The European Central Bank (ECB) is developing a digital euro. Such a digital euro should be “an electronic equivalent to cash”. But will it? It doesn’t look like it, really. Which makes it all the more important to push for better designs for the offline digital euro, and to fight for the continued acceptance of traditional cash.
Work on the digital euro is well underway. It is supported by legislative proposals from the European Commission, about which I blogged a year ago. Here I want to focus specifically on the equivalence of the digital euro to cash.
Let us first discuss the properties of cash, as used to settle a transaction between a payer (a customer wishing to make a payment) and a payee (a merchant accepting payments). Cash is:
Whether these properties are good or bad depends on your perspective. Anonymity, untraceability and permissionlessness are good for people, but government and law enforcement may not like them as much as they make it harder to prevent money laundering (AML) or to fight the financing of terrorism (CFT). On the other hand the bulkiness of cash make laundering significant amounts of money cumbersome and risky.
To what extent do the above properties of cash hold for the digital euro as well? In other words: how equivalent are they, exactly?
The answer to that question depends, of course, on how the digital euro will work. Two flavours of digital euro are foreseen: an online digital euro and an offline digital euro.
Let us first consider the online digital euro. This will essentially be a separate payment account at your bank, that you can use to pay at shops or online like you currently do with your normal bank account, using e.g. a payment card. We can be brief in our analysis here: such an online, account based, digital euro is almost the opposite of cash. It is
For offline digital euro the situation is less clear. In general terms the offline digital euro is envisioned to be a wallet based scheme, where an app on the smartphone stores some digital euro. And without going into any technical detail, certain properties of online digital euro also apply to any offline digital euro almost by definition:
Also, offline digital euro is not bulky at all, and any reasonable implementation should be unforgeable, irreversible (added 2024-02-29) and suffer mostly from systemic risks. Regarding cost, I am unable to make any substantiated comment.
Interestingly, wallet based systems that store digital euro all have to reckon with a risk that is by definition absent from both physical cash and account based systems, namely the risk of double spending. If euro’s are stored as digital data inside in a wallet, there is always (a theoretical) risk that copies of this data are made that would allow a user to spend some euro at least twice. After all, a copy of a digital coin cannot be distinguished from its original. So in principle such a copy has the same value as the original.
There are essentially two ways to prevent double spending. (There are also additional mechanisms to detect double spending afterwards, that we will not discuss here.)
One is to prevent a user form making digital copies of the wallet. This means that some sort of hardware security mechanisms (like smart cards) must be implemented, that prevent the user from tampering with the wallet. The problem is that strong hardware based security is difficult to achieve, and that a wallet containing actual digital euro is a very attractive target for criminals. I would be reluctant to base the overall security of offline digital euro on such a hardware based approach. (Unless a lot of additional transaction monitoring is taking place, that likely will adversely impact anonymity and untraceability.) Interestingly enough, we used to have two competing smart card based payment system in Netherlands in the nineties (Chipper and ChipKnip), which stored monetary value on the smart card that you could then use to pay (offline) at stores. They were essentially extension of the phone cards that you could buy to use in payphones - this was when mobile phones were still rare. It was in use well into the first decade of this century. Both schemes were not anonymous: payments were linked the unique smart card wallet identifiers.
The other mechanism is to prevent a user from successfully using a copy of the wallet. In this case some monitoring will have to take place during each and every payment, that will prevent such a copy from being used. Many digital payment schemes therefore rely on the payee to be online and to check with the payment network whether the money in a wallet that is transferred to it is still fresh and has not already been spent during an earlier transaction (possibly with another merchant). In practice this means that in offline digital payment schemes offline direct wallet to wallet payments (part of the untraceability property of traditional cash) are prohibited. The payee has to clear the payment online, and only then can decide to store the digital money in its own wallet.
Notice how this second mechanism contradicts the fact that the offline digital euro is supposedly offline…
More importantly, the way this second mechanism is implemented will have a strong influence on the remaining properties of the offline digital euro. For example, if a payment made with digital euro needs to be settled by the payee through its bank account, the payee identity (together with the payment amount) is revealed to the bank, breaking payee anonymity and untraceability (to some extent).
More privacy friendly options can be thought of, for example one where received digital money can be settled anonymously in exchange for fresh digital money issued to the payee wallet in return. But the act of settlement will require a network connection to the payment settlement infrastructure that may be hard to make sufficiently private and may thus lead to traces of metadata linked to payment transactions.
Note that the mechanism to preventing double spending does not necessarily rule out payer anonymity, provided the digital money is issued to the wallet in a privacy friendly way (as David Chaum already showed in 1982, and as further explained in this proposal for privacy friendly digital euro).
Another issue is the implementation of holding limits. The proposed regulation mandates strict enforcement of holding limits, out of money laundering concerns, also for offline digital euro. This by definition implies that also the offline digital euro is not entirely private: at least it is known that no user holds more than the holding limit in offline digital euro.
If holding limits are only locally enforced, by the wallet running on the smartphone, this is all that is known and at least some privacy is retained. But if banks issuing offline digital euro to wallets keep track of the total wallet balance, then the offline digital euro is not private.
Privacy would be better protected if, instead of holding limits, there are restrictions on the money flow, i.e. restrictions on the amounts one can pay with offline digital euro per transaction or per day. Similarly, one could restrict the total amount of offline digital euro that could be issued to a wallet per day - similar to restrictions on obtaining cash from ATMs. Such limits can be enforced locally by wallets and issuing banks, without revealing the current wallet balance.
The following table summarises the properties of the different cash and digital euro options. (Updated 2024-02-29).
| Property | Cash | Online euro |
Offline euro |
|---|---|---|---|
| anonymous | v | - | partial |
| untraceable | v | - | partial |
| privacy of balance | v | - | very limited (by law) |
| privacy of amount | v | - | ? |
| permissionless | v | - | - |
| inclusiveness | v | - | - |
| irreversible | v | - | v |
| intrinsic value | v | v | v |
| instantaneous | v | v | v (?) |
| autonomous | v | - | - |
| transaction cost | free | charged | chargable |
| costly | v | shouldn’t be | ? |
| bulky | v | - | - |
| risk | personal | systemic | systemic |
| forgeable | v | - | - |
We see that online digital euro is not equivalent to cash at all, in fact quite the opposite. For offline digital euro important properties of cash (like autonomy, permissionlessness and inclusiveness) do not hold. It is also not private (by law), and other privacy properties of cash (like anonymity and untraceability) will only hold to some extent. Only if all the right design decisions are made, and certain legal constraints related to AML and CFT are lifted, a reasonable compromise can be reached. Again, not all properties of cash can be retained in the digital domain.
It is important to realise that so far the regulation requires the ECB to issue both online and offline digital euro at the same time. In other words, as long as a reliable implementation of the offline digital euro has not been established, the online digital euro cannot be launched. But as the above discussion may have made clear, implementing offline digital euro with all the right properties is not easy at all. And the ECB has already signalled that this may delay the launch of the digital euro. Given the political significance attached to the digital euro, a long delay may not be acceptable. In that case, pressure will increase to launch the online digital euro before the offline digital euro. This should be prevented at all cost: the online digital euro is not like cash at all. And once issued, the ECB may be less inclined to work hard on also implementing an offline digital, given how difficult that probably is going to be.
In summary: the digital euro is not equivalent to cash, and unless all stars align, it will be sufficiently different from cash to be a real replacement of it. This is a severe shortcoming, but every cloud has a silver lining.
The proposal to regulate the legal tender of euro banknotes and coins, that is being discussed in tandem with the proposal for the digital euro, will reestablish cash as a proper and universally accepted means of payment. Cash will have to be accepted essentially everywhere where you can pay by card. In other words: “no cash” signs will be a thing of the past. (This assumes the regulation will not be watered down the extent that it becomes meaningless.)
The European Parliament has an important role to play here. First, to ensure that the launch of the online digital euro is strictly tied to the simultaneous launch of the offline digital euro. And second, to strictly protect the use and acceptance of cash. Otherwise, the push for digital euro will essentially kill cash, and thus kill the only permissionless, inclusive and privacy friendly means of payment we have.
Hello Thank you very much for your informative piece on the digital euro and how it compares to cash. I would be interested to discuss it more. Please let me know.
There were two points that I would like to add: 1. Intrinsic value: this is used in textbooks to describe the market value of the material (the gold, or the material). I think in your article you mean “nominal value” (the value that is printed on the coin)
Best wishes, Jacqueline Haarsma Stichting Ons Geld