CBDCs will fail without public trust and privacy safeguards

The real success of Central bank digital currencies (CBDCs), digital forms of sovereign money issued by central banks, will depend less on technology and more on whether people trust governments and central banks with their financial data, suggests a new study, warning that retail CBDCs could improve payment efficiency and financial inclusion, but weak privacy rules, poor communication and fears of surveillance could stop people from using them.

Published in FinTech, the study "Trust, Privacy, and Adoption: A Global Policy Framework for Central Bank Digital Currencies, develops a global policy framework for retail CBDCs by examining privacy, trust and adoption risks across major CBDC cases, including the Bahamas Sand Dollar, Nigeria's eNaira, China's e-CNY and the proposed digital euro.

Privacy has become the make-or-break issue for CBDCs

Governments and monetary authorities are studying them as cash use falls, private digital payment systems expand and stablecoins raise concerns about monetary control. Supporters argue that CBDCs could make payments faster, cheaper and more inclusive, particularly in countries where many people remain outside the formal banking system.

According to the study, these benefits will be hard to achieve unless CBDCs answer a major public concern: who can see users' transactions and under what conditions. Unlike cash, a CBDC can create a digital record of payments. The record may help regulators detect money laundering, terrorist financing, tax evasion and sanctions breaches. However, it can also raise fears that governments could monitor daily spending, political activity, religious giving or personal behavior.

Now, central banks face a key policy problem: If a CBDC is designed with too much anonymity, it could be misused for illicit finance. If it is designed with too much visibility, citizens may reject it as a surveillance tool. The study argues that policymakers must find a workable middle ground where privacy and regulatory oversight coexist.

The paper's review of existing evidence shows that privacy is not a secondary design feature. It is a condition for adoption. Survey experiments cited in the study found that strong privacy safeguards can sharply increase willingness to use a CBDC. The paper also points to public consultation evidence showing that privacy ranks above many other CBDC features for users, including security, fees and cross-border usability.

A CBDC can include privacy tools, but users may still reject it if they do not trust the issuing institution. The study separates technical privacy from institutional privacy. Technical privacy depends on how the system handles data, identities, transaction records and encryption. Institutional privacy depends on whether laws, courts, regulators and audit systems limit how authorities can access user data.

People do not judge CBDCs only by what central banks promise, but by whether those promises are enforceable. A privacy claim is weaker if users don't know who stores the data, how long it is retained, whether law enforcement can access it and whether courts or independent bodies oversee the process.

Central banks entering the retail payments space are taking on a new role. In addition to being guardians of money value, they may also become custodians of sensitive personal financial data - a role that requires stronger public accountability than traditional monetary policy tools because CBDCs would affect citizens' daily financial lives.

Why design and trust must work together

The study compares four major CBDC cases to show how privacy design, public trust and adoption can interact:

The Bahamas Sand Dollar, launched as one of the first nationwide retail CBDCs, uses a tiered system in which low-value wallets have lighter verification rules while higher-value wallets require stronger identification. The design supports financial inclusion and limits the central bank's direct exposure to personal retail data. Yet adoption has remained modest, showing that privacy alone is not enough if users and merchants do not see a strong reason to switch.

Nigeria's eNaira offers a sharper warning. The study says the system included wallet tiers, but privacy protections were not clearly communicated to the public. Adoption remained extremely low, and public distrust deepened when the rollout became associated with cash shortages and coercive pressure to use digital money. The case shows that technical architecture cannot compensate for weak institutional trust or poor public communication.

China's e-CNY represents a different model. It has reached a much larger pilot scale and uses what the study describes as controllable anonymity. Commercial banks handle identity checks, while the central bank can see anonymized flows under ordinary conditions. But the system also allows de-anonymization under state-controlled processes. The paper says this technical model is advanced, but its wider trust value is limited by concerns about surveillance and weak independent legal constraints.

The proposed digital euro offers the strongest privacy-governance example. Its development is shaped by data-protection law, public consultation, offline payment planning and institutional oversight. According to the study, the European model benefits from stronger legal safeguards and democratic accountability, although actual adoption cannot yet be measured because the digital euro has not been launched.

Across these cases, the study finds that CBDC success depends on more than launch status or technical capacity. Systems need a full trust architecture, including privacy-by-design, legal safeguards, tiered data access, privacy-enhancing technologies, transparency, operational resilience and international coordination.

• Privacy-by-design means privacy must be built into the CBDC from the start, not added later after public concern grows. This includes data minimization, default privacy settings, secure handling of user information and independent privacy assessments before rollout.
• Legal safeguards: CBDC transaction data should be protected by clear laws covering data access, retention limits, independent audits and judicial oversight. Without those rules, users may assume that privacy depends only on institutional goodwill.
• Tiered data access provides the practical compromise between privacy and compliance. Low-value transactions can receive stronger privacy protections, similar to cash, while higher-value or suspicious transactions can be subject to stricter verification and oversight. This approach can protect ordinary users while still giving regulators tools to respond to financial crime.
• Privacy-enhancing technologies: The study discusses tools such as zero-knowledge proofs, secure multi-party computation, blind signatures, tokenization and offline payment capabilities. These technologies can help prove that a transaction follows the rules without exposing unnecessary personal information, but such tools must be auditable and understandable enough to support public trust.

Why CBDC policy must put trust before rollout

Governments should not treat CBDC adoption as a technology deployment problem, but a trust problem. Central banks can build a working digital currency, but people may still avoid it if they fear surveillance, misuse of personal data, cyberattacks or forced dependence on digital money, the research states.

Policymakers should begin with public trust before pushing CBDC use. Public consultation should happen early and repeatedly. Central banks should explain in plain language what data is collected, who can access it, how long it is stored and what rights users have. Users should not need legal or technical expertise to understand the privacy terms of public money.

CBDC systems must include visible accountability. Independent audits, public reporting, privacy impact assessments, grievance channels and clear redress mechanisms can help show that privacy safeguards are more than policy statements. If citizens believe the state can quietly expand access to transaction data, adoption will suffer.

Security and resilience are also key aspects. A CBDC that protects privacy but fails during outages or cyber incidents will lose trust quickly. The paper recommends strong cybersecurity standards, penetration testing, backup systems, offline payment options and clear incident-response plans. It also stresses that cash should remain available as a fallback where large groups still depend on it. Forcing people into digital money can turn a payments reform into a public trust crisis.

International coordination is another policy priority. CBDCs will eventually interact across borders, especially for remittances, trade and regional payments. If countries develop incompatible privacy and compliance standards, users and firms may shift activity toward weaker jurisdictions, creating regulatory arbitrage. The study calls for common standards on data protection, interoperability and lawful cross-border information sharing.

For emerging economies, the framework also links privacy with financial inclusion. People without full banking access may benefit from CBDCs, but they may also be among the most vulnerable to misuse of data. Low-value wallets, offline access and simplified identity requirements can make CBDCs more inclusive without exposing users to unnecessary surveillance.

Privacy should be strongest for ordinary low-risk payments, while regulatory access should be targeted, lawful and proportionate. The goal is to avoid both extremes, a fully anonymous system that enables crime and a fully traceable system that undermines civil liberties.

The study also acknowledges that the framework is policy-oriented and proposes testable ideas rather than proving causal effects. Many CBDC projects are still early, and adoption data remain limited. The cases differ widely in political systems, legal safeguards, technical design and public trust. Future research will need broader cross-country data to test whether stronger privacy governance consistently leads to higher adoption.