Digital currencies force central banks into hard choices over privacy and bank stability

New research warns that central banks designing retail digital currencies face a structural policy dilemma that cannot be solved by technology alone. The review finds that public digital money may improve payment systems and financial inclusion, but central banks cannot simultaneously maximize privacy, financial stability and regulatory compliance without sacrificing at least one of those objectives.

The study, titled "Designing Retail Central Bank Digital Currencies: A Systematic Literature Review of Trade-Offs Between Security, Privacy, and Financial Stability," was published in the International Journal of Financial Studies. Based on a systematic review of 140 peer-reviewed articles, the paper proposes a "CBDC design trilemma" and finds that the existing research consistently supports the claim that retail central bank digital currencies (CBDCs) must operate within a zone of compromise rather than a perfect design model.

Central banks face a three-way conflict in digital currency design

CBDCs have moved from academic debate to active policy planning as cash use declines, private payment platforms expand and cryptocurrencies challenge the traditional role of state-backed money. The study notes that more than 130 countries, representing nearly the entire global economy, have explored CBDC projects at different stages of research, development or deployment. Major pilots and programmes in China, the Bahamas, Nigeria and the euro area have turned digital public money into one of the most closely watched questions in financial policy.

The review argues that designing a CBDC is not simply a technical exercise. Every design choice creates trade-offs. A system that gives users strong privacy may weaken anti-money laundering controls. A system that protects banks from deposit outflows may be less attractive to users. A system that maximizes regulatory monitoring may raise surveillance concerns and reduce public trust.

The authors frame these tensions as a CBDC design trilemma. The three vertices are privacy or anonymity, financial stability, and regulatory compliance. Privacy refers to the degree to which users can make payments without exposing their identity or transaction behaviour. Financial stability refers to the protection of commercial banks, credit supply, monetary transmission and the prevention of rapid deposit migration. Regulatory compliance refers to the ability to enforce anti-money laundering, counter-terrorism financing, know-your-customer and tax transparency rules.

According to the study, central banks cannot fully maximize all three objectives at once. A CBDC that resembles cash in privacy terms would be difficult to monitor for illicit finance. A CBDC that allows anonymous holdings could make it easier for depositors to move money quickly out of commercial banks during a crisis. A CBDC built around strict compliance and stability safeguards may be safer for regulators and banks, but less attractive to consumers.

The authors describe the trilemma as a synthesis of the literature rather than a mathematical impossibility theorem. The claim is not that a perfect CBDC is logically impossible forever. Instead, the review finds that no design identified in the 140-article sample fully resolves the conflict among privacy, stability and compliance under current technology, legal frameworks and policy expectations.

The strongest evidence appears in the privacy-compliance conflict. The study finds that full anonymity is rarely recommended because financial integrity rules require traceability. At the same time, full transparency risks creating public concern about surveillance and deterring adoption. This leaves central banks searching for partial solutions.

Tiered privacy emerges as the most widely supported compromise. Under such a model, small-value transactions may receive greater privacy while larger or riskier transactions face stronger identity checks and monitoring. This approach attempts to preserve some cash-like privacy for ordinary payments while meeting regulatory requirements for suspicious or high-value activity.

The review also finds a strong preference for two-tier or intermediated CBDC architectures. In such systems, the central bank issues digital currency, but commercial banks or payment providers handle user-facing services. This structure is seen as less disruptive to banking than a direct system in which the central bank manages retail accounts for the public.

Most design-focused studies favour hybrid systems, combining elements of account-based and token-based models. Account-based systems support traceability and compliance because identity verification is central to the design. Token-based systems better resemble cash because they focus on the validity of the payment instrument. Hybrid systems try to balance both, though they do not eliminate the underlying trade-off.

Technology choices also remain unsettled. Earlier CBDC discussions often assumed that blockchain or distributed ledger technology would be the default infrastructure. The review finds more recent scholarship to be more cautious. Distributed ledger technology may offer advantages for wholesale or cross-border settlement, but centralized systems may be more efficient for large-scale retail payments.

Privacy, bank stability and adoption pull CBDC design in different directions

The study identifies financial stability as the most developed part of the CBDC literature. The largest share of reviewed articles focused on risks to banking, liquidity and monetary policy. The main concern is disintermediation: if households and businesses shift deposits from commercial banks into CBDC, banks may lose a key source of funding for lending.

This concern becomes more serious during periods of financial stress. A digital currency issued by the central bank could become an instant safe haven if depositors fear weakness in commercial banks. Unlike physical cash withdrawals, CBDC transfers could happen quickly and at scale. The review describes this as a potential acceleration of digital bank runs.

To reduce this risk, many studies support holding limits, zero remuneration and intermediated distribution. Holding limits would cap how much CBDC an individual or firm can hold. Zero remuneration would prevent CBDC from competing too strongly with interest-bearing bank deposits. Two-tier distribution would preserve a role for commercial banks and payment firms.

These safeguards protect financial stability but weaken the CBDC's appeal. If users cannot hold large balances, earn interest or access stronger privacy than existing digital payments provide, they may have little reason to switch. This is especially true in advanced economies where people already use fast, reliable private payment systems.

The study finds that adoption outcomes in real-world CBDC projects have so far been modest. China's e-CNY, Nigeria's eNaira and the Bahamas' Sand Dollar show that government issuance alone does not ensure public use. Merchant acceptance, digital literacy, trust, convenience and clear user benefits are all essential.

The adoption literature reviewed by the authors identifies five major drivers of CBDC uptake: trust in the issuing institution, perceived usefulness, financial literacy, financial inclusion needs and social influence. It also identifies five major barriers: privacy concerns, perceived risk, switching costs, lack of awareness and the digital divide.

The divide between advanced and developing economies is important. In advanced economies, the key problem is often demand. Consumers already have bank cards, mobile wallets, instant payments and trusted digital services. A CBDC must offer clear added value to overcome switching costs. In developing economies, CBDCs may have stronger financial inclusion potential, but users may face barriers such as limited internet access, weak digital literacy and low trust in institutions.

Privacy remains vital to adoption, but the study shows that the issue is more complex than simple demands for anonymity. Users may say they value privacy, but they also value fraud protection, payment reversibility and safety. Many consumers are willing to accept some traceability if it helps protect funds, resolve disputes or prevent criminal use.

This creates what the authors describe as a privacy paradox. People may express strong concern about surveillance but still choose payment tools that are convenient, secure and recoverable. Privacy matters most in certain sensitive transactions, but it is not always the dominant factor in routine purchases.

Additionally, compliance and stability rules can create friction. Strong regulators may move more slowly in CBDC development because they internalize legal, operational and institutional risks. This produces a regulatory paradox: countries with strong institutions may have the capacity to launch CBDCs, but also greater caution about doing so.

Tiered privacy and two-tier systems emerge as the leading compromise

Retail CBDC design is likely to converge around compromise models rather than maximalist designs. The dominant model in the literature is a two-tier CBDC with tiered privacy, zero or limited remuneration, holding limits and some form of simplified access for smaller transactions.

This model attempts to preserve commercial bank stability, meet regulatory obligations and offer enough user privacy to maintain trust. It does not fully satisfy any one objective. It protects privacy less than cash, provides less utility than an interest-bearing digital asset, and may offer less innovation than more open programmable money systems. But it is seen as the most feasible design within current constraints.

Financial inclusion is one area where CBDCs could deliver major benefits, especially if they include simplified know-your-customer rules for small-value wallets and offline payment capability. Offline functionality could help users in areas with poor connectivity and provide resilience during disasters or network failures. Yet offline payments also raise compliance and security concerns because they cannot always be checked in real time.

The review identifies cross-border interoperability as another unresolved challenge. CBDCs could improve international payments, reduce costs and speed settlement. But linking national digital currencies raises questions about exchange rates, monetary sovereignty, data sharing and regulatory alignment. Smaller economies may face additional risks if foreign CBDCs become attractive substitutes for domestic money.

However, much of the CBDC literature remains theoretical. Financial stability risks, adoption patterns and privacy trade-offs are often modelled rather than observed. The authors argue that more empirical research is needed from live deployments, especially outside China and across different legal and institutional systems.

Wholesale CBDC is another underdeveloped area. The reviewed literature focuses overwhelmingly on retail CBDC, even though wholesale applications for interbank settlement, cross-border transactions and institutional liquidity could reshape financial markets. The authors suggest that wholesale CBDC may involve a different set of trade-offs, including settlement efficiency, monetary sovereignty and interoperability.

Cybersecurity is also identified as a critical gap. Retail CBDCs would become national payment infrastructure, making them high-value targets. Offline wallets, digital identities, cryptographic protocols and large-scale transaction systems all create new risks. The review calls for more work on network attacks, hardware wallet vulnerabilities and the long-term threat of quantum computing to CBDC cryptography.

The authors also warn that CBDC design must account for vulnerable populations. Elderly users, rural communities, low-income households and people with limited digital skills could be excluded if CBDCs are built around smartphone access, complex onboarding or high digital literacy. A public digital currency designed for inclusion could worsen exclusion if these groups are not considered.

Policymakers must treat CBDC design as a multi-objective policy problem, not a technology rollout, the study points out. Central banks must decide which trade-offs they are willing to accept and explain those choices to the public. A CBDC cannot be evaluated only by whether it is technologically advanced. It must be judged by how it balances privacy, trust, banking stability, legal compliance, inclusion and usability.

The study also suggests that public communication will be decisive. If people believe CBDCs are surveillance tools, adoption may suffer. If commercial banks see CBDCs as a threat to deposits, resistance may grow. If regulators prioritize compliance so heavily that the system becomes inconvenient, users may ignore it. CBDC success will depend on aligning institutional design with public expectations.

The future of public money will not be determined by central bank issuance alone. It will depend on whether digital public money can offer enough value to users while avoiding destabilizing side effects. Cash has historically provided privacy, simplicity and public trust. Recreating those qualities in digital form while satisfying modern financial regulation is the key challenge, the study asserts.