The CBDC Design Space

The CBDC Design Pyramid organizes design decisions into hierarchical layers. Decisions at lower layers constrain options at higher layers. Like building construction, you can't change the foundation after building the walls.

THE CBDC DESIGN PYRAMID

/
/
/ AC
/ CESS
/--------\ Layer 5: Who can use it? How?
/TECHNOLOGY
/------------\ Layer 4: What systems power it?
/ ARCHITECTURE
/----------------\ Layer 3: How is it structured?
/ OPERATORS
/--------------------\ Layer 2: Who runs it?
/ POLICY
/------------------------\ Layer 1: Why does it exist?

Each layer builds on layers below.
Decisions at lower layers constrain higher layers.
```

The foundation layer answers: Why are we building this?

LAYER 1: POLICY FOUNDATION

Why Foundation Matters:
These policy decisions constrain everything above.
If policy requires cash-like privacy, technology
must support it.
If policy prohibits bank disintermediation,
architecture must prevent it.
```

The second layer answers: Who runs the system?

LAYER 2: OPERATORS

The third layer answers: How is the system structured?

LAYER 3: ARCHITECTURE

The fourth layer answers: What systems power the CBDC?

LAYER 4: TECHNOLOGY

The top layer answers: Who can use it and how?

LAYER 5: ACCESS

The pyramid helps analyze any CBDC:

PYRAMID ANALYSIS PROCESS

- What problem is it solving?
- What constraints are stated?
- What does success look like?

- Who runs what?
- What's the governance structure?
- Where does liability sit?

- Direct or intermediated?
- Single or multi-tier?
- How do components connect?

- What's the ledger type?
- Centralized or distributed?
- What are key technical features?

- Who can use it?
- What ID is needed?
- What limits exist?

CONSISTENCY CHECK:
Do higher layers align with lower layer decisions?
Does access model match policy goals?
Does technology enable stated architecture?

---

The most fundamental CBDC distinction is between retail and wholesale applications. This choice affects everything.

RETAIL VS. WHOLESALE: THE CORE DISTINCTION

Example: "Anyone can hold digital euros for daily payments"

Example: "Banks settle with each other using digital central bank money"

THE KEY DIFFERENCE:
Retail: Public access to central bank money
Wholesale: Institutional access (which already exists via reserves)
```

RETAIL CBDC CHARACTERISTICS

Policy Complexity:
HIGH - touches every citizen, political implications
```

WHOLESALE CBDC CHARACTERISTICS

Policy Complexity:
LOWER - affects institutions, not direct public
```

WHY RETAIL VS. WHOLESALE MATTERS

DIFFERENT PROBLEMS:

• Public access to digital central bank money

• Payment efficiency for consumers

• Financial inclusion

• Cash replacement

• Interbank settlement efficiency

• Cross-border payment infrastructure

• Securities settlement

• Reserve management

DIFFERENT CHALLENGES:

• Scale: Must handle consumer volumes

• UX: Must be usable by everyone

• Privacy: Public expectations

• Politics: Voter concerns

• Integration: Must work with existing infrastructure

• Compliance: Institutional regulatory requirements

• Governance: Inter-institutional agreements

• Standards: International compatibility

DIFFERENT TIMELINES:

• Less politically controversial

• Easier to pilot (fewer users)

• More incremental (enhance existing)

• Faster to implement

• More politically contentious

• Harder to pilot (need scale)

• More disruptive (new paradigm)

• Slower to implement

Many countries explore both, but separately:

COMBINED APPROACH: RETAIL AND WHOLESALE

Model: Separate systems serving different purposes

- Retail: e-CNY (public digital currency)
- Wholesale: Cross-border pilots (mBridge)
- Different architectures, different purposes

- Retail: Digital Euro (public)
- Wholesale: Exploring separately
- Sequential approach (retail first)

- Wholesale: Project Ubin (advanced)
- Retail: No current plans
- Focus on institutional innovation

- Different requirements, different solutions
- Wholesale can move faster
- Retail can be more cautious
- Reduced complexity per system

- Potential integration challenges later
- Duplicated infrastructure
- Coordination overhead

---

Once retail CBDC is chosen, the next major decision is distribution architecture: does the central bank serve customers directly, or through intermediaries?

DIRECT MODEL: CENTRAL BANK ↔ PUBLIC

┌────────────────┐
│ CENTRAL BANK │
│ │
│ - Issues CBDC │
│ - Holds accts │
│ - Processes │
└───────┬────────┘
│
┌─────────────┼─────────────┐
│ │ │
┌────▼───┐ ┌────▼───┐ ┌────▼───┐
│ User A │ │ User B │ │ User C │
└────────┘ └────────┘ └────────┘

Every citizen has account directly with central bank.
Central bank provides all services.
No commercial bank intermediation for CBDC.

Advantages of Direct Model:

DIRECT MODEL ADVANTAGES

Disadvantages of Direct Model:

DIRECT MODEL DISADVANTAGES

INTERMEDIATED MODEL: CENTRAL BANK ↔ INTERMEDIARIES ↔ PUBLIC

┌────────────────┐
│ CENTRAL BANK │
│ │
│ - Issues CBDC │
│ - Wholesale │
│ - Policy │
└───────┬────────┘
│
┌─────────────┼─────────────┐
│ │ │
┌────▼───┐ ┌────▼───┐ ┌────▼───┐
│ Bank A │ │ Bank B │ │ PSP C │
│ │ │ │ │ │
│Wallets │ │Wallets │ │Wallets │
└───┬────┘ └───┬────┘ └───┬────┘
│ │ │
┌──────┼──────┐ │ ┌──────┼──────┐
│ │ │ │ │ │ │
User User User User User User User

Central bank serves intermediaries.
Intermediaries serve public.
Two-tier (or multi-tier) structure.

Advantages of Intermediated Model:

INTERMEDIATED MODEL ADVANTAGES

Disadvantages of Intermediated Model:

INTERMEDIATED MODEL DISADVANTAGES

Reality is often more complex than pure models:

HYBRID DISTRIBUTION MODELS

- Normally through banks
- Central bank provides basic account for unbanked
- Fallback option

- Banks for full-feature accounts
- PSPs for basic accounts
- Multiple paths to access

- Banks for CBDC distribution
- Fintechs for wallet services
- Central bank for core ledger
- Each does what they do best

- Multiple intermediary types compete
- Central bank sets minimum standards
- Market determines winners
- Users choose provider

MOST COMMON APPROACH:
Two-tier with multiple intermediary types

The two-tier intermediated model has become the default:

WHY TWO-TIER IS THE DEFAULT

- Banks are politically powerful
- Direct model threatens banks
- Path of least resistance

- Central banks aren't equipped for retail
- Building capability would take years
- Banks already have infrastructure

- Distributed operational risk
- Bank failure = limited impact
- Central bank failure = system failure

- Current system is two-tier (cash + deposits)
- CBDCs follow familiar pattern
- Evolutionary, not revolutionary

CONSENSUS VIEW:
"Central banks should do what central banks do.
Banks should do what banks do.
CBDC doesn't change this division of labor."

CRITICAL TAKE:
Two-tier may be pragmatic, not optimal.
It preserves existing power structures.
More innovative models face political barriers.

---

The final critical dichotomy is how users access CBDC: as tokens (bearer instruments) or accounts (identity-linked balances).

TOKEN VS. ACCOUNT: THE FUNDAMENTAL QUESTION

THE ANALOGY:

• I don't need to know who you are

• You prove you have valid $100

• Transaction complete

• I need to identify you as John Smith

• System checks your identity

• Then processes transaction

TOKEN-BASED CBDC

How It Works:
┌────────────┐ ┌────────────┐
│ Token │──────→│ Token │
│ (valid $10)│ │ (valid $10)│
│ Sender has │ │ Receiver │
└────────────┘ └────────────┘

Advantages:

TOKEN MODEL ADVANTAGES

Disadvantages:

TOKEN MODEL DISADVANTAGES

ACCOUNT-BASED CBDC

How It Works:
┌────────────────────────────────────────┐
│ CENTRAL LEDGER │
│ │
│ Alice (verified) : Balance $1,000 │
│ Bob (verified) : Balance $500 │
│ Carol (verified) : Balance $2,000 │
└────────────────────────────────────────┘

Advantages:

ACCOUNT MODEL ADVANTAGES

Disadvantages:

ACCOUNT MODEL DISADVANTAGES

Most CBDC designs combine elements:

TIERED ACCESS MODEL

TIER 1: TOKEN-LIKE (LOW VALUE)
┌─────────────────────────────────────┐
│ Limits: $500 per transaction        │
│ KYC: None or minimal                │
│ Privacy: High (no identity link)    │
│ Features: Basic payments only       │
│ Recovery: Limited (bearer nature)   │
└─────────────────────────────────────┘

TIER 2: BASIC ACCOUNT (MEDIUM VALUE)
┌─────────────────────────────────────┐
│ Limits: $5,000 per transaction      │
│ KYC: Basic (phone number, simple ID)│
│ Privacy: Moderate                   │
│ Features: Standard account features │
│ Recovery: Available                 │
└─────────────────────────────────────┘

TIER 3: FULL ACCOUNT (HIGH VALUE)
┌─────────────────────────────────────┐
│ Limits: None                        │
│ KYC: Full verification              │
│ Privacy: Low (full compliance)      │
│ Features: All features              │
│ Recovery: Full support              │
└─────────────────────────────────────┘

- Low-value = high privacy (like cash)
- High-value = full compliance (like banks)
- User chooses tier based on needs
- Regulators get compliance where it matters

MOST CBDCs ARE ACCOUNT-BASED

THE HONEST ASSESSMENT:
Pure token CBDC faces regulatory barriers.
Most CBDCs will be account-based with
token-like tiers for small transactions.
Cash-like privacy at scale is politically
difficult to achieve.
```

---

✅ The Design Pyramid provides a systematic framework—organizing decisions hierarchically helps ensure consistency from policy through implementation.

✅ Retail and wholesale are fundamentally different—they solve different problems, face different challenges, and often need different solutions.

✅ Two-tier intermediated model dominates for pragmatic reasons—banks are politically powerful, central banks lack retail capability, and evolutionary change is easier than revolutionary.

✅ Account-based models are more common than token-based—regulatory requirements and implementation simplicity favor accounts.

⚠️ Whether two-tier is optimal or merely expedient—it may preserve inefficiencies for political reasons.

⚠️ Whether tiered models can truly deliver privacy—regulators may erode low-tier privacy over time.

⚠️ How wholesale and retail CBDCs will eventually integrate—separate development may create compatibility challenges.

📌 Assuming design choices are purely technical—every choice in the pyramid has political and economic implications.

📌 Ignoring the path dependency—early choices constrain later options. Foundation decisions are very hard to change.

📌 Expecting innovation from conservative institutions—central banks and banking systems favor incremental change.

CBDC design involves fundamental choices that shape everything else. The Design Pyramid, retail/wholesale distinction, direct/intermediated distribution, and token/account models are the building blocks. Most CBDCs converge on similar patterns (retail, two-tier, account-based) not because these are optimal but because they're politically feasible and operationally conservative. Understanding why these patterns dominate—and what alternatives exist—is essential for evaluating any CBDC project.

---

Assignment: Apply the CBDC Design Pyramid to analyze a specific CBDC project, systematically documenting decisions at each layer.

Requirements:

Part 1: Select a CBDC
Choose one of: Digital Euro, China e-CNY, India e-Rupee, Nigeria eNaira, or Brazil DREX.

Part 2: Pyramid Analysis (3 pages)

For each layer of the pyramid, document:

• Stated motivations

• Legal framework/legislation

• Success criteria (if defined)

• Political constraints

• Who operates the core system?

• Who provides customer-facing services?

• What governance structure exists?

• Where does liability sit?

• Retail, wholesale, or both?

• Direct, intermediated, or hybrid?

• Single-tier or multi-tier?

• Key system components

• Ledger type (centralized, DLT, hybrid)

• Known technical specifications

• Infrastructure approach

• Token-based, account-based, or hybrid?

• KYC requirements

• Holding/transaction limits

• Available interfaces

Part 3: Consistency Assessment (1 page)

• Do higher layers align with lower layers?

• Do design choices match stated motivations?

• Are there apparent contradictions?

• What trade-offs were made?

• Completeness of pyramid analysis (40%)

• Accuracy of design descriptions (25%)

• Insight in consistency assessment (25%)

• Clarity and organization (10%)

Time Investment: 3-4 hours
Value: Mastering the pyramid framework enables systematic analysis of any CBDC project.

---

1. Design Pyramid Question:

Why does the CBDC Design Pyramid place "Policy Foundation" at the base?

A) Because policy is the most important layer
B) Because policy decisions are made first chronologically
C) Because policy decisions constrain all layers above them
D) Because central banks are policy institutions

Correct Answer: C
Explanation: The pyramid structure indicates that lower layers constrain higher layers. Policy decisions (like "privacy must be preserved" or "banking system must not be disrupted") determine what architecture is possible, which determines what technology is appropriate, which determines what access models work. If policy requires cash-like privacy, you can't choose account-based access that eliminates privacy. The foundational nature is about constraint, not just sequence (B) or importance (A) or institutional identity (D).

---

2. Retail vs. Wholesale Question:

A central bank announces it will launch a CBDC for interbank settlement only, allowing banks to hold digital central bank money for settling large-value transactions. This is an example of:

A) Retail CBDC with direct distribution
B) Retail CBDC with intermediated distribution
C) Wholesale CBDC
D) Hybrid CBDC with tiered access

Correct Answer: C
Explanation: Wholesale CBDCs are for financial institutions only (banks, in this case), used for interbank settlement (large-value transactions between banks), not for public access. This description exactly matches wholesale CBDC characteristics. Retail CBDCs (A, B) are for general public use. A hybrid CBDC (D) would involve both wholesale and retail components or tiered public access.

---

3. Distribution Model Question:

Why has the two-tier intermediated model become the default for retail CBDCs?

A) It is technically superior to direct models
B) It preserves the banking system's role and leverages existing infrastructure
C) Central banks are legally prohibited from serving the public directly
D) The public prefers dealing with banks rather than central banks

Correct Answer: B
Explanation: The two-tier model dominates for pragmatic reasons: it avoids disrupting the politically powerful banking sector, and it leverages banks' existing customer infrastructure, KYC systems, and service capabilities. Central banks also lack retail banking expertise. Technical superiority (A) isn't established—direct models could be more efficient. Legal prohibition (C) isn't universal. Public preference (D) isn't the driving factor in design choices.

---

4. Token vs. Account Question:

Which CBDC access model would BEST support a policy requirement for "cash-equivalent privacy for small transactions and offline capability"?

A) Account-based with full KYC
B) Token-based or token-like tier for small amounts
C) Account-based with tiered transaction limits
D) Wholesale-only CBDC

Correct Answer: B
Explanation: Cash-equivalent privacy means transactions shouldn't be linked to identity—this is the defining characteristic of token-based models (bearer instruments, verify the token not the person). Offline capability is also more naturally supported by token models (self-contained value). Account-based models (A, C) inherently link transactions to identity, making cash-equivalent privacy impossible. Wholesale CBDC (D) is for institutions, not the public making small transactions.

---

5. Design Consistency Question:

A CBDC project states its primary motivation is "financial inclusion for unbanked populations." The design requires full identity verification, smartphone-only access, and continuous internet connectivity. What does this indicate?

A) The design is well-aligned with the stated motivation
B) Technical constraints make inclusive design impossible
C) There is likely a gap between stated motivation and actual priorities
D) Financial inclusion always requires strict identity verification

Correct Answer: C
Explanation: Unbanked populations typically lack identity documents (making full verification exclusionary), smartphones (making smartphone-only access exclusionary), and reliable internet (making continuous connectivity exclusionary). A design with these requirements explicitly excludes the target population. This suggests the stated motivation (inclusion) doesn't match actual priorities (perhaps transaction monitoring or modernization for already-banked). B is incorrect—inclusive designs are possible. D is incorrect—tiered KYC can enable inclusion. A is clearly wrong given the analysis.

---

For Next Lesson:
In Lesson 4, we survey the global CBDC landscape—who's building what, where are they in the process, and what patterns emerge across different countries and regions.

---

End of Lesson 3

Total words: ~5,700
Estimated completion time: 55 minutes reading + 3-4 hours for deliverable

---

Course 58: CBDC Architecture & Design
Lesson 3 of 20
XRP Academy - The Khan Academy of Digital Finance