Clifford Chance

As the global thinking in respect of central bank digital currencies (CBDCs) evolves, models for public-private collaboration for distributing CBDCs are becoming clearer. This includes proposals by the Bank of England as well as the recent ground-breaking Project Sela from the Bank for International Settlements (BIS) Innovation Hub, the Bank of Israel and the Hong Kong Monetary Authority (HKMA), which aimed to reduce financial exposure for retail CBDC intermediaries by developing a model where they are not required to hold client assets.

This has the effect that CBDCs are treated as closely as possible to physical cash and potentially paves the way for a more accessible CBDC system. Clifford Chance was delighted to advise the BIS Innovation Hub on this significant project.

In this article we explore these developments, and analyse the legal architecture and regulatory framework that may be required to facilitate structures when intermediaries do not hold CBDC (or other assets) belonging to their clients.

Context and definitions

On 12 September 2023, the BIS Innovation Hub published a report - Project Sela: An accessible and secure retail CBDC ecosystem with the Bank of Israel and the HKMA which proposes a new type of financial services provider referred to as an “Access Enabler” (AE). AEs enable access to and transmission of CBDCs for retail users but importantly never take hold of their customers’ funds. A similar type of payment services provider is envisaged in the Bank of England’s (BoE) February 2023 Consultation Paper on the digital pound. The BoE refers to these as Payment Interface Providers (PIPs). Similar to AEs under Project Sela, the BoE states that PIPs “would never be in possession of end users’ digital pound funds”. As the services, activities and position for customer assets of AEs and PIPs significantly overlap, we simply refer to PIPs throughout this briefing.

What is a CBDC?

There are many types of CBDC, however, at their core CBDCs share the key characteristic that they represent a direct liability of a central bank. In some cases, principally when it is available to retail users, a CBDC is exchangeable at par for physical cash (banknotes and coins). CBDCs may qualify as legal tender in certain jurisdictions. While CBDCs are by their nature “digital”, it is up to the issuing central bank and jurisdiction to decide what technology is used for their issuance. Some CBDC projects rely on distributed ledger technology, while others envisage CBDCs existing on non-DLT based centralised platforms. Notably, the BoE’s proposed digital pound is expected to exist on a centralised platform.

Wholesale vs. retail?

Central Banks may restrict the availability of CBDCs to categories of users and transactions. For example, so called wholesale CBDCs may be restricted to a limited group of commercial banks and clearing institutions and/or to settle financial market or foreign exchange transactions. On the other hand, so called retail CBDCs may be made available to individuals and retailers in order to settle low value day to day transactions. Both Project Sela and the BoE proposal envisage the operation of PIPs in the context of a widely available retail CBDC. As such, the focus of this briefing is on retail CBDCs.

Credit exposure of end users with traditional assets or fiat money

When a financial services provider holds property for a client, there are broadly two types of claims that the client may have against such provider: a claim for redelivery of the property (a proprietary claim) or a debt claim.

Claim for redelivery (or proprietary claim)

When a financial services provider holds property, such as a financial asset on behalf of another person, the ownership of such property typically does not automatically transfer to the provider. Generally, the law acknowledges that the asset ultimately remains the property of the client. Consequently, the resulting responsibility of the provider is classified as a proprietary one (where the same assets will need to be redelivered) and not as a debt claim.

For example, under English law, if a client entrusts financial instruments to a custodian, the client will have a proprietary claim on these financial instruments because the custodian is holding the assets on trust for the client. The client remains the (beneficial) owner of the assets, while the custodian safeguards and administers them on the client’s behalf. The exact nature of a custody relationship may vary significantly between jurisdictions. For example, in jurisdictions which do not recognise trust structures in the same manner as English law there may be a contractual or statutory obligation to safeguard and return the specified assets to the customer.

Regardless of the specific legal mechanism used to recognise the client’s entitlement, the recognition of the client’s interest protects the client in the event of the custodian’s insolvency. The client can enforce its rights against third parties, including the custodian’s creditors. However, as the asset is entrusted to the custodian, the client is still exposed to certain risks relating to the custodian and its practical operational arrangements.

This type of claim generally applies to things or assets other than cash.

Debt claim

A debt claim arises in circumstances where a person has lent their cash (banknotes or coins) to a financial services provider. Typically, the law assumes that as soon as cash is transferred from one person to another, ownership passes so that the new holder is in the first instance recognised as the owner of that cash, unless something to the contrary was agreed. Depending on the applicable legal framework, such an outcome could be avoided in certain circumstances (for example, by establishing a trust or through segregation, etc.). However, without any specific additional action by the person transferring the cash, ownership passes and the new holder becomes the owner. At that point, the new holder may owe a debt, i.e. an obligation to repay that money, to the original holder.

By way of illustration, when a client deposits cash into their current account, this typically creates a contractual obligation for the bank to return the deposited amount to the client. The cash deposited by the client becomes part of the bank’s assets. Consequently, in the event of the bank’s insolvency, these funds are accessible to the bank’s creditors, and the client’s claim for their money is treated like that of any other unsecured creditor. In practice, in many jurisdictions there may be consumer deposit protection schemes that would protect or insure a client’s claim in this scenario, however, the existence of these schemes would not change the nature of the client’s underlying claim

Credit exposure of end users with CBDCs What type of exposure is relevant?

Generally, the two types of exposures discussed above also apply in the context of digital assets that exist exclusively in a digital environment. To make CBDCs as close as possible to cash (e.g., banknotes and coins), a financial services provider “holding” CBDC for someone should result in a debt claim of a beneficiary against the holder. However, we note that it is technically possible to create proprietary claims in respect of fiat money; for example, if cash is put in a safe deposit box and segregated from the other assets of the financial services provider. As such, it should also be possible to create a CBDC framework which operates on the basis of a proprietary claim, noting that this would mean that transfers of fiat money and CBDC may be treated differently and potentially have different outcomes on an insolvency of the financial services provider.

In either case, the fundamental question to determine is in what circumstances the end user’s CBDCs may be “held” by the PIP in order to understand when end users have a credit risk exposure to the PIP.

When would an exposure to a PIP arise?

Digital assets exist as data packets on an electronic platform. This makes them incorporeal and incapable of being held physically. As such, it is necessary to find a suitable legal fiction which enables the law to deem someone to be holding them when certain criteria or circumstances are met. The specific criteria for when a person would be deemed to be “holding” digital assets (including CBDCs) have not been universally settled and legal certainty on this point in any particular jurisdiction will only be achieved through case law or specific legislation. However, there are proposals that aim to increase clarity. 

Law Commission approach

In the UK, the Law Commission in its July 2022 consultation paper and subsequent June 2023 report has highlighted “control” as the most suitable way to capture the concept of “holding” or “having” digital objects such as cryptoassets and  cryptocurrencies, and proposes that “the person in control of a [digital] object at a particular moment in time” should be “the person who is able sufficiently to:

1. exclude others from the [digital] object
2. put the [digital] object to the uses of which it is capable
3. identify themselves as the person with the abilities specified in (1) to (2) above”. For example, “the person in control will be able to exclude others from the [digital] object as a practical matter by controlling access to their private key”

UNIDROIT approach

This idea of “control” is aligned with the UNIDROIT Principles on Digital Assets and Private Law which propose a similar approach. In summary, at Principle 6, they state that a person has ‘control’ of a digital asset if:

(a) the digital asset, or the relevant protocol or system, confers on that person:

(i) “the exclusive ability to prevent others from obtaining substantially all of the benefit from the digital asset”

(ii) “the ability to obtain substantially all the benefit from the digital asset”

(iii) “the exclusive ability to transfer the abilities […] (i) and […] (iii) to another person”; and

(b) the digital asset, or the relevant protocols or system, allows that person to identify itself as having the abilities set out in (a) above.

Sources of exposure

In our view, in practice, the above has the effect that a PIP would be regarded as controlling (and therefore holding) a user’s CBDC if they have control over the relevant cryptographic key(s) or analogous devices on the CBDC platform, such that the PIP could exclusively prevent the end user and others from making payments in, and/or obtaining substantially all the benefit from, the CBDCs. Other instances where a PIP may be regarded as holding the end user’s CBDC may include instances where the PIP operates a CBDC account which allows it to execute transfers and transactions for the end user and others, or if the PIP otherwise takes responsibility for returning CBDC to the end user (for example, by entering into an agreement whereby the PIP itself does not hold the CBDC but delegates this to another provider who controls the digital assets for the PIP or the end user).

How can a CBDC framework avoid PIPs ever holding end users’ CBDCs?

Project Sela proposes a model where the central bank operates the real-time gross settlement (RTGS) and CBDC systems (including the retail ledger), issues and redeems the CBDC, and is the account/ledger provider to end users. Banks and other financial institutions convert CBDC to and from other forms of money in the economy (e.g., bank deposits and cash). However, end users control their own CBDC funds in wallet applications on their mobile devices by having sole authority over their private keys. PIPs handle all customer-facing CBDC operations by transmitting instructions from the end user’s device to the CBDC platform.

Would users be banking with the central bank if the central bank’s CBDC platform provides accounts to end users?

One of the fundamental concerns when considering the introduction of CBDCs in any jurisdiction is that the anonymity afforded to cash payments may be lost. That is because CBDCs always rely on a technological solution and ultimately are represented by data packets where account data and records of transactions could be linked to individual users. This is a legitimate concern that must be addressed as part of the design of any CBDC platform.

Project Sela addresses this through privacy-enhancing measures where any personal identifiable information is de-identified by PIPs using a hash function. The effect is that the central bank operates the CBDC platform which will have individual “accounts” (or ledgers) for each end user. However, in the day-to-day operation of accounts, the central bank cannot identify specific individuals in relation to specific transactions. As such, the central bank would not operate “accounts” in the way that a typical commercial bank would and all of a user’s interactions with the CBDC platform would be intermediated through a PIP. On this basis it seems unlikely that individuals would regard themselves as “banking” with the central bank.

In this model, the end user would not incur a credit risk exposure on a PIP on the basis that the PIP: (a) does not have control over the end user’s cryptographic private key (which is at all times held in a self-hosted wallet on the end user’s device); (b) does not hold the end user’s CBDC account (which is maintained for the end user on the CBDC platform); and (c) does not provide any services which may result in an obligation on the PIP to return CBDCs to the end user.

This is an elegant solution on the basis that individual end users would have a single CBDC account at platform level which can be accessed by the end user via one or more PIPs which, in practice, perform all customer-facing tasks, including KYC/AML etc. The PIP’s role is limited to acting as a validator of the end user’s cryptographic keys and as a messenger of the payment instruction that the end user sends from the self-custodial wallet on their own device to the CBDC platform.

For completeness, it is crucial to differentiate that, due to the PIP’s adherence to relevant regulatory obligations like KYC, AML or sanctions screening, the PIP may decline to act on behalf of the end user in a specific situation or more broadly. While this would effectively hinder the end user from conducting payments and checking their balances through that specific PIP, from our perspective, this would not constitute control in the manner outlined by the UNIDROIT Principles or the UK Law Commission, such that the PIP would hold the CBDCs for the end user. This is because no single PIP would possess the exclusive authority to block the end user from making payments or accessing the assets as in the case of sanctions for example, the applicable legal framework would likely prevent all PIPs from providing these services to the end user.

Does the end user incur any risk in respect of the PIP? How should this be addressed in the accompanying regulatory framework?

The services likely to be provided by a PIP (such as the transmission of payment instructions and the ability to view CBDC balances on the platform) would not expose an end user to the credit risk of a PIP. However, there would still be a degree of operational risk if the PIP does not perform its services in the way intended. As such, PIPs should be subject to a regulatory framework.

As PIPs would not be holding end user assets, their regulatory framework need not mirror the standards applied to banks or investment firms. Specifically, there is no need to impose minimum liquidity or capital requirements tied to client assets which would represent a significant cost to potential new entrants. However, as PIPs will be delivering essential services to retail customers, and their potential failure could be highly disruptive, certain regulatory provisions should be introduced to ensure operational continuity for a specified period until customers can transition to an alternative service provider.

Jurisdictions currently operating under an open banking framework, such as the EU and UK, may choose to base their regulation of PIPs on the existing rules applied to payment initiation service providers (PISPs) and account information service providers (AISPs). Although the prerequisites for conducting these regulated activities are relatively modest, an authorisation process ensures that PISPs and AISPs establish robust governance structures, internal procedures, and control mechanisms, possess sufficient indemnity coverage, and have directors and managers who are fit and proper to provide payment services. In the EU and UK these rules also impose prudential requirements, which include adequate systems and controls, governance, capital, and liquidity to facilitate continued operation for a defined duration. Similar requirements should also be sufficient for PIPs.

Who is holding CBDCs, if not PIPs?

Central bank

CBDCs could be regarded as being held by the central bank if any applicable requirements for control in the relevant jurisdiction are met. Assuming the UNIDROIT Principles or the Law Commission approach are adhered to, as long as the central bank does not have the ability to obtain substantially all the benefit from CBDCs and transfer this ability to another person, the central bank should not be viewed as holding CBDCs.

If for example, it was determined as a matter of policy that it was appropriate for the central bank to be considered to be “holding” CBDCs for the end user even where control is not demonstrated, this could still be effected by operation of a specific law. In this case, CBDC account balances would need to be treated in the same way as commercial bank money, except that in this case the end user would have a debt claim against the central bank. Additional consequences would be that the central bank’s activities become much closer to retail banking which – depending on the policy choice – may give rise to obligations as a service provider to the end user, potentially triggering certain obligations under consumer protection legislation, etc. For these reasons, it would be necessary to ensure that the law is sufficiently clear in terms of the exact scope of the central bank’s duties towards CBDC account holders and any specific limitations on the central bank’s liability.

End user

Similarly, assuming that the criteria proposed by the UNIDROIT Principles and/or the UK Law Commission apply, the central bank’s ability to make changes to the system and thus control the account is very limited (e.g., if the central bank’s ability to make transfers of balances out of the end user’s account on the CBDC platform can only be exercised in certain limited circumstances, such as a court order or similar), it would be possible to argue that the end user has at the outset “agreed, consented to, or acquiesced in sharing that ability” with the central bank (as set out in (3)(b) at Principle 6 of the UNIDROIT Principles) and thus controls (“has” or “holds”) their own CBDCs.

Impact of this structure

Whether it is appropriate to have the central bank or individual end users holding CBDC in any particular jurisdiction will need careful consideration, however, crucially in both cases, it is someone other than the PIP holding funds. This has the benefit that CBDCs are treated as closely as possible to physical cash, by making them widely accessible with no credit risk exposure between end users and intermediaries. This may be appealing from a policy perspective, but also has the advantage of lowering the barriers to entry for CBDC service providers by eliminating the need for them to hold funds to ensure liquidity or to reduce settlement risk. In practice, this means that we would be likely to see a much broader range of firms (beyond existing regulated financial services providers) entering the market to provide services in relation to retail CBDC accounts.

If you've found this of interest we'd be delighted to share our learnings from these projects and on advising the BIS Innovation Hub on Project Sela and the impact that these may have on your projects and proposals