In brief

  • The Bank of Canada issued a new staff analytical note analyzing the risks of issuing a CBDC.
  • It analyzes the risks of users holding their own tokens or entrusting them to third-party services.
  • The authors believe the government should look at liability in the case of token loss.

“Not your keys, not your crypto” is a rallying cry for the security-minded. But it also creates a legal and logistical challenge to creating a central bank digital currency.

That’s the thread running through a new staff analytical note issued by the Bank of Canada today, examining the security risks for a hypothetical token-based CBDC. The paper, written by University of Illinois professor Charles Kahn and Bank of Canada staffer Francisco Rivadeneyra, claims that, “The safety of CBDC will...depend on the competition between providers of aggregation solutions and the interaction of individual security protocols chosen by each supplier.”

The short, methodical staff note, which doesn't necessarily reflect the Bank of Canada's official stance, begins with the obvious: Digital currency users can lose their private keys and, thus, their cryptocurrency holdings. That stands somewhat in contrast to banks. If you get locked out of your online Bank of America account, you can typically call and prove you’re the owner to regain access.


The note’s authors assume that, for this reason, a lot of CBDC users—many of whom would be coming to digital currency with little prior knowledge—would turn to outside services to manage their cryptocurrency keys.

At which point the liability issues get tricky. Holders could use a wallet service, but if that service fails or if the user loses that password, the user is on the hook for losses. Regulated exchanges are convenient because they operate more like banks; there’s an active third party. But, unlike banks, exchanges don’t typically have deposit insurance.

And since this would be money issued by the Canadian government, the government needs to determine how to regulate intermediaries.

While the authors don’t necessarily think account providers (read: exchanges) would be negligent or fly the coop in case of theft—they “might have a competitive incentive to absorb some of the losses”—they do also raise the possibility of regulations that “limit the losses account providers can pass on to users.” 

Ultimately, the authors argue that the central bank should consider “limiting balances or transfers, modifying liability rules or imposing security protocols on storage providers.”


One idea they teasingly pose is for a “CBDC that is universally accessible but that can be stored only at approved intermediaries.”

The Bank of Canada has been developing a central bank digital currency since February, though it said it would only turn to a CBDC if physical cash was severely reduced or if companies increasingly turned to cryptocurrency to handle payments.
