Visa - How to PayFac - September 2023

BIS: CBDCs Need Risk Management Framework to Counter ’Operational Risks’

Scores of central bank digital currency (CBDC) initiatives are in the works or already active — and yet pose some key concerns for central banks.

In a paper released this week by the Bank for International Settlements, the warnings are that CBDCs could have “major implications” for the banks issuing them.

Simply put, the risks are considerable, touching on the stability of the financial system, and would conceivably impact the conduct of monetary policy and payments, the BIS contended.

 “For CBDCs to be a reliable means of payments, central banks also need to address, among others, the risks of interruptions or disruptions and ensure integrity and confidentiality,” per the report. The report comes against a backdrop where the number of central banks across the globe that are working on CBDCs has tripled over the last three years — to 130 as of the middle of this year.

“CBDCs using novel technologies such as distributed ledger technology (DLT) will face unique cyber risks, as there is no widely accepted cyber security framework for DLT. Furthermore, there are limited real world data pertaining to threats to CBDCs, regardless of the type of technology they use,” the paper stated.

Looking Toward a Framework

In an effort to address those risks, the assessment — penned by a consultative group on risk management established at the BIS Representative Office for the Americas, including the central banks of Brazil, Canada, Chile, Colombia, Mexico, Peru and the United States — recommended that a framework be developed to help ensure proper risk management.

The group said the framework “can be applied to the entire life cycle of a CBDC, from the research and design stages to implementation and operation.” Depending on the design of the CBDCs — wholesale or retail — different models and architectures carry differing levels of operational risk, as “they entail different levels of internal handling vs delegation to third parties of features such as record-keeping, security, integrity and availability.”

And the paper noted, specifically, that account-based CBDCs require user identification for access, but token-based CBDCs are tied to private/public keys. While the keys are anonymous, the anonymity itself “implies risks related to the loss or theft of [those] keys. Further, it could also enhance money laundering and terrorist financing risks,” the group illustrated.

In developing a framework, the BIS recommended that risk categories span process-related risks, technological risk (including interoperability and integration), third party risk (where due diligence remains important) and business continuity (including crime, national disasters and the risk that payment systems would be rendered unavailable).

“Central banks may have to work in partnership with the private sector (suppliers, vendors or other intermediaries) and other government agencies to promote best practices and risk models to ensure resilience. They also need to establish the ‘right to audit’ or due diligence’ processes to assess the operation of functions allocated to third parties,” the BIS said.

We note that the debate over the timing, development and even eventuality of (at least some) CBDCs continues to swirl. As reported just a few weeks ago, Mastercard said that widespread adoption of digital currencies — at least the retail form of CBDCs — faces headwinds due in part to consumer comfort with traditional forms of money. Ashok Venkateswaran, Mastercard’s blockchain and digital assets lead for Asia Pacific, told CNBC in an interview in mid-November that consumers are largely satisfied with using traditional payment mechanisms and rails already in place.