MKitch3|Sept. 21,2025
You can’t open a financial journal or scroll a central banker’s LinkedIn feed without stumbling on four letters: CBDC. Central Bank Digital Currency.
Depending on who you ask, it’s either the evolution of money, or the most polite dystopia since QR codes on restaurant menus. But strip away the hype, and what you find is a mountain of research papers, pilots, and stress-tested prototypes. Taken together, they form a rough blueprint of what a CBDC system will actually look like if and when the switch gets flipped.
This piece digs into that blueprint—the tradeoffs, the pilots, and the recurring design patterns that matter.
Why are central banks obsessed with this?
At a high level, the goals are surprisingly sober:
• Keep control of monetary sovereignty as cash usage declines.
• Boost payment resilience in case commercial systems collapse.
• Nudge competition in retail payments where a handful of private players dominate.
• Explore inclusion and cheap cross-border rails that don’t take three days and a kidney to settle.
As of 2025, 94% of central banks are officially “exploring” a CBDC. Translation: everyone’s tinkering, but only a handful are in live production.
Core design choices
The research converges on a few forks in the road:
1. Distribution model: The overwhelming favorite is “two-tier.” The central bank runs the core ledger, while private banks and fintechs handle onboarding, compliance, and wallet innovation. BIS’s Project Rosalind is the poster child here, sketching out an API layer that lets intermediaries plug in without the central bank becoming a retail help desk.
2. Ledger structure: Some experiments lean into distributed ledgers (think wholesale corridors like Project Jura or mBridge), while retail pilots often look suspiciously like a high-performance centralized database (see Project Hamilton’s blazing throughput demo).
3. Token vs. account: Do you want each digital “note” to exist like a token (UTXO style), or do you just update account balances? Answer: both, depending on who’s running the pilot.
4. Programmability: Everyone likes to whisper about “programmable money.” In reality, most designs punt policy enforcement to the wallet and API layer—transaction limits, KYC rules, consent frameworks—not hard-coded into the core ledger.
The privacy dilemma
This is where the politics crash into the math. CBDCs force societies to pick a point on the spectrum between cash-like anonymity and panopticon-level traceability.
Options on the table:
• Selective disclosure: Share data only with regulators when due process demands it.
• Privacy-enhancing tech: Zero-knowledge proofs, blind signatures, multiparty computation—the usual cryptography suspects, though still not plug-and-play at national scale.
• Chaumian eCash 2.0: BIS’s Tourbillon prototype tested anonymous, quantum-resistant tokens that can still be audited for counterfeits.
Europe is pushing hardest on “high privacy.” The US prefers to mumble vaguely about “balancing innovation and compliance.”
Offline payments: the holy grail nobody has solved
Everyone wants cash-like resilience—value that changes hands without network coverage. The BIS Polaris handbook lays out the requirements: tamper-resistant hardware, risk caps, reconciliation protocols, and a tolerance for lost devices. But no one has rolled out a national-scale solution yet. Offline CBDC remains the most technically gnarly corner of the map.
Field lessons: what went wrong and right
• DCash (Eastern Caribbean): The network went dark because someone forgot to renew a security certificate. Let that sink in: a digital currency taken down by the IT equivalent of an overdue library book.
• Sand Dollar (Bahamas): First-mover advantage, but still struggling with adoption. The tech works, the people are ambivalent.
• eNaira (Nigeria): Same story—big launch, lukewarm uptake. Reminds us that you can build the rails, but you can’t force the train to run.
• JAM-DEX (Jamaica): Got attention by literally paying people to sign up. Adoption through incentives—go figure.
The cross-border obsession
Domestic CBDCs are one thing. The real prize is cross-border payments: instant, cheap settlement without correspondent banks clipping the ticket.
• mBridge (China, UAE, Thailand, Hong Kong): Live MVP for wholesale settlement across currencies.
• Project Cedar (NY Fed): Demonstrated atomic FX settlement in seconds.
• Project Jura & Helvetia (Europe/Switzerland): Proved delivery-versus-payment on tokenized assets with wholesale CBDC.
• Icebreaker (Nordics + Israel): Hub-and-spoke model for retail CBDCs exchanging across borders.
The tech works. The sticking point is governance—who runs the hub, who enforces rules, and who eats the cost of failure.
So what’s the “safe” design?
If you distill hundreds of pages of public research, you get a recipe:
• Two-tier distribution with a central bank core and intermediaries at the edge.
• API-first architecture so wallets and fintechs can innovate without destabilizing the base.
• Minimal core ledger, leaving programmability and policy knobs to the wallet/API layer.
• Privacy-enhancing features baked in early, with selective disclosure as the default.
• Dedicated offline subsystem with risk caps and secure hardware.
• Interoperability plan from day one, whether through shared platforms (mBridge), interlinked ledgers (Jura), or hub-and-spoke models (Icebreaker).
And above all: operational discipline. The DCash outage taught everyone that grand designs crumble if you forget to renew a certificate.
The open debates
• How much privacy is enough?
• Should retail or wholesale CBDC come first?
• Can offline ever really be secure?
• Do central banks risk crowding out private innovation?
• Who actually governs cross-border corridors?
None of these questions have neat answers, which is why CBDC papers read like Choose-Your-Own-Adventure novels.
Final thought
CBDCs aren’t just a monetary experiment. They’re a stress test of how much trust people are willing to hand back to central banks in a digital age. The architecture is emerging—two-tier, API-driven, privacy-tempered—but the politics will decide if anyone actually uses the thing.
Money is already mostly digital. The real question is whether the next upgrade to the operating system comes from the public sector, the private sector, or some uneasy hybrid.