currency management systems at central banks and token service providers.

Therefore, in addition to technology solutions, security risks would also need to be mitigated through policy calls like putting caps, enhanced risk management and governance framework and rigorous testing of functionalities through pilot before rolling out the CBDCs for public.

5.10 Data Analytics

The CBDC platform is expected to generate huge sets of data in real time. After factoring in the concerns related to anonymity, appropriate analytics of Big Data generated from CBDC can assist in evidence-based policy making. It may also become a rich data source for service providers for financial product insights. Further, the data would be highly useful for enforcing money laundering regulations. It may also generate intelligent leads that may assist in curbing non-compliance of existing rules and regulations, thus assisting in risk-based approach to curb money laundering by identifying potential risks and assisting in developing strategies to mitigate them

5.11 Technology choices

It is, therefore, imperative that while crystallising the design choices in the initial stages, the technical choices should not be frozen. As technology evolves, the policy related, and security related considerations shall also change. Therefore, it is necessary to have an open-ended flexible approach while zeroing in on the technical choices. It is also necessary that while engaging any technology service provider, there should not be a vendor lock in and in case any proprietary systems are being used, there should be enabling clauses to allow complete ownership by the Central Bank. Further, Central Banks shall be issuing CBDCs based on algorithm driven processes rather mining through competitive reward methods. These algorithms shall have energy efficiency and environment friendliness as their core principles. Therefore, issuance and management of CBDCs is expected to have much lesser energy consumption vis-à-vis more energy intensive processes normally associated with mining and distribution of private cryptocurrencies. Therefore, technology choice also needs to factor the resource intensiveness of the system.

5.12 Ownership on creation and distribution of CBDCs

For the purpose of creating CBDCs, RBI can either do it internally or create a separate technical subsidiary for the same. For distributing CBDCs, external agencies can certainly be engaged.

---