Professor Mark Perry, Department of Computer Science, Brunel University. Prof. Perry’s research lies in the understanding and use of digital money and currencies to support the design of relevant, useful, and intelligible future financial systems for their users. He has held funding to look at digital payment through alternative/local currencies, Central Bank Digital Currencies where these involve programmable or ‘smart money’ systems, and the use of emerging payment systems in China. The focus of his work is on human behaviour, rather than operations within the banking sector, financial infrastructure, or software systems. Prof. Perry’s research in this area examines issues around the privacy, trust, acceptability, usability, and usefulness of emerging financial technologies. This submission is informed by empirical data collection carried out over the last 8 years at Brunel University, as well as a review of the contemporary academic literature on the subject.





1. The submission address the following questions in the call for evidence: 1) What are the main benefits and risks of a CBDC?, and 2) How should the Bank of England and HM Treasury address concerns over privacy and traceability of payments when exploring CBDC design?, Outside of these topics, I am less well qualified to address the questions posed by the committee.


2. This evidence is prepared in the understanding that there are many variations of what a CBDC may involve, and in the absence of clear indications which of these may be developed in the UK. These variants range from a very limited form in handling Real-Time Gross Settlement (RTGS) across the banking sector, broadly known as ‘wholesale CBDCs’, to its wider use in enabling payments between businesses and individuals in what has been described as ‘retail CBDCs’. The wholesale CDBC sector is intended to operate under highly formatted regulation and governance as a means of settling accounts between financial institutions. The retail form of CBDCs is intended to supplant our current processes of financial exchange that include cash, card payments, cheques, and direct debits in paying for goods and services. This submission addresses factors associated with retail CBDCs, and if deployed, it is anticipated that such a CBDC would account for the vast majority of UK financial transactions.

What are the main benefits and risks of a CBDC?


3. As we are aware from our everyday activities with money as ordinary citizens, money is highly pervasive across our personal and social lives: how we use it, manage it, manipulate it, share it, value it, give it, hide it, talk about it, lend or borrow it (and so on) all provide an extremely important texture to our lives beyond its abstracted use as a medium of exchange, unit of account, or store of value. The forms of payment that we select, how we choose to make payment, how we assess our wealth and debts, who we share information about our financial lives with, how we come together to make collective payments, are activities that citizens may make multiple times every day. These are often not trivial in their operation or outcomes, and may not be best understood as just simple transactions of capital. Economic activity shapes large parts of peoples’ daily life, and both the medium of money transfer and the infrastructures of payment have a direct impact on us, how we act, and how we relate to others. From studies carried out at Brunel and elsewhere, we have considerable evidence that the form of interaction around financial payments can give rise to what is known as extra-economic utility (that is, value beyond the simple exchange of capital; Zelizer, 2011), such as pleasure and playfulness, conversation and sociability, personal reflection, and in making trust judgements about co-transactors (Ferreira, Perry, and Subramanian, 2015).


4. Any form of retail CBDC that prioritises the purely transactional over the interactional will inevitably diminish the personal, social, and cultural value that comes with our existing forms of money and payment (Ferreira and Perry, 2019). A focus on making money transfers more ‘frictionless’, faster, cheaper, and more secure as currently pushed by financial industry advocates, misses these extra-economic factors (Perry and Ferreira, 2018). As such there is a significant economic, personal, and social risk in a) loss of faith in the relevance, trustworthiness, or usefulness of the CBDC resulting in a possible shift to alternative (and perhaps less well regulated) transactional media that do enable what citizen users want or require (eg. physical cash, alternative digital currencies), b) less effective mechanisms for financial management by individuals and (small) businesses, resulting in poor financial judgements being made, and c) an impoverished national social and cultural experience, because the means by which payment is made or financial transfers are settled becomes less visible, and so loses the socio-informational value that current payment formats enable (Lewis and Perry, 2018).


5. The medium of a citizen user’s interaction with a CBDC (eg. via an app or website) are likely to be distinct from the technical infrastructure of that CBDC (whether this is on a blockchain, digital ledger, or another platform), and thus there is an argument to be made that these factors are not relevant to the implementation of the CBDC. Depending on the final infrastructural design of the CBDC system, it may be accessible via a bank’s mobile app, an application developed by the Bank of England for an account held directly by them, or an application developed by a ‘third party’ developer with permissioned access. However, the information that users can access and the process of making payment is directly limited by the implementation of the CBDC in the software restrictions and constraints that it imposes, whether by deliberate access control or simple lack of functionality. In this way, the infrastructure of CBDC is the hinge on which any further access or manipulation of financial records will turn.


6. Our recommendation here is that any implementation of the CBDC infrastructure should allow considerable flexibility in access to the financial data held. A restrictive level of control over data access, or limited functionality could be enormously damaging to the extra-economic, social utility of money, as well as limiting the degree of flexibility in financial operations permitted.


How should the Bank of England and HM Treasury address concerns over privacy and traceability of payments when exploring CBDC design?


7. Our use of money is generally considered a personal and private affair, although it is generally recognised that there are circumstances that require external audit of account information and access to funds. Emerging cryptocurrencies have placed great emphasis on the privacy and the lack of traceability that their services offer users. For a CBDC, this is clearly not plausible as there is likely to be a national need for oversight, for reasons as varied as tracking criminal activity to HMRC monitoring taxable liabilities.


8. In addition to the ability to track financial activity by individuals and organisations, it has been suggested that a CBDC will also offer economically valuable national indicators to track aggregate purchasing information broken down at granular levels to determine real-time inflation, to assess the impact of government policy on economic behaviour, or to allow the ONS to map out or mine a rich national picture of citizen activity from CBDC transactional metadata.


9. Likewise, citizen users of the CBDC may themselves wish for their financial and payments data to be made available to other parties, such as their banks, in credit applications, their accountants, or their family members. There is a wide evidence base showing that financial information sharing, particularly between friends and family, is heavily used and valued, albeit with some concerns over coercive control.


10. Allowing permissioned, third-party access to view or transact on a CBDC account (such as using a unique access token) therefore seems to be a valuable design requirement for a national CBDC. This should be at a level of data granularity set by the account holder (eg. broad categories of purchase or specific items, purchase timeframes or locations, etc.). However, as we note below, this poses questions about making the people or organisations that have access to this private data accountable for their actions, as these are potentially highly intrusive.


11. Privileged access to financial data from the CBDC is therefore useful, both in a mandated form by government (eg. HMRC, ONS, Ministry of Justice), but also via permissioned form by account holders themselves (eg. third party financial services, financial administrators, family, carers). Our qualitative data from China suggests that its citizens are resigned not to expect transactional information to remain private and that the state will have unrestricted access to it, but this should not be assumed to be the case in the UK (or most other democratic nations). There is a broad expectation in the UK that private data remains private from government, institutions, or other people, unless there is an overriding national need for this, or an agreed value for the account holder in making this available to others. Without knowledge of how peoples’ personal data is being used, and their control over who has access to what kind of data, there is likely to be an erosion of citizens’ trust with such a CBDC.


12. Our recommendation here is that where external access to a CBDC account is requested (by legal mandate or explicitly permissioned by the user), that this activity (including the financial details requested) is traceable to the entity making the request by the account holder (with possible exclusions, for example by the security services or with a police warrant). The granularity of this information about any access (who, when, why, what information) should be as high as possible, making the information requester fully accountable for their actions.


13. We further recommend that external account access should be explicitly flagged (eg. with a notification) so that the account holder is made aware that and when their data has been externally accessed.


14. Making CBDC access accountable will not by itself solve the problems of privacy and traceability in a CBDC, but it will provide a more transparent basis for citizen users to build trust in this vital piece of national infrastructure. Not to do so may lead to failure in large scale adoption as citizens worry about their activity being subject to an unaccountable level of surveillance.



Ferreira, J., Perry, M. and Subramanian, S. (2015) Spending Time with Money: from shared values to social connectivity. Proc. ACM CSCW’15, March 14–18, 2015, Vancouver, British Columbia, Canada. ACM Press, New York, NY, USA, p.1222-1234.

Fereirra, J. and Perry, M. (2019) From Transactions to Interactions: Social Considerations for Digital Money. In Lynn, Mooney, Rosati and Cummins (Eds.) Disrupting Finance: Fintech and Strategy in the 21st Century, p. 121-132. Palgrave Macmillan / Springer Nature: Switzerland.

Lewis, M. and Perry, M. (2019) Follow the Money: Managing Personal Finance Digitally. Proc. ACM CHI’19, May 4-9, 2019, Glasgow, UK. ACM Press, New York, NY, USA.

Perry, M. & Ferreira, J. (2018) Moneywork: Practices of Use and Social Interaction around Digital and Analog Money. ACM Transactions on Computer-Human Interaction, 24(6), Article 41, 32 pages.

Zelizer, V. (2011). Economic lives. Princeton: Princeton University Press.


15 October 2021