CBDC: Digital Sovereign Money

Updated 29 October 2025

CBDC is a digital form of sovereign money issued by central banks for direct retail and wholesale transactions, distinct from private cryptocurrencies.
CBDC architectures typically leverage two-tier and DLT-enabled models that balance central bank oversight with scalability and privacy.
CBDCs incorporate programmability, interoperability, and offline payment capabilities to enhance financial inclusion, security, and policy effectiveness.

Central Bank Digital Currency (CBDC) is a digital form of sovereign money issued by a nation’s central bank, designed for direct retail or wholesale use as legal tender. CBDCs are positioned to complement, not replace, existing central bank reserves and physical cash, and they are distinct from private-sector digital assets such as stablecoins and cryptocurrencies. The architecture, access modalities, and economic implications of CBDC are highly variable, reflecting complex technical, regulatory, and socio-economic design choices.

1. CBDC System Architecture: Models, Ledger Technologies, and Access Modalities

CBDC architectures are stratified across four primary dimensions: system architecture, ledger technology, access model, and application area ("CBDC Design Pyramid") (Tang et al., 10 Jul 2025). System architecture spans from direct models (central bank directly interfaces with end-users) to two-tier/hybrid models (central bank retains core ledger functionality, while commercial banks or PSPs manage user-facing services) (Braine et al., 2022). The two-tier configuration dominates (>90% of surveyed pilots/implementations), balancing central bank oversight with scalability, privacy partitioning, and leverage of incumbent financial infrastructure.

Ledger technologies range from centralized ledger technology (CLT)—simple but vulnerable to single-point-of-failure and scaling issues—to distributed ledger technology (DLT), especially permissioned blockchains (e.g., Hyperledger Fabric, R3 Corda, Corda, Elements), which provide tamper-evident audit trails, decentralization of transactional validation, and support for smart contracts and programmability (Junior et al., 17 May 2024, Tang et al., 10 Jul 2025, Homoliak et al., 2023). Hybrid approaches combine centralized account management with privacy-enhancing distributed transaction processing (Tang et al., 10 Jul 2025).

Access models are differentiated as account-based (identity-verified users; traditional KYC) or token-based (access and transfer of value via cryptographic tokens or credentials, supporting higher user privacy and potential for offline functionality) (Tang et al., 10 Jul 2025, Rafiee et al., 5 Dec 2024). Hybrid designs allow for both modalities, with risk-based wallets and limits (Wenker, 2022).

Design Dimension	Leading Options	Typical Use
Architecture	Two-tier (central + intermediaries)	Retail, Wholesale
Ledger Tech	Permissioned DLT, CLT, Hybrid	Both
Access Model	Token-based, Account-based, Hybrid	Retail, Hybrid
Application Area	Retail, Wholesale, Cross-border	All

2. Programmability, Interoperability, and Ecosystem Layering

Recent advances in architecture emphasize programmability and ecosystem overlay layers. Industry architectures, such as the UK "platform model," propose placing commercial bank money and CBDC on a similar operational footing by introducing a common programmability layer accessible via standardized APIs (including Open Banking APIs), allowing for unified development of programmable financial products (conditional payments, smart escrow, automated tax) independent of underlying money type (Braine et al., 2022). This overlay is designed to be distinct from the core ledger, reducing complexity and containing risk within competitive, innovative PIP (Payment Interface Provider) ecosystems.

Interoperability between CBDC systems and integration with existing payment rails is a rapidly evolving focus—both domestically, via open API frameworks, and cross-border, using techniques such as blockchain-anchored atomic swaps supported by Trusted Execution Environments (TEEs) and registry contracts (e.g., CBDC-AquaSphere), which achieve atomicity, censorship resistance, and supply integrity across independent DLT ledgers (Homoliak et al., 2023). Standardization of APIs, metadata (ISO/IEC 11179), and programmable contract logic is a critical enabler identified across multiple deployments (Junior et al., 17 May 2024, Tang et al., 10 Jul 2025).

3. Privacy, Security, and Trust Mechanisms

CBDC design and policy reflect fundamental trade-offs between privacy, regulatory compliance, and assurance of public trust. Empirical research highlights "six ways" to maximize CBDC trust and reduce privacy concerns: institutional trust in the central bank/government, explicit user guarantees, leveraging positive CBDC reputation, minimized human handling/automation (e.g., smart contracts), transparent and controllable wallet features, and strong privacy or anonymity guarantees both in the app and backend (Zarifis et al., 2023).

Mechanisms include:

Privacy-enhancing cryptography (zero-knowledge proofs, blind signatures, Pedersen commitments),
Granular access control (pseudonymization at core, KYC/AML at ecosystem layer),
Tokenization and cryptographic agility (to support PQC migration and secure offline capability) (Hupel et al., 2023, Rafiee et al., 5 Dec 2024),
Smart contracts for automated compliance (e.g., VAT split, programmable benefits—"Smart Money" infrastructure) (Louvieris et al., 25 Jun 2024).

The security model often leverages a public key infrastructure (PKI) anchored at the central bank with a detailed certificate hierarchy, supporting controlled rollout of credentials to FSPs, wallet manufacturers, and hardware devices. Special consideration is given to the management of certificate rollover, revocation, and validity to ensure continuous operation, especially for offline hardware wallets (Rafiee et al., 5 Dec 2024).

4. Offline Payments, Inclusiveness, and User Experience

CBDC research recognizes offline payment capability as essential for cash-equivalent functionality, financial inclusion, and resilience (Christodorescu et al., 2020, Beer et al., 13 Aug 2024). Protocols achieving secure offline payments must ensure:

Double-spend protection (via trusted hardware, TEEs, or secure elements),
Transaction finality and replay prevention,
Quantum-resistant cryptography for longevity,
Local settlement and enforceability of holding limits (to prevent regulatory violation in offline mode) (Beer et al., 13 Aug 2024).

Designs such as PayOff (Beer et al., 13 Aug 2024) introduce attribute-based account states, ZK proofs for balance confidentiality, and mechanisms for session-linked unlinkability, fraud accountability, and transferability under risk of compromised secure elements. Self-printed, QR/NFC-tokenized CBDC and non-custodial wallets extend accessibility to unbanked populations, children, and travelers, illustrating the importance of maintaining cash-like properties (no mandatory accounts, flexible device support, and inclusion for digitally excluded groups) (Zhou et al., 2021, Bowler et al., 2023).

User-centered, participatory design methodologies and multi-style wallet offerings (hardware, software, card-based) are instrumental for adoption, comprehension, and trust (Bowler et al., 2023).

5. Economic, Monetary, and Financial System Implications

CBDC impacts on bank intermediation, monetary policy, and financial stability are subject to intensive theoretical and agent-based analysis. Key findings:

Introduction of CBDC reduces bank deposit market power, narrows deposit spreads, and grants policy-makers an auxiliary lever for optimal monetary policy. However, the risk of massive bank disintermediation is limited under practical parameterizations and regulatory constraints (Chen et al., 20 Jul 2025).
Agent-based macro models demonstrate that CBDC exacerbates bank runs only if holding is unconstrained. Imposing a cap (30–40% of deposits) effectively mitigates instability and can enable modest welfare gains (Barucci et al., 24 Oct 2025). Universal, uncapped CBDC can redistribute wealth toward households at expense of banks/firms and raise loan rates.
Collateral constraints on central bank lending (as in real-world collateralized funding) reshape bank portfolios, shifting assets to government bonds and away from firm lending, but do not necessarily reduce aggregate bank credit if central bank refinancing rates are optimally calibrated (Chen et al., 2023).
Retail CBDC can enhance payment system fairness, reinforce monetary sovereignty, and counter dilution of public money by private digital currencies. However, CBDC cannot directly "solve" the cryptocurrency challenge, due to inherent regulatory and privacy trade-offs (Wenker, 2022, Goodell et al., 11 Mar 2024).

6. IT Governance, Standardization, and Future Research Directions

The shift to digital sovereign money requires substantial IT governance innovation. Key resources identified for robust CBDC governance include distributed ledgers, tokenization platforms, cross-blockchain interoperability protocols, smart contract platforms, multi-layered PKI, and modular, resilient network architectures (Junior et al., 17 May 2024, Rafiee et al., 5 Dec 2024). Current governance models focus on architectural stratification (direct, indirect, hybrid, intermediated), with an emerging emphasis on integrating compliance, open standards, and automated privacy management, but no mature COBIT- or ISO-grade frameworks have yet been standardized for CBDC governance (Junior et al., 17 May 2024, Jin et al., 2021).

Forward-looking research priorities:

Privacy-preserving technologies that enable audit/compliance without mass surveillance,
Interoperability for cross-currency and cross-ledger transactions,
Robust offline protocols capable of secure, quantum-resistant, and scalable operation,
Smart contract and programmable features for advanced policy implementation,
User-centric wallet design for inclusive, loss-resistant key management, and
Socio-economic modeling to understand the full spectrum of monetary, competition, and stability impacts (Tang et al., 10 Jul 2025).

7. Comparative Case Studies and Implementation Lessons

Case analysis (e.g., Bahamian Sand Dollar, UK platform model, Project Helvetia III, mBridge) reveals the dominance of two-tier, permissioned DLT, and token-based strategies, but stresses the need for local adaptation. Pilots illustrate technical, regulatory, and user-acceptance bottlenecks—failed projects (e.g., in Canada, Australia) underscore pitfalls in token adoption, privacy specification, and infrastructural readiness (Tang et al., 10 Jul 2025).

Project/System	Architecture	Ledger	Access Model	Policy Notes
Bahamas Sand Dollar	Two-tier	DLT	Account	Strict KYC; hard caps; limited privacy
UK Platform Model	Two-tier	DLT/API	Hybrid	Common programmability, Open Banking
Helvetia III	Two-tier	DLT	Token-based	Regulated DLT, wholesale settlement
mBridge	Multi-central	DLT	Token-based	Cross-jurisdiction, multi-currency

Central Bank Digital Currency is a multidimensional research and implementation frontier, requiring careful orchestration of technical infrastructure, economic design, regulatory adaptation, and social acceptance. The current convergence is toward two-tier, DLT-enabled, token-access models with a pronounced focus on interoperability, privacy, and programmability, while empirical and theoretical results indicate that stability and public trust are only achievable within the context of attentive design balancing innovation, competition, and regulatory prudence.