Key implementation issues of central bank digital currency in the light of infrastructure and operation

Next Article

Effects of central bank digital currency on payments

IX. Key implementation issues of central bank digital currency in the light of infrastructure and operation

István Ádor – Péter Eigen – Zoltán Huszár – Zsolt Láda-Hartyáni – Szilvia Szécsiné Kardos – Róbert Taczmann

The possible introduction of central bank digital currency will result in significant changes both in technological and business terms, which must be preceded by complex and detailed analyses. Traditional infrastructures and future IT solutions are examined against the key criteria of reliability, transaction speed and cost-effectiveness. When choosing the business model, the needs of prospective users must be considered, and the cooperation between the central bank and participants in payments must also be planned, with the needs and options of all market participants taken into account. Following the selection of the operating model and the technological solution serving it, arrangements can start for the provision of the infrastructural conditions and staffing required for the central bank to perform its new tasks, each providing a pillar of the operations, ensuring that the new service is efficient and innovative.

1. Introduction

The main promise of central bank digital currency (CBDC) is that it offers security similar to that of scriptural money, except that claims are made directly on the central bank rather than on a commercial bank or other payment service provider, which provides for an outstandingly high level of reliability, given that a situation where a beneficiary is unable to enforce such a claim

against the central bank is essentially unthinkable. (Auer & Böhme, 2020). Although in the literature terminology the indirect model is also classified under CBDC, this model carries the important difference that claims are not made on the central bank, whereby its operational risk is also higher. CBDC can be implemented in a variety of ways. In this study we only address issues related to the implementation of “retail” CBDC, which is widely available to households and corporates and can serve as a payment instrument in similar payment situations as scriptural money or payment cards. Ideally, CBDC is also a good approximation to available cash payment options. From a methodological point of view, the following main cases of CBDC implementation can be distinguished: • Account-based approach: – Central bank as account provider: The central bank provides all customers with accounts – both consumers and companies – which could amount to servicing millions of accounts in a central bank account management system. – Model based on distributed ledger technology (DLT)81 operations: The central bank can also service accounts in a socalled distributed ledger model (equally in a closed or an open network), the participants and rules of which are determined by the central bank. The availability of individual items of customer and transaction data from several actors gives this solution enhanced protection in terms of data redundancy82 and counterfeiting; however, with critical infrastructures

81 Distributed Ledger Technology; DLT 82 In IT, the term redundancy refers to the multiplication of data, information, or, in a broader sense, system components and systems. For the latter, from an operational point of view, it is advantageous for critical components of a system to be configured on a redundant basis, and many fault tolerant systems use redundancy to achieve that objective.

this technology is not yet used live production situations anywhere, on the grounds of which some central banks (e.g. In Israel) rejected this solution, while the pilot project of the Swedish central bank is based on DLT (Sveriges Riksbank, 2020).

• Value-based approach: Similarly to current prepaid card solutions, a solution is possible where CBDC would be stored on a device (e.g. on a card or in a mobile application). It should be examined whether in this case, it is absolutely necessary to keep a central record of the amounts stored on each device, or the anonymous solution provided by the technology can also be used (Mancini Griffoli, et al., 2018). • It is also possible to combine the two solutions, so that accountbased records can be complemented by value-based solutions, primarily to provide offline, low-value, possibly anonymous payment options. When introducing complex systems and services, including the case of a potential CBDC implementation, it is necessary to examine several factors in detail so that the design process can consider all relevant circumstances and potential impacts, and thus eliminates the most significant possible errors. Accordingly, this study seeks to take stock of the main issues and aspects that must definitely be examined for the introduction of CBDC. As the examination should cover the important environmental parameters listed below, the subject is presented in the same structure in each sub-chapter: • examination of the possibilities offered by the technological environment

• review of existing and planned resources • cataloguing processes relevant to their impact on operations.

2. The technological environment

One of the first steps in the design of the CBDC to be implemented is the examination of the available technologies, as they are prerequisites of an implementation. Today, there are several information and communication technologies that support rapid transactions, of which the most appropriate one must be selected to achieve the objectives at hand, which enables the desired operations to be achieved without compromise. Basically, there are two main directions; accordingly, we will present the options of technological implementation along those lines. On the one hand, it is possible to use new, innovative technologies, of which DLT is perhaps the best known. Another obvious possibility is that existing financial infrastructures will be further developed for the introduction of CBDC.

2.1. Benefits and risks of distributed ledger technology

For the technical implementation of central bank digital currency, it is necessary to examine both established and mature, and new technologies. The advantage of the former is their low level of hidden risks, while the latter can offer innovative, modern and mostly rapid solutions in some cases. One of the latest technologies, gaining ground for the past few years, comprises solutions based on distributed ledger technology. In order to judge whether DLT is appropriate for a given CBDC project, it is necessary to determine the following: – the objectives pursued by the introduction of CBDC that can be supported by the specific features of DLT; – the system requirements that can be met using DLT to a higher standard or in a simpler way compared to traditional technology, and the requirements that are more challenging to meet; – the type of DLT required for each model and the model-specific questions arising; – the risks in using DLT and how to manage them.

2.1.1. CBDC objectives supported by DLT Improve acceptance of innovative technologies and test innovative technologies As a new form of money, CBDC offers a good opportunity to involve innovative technologies in operations, and can adequately support their improved acceptance, with DLT being a possible practical application. Improve access to financial services The logical structure of DLT solutions enables easier, and sometimes faster, access to financial services. Research by the Swedish central bank has found that if the objective is to make digital financial services available to those who do not have bank accounts and, as a consequence, asset-based currency needs to be managed through anonymous transactions, DLT is able to support this adequately and more maturely than traditional technologies (Sveriges Riskbank, 2018.). In this case, the central bank issues tokens83 of specified value, which are transferred directly or indirectly (through commercial banks or other financial service providers) to digital wallets whose owners are not personalised, and payment transactions are made between these digital wallets. If, however, anonymity is to be ensured on a substantially limited scale, only between portable devices, or even for offline CBDC transactions, and consequently CBDC itself can be account-based, then traditional technology can be applied in the same way, according to a report by the European Central Bank (European Central Bank, 2020). Increase the security of payments and ensure their operation in crisis situations

Increasing the security of payments, and the combined availability and improved operation of individual infrastructure elements can

83 A CBDC token is a digital entity that has a monetary value guaranteed and fixed by the central bank, is passive, and a given token can only belong to one digital wallet at a time – e.g. it can be accessed with a secret (private) cryptographic key –, and is transferable.

be achieved by creating a separate CBDC infrastructure operating in parallel to existing infrastructure, while at the level of society the cost of operating parallel systems can be much higher. The continuous operation of an infrastructure deployed on those foundations can be ensured through both traditional redundant IT infrastructure and a DLT solution. The assessment of the risks inherent in DLT is complex; the technology provides adequate support for increased protection against fraud, but precisely due to its distributed nature, it is more exposed to cyberattacks and therefore requires a very high level of consistently robust protection compared to traditional technology. In addition, the novelty of the technology also carries risks, given the lack of a history of experience with it, gained through multiple implementations. Achieve greater transparency in payments and reduce the black economy In terms of achieving greater payments transparency and reducing the black economy, the DLT is essentially equivalent to traditional technologies, but as this objective limits the objective of transaction anonymity, the applicability of DLT should be assessed with that in mind.

Make payments more efficient While DLT solutions can play a role in making payments more efficient, this goal can also be achieved through traditional technologies. Spreading over the past decades, instant payments systems have significantly increased the efficiency of payments, but have apparently opted for traditional technology. This may be explained by the fact that although DLT itself is a suitable tool to drive efficiency gains, the use of new technologies in payments started with a lag, on the one hand because the need to avoid compromising trust in payment systems adds much more to the balance, and on the other hand because DLT’s transaction processing speed is currently not sufficient to provide the settlement time expected in instant payments systems, and

building a system with sufficient speed is not possible within the confines of economic viability. Other possible CBDC objectives Additional objectives pursued by the introduction of CBDC may be to develop the market for financial services, to stimulate competition, to improve financial awareness, to increase the efficiency of monetary transmission and thereby to increase economic performance, and to reduce cash holdings and cash logistics costs. These objectives can be achieved with both traditional and DLT-based systems, and the more appropriate of the two technology groups can be selected in light of the specific implementation and the objectives at hand.

2.1.2. Comparison of expectations and the possibilities offered by the technologies One of the most important expectations is that the technology applied should be safe and resilient to environmental impacts. The resilience of DLT systems to malicious interference is a result of (1) transactions being arranged into chains using cryptographic processes so that their sequence and data content cannot subsequently be altered, (2) storing multiple, perfectly identical copies of the chains across the nodes of the network, and (3) transactions that make up the chains being typically controlled by multiple nodes. This represents a clear advantage over traditional technology, but also higher costs at the level of society due to the multiplication of individual system components and data. DLT systems vary significantly in terms of vulnerability depending on the technological functionality of the chosen DLT platform and the way it is implemented; consequently, if significantly higher cybersecurity84 than what is offered by traditional technology is also a priority objective pursued through the introduction of CBDC, then great emphasis must be placed on this in platform

84 Cybersecurity is a collective concept comprising the secure operation and use of the cyberspace created by IT solutions, and protection of its data.

selection and implementation. Among other aspects, the following aspects must be examined: – The number of nodes validating transactions in the given solution – increasing their number will increase reliability exponentially, along with cybersecurity risk and costs resulting from a possible failure to provide for consistently robust protection, accompanied by reduced transaction processing speeds. – The type of consensus algorithm85 applied in the solution. – Whether completely identical chains are stored at each node, or possibly a single node can store several different chains that are identical only at the nodes involved in the given transaction. – How authentication and encryption certificates are managed. However, greater resilience does not mean that DLT systems are unbreakable, and therefore they must be protected in the same way as systems based on traditional technology, with information security technologies and methods. Importantly, all nodes should have the same level of protection, because out of all accessible nodes, cyberattacks will target the one with the weakest protection. Where a new feature of protection is introduced, it should be applied uniformly at all nodes, otherwise the measure will not work its effect. Proper design of intrusion protection is crucial for the application of any technological solution, because the highest level of reliability is primarily achieved through the prevention of unauthorised access. After a successful intrusion attempt, it is essentially “merely” a matter of computing power to crack any encryption algorithm used today. In the post-intrusion phase, DLT is offers a higher level of protection compared to traditional technologies due to its distributed structure, because data to which unauthorised changes are made would have to be

85 A mechanism of the network through which agreements are reached as to which transaction can be considered valid and stored in the system.

transmitted to and changed in all data storage nodes, which may increase security. However, if sufficient time is available – i.e. the intrusion is not detected within a short time – encrypted data can be decrypted. A requirement closely related to the expectation of security is that users of the system should trust the data on the system. In the case of systems based on traditional technology, apart from physical and technological protection solutions, trust is also strengthened by the legal environment regulating the system operator, and by the activities of the third party supervising its enforcement. In the case of DLT systems, compliance with the rules is guaranteed by the procedures stored in the system and running automatically. However, the significance of that may be smaller with CBDC, because even in the case of infrastructures operating on current traditional systems, no concerns are likely to arise about the manipulation of data or transactions from the central bank side. Although anonymous transaction processing can also be implemented using traditional technology, in the case of CBDC anonymity involves the handling of asset-based currency rather than account-based currency, except where anonymous transactions are carried out between portable assets in an accountbased CBDC arrangement. In the case of asset-based currency, it should be ensured that a given token cannot be spent more than once, and it should also be possible to subdivide a token within certain limits. DLT systems provide solutions to address these needs.

In addition to the above, transaction processing speed is one of the most important aspects in the design of systems. Due to the large number of cryptographic operations to be performed and the distributed system logic, the processing speed of DLT systems is lower than that of systems using traditional technology, which makes this one of the biggest challenges in DLT deployment. In general, DLT’s performance may be sufficient for clearing in payment cycles of several hours, but it is not sufficient to provide

the settlement times required for instant payments systems, of typically only a few seconds. The infrastructure of the Hungarian instant payments system has been scaled to a throughput of 500 transactions/second, and although the demand on the system has never exceeded 155 transactions per second to date, this is already a much higher value than what has ever been achieved using CBDC test applications implemented with a DLT system (South African Reserve Bank, 2018). The performance of DLT systems may vary greatly depending on their deployment platform, the method of implementation, the number of validating nodes, and the size of the blocks. However, if higher performance is achieved by using a single dedicated validation node or by recording only the transactions of the nodes concerned in a given chain and only storing them on these nodes, this will come at the price of higher system vulnerability (South African Reserve Bank, 2018). Apparently, the most important advantage of DLT systems – a particularly high level of authenticity in terms of transaction data – amounts to more of a disadvantage in terms of speed, as speed needs to be improved at all nodes simultaneously. This does not arise as a major problem in the design phase, but when the system is subsequently further developed.

Figure 1: Conceptual decision points in CBDC implemented on a DLT basis

CBDC type?

Account-based Asset-based

Non-anonymised Anonymised

Source: MNB

Compliance with the legislative environment is another major challenge facing DLT systems. Compliance with the requirements of the GDPR86, in particular the right to erasure and the right to be forgotten, is complicated due to the specific nature of DLT, as the basic principle of the system is precisely the inability to alter transactions subsequently. Solutions to the problem already exist, including the storage of only imprints87 of personal data in the chain and the storage and deletion of personal data outside of the chain, or the encrypted storage of personal data in the chain and

86 EU general data protection regulation 2016/679 (GDPR); the Regulation of the European Union on the processing of personal data, which entered into force on 25 May 2018. 87 Cryptographic hash

the disposal of the encryption key, but their use will reduce the resilience of the DLT system. In addition to the processing of personal data, compliance with the rules on the processing and confidentiality of non-personal data also causes problems due to data sharing. The legislation defines precisely which institutions may process data on financial transactions, for what purpose, and how. According to the current interpretation of the law, the storage of data qualifies as data processing even if the data is encrypted and the storing organisation does not have the key required for decrypting it; accordingly, even the storage of data subject to bank secrecy in a distributed network in encrypted form raises a question of legal compliance. Issues arising from the specificities of the legislative environment and DLT technology are still to be resolved, and the inherent legal risk cannot be eliminated until that is done; therefore, a thorough analysis of the relevant legislation is required when designing DLT solutions. It should be examined whether each item of data stored in the system can be lawfully processed by the institutions operating each node, and if not, what legally compliant technological solution is available to enable processing. The operational arrangements mentioned earlier under performance improvement, in which fewer institutions function as nodes in the system or only the transactions of the nodes concerned are recorded in a given chain and only stored on these nodes, provide an answer to this problem, but that comes at the price of reduced system redundancy.

Figure 2: Effect of validation and form of redundancy on security and processing speed

Validation? Redundancy?

One node performs Multiple nodes perform Identical chains are on each node

Several different chains are on the nodes

Security Performance Security Performance Security Performance Security Performance

Source: MNB

In an alternative arrangement, all data may be stored in encrypted form on each node, and the key to decrypt specific data is only held by the authorised nodes. In this arrangement, if these nodes are also involved in the validation of transactions, it should also be ensured that the node concerned performs the validation so that the institution operating the node cannot decrypt the data of transactions in which it is not involved, in order to avoid bank secrecy from being compromised. This, however, will significantly increase the complexity of the administration and functionality of key management, which will in turn increase the vulnerability of the system. Storing encrypted data in chains will pose an additional challenge for the system in the long run. Namely, the keys used currently can become breakable over time as computing capacities evolve, which calls for the development of a method whereby the data stored in the system will be re-encrypted with the new key providing the required security,

and the data encrypted with the old key will be deleted. Due to the immutability of the chain, this amounts to either rebuilding the chain or starting to build a new chain and permanently deleting all copies of the old chain, which raises new technological issues. A payment system must provide the means to determine the finality of settlements. In DLT systems, this can be provided by transaction validation and the system’s consensus algorithm, but that requires the development of an appropriate operating model, and the choice of a platform in which this can be achieved (Monetary Authority of Singapore, 2018.), (Burgos, Filho, Suares, & De Almeida, 2017).

The cost-effectiveness of operations is largely dependent on the answers given to the questions referred to earlier; accordingly, those answers also influence the complexity of the DLT system to be implemented, and consequently the cost of its implementation and operation. Whether a CBDC system is more cost-effective with traditional technology or a DLT solution cannot be determined in general, it can only be established once the solution to be implemented is precisely known, after a detailed analysis. In the case of DLT systems, the modification of the scope of processed data and stored procedures is more complex than with traditional technology; consequently, when designing the system more care and foresight needs to be taken in this regard to ensure that the scalability of the system is appropriate. Since DLT systems are architecturally different from existing technologies, there is no difference between the two groups in terms of user interface, transparency, easy accessibility and uptime, and both types of technology are fully capable of performing these functions.

2.1.3. Operating models and types of DLT In all three models that may be conceived of according to the possible roles of the central bank and market participants, entry into the network as a new node – and depending on the model,

participation in the consensus – must be made subject to central bank authorisation, but the system must be accessible and open to anyone through the nodes. For the three basic implementation models, i.e. direct, indirect and hybrid (described in chapters 4.1.1.1 − 4.1.1.3), the most important question is which institutions should be the operators of the nodes, that is also influenced by the issues mentioned previously in connection with performance and the legal environment of data processing. In the hybrid and indirect models, besides the central bank, it is appropriate that commercial banks and other payment service providers should participate in the network as nodes, whereas in the direct model these institutions are excluded, in which case a relevant question is how many and what type of institutions should operate nodes apart from the central bank in order for the benefits of the distributed network to be felt. In the latter case, because of the centralised nature of the model, the expediency of applying DLT is questionable, as the transactions could only be stored and validated by the central bank’s node and possibly by a node operated by a clearing house that acts as an independent institution even in the current infrastructure.

2.1.4. Risks and their management Regarding the operation of the financial infrastructure, the biggest risk of DLT systems is that no solution based on this technology is currently operating on any critical financial infrastructure, which means there is no compliance experience even at international level, and as a result, there are unknown technological risks that cannot be mitigated in advance. Additional risk results from the above-mentioned challenges, to which it is currently uncertain whether an appropriate response can be given in a live production environment, as typically the response to one challenge either increases the vulnerability of the system, or makes it more difficult to develop a solution to another challenge (South African Reserve Bank, 2018).

Consequently, it is appropriate to create experimental, testtype DLT systems with gradually increasing functionality, whereby risks can be better explored, appropriate solutions can be developed to the individual challenges at the current level of maturity of the technology, and thus an informed answer can be obtained as to whether a potential CBDC infrastructure would be optimally operated with DLT or traditional technology.

2.2. Aspects of upgrading central bank RTGS systems

The design of Real Time Gross Settlement (RTGS) systems dates back to the mid-‘80s, and since then many countries have introduced (Bech & Hobijn, 2007) such a system, primarily used for high-value transfers88. With their emergence, processing lead times then measurable in days and weeks decreased significantly, to a few minutes. The system design aspects that were considered modern at the time when RTGS systems became widely adopted, may also pose significant limitations in terms of today’s expectations for upgradability. Gross settlement in central bank money (Committee on Payment and Settlement Systems of the central banks of the Group of Ten countries, 1997) is characteristic of both RTGS systems and a potential CBDC implementation, in this sense the upgrade of RTGS provides a good basis for the development of a new CBDC if the processing speed of RTGS is an acceptable compromise. If it proves to be slow, the possibilities and costs of increasing speed should also be examined.

One characteristic of RTGS systems is the small number of participants and accounts, as well as the high amount of individual transactions in addition to the low number of transactions. Significant increases in the number of participants and accounts and of daily transactions warrant a system redesign in terms of

88 These systems are commonly classified in the Large Value Payments System (LVPS) group because they primarily serve large-value transactions.

capacity and performance, where the extent of performance gains and enhancement costs are in direct proportion to each other, but not necessarily in a linear manner. The main advantage of multi-currency operations is that it is sufficient to build a single system, but in terms of operations it can also be pointed out that serious operational problems will have the same effect on all currencies, that is, either the system is fully operational or none of its segments are functioning. In addition to functional enhancement, this is a special case of scalability, since a single system member will have multiple accounts serviced, and the number of transactions will also increase significantly. The majority of RTGS systems implement account servicing by central banks for commercial banks and possibly other key partners, with access granted through a secure communication channel (RTGS Monitoring). RTGS systems are basically self-contained systems, where participant account holders hold in central bank money their mandatory central bank reserves and coverage for other settlement systems, among other assets. CBDC enhancement requires opening up to other systems that is not justified prior to CBDC.

2.2.1. Upgrade limitations Although RTGS systems have made a major breakthrough by providing processing times of around 1 minute, they have been far outpaced by the instant payments systems that have since been widely adopted. If processing times similar to those of instant payments systems are required for the development of the RTGS system CBDC, this can only be achieved by replacing the entire communication infrastructure of the RTGS system and the account management system. Depending on the expectations, a blended solution is also possible, where the RTGS system is retained, and CBDC functionality is implemented with a front-end system. Regarding opening hours, RTGS systems typically fall short of instant payments systems – they do not operate 24/7 – and they are

also characterised by the mandatory execution of daily opening and closing activities and the daily routine activities associated with them. It is possible to open system maintenance windows outside the operating hours, which enable scheduled installations, backups, archiving and other tasks to be performed in a wellplanned manner. The opening hours of RTGS systems can be extended up to a reasonable limit, but continuous availability cannot be achieved without redesigning the system and the scope of services. The continuous availability on a 24/789 basis can only be achieved by replacing the RTGS account management system in a new infrastructure environment. Very high availability (24/7 operations) requires full application of the principle of redundancy in all aspects of system operation, thus avoiding single-point-offailure90 risks, which may call for the deployment of additional site(s). The number of sites required for normal operations can be supplemented by at least one backup site to ensure that the service is provided even in the event of planned shutdowns at any site (e.g. replacement of computer room extinguishers).

2.3. Setup of sites and their communications

For the development of the CBDC system, regardless of its operating model, two main problem areas need to be examined and planned for in terms of core IT infrastructure: the location of the server-side infrastructures of the central or distributed ledger model, and the data transmission network technologies between components. Aspects of infrastructure location are fundamentally influenced by the choice of the technology to be implemented, i.e. a distributed ledger technology or a principal central bank technology. For

89 The term refers to continuous operations 24 hours a day, 7 days a week. 90 Used in systems analysis and technological design, the concept refers to a system component whose failure causes the entire system to shut down.

Also known as critical error point.

design purposes, the same parameters should be examined from the point of view of availability, because the business need will not change due to the method of implementation. The fundamental difference is that in the case of a distributed ledger system, the high-availability infrastructure elements are not necessarily located with the owner or operator, because the individual server DLT nodes can operate autonomously, allowing for the separation of their ownership and, consequently, the responsibility for their operation. In the case of principal central bank technology, the basic principle of the implementation of high-availability functionality operating on a 24/7 basis is to ensure adequate redundancy for all components of the entire infrastructure to cover singular errors, even in the case of planned operation and maintenance works.

Computer centres and the energy, engineering, fire protection, air conditioning technology and physical security systems supporting their operations must comply with the requirement of high availability as defined by the international standard91, which is a condition for critical operations on a 24/7 basis. The distributed and the centralised solutions, do not involve any significant difference in terms of data centre infrastructure, except the possibility to recognise investment and operating costs in a decentralised or centralised way, respectively. Conversely, the direct, hybrid and indirect models, are substantially different according to whether CBDC accounts are serviced directly at the central bank. If so, i.e. in the case of direct and hybrid models, the number of accounts to be serviced is only a matter of scaling the appropriate resource, but from the point of view of the basic infrastructure, it is irrelevant whether arrangements need to be made for servicing a few tens of thousands or a few million accounts, as this only affects computing and data storage capacity. In this case, for operational

91 ANSI/TIA-942 Tier 3

security it is essential to have the three independent data centres with at least high operational security provided in each. In the case of the third computer room, it should be considered whether in addition to two owner-occupied computer rooms with adequate operational security (or one less than the required site number), a third (or of a higher serial number, but no more than one) virtual data centre based on Platform as a Service92 (Violino, 2019) technology should also be incorporated as a cloud service. While there is nothing in the Hungarian legal environment93 or in Recommendation No. 4/2019. (IV.1.) of the Magyar Nemzeti Bank to prevent the implementation of this arrangement, its deployment may pose technological, application security and data security risks, given that the cost is lower per server, but that may in turn carry higher data security risk. If a model is developed in which the account holders are commercial banks, the central bank will not be required to deploy a system that provides a higher level of operational security than what is currently in place. Another important design aspect involves the design of individual telecommunication channels. A fundamental distinction should be made between the data link between the end-user, i.e. the account holder and the account provider, and the data links between the elements of the account provider(s) infrastructure. Based on market practice, there can be no doubt that the transmission medium for the data link between the account holder and the account provider can only be the Internet. This provides the possibility for the use of either terminal networks or mobile devices, but it obviously also enables transactions to be carried out directly from CBDC customers’ computers, from corporate governance systems, or cash registers.

92 PaaS: a cloud service where the service provider provides the infrastructure, resources and operating systems, but the applications and databases continue to be owned and operated by the customer. 93 Act L of 2013 on the state- and local government-owned organisations’ electronic information security

In the indirect model, the existing data transmission media can be used to ensure a data link between the account provider and the central bank, and the only changes that may need to be made concern some of their parameters, such as bandwidth, compression and encryption. If the account servicing function is partially or fully assigned to the central bank, whether a distributed ledger system or a central bank system is to be served makes a difference in terms of the communication medium to be used. In the case of a distributed ledger system, if the DLT nodes are not owned by a single operator, the speed and reliability of the data transmission channels between each server node will significantly influence the operability of the whole system, i.e. in this respect the stability of the DLT system is exposed to a much greater extent, which is inversely proportional to the number of nodes. Transmission channels are a critical element in all communication networks, as their failure may cause the entire service may to shut down, and therefore this element carries one of the highest operational security risks. The higher the number of these elements, the greater the risk to business continuity, which rise exponentially as the number of nodes increases. Where distributed ledger system elements are not owned by a single operator, it should be examined whether an independent, self-contained communication network should be deployed, or whether an existing self-contained communication network (such as SWIFT, GIROHáló) may be used to serve these systems, and under what conditions. In addition, the use of channels based on an open network and protected by appropriate encryption may be considered, but their exposure to cyberattacks is constantly higher, and consequently they require more attention and a larger pool of assets for their protection. From the viewpoint of data links between central elements, it is irrelevant whether transmission technology should be implemented between the data centres of a central bank system or whether there are nodes of a multinode DLT technology in several data centres of the central bank.

As an additional design task for communication modes, the most appropriate means must be found to provide technical interoperability between CBDC and traditional payment systems.

3. Providing the required human resources

For CBDC design purposes, in addition to these other components – system enhancements and replacements, introduction of new services and technologies, 24/7 operations – account must be taken of the development of operating personnel, which will differ significantly in size for the direct model and for the indirect model. Staff is affected by the decisions made on all other issues, since the organisation of 24/7 operations is a complex task in itself, but the setup of a nationwide customer service or of an access network similar to a classic branch network is a similar challenge, not to mention the development of a completely new account management system. In addition to determining the required headcount, the scope of training should also be defined, with the most effective organisational structure and its operating expenses specified, and other parameters factored in. In addition, the office, IT and labour law issues of the working environment must also be reviewed and organised. Arrangements should be made for the further training of existing staff in order to enable new colleagues to be trained in a mentoring system, and training materials should also be prepared.

4. Operational processes

Naturally, in addition to the technological and legal environment, operational aspects will also need to be examined, as these typically form the basis for defining the principles and rules of future operations. This environment is the most complex, because it is requires a review of not only the systems, needs and opportunities of the central bank, but also other participants.

4.1. Interconnection of central bank and commercial bank infrastructures

Depending on the operational model deployed, monetary movements between the commercial bank account and the CBDC account can be ensured in several ways. A fundamental question is whether the CBDC at hand is anonymous or not. Another aspect to address with non-anonymous CBDC is the distribution of tasks between the central bank and payment service providers. Some possible solutions for operational implementation are explained below (Auer & Böhme, 2020).

4.1.1. Non-anonymous CBDC Non-anonymous CBDC differs from current central bank money, i.e. cash, in that while the central bank has no information about the amount of cash held by each consumer, it knows precisely, or at least approximately, the amount of CBDC each consumer has. Whether accurate or approximate information is available depends on whether the direct, hybrid or indirect model is implemented during deployment. The model implemented also determines what improvements are needed for customers to initiate a transaction between their commercial bank account and their CBDC account.

4.1.1.1. Direct model Key features of the direct model: – Consumers have claims on the central bank.

– The central bank is also in direct contact with consumers.

– The central bank provides payment services along with its performance of customer identification, onboarding and other customer-related operations. Of all models, this is the most challenging from a central bank point of view, because many tasks need to be solved and new functions need to be deployed with which the central bank has only limited or no experience to date.

As central banks tend to provide account services to a limited number of customers, unrestricted retail account servicing is a major challenge due to the amount of accounts to be serviced, because instead of a few tens or a few hundred invoices, accounts will have to be serviced in the order of several hundred thousand, or millions. In this case, at least the capacity of the central account management system needs to be significantly increased, which is a complex task in itself, since the capacity of RTGS systems is typically not scaled to such a high number of accounts. In addition, the scope of services will also differ, as very similar services will be needed for accounts serviced by commercial banks, in which central banks generally have limited direct experience. In addition to the above, applications should be developed at the central bank that provide consumers with the options commonly offered by market participants, such as access to internet banking, mobile banking and payment card transactions. Consumers have the same expectations for the system elements deployed by the central bank as they experience on the market: fast and reliable operations, with user-friendly interfaces. With the first two, central banks have considerable experience, but since they are not usually in contact with massive numbers of users, the experience in that regard, along with the operation of services such as a customer service, can also be new territory.

Figure 3: Schematic diagram of the direct CBDC operating model

Central bank

Assets

600

CBDC

A: 200 B: 100 C: 300

Source: MNB

Consumer A

Consumer B

Consumer C

For the execution of credit transfers to and from the CBDC accounts held with the central bank, the central bank’s account management system must be linked to the settlement systems handling CBDC transactions. The proportion of the functions offered by the settlement systems to be implemented in the account management system depends primarily on the scope of services related to the CBDC account servicing. Below we present the available options for implementation through the example of the Hungarian payments system. In the direct model, a customer can initiate a top-up of their CBDC account against the debit of their payment account with their account provider financial institution through the usual channels such as internet bank, mobile bank, or mobile application. In accordance with the dedicated Hungarian business process, the payment service provider may execute the order through VIBER94 or through the BKR’s95 instant settlement service. Through VIBER, the commercial bank transmits the customer’s order to the central bank, which is executed within one minute of its receipt in the system, so that the amount of the order can be credited to the customer’s CBDC account held with the central bank within a few minutes, depending on the method of submitting the order. Debits may be made in a similar way, with orders charged to the balance of the account to be sent to the central bank, to be executed by the central bank through VIBER. For the central bank – the operator of VIBER – the expected increase in the volume of VIBER messages may represent a task to be solved in the VIBER account management system. The capacity requirements of the communication channels and the processing

94 Real-time gross settlement system, a domestic payment system operated by the MNB.

95 Interbank Clearing System is a payment system operated by GIRO Zrt., in charge of interbank clearing for domestic HUF credit transfers and direct debits.

speed of the ancillary systems, which may also affect the rate of transaction processing on the side of the central bank, need to be examined. As far as account servicing payment service providers are concerned, it should also be examined whether the increase in VIBER transaction volumes requires a capacity increase in their systems. BKR’s Instant Payments Platform can also serve as a settlement channel, where payment orders are executed in a shorter time compared to the solution outlined above, within 5 seconds. Where access is made to the instant payments service, the central bank must appear in the system on both the sending and receiving sides. The capacity of the systems should also be examined in this case, and payment participants should ensure that CBDC transactions are processed quickly and accurately within the limits required by the instant payments service. In Hungary, this solution may involve the lowest development need from a central bank point of view, as system membership is mandatory; however, as the regulation of membership in the instant payments system varies by country (it is voluntary in several places), this positive effect will not necessarily be made consistently. The increase in order numbers may be decelerated by the periodic net settlement of CBDC transactions. In this case, commercial banks and customers send their CBDC transfer orders to the central bank, the central bank aggregates them at specified times and then initiates the net amounts allocated to each payment service provider in a settlement system. In parallel with the monetary movements, through a dedicated communication channel the central bank also submits analytics containing the information on the basis of which the transactions can be booked in customers’ accounts.

Out of the possible solutions presented above, implementation through instant settlement may represent the least amount of IT development for participants. Net settlement would require the introduction of new elements into current payment processes,

due to the operating principle of the model, the clearing would not be completed immediately, which would be a step backwards compared to the instant payments system, and the user experience would be significantly impaired relative to the speed of the instant payments system. If the central bank’s CBDC account servicing is complemented by additional services such as lending, a major enhancement to the central bank’s account management system or even the introduction of a new account management system will be necessary. In addition to the credit registration system, applications for credit approval, collateral valuation and registration and customer relations can also play an important role. Another issue to be decided is whether customer service tasks should be performed on digital, traditional or mixed channels. The use of digital channels may narrow the potential customer base – older age groups follow new technologies to a lesser extent – but it requires less input from the central bank, and thus from taxpayers, as traditional face-to-face customer service may even require the establishment of a nationwide branch network, the cost of which may be very high. The increasing penetration of digital channels can also be observed in the market for financial institutions; however, despite their declining share, traditional orders and administration, mostly carried out through the branch network, have not disappeared. The need to ensure a high level of consumer service may require the central bank to adopt 24/7 operations, which would also require a significant effort in organisational terms, since central banks typically do not provide such operations, or only to a limited extent.

4.1.1.2. Hybrid model Key features of the hybrid model: – Consumers have claims on the central bank.

– They are in direct contact with consumers and payment service providers, mainly commercial banks. – Services are provided to consumers by market participants.

Figure 4: Schematic diagram of the hybrid CBDC operating model

Central bank

Assets

600

CBDC

A: 200 B: 100 C: 300

Payment service provider

Payment service provider Consumer A

Consumer B

Consumer C

Source: MNB

The hybrid model combines the characteristics of the direct and indirect models and requires close cooperation between the central bank and commercial banks, since while the consumer’s claim is on the central bank, all payments and customer service activities are carried out by commercial banks. The risks arising from this duality should be assessed in detail and the model should be designed in such a way that no additional risks can arise within the system as a result of the operation of commercial banks, or if they do, their management should be ensured. The central bank should have up-to-date information from commercial banks in all respects to ensure that the CBDC balance records of individual consumers are accurate.

The model is conceivable both with direct central bank account servicing and with the registration of payment service provider balances. For both solutions, the execution of the transactions initiated by the consumer is accompanied by the exchange of information between the central bank and the payment service provider. In the case of direct central bank account management, the central bank has up-to-date information on the consumer’s account balance; accordingly, the payment service provider requests statements of funds from the central bank, and carries out the transactions only in the event of a positive response. If consumers’ balances are recorded by payment service providers, the central bank records the data in its own register periodically, even several times a day, but at least once a day. The setup and operation of the conditions for information flow between the central bank and commercial banks are important tasks for all participants. If not within the central bank, the increase and decrease of the balance of the CBDC account against the commercial bank account may take place through payment infrastructures. Similarly to the direct model, provided that it services accounts directly, the central bank is also required to connect to settlement systems in this case.

4.1.1.3. Indirect model Key features of the indirect model: – Consumers have claims on market participants. – Consumers are in direct contact with commercial banks.

– Services are provided to consumers by market participants. – Market participants must keep CBDC (any central bank money) at 100 per cent to secure each consumer claim. Similarly to cash in circulation, the central bank is responsible for recording the amount of CBDC. Due to the nature of the

model, market participants have the latest information about the distribution and movement of CBDC in circulation. Central bank records cannot be provided without the cooperation of market participants and the central bank, as part of which the account servicing payment service providers send their data to the central bank on a regular basis. That reporting would also enable the verification of whether market participants have provided CBDC coverage in any form of central bank money corresponding to the balance of the CBDC accounts they manage. The reporting of data requires IT developments at the banks, and its reception and processing at the central bank, while the recording of coverage requires the renewal of the central bank collateral valuation system. As with the design of instant payments, the question arises also when designing a CBDC solution whether the coverage provided by account servicing payment service providers should be included in their minimum reserve to the same extent as the total value of the CBDC held by the customers. Determining that is a complex monetary policy task, and the answer to that question requires prior in-depth analysis. Assuming that, as a result of an analysis, the answer is that CBDC deposit coverage can be included in the fulfilment of the reserve requirement, then, after comparing the reporting with the actual coverage provided, the central bank records the amount recognised as a fulfilment of reserve requirements equivalent to the portion set aside for that purpose from the midnight balance of the settlement accounts of instant settlement. The criteria for the accrual of interest on the amount recorded as reserve should also be decided in the light of monetary policy objectives. In the indirect model, market participants service both traditional and CBDC accounts for consumers, and the monetary movements between the two intra-bank accounts, whether between their own commercial bank account and the CBDC account or between

two customers, can be handled within the system of the financial institution in question, similarly to other payment systems. However, one of the solutions to support CBDC transactions between banks may need to be the establishment of a system, separated from traditional scriptural money, that meets the conditions for CBDC account servicing at the central bank as well as at the rest of payment participants. It is necessary to ensure the conditions for the monetary movements between CBDC accounts across payment service providers, and therefore both the RTGS system for high value payments and the settlement systems for low value transactions should be prepared for the task. In addition, in the case of a CBDC settlement system for a given financial infrastructure, it is obvious that its main service parameters should be adapted to the most advanced system, thus having parameters similar to those of a single express payment system: – 24-hour operations every day of the year – Fast processing and execution of the entire payment process, typically within 1 minute – Transaction costs not exceeding those of traditional payment systems, possibly zero – At least 99.9% availability – Interoperability with other payment systems. A new settlement system does not necessarily have to be established to execute interbank transactions, CBDC flows can be handled using the current infrastructure if the expectations of the central bank are met, for example, if CBDC accounts are secured by coverage equivalent to the amount of their balance. While such a solution does not represent a major development task for payment participants, neither would it bring about an improvement in the quality of service. If one of the main objectives of introducing CBDC is to increase the resilience of the system,

this is not the right solution because the objective cannot be achieved.

Figure 5 Schematic diagram of the indirect CBDC operating model

Central bank

Assets

600

CBDC

X: 300

Y: 300

Bank X

CBDC

300

Liabilities

A: 200

B: 100

Consumer A

Consumer B

Bank Y

Source: MNB

CBDC

300

Liabilities

C: 300

Consumer C

4.1.1.4. Transmission of transactions between participants Whichever model a central bank implements, the monetary movements between the CBDC account and the commercial bank account should be ensured in payment systems. To resolve this, payment service providers and the operators of the domestic payment systems would have a register of direct and indirect participants in the domestic payment systems, ensuring that each participant can be identified and addressed by all other participants. In Hungary this function is carried out by the authentication table, which is operated and issued by the MNB to payment participants on the basis of the data reported by the system members. Since the introduction of CBDC will no longer allow payment orders to be executed only in traditional scriptural money, it may also be necessary to indicate the addressability of CBDC accounts in the authentication table by enhancing the data content of the register. Changes in registration standards would

require IT development at the payment service providers, the operators of the domestic payment systems and the central bank.

4.1.2. Anonymous CBDC Anonymous CBDC is not held by its owner in an account, but, for example, by means of a plastic card or a mobile application in such a way that the balance can be used without the identification of the holder’s person. In this sense, CBDC is very similar to banknotes, where the central bank only has information about the amount circulating in the economy, but is no information about who has what amount. In its physical realisation, it can behave in the same way as a top-up gift card that can be purchased from a merchant or a digital gift voucher that can be used in instalments. The balance is updated by overwriting the chip on the card or the application registry, when we pay or when we are paid. CBDC top-ups charged to commercial bank accounts can be made using an ATM96 or by using a dedicated terminal network, internet or mobile connection. When using ATMs, as with the current cash withdrawal, a funds coverage query is sent to the account provider bank and, in case of a positive answer, the CBDC account can be topped up by selecting the appropriate function of the ATM and entering the number of the CBDC account held with the central bank. CBDC balances may be reduced through the opposite process. The great advantage of the solution is that the CBDC held can be used to make offline and anonymous payments with a card or application, just like with cash payments, it does not require a connection with payment infrastructures, and if properly designed, not even electricity is strictly necessary, but it carries a significant risk in the sense that since the total of the balances is not known at any moment, it may be the target of fraud.

96 Automated Teller Machine.

5. Conclusions

The possibilities of introducing central bank digital currency have been addressed by the central banks of an increasing number of countries in recent years, and as a result of the investigations pilot projects already exist, such as the e-crown in Sweden, whereas China also already has its own production CBDC system in place. Central banks tend to share the position that a more in-depth analysis of the subject is necessary; accordingly, the Magyar Nemzeti Bank is also examining the possibilities of introducing this form of money, its effects, risks and preconditions. In our study, we reviewed the tasks arising in connection with infrastructure and operations, examined new technologies such as DLT, addressed the differences and problems of sites and the intermediary channels in different designs, as well as the reuse of the basic infrastructure elements of the financial intermediary system and the issue of the integration of an independent system with these in the event introducing the new form of money. We reviewed the effects on the central bank’s operating organisation and presented in detail the transformation of certain operating processes for each CBDC model. We have found that for CBDC implemented under the direct, indirect or hybrid models, each variant represents a significant amount of tasks to be solved for the banking system as a whole, although for each variant the load is placed at a different level of the banking system and in a different way. On the one hand, due to the limited knowledge and limited operational examples available, the deployment of such a system requires a significant analytical and planning capacity within the central bank organisation and, on the other hand, the existing systems should also be adapted to the solution at the second level of the banking system.

References

Auer, R., & Böhme, R. (2020). BIS Quarterly Review. Bank for International Settlements. Bech, M., & Hobijn, B. (2007). Technology Diffusion within Central Banking: The Case of Real-Time Gross Settlement (Working Paper. kötet). Federal Reserve Bank of New York. Burgos, A., Filho, J., Suares, M., & De Almeida, R. (2017. augusztus 31). Distributed ledger technical research in Central Bank of Brazil. Source: Central Bank of Brazil Web site: https://www.bcb.gov.br/content/publicacoes/outras_pub_alfa/Distributed_ ledger_technical_research_in_Central_Bank_of_Brazil.pdf Committee on Payment and Settlement Systems of the central banks of the Group of Ten countries, B. f. (1997). Real-Time Gross Settlement Systems. European Central Bank. (2020. október). European Central Bank. Source: European Central Bank web site: https://www.ecb.europa.eu/pub/pdf/other/Report_on_a_ digital_euro~4d7268b458.en.pdf?0b17405a54c7c6ad4e137e257dd02672 Mancini Griffoli, T., Soledad Martinez Peria, M., Agur, I., Ari, A., Kiff, J., Popescu, A., & Rochon, C. (2018). Casting Light on Central Bank Digital Currencies. International Monetary Fund.

Monetary Authority of Singapore. (2018.. november 12.). Monetary Authority of Singapore. Source: Monetary Authority of Singapore Web site: https://www.mas. gov.sg/news/media-releases/2018/mas-and-sgx-successfully-leverage-blockchaintechnology-for-settlement-of-tokenised-assets South African Reserve Bank. (2018). South African Reserve Bank. Source: South African Reserve Bank web site: https://www.resbank.co.za/Lists/News%20and%20 Publications/Attachments/8491/SARB_ProjectKhokha%2020180605.pdf Sveriges Riksbank. (2020). The Riksbank’s e-krona pilot. Stockholm: Sveriges Riksbank. Source: https://www.riksbank.se/globalassets/media/rapporter/ekrona/2019/the-riksbanks-e-krona-pilot.pdf Sveriges Riskbank. (2018.). Sveriges Riskbank. Source: Sveriges Riskbank web site: https://www.riksbank.se/globalassets/media/rapporter/e-krona/2018/the-riksbankse-krona-project-report-2.pdf

Violino, B. (2019. 07 19). What is PaaS? Platform-as-a-service explained. Source: InfoWorld: https://www.infoworld.com/article/3223434/what-is-paas-softwaredevelopment-in-the-cloud.html