- An offline central bank digital currency (CBDC) is a digital complement to bank notes. It enables transactions without the internet while still allowing online purchases when internet connectivity is available.
- The design of an offline CBDC depends on the duration of the offline period. Intermittent offline refers to a temporary internet outage, such as that caused by a failure of telecommunications infrastructure. Extended offline refers a lengthy and indeterminate outage, likely caused by a storm or other weather event. It also refers to the situation in remote regions that do not have reliable or affordable internet.
- Regardless of the length of the offline period, an offline CBDC must be spent or transferred using a digital device—for example, a smartphone with a custom application, or a purpose-designed universal access device (UAD).
- An offline CBDC offers users benefits such as enhanced resilience and better accessibility features. It could also preserve the privacy typically associated with offline payments.
- To minimize the risk of theft or loss, an offline CBDC may require secure hardware with controls to guard against unauthorized tampering, as well as a user-specific personal identification number (PIN), password or biometric authentication stored on the device itself.
- A balance must be struck between compliance, security requirements and user needs. A suitable balance may be defined by optimally selecting limits on holdings, transaction amounts and the duration of offline functionality. Adopting a security posture in terms of limits, controls and functionality, where risks are sufficiently mitigated, is still a challenge for technology available today.
The Bank of Canada has been conducting research to determine under what conditions a CBDC would be necessary and which design features would be relevant for Canadians with diverse payment needs and circumstances.
In recent years, new technologies have allowed for the rapid growth of digital and electronic payment methods (Huynh, Nicholls and Nicholson 2019). However, little has changed for offline payments, and bank notes remain the only commonly used payment method that does not require an internet connection. Moreover, no single payment method allows users to transact seamlessly both offline and online.
An offline CBDC that allows two users to transact while neither is connected to the internet could complement bank notes. Additionally, as a digital product,1 an offline CBDC could reduce frictions between payment methods and allow for funds to be spent online when connectivity resumes. Or it could be used in the same ways as a typical digital means of payment. Offline functionality would offer users enhanced resilience, a high level of security and privacy, and increased accessibility. Considerations for offline functionality drive many features of the overall design of a CBDC system.
Thinking about offline payments
A CBDC system can be designed to function offline in two distinct ways. In each case, the duration of the offline period informs key design features and technology underpinnings and determines user functionality. End users must interact with the offline CBDC system through a device that offers offline functionality—either a stand-alone custom device or a smartphone with a built-in application. Note that offline functionality does not preclude online purchases. For instance, a consumer could receive funds offline in one transaction and, in a subsequent transaction, seamlessly order items at an online store or request a taxi through an online app. Figure 1 depicts the two types of offline functionality under consideration.
Figure 1: Two types of offline functionality
Figure 1: Two types of offline functionality
An intermittent offline CBDC system could allow users to continue to transact during shorter, intermittent offline periods when the internet is temporarily unavailable. Offline capability in such a system augments an online CBDC solution. At the time of a transaction, the payee lays claim to a portion of the payor’s CBDC funds (clearing). The payor attests to this, thereby locking those funds from further spending by the payor. The actual transfer of funds (settlement) occurs later, when either the payor or the payee resumes connectivity with the online system. Since the online CBDC system records the final state of transactions and balances, settlement is deferred until internet connectivity resumes and the system updates.
An extended offline CBDC system could allow users to transact during longer offline periods, when an internet connection is persistently unavailable or undesirable. An extended offline system is a distinct ecosystem supported by dedicated devices with a local store of funds. Devices with extended offline functionality can perform peer-to-peer payments without being connected to the internet. Funds are settled at the end of the transaction, ensuring that the payee is the sole owner of funds at the end of the transfer. Funds are also transitive—the payee can spend them in a follow-on transaction without waiting to send or receive an update from the remote service. Users could use an extended offline solution as a primary financial vehicle for day-to-day transactions. Table 1 outlines the benefits and drawbacks of the two systems, and Box 1 presents a deeper discussion around settlement.
Table 1: Summary of benefits and drawbacks of different types of offline functionality
(+) allows use of a smartphone to make offline transfers
(+) permits offline payments during times of internet outage without preparation
|(-) is non-transitive—funds received offline cannot be re-spent until the offline system is synchronized online|
|Extended offline||(+) is transitive—funds received offline can be re-spent without synchronizing with the online system||(-) requires preparation to acquire or register a device and load funds|
An offline CBDC system, whether intermittent or extended, requires an end-user device to make payments. This could be the user’s smartphone with functionality supported by a custom application, especially in the case of an intermittent offline system. However, some users may not have access to smartphones. And in the case of extended offline, a more durable end-user device with extended battery life may be required during long periods without power. A UAD could be engineered to be offline-first, with some form of online connectivity—either direct or piggy-backed (such as through a smartphone). Additionally, an offline-first UAD may be desirable for users who still wish to transact online but want assurance that their funds are stored in their own possession. With an offline-first UAD, funds could be lost if the device were damaged, misplaced or stolen.
Box 1: Settlement of offline payments
Box 1: Settlement of offline payments
Decisions around settlement2 affect how and when the finalization of a CBDC payment occurs. Settlement may be instant, meaning it happens in real time at the point of transaction. Or it may be deferred, meaning an offline payment is finalized only when the user reconnects to the online system.
Which type of settlement is appropriate depends on the degree of transitivity desired in the system. Transitivity is the ability to immediately re-spend funds that are received offline, without connecting to the internet. For funds to be transitive offline, each transaction must be fully settled and finalized in real time, transferring ownership from payor to payee.
An intermittent offline CBDC where funds are not local to the device requires deferred settlement since payors will generate claims that payees can later redeem when synchronizing with the online system. If funds are allowed to settle instantly—before synchronization—potential discrepancies between the offline and online systems could lead to double spending. Embedding a transaction history for later reconciliation could enable transitivity, where funds are re-spent without an actual transfer of ownership, but it introduces counterparty and double-spending risks as participants are unable to validate the history at the time of transaction. Furthermore, storage is limited on secure hardware. These factors may reduce the viability of instant settlement in the short to medium term. In the future, it may become possible to offer adequate security guarantees with software protections that do not rely on hardware support.
An extended offline CBDC where funds are local to the device can support instant settlement so that ownership is transferred at the time of the transaction and transitivity is available to users during longer offline periods. In this case, settlement will happen purely offline and will not require synchronization with an online system.
Maintaining a resilient method of payment
A CBDC that operates offline is more resilient than other electronic methods of payment because it does not require an internet connection. As a result, consumers can continue to transact when conventional methods, such as credit and debit cards, are unavailable because of an internet failure.
Offline systems designed to function for short periods of time (intermittent) or longer durations (extended) address different use cases for different users. During intermittent offline periods—such as those caused by brief satellite outages, loss of connectivity due to the user’s temporary location, and lack of reliable internet access—a user may rely on funds that are available as an offline CBDC. They may use the internet, when available, to manage aspects of their wallet, such as loading a balance. But they could also use a CBDC to make regular transactions when they are without internet access.
During extended periods with no internet connectivity, which could be the result of severe weather or other adverse conditions or a lack of accessible or affordable internet, a user could rely on an extended offline CBDC system to make payments. For example, a user in a remote region with limited internet connectivity could use a CBDC to make purchases at the point of sale. Another user might prepare for an ice storm by obtaining a CBDC while connected to the internet and storing it offline long-term, to be used later if needed.
Multiple layers of protection are required to promote resilience and maintain a secure CBDC system. While any form of CBDC carries certain risks, offline functionality introduces new hazards. These include disconnection from the internet and the introduction of physical hardware that may be accessed by malicious actors.3 Threats may appear similar to those faced by an online system, such as attempts to increase funds without permission, to spend the same funds more than once (double spending), and to duplicate devices or modify limits. However, in an offline system, these threats are mitigated by countermeasures situated at the device level. Beyond devices, how the money is represented and transferred must be designed carefully so that defeating the protections on a single device does not compromise the integrity of the system (Allen et al. 2020). Similarly, the amount of money a single device can hold offline may be limited to keep the level of risk appropriate (European Central Bank 2022). This area requires further investigation.
The duration of offline periods and the location of stored funds are key considerations in maintaining a secure and resilient CBDC system. For example, a system designed to provide intermittent offline functionality may only need to store secret information (such as private keys) to facilitate offline payment transactions. In contrast, extended offline solutions are full-fledged CBDC systems capable of operating as a self-enclosed ecosystem of payments. Consequently, solutions and devices supporting extended offline functionality will need to store credentials and information to facilitate a wider range of payment tasks, such as adding new funds, maintaining limits on balance and transaction maximums, and managing transactions (e.g., viewing the history of past transactions, budgeting). This greater variety of tasks exposes the extended offline ecosystem to a larger threat landscape.
A range of approaches exist to address the risks present in offline solutions. Mature technology options involve verifying secret information such as a shared secret or digital credentials, including variations of a classic public key infrastructure (Van Damme et al. 2009; Christodorescu et al. 2020). Such solutions present the risk that extracting a private key from any one device could lead to a proliferation of cloned or counterfeit devices in the marketplace, which would in turn threaten the integrity of the system. Emerging technology options, such as secret-free hardware and physical unclonable functions (Fragkos et al. 2020), can mitigate these risks by using device-specific challenges and responses to authenticate and detect cloned versions of the hardware. Crowd-sourcing trust from neighbouring devices can add an extra layer of authentication for defence in depth (Fragkos et al. 2022). Diagnostic information stored locally on devices, or gathered through infrastructure services or portals, can aid in post-mortem forensic analysis after an adverse event. Gathered information could feed into a continuous-monitoring framework that tracks emerging threats across the CBDC ecosystem and the greater financial market infrastructure. Although many of these technologies and best practices are already widely deployed in the payments landscape, the threshold for adequate protection in a CBDC system is high. A multi-layer approach comprising hardware, software and cryptography must be considered (Office of Science and Technology Policy 2022).
Making payments universally accessible
A CBDC that functions offline provides a payment option that remains accessible to users who lack a reliable, consistent internet connection. Though bank notes are still widely used and accepted, minimal advances have been made in offline payment technology in recent years. Users who do not have access to a reliable or affordable internet connection—those in remote regions, for example—may be limited in their choice of payment instruments. While an intermittent offline solution would maintain accessibility for users who experience a temporary outage, those with a prolonged lack of internet access require support for transitive payments. This additional functionality drives fundamental design decisions about how money is represented, stored, transacted and settled in an extended offline solution.
A CBDC that functions offline may help address barriers to financial inclusion and reduce frictions between payment methods. A key feature of an offline CBDC is that users can also spend their funds online when they do have access to the internet. In the current payments landscape, a typical user must have access to digital payment methods, such as a debit card or credit card, to benefit from the increased choices offered by e-commerce. Moreover, if they receive funds offline (i.e., as cash), they must have access to financial services to deposit these funds before re-spending them online, or they must use an alternative means of payment, such as a credit card. Barriers to acquiring a debit or credit card may go beyond access to the internet or financial services. However, a CBDC that allows consumers to make payments fluidly across online and offline scenarios would help reduce some of these frictions.
An offline CBDC could be designed to preserve the privacy typically associated with cash payments, thus furthering accessibility and inclusivity. Individuals may wish to safeguard privacy because of their personal situation and the types of transactions they make or because they lack typical credentials (i.e., they could be a minor or a tourist). Examples of such circumstances include a parent giving a child money for a simple purchase such as lunch, or a user wanting discretion around certain transactions such as medical expenses. To accommodate these circumstances, an offline CBDC could be designed to be non registered—that is, it could be a bearer instrument with limited associated personal data. However, this would mean a trade-off between privacy and protection. While local authentication methods such as a PIN or biometrics may be available for users to protect themselves against theft, lack of registration means users who lose their devices or give their PIN to someone else may not have recourse to recover their lost or stolen funds.
An offline CBDC will need to be compliant with existing legislation on illicit activities. Malicious actors may be incentivized to exploit an offline CBDC as a tool to conduct activities that contravene anti–money laundering, anti–terrorist financing and other applicable legislation. Limits on balances held offline, transaction amounts and length of time disconnected from the internet are examples of rules-based compliance that may be enforced on both registered and non-registered forms of offline CBDC. Non-registered solutions are more likely to be abused for criminal activities, so they would carry limits that are lower than the registered offerings. For both registered and non-registered solutions, however, it is possible that the alignment of the offering with the legal framework may limit the desirability of the product among users. Further research is being conducted in this area.
A combination of visual security indicators and other accessibility features would help build confidence in the security and usability of offline devices. The physical nature of a UAD device makes it especially vulnerable to cloning, counterfeiting and fraudulent services that are emerging for funding, defunding and registration functions. The ultimate aim of these actions is to deceive legitimate users and steal their CBDC funds. An application or device that runs offline does not benefit from the reassurance of a regular internet connection. The offline device, and any messages that may be communicated through its interface, must be carefully designed to clearly inform users of risks and allow them to adjust their behaviour to minimize exposure to theft and fraud. These warnings could be presented on the device visually as an icon or colour pattern that is easily interpreted and clear for all users. Ultimately, security considerations will drive the form and functionality of an offline CBDC, and the technology that would make an offline CBDC possible is currently under investigation.
Considering public policy perspectives
Support for offline payments in CBDC has garnered attention in multiple jurisdictions around the globe, as countries consider new ways to enhance resilience and inclusion. Notably, research from the International Monetary Fund suggests that in many cases, the ability to function without access to the internet will be a “make or break” feature for a CBDC (Kiff 2022). Some central banks, such as Sweden’s Riksbank, have recently released exploratory research considering the capability of a CBDC to replicate the offline features typically associated with cash (Armelius, Claussen and Hull 2021). Other researchers, such as those in South Korea (Chu et al. 2022), are more actively considering the security requirements that would be necessary for an offline CBDC. And the People’s Bank of China has launched a pilot of its offline digital yuan, which takes the form of a hard wallet, resembling a typical chip and PIN credit card (Alper 2021).
Policy implications and commercial technology support will influence system features and user adoption given that extended offline solutions remain challenging to execute. While some central banks have deployed extended offline devices as part of a pilot, no commercial, turn-key solutions are available to implement extended offline functionality. From a financial risk perspective, concerns exist that an extended offline solution may become a target for fraud and financial crime. These concerns, in addition to security concerns, mean that extended offline functionality implies some risk. To mitigate these risks, some approaches propose that payments do not settle until devices return online, essentially offering only intermittent offline functionality. Others suggest robust limits as a means to address risks, but these limits come at the expense of restricting certain use cases. In both scenarios, the appeal for consumers is diminished, which may hurt adoption in the long run. Central banks must understand the technology underpinning any extended offline solution because they have to stand behind the devices they issue and assume the risks involved in deployment and circulation. While technology can mitigate risks, and risks will evolve as technology matures, acceptance of the remaining risks will have to align with policy goals.
- 1. For more information on the technology approach for CBDC, see Shah et al. (2020).[←]
- 2. The Committee on Payment and settlement Systems (2003, 45) defines settlement as “an act that discharges obligations in respect of funds or securities transfers between two or more parties.”[←]
- 3. Extended offline functionality may require the underlying secure hardware to be trusted and enrolled in the system.[←]
Allen, S., S. Capkun, I. Eyal, G. Fanti, B. Ford, J. Grimmelmann, A. Juels, K. Kostiainen, S. Meiklejohn, A. Miller, E. Prasad, K. Wüst and F. Zhang. 2020. “Design Choices for Central Bank Digital Currency: Policy and Technical Considerations.” Brookings Institution. Global Economy & Development Working Paper No. 140.
Alper, T. 2021. “Further Details of ‘Offline’ Chinese Digital Yuan ‘Hard Wallet’ Emerge.” Crypto News, January 13, 2021.
Armelius, H., C. A. Claussen and I. Hull 2021. “On the Possibility of a Cash-Like CBDC.” Sveriges Riksbank Staff Memo.
Christodorescu, M., W. Gu, R. Kumaresan, M. Minaei, M. Ozdayi, B. Price, S. Raghuraman, M. Saad, C. Sheffield, M. Xu and M. Zamani. 2020. “Towards a Two-Tier Hierarchical Infrastructure: An Offline Payment System for Central Bank Digital Currencies.”
Chu, Y., J. Lee, S. Kim, H. Kim, Y. Yoon and H. Chung. 2022. “Review of Offline Payment Function of CBDC Considering Security Requirements.” Applied Sciences 12 (9): 4488.
Committee on Payment and Settlement Systems. 2003. A Glossary of Terms used in Payments and Settlement Systems. Bank for International Settlements.
European Central Bank. 2022. “Progress on the Investigation Phase of a Digital Euro.”
Fragkos, G., C. Minwalla, J. Plusquellic and E. E. Tsiropoulou. 2020. “Artificially Intelligent Electronic Money.” IEEE Consumer Electronics Magazine PP (99): 1-8.
Fragkos, G., C. Minwalla, J. Plusquellic and E. E. Tsiropoulou. 2022. “Local Trust in Internet of Things Based on Contract Theory.” Sensors (Basel) 22 (6): 2393.
Huynh, K., G. Nicholls and M. Nicholson. 2019. “2018 Merchant Acceptance Survey.” Bank of Canada Staff Analytical Note No. 2019-31.
Kiff, J. 2022. “Taking Digital Currencies Offline.” International Monetary Fund.
Office of Science and Technology Policy. 2022. Technical Design Choices for a U.S. Central Bank Digital Currency System. United States Government: Washington, DC.
Shah, D., R. Arora, H. Du, S. Darbha, J. Miedema and C. Minwalla. 2020. “Technology Approach for a CBDC.” Bank of Canada Staff Analytical Note No. 2020-6.
Van Damme, G., K. Wouters, H. Karahan and B. Preneel. 2009. “Offline NFC Payments with Electronic Vouchers.” In MobiHeld '09: Proceedings of the 1st ACM workshop on Networking, systems, and applications for mobile handhelds, 25–30. Conference in Barcelona, Spain; August 17, 2009. New York: Association for Computing Machinery.
Avis d’exonération de responsabilité
Les notes analytiques du personnel de la Banque du Canada sont de brefs articles qui portent sur des sujets liés à la situation économique et financière du moment. Rédigées en toute indépendance du Conseil de direction, elles peuvent étayer ou remettre en question les orientations et idées établies. Les opinions exprimées dans le présent document sont celles des auteurs uniquement. Par conséquent, elles ne traduisent pas forcément le point de vue officiel de la Banque du Canada et n’engagent aucunement cette dernière.