Please enter keywords
Will Digital RMB Violate Privacy?
Latest Interpretation from the Head of China’s Digital Currency Project
Date:04.01.2021 Author:MU Changchun, CF40 Guest Member; Director, the Digital Currency Research Institute of the People's Bank of China

Abstract: According to the author, controllable anonymity is an important feature of digital RMB, which reflects a balance between public’s needs for reasonable privacy protection and the needs to prevent money laundering, terrorist financing, tax evasion and other illegal and criminal activities.

I. Anonymity: Protection of User Privacy is of the Highest Level among Existing Payment Instruments

Mu Changchun pointed out that in the concept of controllable anonymity, anonymity means to meet the needs of reasonably anonymous payment and privacy protection.

Current payment instruments, whether it's bank cards or Wechat Pay, Alipay, are all linked with bank accounts which require real name registration, and as a result they cannot satisfy anonymity needs. The loose coupling between digital RMB and bank accounts can technologically enable anonymity of small-amount transactions. To meet various payment needs, wallets are assigned with different transaction limits based on KYC levels.

An anonymous wallet corresponds to the lowest KYC level. A mobile phone number is all the information needed to open such an account. Of course, its daily balance and maximum transaction amount are capped at the lowest level to meet the needs of daily micro-payments. To make transactions of a larger amount, the wallet will need to be upgraded. In other words, KYC requirements will become more stringent as the balance and payment limit go up. This design is meant to protect user privacy and at the same time guard against the risk of large suspicious transactions.

"Some say the central bank can use mobile phone numbers to get users’ information from telecom operators. This is actually a misunderstanding.” Mr Mu pointed out, “Although the payment departments of telecom operators are also involved in the research and development of digital RMB, laws and regulations prevent them from disclosing customer information to the central bank and other third parties. Of course, they are not allowed to provide such information to their own departments operating digital RMB. Therefore, a wallet that is opened with a mobile phone number would remain completely anonymous to the People’s Bank of China and operating institutions.”

The design of sub wallets can also help protect personal privacy.

People participating in pilot rollouts may have noticed a detail: a sub wallet can be opened under the digital RMB wallet and connected to e-commerce platforms. Previously, when shopping on the e-commerce platforms, people have to submit all payment information when paying through gateways or fast payment schemes. As a result, the platforms can get a complete set of information, including those they have no business knowing, just like grocery vendors have no business knowing your credit card’s CVV code when you buy a cabbage from them.

In contrast, when users pay with digital RMB, their payment information will be packaged and encrypted before sent to e-commerce platforms through sub wallets. That will protect users’ core private information from the platforms.

“In addition, we have adopted many technologies and systems to protect user privacy, such as ID anonymization among digital wallets which ensures that personal data remains anonymous to the counterparty, operator and other commercial institutions.” Mu explained that in strict accordance with applicable laws, regulations and specifications including the Cybersecurity Law, Civil Code, and Information Security Technology—Personal Information (PI) Security Specification, the introduction of digital RMB will be accompanied by sound systems for personal information protection and internal control, with all customer information de-identified and secured according to related management procedures.

“In one word,” said Mu, “digital RMB offers the highest level of privacy protection among all currently available payment tools.”

II. Controllable: Anonymity on the Basis of Risk Controllability is An International Consensus

“The other part of ‘controllable anonymity’ is ‘controllable’,” noted Mu. “While meeting reasonable needs for anonymity, we should also remain capable of fighting against crimes. We must strike a proper balance in between, or there will be big problems.”

First, the anonymity of the central bank digital currencies (CBDCs) is conditional on risk controllability. Complete anonymity would be too risky to materialize.

Agustín Carstens, General Manager of the Bank for International Settlements (BIS), pointed out in his remarks titled “Digital Currencies and the Future of the Monetary System” that complete anonymity is a “chimera” and a completely anonymous system will not exist. According to him, “the vast majority of users would accept for basic information to be kept with a trusted institution – be that their bank or public authorities”, and “some form of identification is crucial for the safety of the payment system, preventing fraud, supporting anti-money laundering and combating the financing of terrorism (AML/CFT).” There has to be a balance between convenience and traceability.

Similarly, the possibility for complete anonymity is also overruled in Central Bank Digital Currencies: Foundational Principles and Core Features, a report co-authored by the BIS and seven central banks including the European Central Bank and the US Federal Reserve. The report stresses: “Some have argued that the main benefit a CBDC could bring would be some level of anonymity for electronic payments…Full anonymity is not plausible. While anti-money laundering and combating the financing of terrorism (AML/CFT) requirements are not a core central bank objective and will not be the primary motivation to issue a CBDC, central banks are expected to design CBDCs that conform to these requirements.”

Second, exploration of CBDC anonymity should not counter regulations that crack down on money laundering (ML), terrorism financing (TF) and tax evasion, among other illegal activities. The Financial Action Task Force (FATF) also attaches importance to the design of CBDCs in preventing against these irregularities. According to the FATF Report to the G20 Finance Ministers and Central Bank Governors on So-Called Stablecoins: “CBDCs could present greater ML/TF risks than cash. CBDCs could be made available to be used by the general public in retail payments or as accounts and, in theory, allow for anonymous peer-to-peer transactions. In this scenario, the CBDC would be acting as an instrument with the liquidity and anonymity of cash, but without the limitations on portability that come with physical cash…As they would be backed by the central bank of a jurisdiction, they potentially could be widely accepted and widely used. This combination of anonymity, portability and mass-adoption would be highly attractive to criminals and terrorists for ML/TF purposes.”

The FATF made it clear: "Once a CBDC is established, financial institutions, designated non-financial businesses and professions and VASPs that deal in the CBDC will have the same AML/CFT obligations as they do with fiat currencies or cash. A customer transacting using a CBDC will have the same customer due diligence obligations as if it was an electronic transaction using fiat currency."

It is safe to say that complete anonymity has never been a concern for CBDC in any country. Rather, there appears to be an international consensus on controllable anonymity in compliance with anti-money laundering, counter-terrorist financing and anti-tax evasion regulations.

With mobile phone numbers being the only information needed to set up a digital wallet, how can we prevent criminal abuse of digital RMB without knowing who the real users are?

Mu Changchun suggested that if big data analysis points to such behaviors, for example, a telecom fraud, the central bank will refer the case and all available evidences to law enforcement authorities, who will then legally collect user information from telecom operators or banks. This way, we can tackle crimes and allow for legitimate anonymity at the same time.

What would happen if we place too much emphasis on privacy protection, and as a result, weaken the capability of digital RMB to combat crimes or raise the crime-fighting cost?

Mr. Mu said that even Bitcoins are not completely anonymous, but due to the high cost of user information tracing, Bitcoins might be used in the trafficking of drugs, arms, human, etc. He also cited USDT’s illegal use in online gambling in China.

If you want to open an account in the traditional bank account system, the bank would need to acquire your name, ID number, the term of validity, contact number and other five key information. Despite such strict identification and continuous risk control through due diligence and cross-validation, criminals always find their way to abuse bank accounts and electronic payments to carry out online gambling and telecom frauds.

There are approximately one million online fraudsters in China, causing over 100-billion-yuan direct losses every year. Online gambling is so rampant that the police cracked 7200 relevant cases in 2019.

Excessive anonymity might give leeway to criminal activities, said Mu.

A design featuring anonymous small-amount transactions and traceable large transactions could assure consumers of asset security in case of digital RMB-related telecom frauds.

That’s why it is the international consensus to achieve anonymity on the basis of risk controllability. For the sake of financial security and stability, central banks and international organizations tend to explore CBDC anonymity under the precondition of risk prevention, and therefore any design that fails to comply with anti-money laundering, counter-terrorist financing and anti-tax evasion requirements will be ruled out.

Download PDF at: