If column inches are any indicator, new central bank digital currency-based monetary systems (known colloquially as CBDCs) look on the cards for most Western jurisdictions. Those advocating these regimes say they stand to broaden financial accessibility and lower the cost of transactions.
In reality, however, there are both upsides and downsides with instituting CBDCs. Among the downsides, which most central bankers acknowledge, are the potential negative impacts on bank funding availability and privacy.
But there is another overlooked issue.
If — as increasingly looks likely — a CBDC-regime will initiate an era of identity-linked money, the question of who controls the data, and how breaches will be handled, will increasingly become central to monetary policy.
Irrespective of whether central banks choose to outsource such management to banks or other private entities, or find ways to compartmentalise the data, it’s fair to assume monetary officials will remain accountable for any breaches of data protection rules.
That invites the awkward possibility that in somewhere like the UK, the Bank of England’s powers could in some circumstances be curtailed by the Information Commissioner’s Office (ICO).
Given the breadth of personal information CBDCs may end up holding about people, this might seem rational. Why shouldn’t the BoE, like other public bodies, be accountable to the ICO?
FT Alphaville has held discussions with central bankers who have openly opined that CBDCs, as well as holding transaction data, will very likely incorporate credit information into their data stashes (and perhaps even broader sets of personal data).
That introduces the very real possibility that, in the not too distant, future money could morph from being something neutral and universally equivalent (and thus fungible) into something much more bespoke and conditional.
Think of supermarket points, as an example of where things might be heading. They reward your loyalty and predictability, generating the greatest purchasing power when they’re redeemed in conjunction with special sales offers. That is, when the spending suits the interests of the supermarket the most.
Whatever one’s views are about the desirability of such a system, the challenge the structure presents in terms of data protection is undeniable.
Whoever the BoE entrusts with the job of managing the data, the scenario will position the central bank at the front line of the data and identity fraud war. This is not necessarily something it is used to.
As we know from conventional bank fraud dealings, ascertaining what constitutes an authorised versus unauthorised data access incident can often be incredibly subjective.
In the case of banks, it’s the financial ombudsman and the FCA that plays the biggest part in determining the outcome of personal cases. The ICO’s supervision, meanwhile, tends to focus on institutional level breaches that are not related to phishing attacks or identity theft cases that impact customers directly.
But what if a CBDC was hacked?
Consider the following hypothetical. Officials at the BoE wake up one morning to discover the UK’s CBDC system has been hacked and the personal data of millions of users has been stolen. Worse than that, the data is being used to initiate unauthorised transactions that are draining the accounts of countless victims.
The issue, at this point, is not just what the BoE can do to reverse these transactions but also whether it should compensate victims if it can’t and, if so, to what degree. Another critical question is how that compensation should be funded.
The pathways for correcting the breach are likely limited to the following options: 1) suspend or reverse all related transactions if they haven’t yet escaped the system 2) if they have escaped the system, offer direct compensation funded by freshly “printed” central bank money — a sort of economy-wide socialisation of the losses or 3) offer direct compensation with fully-funded central bank money — a type of institutional bail-in.
In the old non-CBDC central banking world, it would — in most circumstances — have been up to the central bank to determine the response to any major liquidity or capital-compromising hacking incident such as this. But in a CBDC world, where central bank data management practices are subject to the ICO’s regulatory authority, it’s very possible the central bank would have to defer to the data regulator for guidance.
For now, the ICO does not have the power to dictate how much compensation an institution should offer to customers affected by the breach, even if it can strongly influence matters. Its powers are limited to fining institutions directly for breaches. But a data regulator “fining” a central bank for bad practice seems an absurd proposition on many grounds.
So how might a mass data breach in a CBDC structure play out?
Very similarly, we would argue, to the hacking episodes that have already been experienced in the cryptocurrency space, notably in the case of Bitfinex in 2016, the DAO smart contract breach the same year and the Poly Network hack of this week.
All of these episodes, one can argue, led to “monetary policy” level responses within their native systems.
In the Bitfinex case, the exchange opted for an effective bail-in to spread the cost of the data breach across its entire user base (irrespective of whether users were directly impacted or not). In the DAO incident, it was determined that the nuclear option of a system reset was the better bet (undermining the whole notion of the code is the law and leading to a broad reversal of transactions, including entirely legitimate ones).
Most recently, in the Poly Network episode, the institution initiated a direct negotiation with the hackers instead. The hope there was to neutralise the impact of the hack via moral outreach to the perpetrator directly. *By convincing the hacker to return a big chunk of the stolen funds, the incident was arguably transformed from a multibillion-dollar fraud into more of a penetration test by proxy. Any funds retained by the hacker in that scenario might be considered a bug bounty.
The big difference between those cases and a would-be CBDC breach is that the crypto institutions in questions had the autonomy to determine their own response choice. In a CBDC breach, figuring out how to proceed might not be up to the central bank as much as the data regulator.
That might have considerable implications for monetary policy and financial supervision because what’s good for the victims of data breaches might not be good for financial stability.
It’s also worth noting that many jurisdictions currently racing to launch CBDCs, such as Ghana, are entirely new to instituting data protection standards or regulations. China’s data protection laws, meanwhile, are only just coming into force, and are unlikely to protect users from the authorities themselves. This further introduces the risk that users of their systems might be exceptionally vulnerable not just to hacks, but also to having their data mined by the authorities themselves.
In that light, the hope that CBDCs will finally make financial systems interoperable on a cross-border basis is probably quite fanciful. Data regulation is, after all, even less aligned around the world than banking regulation is.
*The hacker’s decision to return the money was also very likely influenced by the fact that, Tether, the embattled stablecoin issuer, had frozen a large sum of the stolen funds. This in itself demonstrated that Tether is far from a decentralised entity. It also demonstrated that Tether, ironically, is as inclined as conventional banks and governments to sanction what it considers bad actors.