Trust, Privacy, and Adoption: A Global Policy Framework for Central Bank Digital Currencies

Abstract

Central Bank Digital Currencies (CBDCs) have transitioned from theoretical concepts to operational realities across multiple jurisdictions. While they promise improved payment efficiency and financial inclusion, public trust, privacy, and user adoption have emerged as the critical determinants of success. Users fear that CBDCs could enable government surveillance, while regulators require sufficient oversight to prevent illicit finance, which creates a fundamental tension between privacy and compliance. This paper addresses the question: how can policymakers craft a global policy framework for retail CBDCs that balances user privacy and trust with necessary regulatory oversight, in order to maximize public adoption? Employing a structured narrative synthesis of peer-reviewed empirical literature and case analysis of four major CBDC implementations, the Bahamas Sand Dollar, Nigeria’s eNaira, China’s e-CNY, and the proposed digital euro, the study develops a seven-component global policy framework organized across four architectural layers. We additionally formulate seven testable propositions linking each framework component to adoption and trust outcomes, providing a structured agenda for future quantitative research. Evidence from randomized survey experiments shows that strong privacy safeguards raise adoption willingness by up to 60, underscoring that privacy is not merely a civil liberty concern but a prerequisite for widespread CBDC success. The comparative cross-case assessment suggests that broader alignment with the proposed framework components appears conceptually consistent with more favorable trust and adoption patterns across the cases examined.

1. Introduction

Central Bank Digital Currencies (CBDCs), digital forms of sovereign money issued by central banks, are rapidly transitioning from exploratory projects to operational reality. As of 2025, over 95% of central banks globally are engaged in CBDC research, and surveys indicate that up to 24 countries could have a retail CBDC in circulation by the end of 2030 [1,2]. Nations including the Bahamas, Nigeria, and the Eastern Caribbean Currency Union have already launched retail CBDCs, while China’s digital yuan (e-CNY) is in an advanced pilot reaching over 260 million users, and the Eurozone is progressing toward a possible digital euro by 2028. Motivations are diverse: emerging economies emphasize financial inclusion and payment resilience, while advanced economies focus on monetary sovereignty as cash use declines and private stablecoins proliferate [2].

Despite this momentum, a fundamental challenge has emerged. A CBDC, by its nature, enables granular data collection on transactions in a way that physical cash does not [3]. If poorly designed or mismanaged, this capability creates serious risks to financial privacy, potentially enabling unwarranted government surveillance of citizens’ spending behavior [4]. As the International Monetary Fund (IMF) explicitly warns, ‘CBDC data use could pose risks to privacy, which, in turn, can undermine the trust in central bank money’ [5]. Such concerns are not abstract; they directly determine whether people will adopt a CBDC. In the European Central Bank’s (ECB) 2021 public consultation, the largest CBDC survey conducted in a major jurisdiction, where 43% of respondents identified privacy as the most important feature of a potential digital euro, far exceeding security (18%) or cross-border usability (11%) [6].

At the same time, central banks and governments have legitimate obligations to ensure CBDCs cannot facilitate money laundering, terrorist financing, tax evasion, or sanctions circumvention [7]. Anti-money laundering (AML) and countering the financing of terrorism (CFT) regulations require some degree of transaction transparency. Balancing these regulatory imperatives with individuals’ right to financial privacy is the fundamental design challenge of the CBDC era [8]. If a CBDC offers full anonymity comparable to cash, it may facilitate criminal abuse at scale; if it offers no privacy, it risks rejection as an instrument of surveillance [9]. The challenge is to find a solution where privacy and regulatory utility coexist, a mutually beneficial outcome that neither sacrifices civil liberties nor enables illicit finance [5] (Murphy, 2024).

This paper addresses the core research question: How can policymakers craft a global policy framework for retail CBDCs that balances user privacy and trust with necessary regulatory oversight, in order to maximize public adoption? Despite a rapidly growing literature on CBDC design, no existing framework integrates privacy-by-design principles, legal governance mechanisms, privacy-enhancing technologies, and international coordination into a globally applicable standard supported by formally testable research propositions [10]. This paper aims to fill that gap. Our contribution is threefold: (1) a structured narrative synthesis of the empirical literature linking privacy to CBDC trust and adoption; (2) a seven-component, four-layer global policy framework derived inductively from that synthesis and comparatively assessed across four cross-national case studies; and (3) seven testable research propositions broadly consistent with measurement models, providing a rigorous agenda for future empirical research.

The remainder of the paper proceeds as follows. Section 2 describes the methodology. Section 3 reviews the background on global CBDC development and adoption drivers. Section 4 examines privacy concerns and their impact on public trust. Section 5 analyzes how privacy and regulatory oversight can be reconciled, drawing on four case studies. Section 6 presents the global policy framework and linked research propositions. Section 7 discusses implementation challenges. Section 8 presents limitations and directions for future research. Section 9 concludes with policy recommendations.

2. Methodology

2.1. Research Design and Literature Search

This study employs a structured narrative synthesis combined with comparative case analysis to develop a conceptual and policy-oriented framework for trustworthy retail Central Bank Digital Currency (CBDC) design. The methodological approach follows the principles of narrative synthesis outlined by Popay et al. and Rodgers et al. [11,12], which are particularly appropriate for interdisciplinary research domains characterized by heterogeneous evidence, diverse methodological traditions, and evolving policy environments. Unlike formal systematic reviews or meta-analyses, the objective of this study is not to estimate pooled quantitative effects, but rather to integrate fragmented evidence from economics, finance, information systems, public policy, law, and digital governance in order to derive a theoretically grounded and policy-relevant framework.

The literature search was conducted between [Month Year] and [Month Year] using three major academic databases: Scopus, Web of Science, and Google Scholar. Additional institutional and policy documents were identified through targeted searches of publications issued by the Bank for International Settlements (BIS), International Monetary Fund (IMF), European Central Bank (ECB), Financial Action Task Force (FATF), World Bank, G7, Organisation for Economic Co-operation and Development (OECD), and selected national central banks.

The search strategy employed combined Boolean keyword structures integrating themes relating to CBDCs, privacy, trust, governance, regulation, adoption, and digital payment systems. Representative combined search query included:

((“central bank digital currency” OR “CBDC”) AND (“privacy” OR “data protection” OR surveillance))”

Or

((“central bank digital currency” OR “CBDC”) AND (“trust” OR adoption OR acceptance OR “user intention”))

Or

((“central bank digital currency” OR “CBDC”) AND (“privacy-by-design” OR “privacy enhancing technolog*” OR “zero knowledge proof” OR ZKP))

Or

((“central bank digital currency” OR “CBDC”) AND (governance OR regulation OR “AML” OR “KYC” OR “financial inclusion”))

The search focused primarily on studies published between 2018 and 2025, reflecting the rapid acceleration of global CBDC development during this period. Earlier foundational studies were included selectively where conceptually relevant to privacy governance, digital payments, or monetary system design.

To improve transparency and reproducibility, explicit inclusion and exclusion criteria (

Table 1. Inclusion and Exclusion Criteria.

Inclusion Criteria	Exclusion Criteria
English-language publications	Non-English publications
Studies published between 2018 and 2025	Publications outside the study period, unless foundational
CBDC-related privacy, trust, governance, adoption, and regulatory studies	Cryptocurrency-only studies unrelated to sovereign CBDCs
Peer-reviewed journal articles	Opinion pieces and non-analytical commentary
Working papers and institutional reports from recognized organizations	Duplicate records
Empirical, conceptual, comparative, and policy-oriented studies	Publications with limited relevance to retail CBDC governance
Retail CBDC focus	Wholesale CBDC-only studies unless conceptually relevant

) were applied during the screening process. Included sources comprised: (1) peer-reviewed journal articles; (2) working papers and conference papers from recognized institutions; (3) official reports, consultation papers, and technical publications from central banks and international organizations; and (4) empirical, theoretical, policy, and comparative studies directly related to CBDC privacy, trust, adoption, governance, financial inclusion, or regulatory architecture. Excluded materials included non-English publications, opinion articles lacking analytical content, cryptocurrency-only studies unrelated to sovereign digital currencies, duplicate records, and publications with limited relevance to retail CBDC governance.

The literature identification and screening process proceeded in four stages. First, an initial database search yielded approximately 317 records. Second, duplicate and clearly irrelevant records were removed following title and abstract screening. Third, a full-text eligibility assessment was conducted based on thematic relevance to CBDC privacy, trust, governance, adoption, and regulatory design. Finally, approximately 100 sources were retained for the final narrative synthesis and comparative analysis. Figure 1 presents a PRISMA-style overview of the literature search and screening process adapted for narrative synthesis research.

Given the interdisciplinary and policy-oriented nature of the topic, quality appraisal was conducted using a relevance-and-credibility approach rather than formal risk-of-bias scoring. Priority was given to peer-reviewed empirical studies, highly cited conceptual contributions, official institutional publications, and sources with direct analytical relevance to CBDC privacy and adoption dynamics. Particular emphasis was placed on methodological rigor, institutional credibility, policy significance, and cross-jurisdictional applicability.

The retained literature and case evidence were subsequently coded thematically using an inductive comparative approach. Recurrent themes relating to privacy-by-design, legal safeguards, institutional trust, tiered data access, privacy-enhancing technologies, transparency and communication, operational resilience, and international coordination were identified iteratively across the literature and case evidence. These themes were then consolidated into higher-order conceptual categories through repeated cross-case comparison and triangulation with existing institutional principles proposed by the BIS, IMF, FATF, G7, and ECB. This iterative synthesis process ultimately informed the derivation of the paper’s seven-component, four-layer policy framework.

2.2. Case Study Selection and Comparative Analytical Approach

To complement the narrative synthesis, this study incorporates a comparative case analysis of four prominent retail CBDC initiatives: the Bahamas Sand Dollar, Nigeria’s eNaira, China’s e-CNY, and the proposed digital euro. The cases were selected purposively rather than randomly in order to capture substantial variation across governance structures, institutional trust environments, privacy architectures, regulatory philosophies, economic development levels, and CBDC implementation stages. The intention of the case comparison is interpretive and illustrative rather than statistically representative [11,12].

The Bahamas Sand Dollar was selected as the world’s first nationwide retail CBDC implementation and as an example of a small-island developing economy emphasizing financial inclusion and payment resilience. Nigeria’s eNaira represents a large emerging economy characterized by comparatively lower institutional trust, financial inclusion challenges, and controversial implementation dynamics linked to cash-shortage policies [13]. China’s e-CNY was included because it constitutes the world’s most technologically advanced large-scale CBDC pilot operating within a highly centralized governance and surveillance environment [14,15]. The proposed digital euro represents an advanced democratic regulatory context characterized by strong privacy legislation, institutional accountability, and extensive public consultation mechanisms. Collectively, these four cases provide analytically useful variation across political systems, privacy models, and stages of CBDC development [16,17].

The comparative analysis focused on seven framework dimensions derived from the literature synthesis: (1) privacy-by-design architecture; (2) legal and regulatory safeguards; (3) tiered and proportionate data access; (4) deployment of privacy-enhancing technologies; (5) public transparency and stakeholder engagement; (6) security and operational resilience; and (7) international coordination and standards alignment. Evidence for each dimension was obtained from central bank publications, policy reports, technical documents, consultation papers, institutional analyses, and peer-reviewed academic literature.

The case assessment presented in Section 6.3 is designed as an interpretive comparative mapping exercise rather than a formal quantitative index. Accordingly, the scoring symbols (✓, ~, ✗) represent broad qualitative judgments based on publicly available evidence rather than precise numerical measurements. A score of ✓ indicates substantial evidence that a framework component is explicitly addressed within the CBDC design or governance structure; ~ indicates partial or evolving implementation; and ✗ indicates limited evidence, absence, or design characteristics inconsistent with the framework principle. The assessment is intended to facilitate conceptual comparison across cases rather than establish definitive rankings or causal relationships [18,19].

Importantly, adoption indicators across the four cases are not directly equivalent and should therefore be interpreted cautiously. The Bahamas and Nigeria provide observable usage and wallet activation data from live retail deployments, whereas China’s e-CNY primarily provides pilot-scale transaction and wallet statistics within a state-managed ecosystem. By contrast, the digital euro remains at the preparatory and legislative stage and therefore lacks realized adoption outcomes. Consequently, the comparative analysis does not seek to establish empirical causality between framework compliance and adoption performance. Rather, it aims to explore whether broad patterns observed across the cases appear conceptually consistent with the trust, privacy, and adoption relationships identified in the literature synthesis.

Given the limited number of cases, differences in political and economic contexts, and uneven availability of comparable public data, the case analysis should be interpreted as exploratory and theory-building in nature. The primary purpose of the comparative assessment is therefore to illustrate the practical relevance of the proposed framework across diverse CBDC environments and to identify dimensions suitable for future empirical investigation as additional CBDC adoption data become available globally.

2.3. Framework Derivation and Proposition Development

The seven-component policy framework was derived inductively from the literature synthesis and case analysis, then illustratively assessed against existing international standards [5]. Following Whetten’s [19] framework-building logic, we formulate one testable research proposition for each framework component. Each proposition identifies a directional relationship between the component and adoption or trust outcomes, specifies a mediating or moderating mechanism, and indicates an appropriate econometric measurement strategy. An expanded illustrative implementation matrix translating the proposed framework components into potential governance mechanisms, institutional actors, and indicative policy outcomes is provided in Appendix A

Table A2. Illustrative Policy Framework Implementation Matrix.

Framework Component	Illustrative Mechanisms	Governance Actors	Indicative Outcomes
Privacy-by-Design	ZKPs, homomorphic encryption, differential privacy	Central banks, technology providers, privacy experts	Enhanced transaction confidentiality and user privacy
Legal & Regulatory Safeguards	Privacy legislation, judicial oversight, data protection rules	Legislators, regulators, privacy authorities	Greater legal clarity and institutional accountability
Tiered Data Access	Risk-based KYC, low-value anonymity thresholds	Central banks, financial institutions, AML authorities	Improved balance between privacy and compliance
Transparency & Public Communication	Public consultations, transparency reports, education campaigns	Central banks, civil society, media	Improved public trust and stakeholder engagement
Security & Operational Resilience	Encryption protocols, cybersecurity audits, resilience testing	Technology providers, cybersecurity agencies	Stronger operational reliability and system integrity
International Coordination	Cross-border standards, interoperability frameworks	BIS, IMF, FSB, central banks	Improved interoperability and regulatory harmonization
Continuous Evaluation & Oversight	Independent audits, policy reviews, stakeholder feedback	Regulators, academic experts, oversight bodies	Adaptive governance and long-term institutional legitimacy

. The propositions constitute directional hypotheses, not confirmed empirical findings, providing a roadmap for future quantitative testing as more CBDCs launch and panel data accumulate.

2.4. Limitations of Methodology

As a narrative synthesis, this paper cannot produce precise effect sizes or confirm causal claims. Case study evidence is drawn primarily from early-stage pilot data, limiting generalization. The literature reviewed is predominantly English-language and draws heavily from Western institutional sources, underrepresenting Global South perspectives. These limitations are addressed in detail in Section 8.

3. Literature Review: CBDC Development, Trust, and Adoption

3.1. The Global Rise of CBDCs and the Trust Imperative

The rapid global expansion of CBDC programs has been driven by a convergence of motivations. The Bank of International Settlements reports that over 95% of central banks are actively investigating CBDCs, with pilot projects having tripled in three years. Central banks view CBDCs as essential to preserving the ‘fundamental anchor of trust in the monetary system’ as digital transactions replace cash and private stablecoins expand [20]. Trust in central bank money has traditionally rested on value stability, legal backing, and universal acceptance. With CBDCs, technological trust factors enter the equation: users must trust the digital system’s reliability, security, and integrity. A CBDC perceived as prone to outages, hacks, or data abuses will rapidly lose public confidence. The BIS reports (BIS 2023a) [2] accordingly identify information security and operational resilience as non-negotiable prerequisites for any credible CBDC. Furthermore, building trust is paramount for CBDC adoption, as evidenced by studies indicating that household acceptance is significantly influenced by institutional trust and confidence in the currency’s underlying system [21]. This heightened reliance on trust necessitates transparent policymaking, robust privacy-by-design principles, and clear communication regarding data collection and protection practices to foster public confidence in CBDCs as tools of empowerment rather than control [22].

3.2. User Adoption Drivers and Barriers

User adoption ultimately determines a CBDC’s policy success [23]. A systematic review of 78 adoption studies identifies a consistent set of determinants. On the positive side, users may adopt CBDCs for convenience, lower transaction costs, offline payment capability, and financial inclusion, particularly access to cheaper cross-border remittances. On the barrier side, privacy concerns are the most consistently identified deterrent across studies, followed by low institutional trust, cybersecurity fears, and limited public awareness. Auer et al. [24] establish that institutional trust in the central bank is a significant moderator of adoption intent across country contexts, while Bijlsma et al. [25] suggest through a survey experiment that privacy is the strongest stated preference, with loss of privacy perceived as the primary cost of CBDC adoption.

The pivotal experimental evidence is provided by Choi et al. [26] whose randomized controlled experiment across the euro area and the United States found that presenting a CBDC with strong privacy safeguards raised adoption willingness by up to 60%. Critically, the experiment also found that communicating privacy features to users had an independent positive effect on adoption willingness, separate from the features themselves, suggesting that transparency about privacy design is itself a trust-building mechanism. These findings are summarized in

Table 2. Survey Data on Privacy Concerns and CBDC Adoption Intentions.

Survey Question/Metric	Response Category	Percentage (%)	Sample Size	Source/Year
Primary Privacy Concern	Government surveillance	43%	5240	ECB Public Consultation (2021)
	Loss of anonymity	52%	5240	ECB Public Consultation (2021)
	Data breaches	38%	3800	BIS Survey (2023)
	Commercial exploitation	28%	3800	BIS Survey (2023)
Trust in CBDC (General)	High trust	28%	8500	Multi-country survey (2023)
	Medium trust	44%	8500	Multi-country survey (2023)
	Low trust	28%	8500	Multi-country survey (2023)
Adoption Intention with Strong Privacy	Definitely would adopt	45%	6200	Academic study (2024)
	Probably would adopt	37%	6200	Academic study (2024)
	Unlikely to adopt	18%	6200	Academic study (2024)
Adoption Intention without Privacy	Definitely would adopt	8%	6200	Academic study (2024)
	Probably would adopt	10%	6200	Academic study (2024)
	Unlikely to adopt	82%	6200	Academic study (2024)
Most Important CBDC Feature	Privacy protection	41%	4500	IMF Study (2023)
	Security	32%	4500	IMF Study (2023)
	Ease of use	18%	4500	IMF Study (2023)
	Low fees	9%	4500	IMF Study (2023)
Willingness to Share Data with Government	Comfortable	15%	7100	Privacy International (2023)
	Somewhat comfortable	28%	7100	Privacy International (2023)
	Uncomfortable	57%	7100	Privacy International (2023)

alongside other key empirical studies informing this paper.

3.3. Privacy Concerns and Their Dimensions

Privacy in payments refers to the ability to transact without unnecessary disclosure of personal information. Cash currently provides the benchmark; physical cash leaves no digital record linking a transaction to a specific identity [27]. CBDCs, depending on design, could either approximate cash’s privacy or centralize personal financial data to an unprecedented degree [3]. Public anxiety about CBDC privacy operates along three analytically distinct dimensions.

First, mass surveillance fears: concerns that every transaction could be recorded, enabling intrusive monitoring of spending habits, political affiliations, or religious activity. These fears are not abstract. Critics have characterized poorly designed CBDCs as constituting ‘the end of financial privacy [28]. Second, cybersecurity risk: concentrating sensitive personal financial data in a central system creates a high-value target for malicious actors; high-profile data breaches across sectors have amplified public awareness of this risk [4]. Third, custodianship distrust: surveys consistently indicate that citizens trust commercial banks more than government agencies with personal financial data, partly due to concerns about government intent and political use of financial information [25]. The interaction of these three dimensions explains why privacy concerns operate as a threshold condition: unless users are satisfied on all three counts, adoption intent remains low regardless of other CBDC benefits [29].

3.4. Privacy-by-Design as a Foundational Response

The concept of privacy-by-design (PbD), developed by Cavoukian and published in a book edited by Yee et al. [30] and codified in the European Union’s General Data Protection Regulation, advocates embedding privacy into system architecture from the outset rather than treating it as an afterthought (EU, 2016). In a CBDC context, PbD implies data minimization, default privacy protections, and end-to-end security throughout the information lifecycle. Murphy [5] articulates seven PbD principles specifically for CBDCs: proactive privacy anticipation; privacy as the default setting; privacy embedded rather than integrated; full functionality without unnecessary trade-offs; end-to-end security; visibility and transparency enabling external verification; and user-centricity giving individuals control over their data. Implementing these principles constitutes a credible signal to the public that privacy is taken seriously and the experimental evidence reviewed above suggests that this signal directly translates into higher willingness to adopt [31] (Elliott et al., 2022).

Kyriazis et al. [32] examine how traditional banking intermediaries and emerging financial technologies interact under conditions of financial stress, with particular attention to institutional trust, financial-system transformation, and technology adoption dynamics. This perspective is relevant to the present study because it reinforces the importance of institutional credibility and governance structures in shaping the acceptance of digital financial innovations.

The main empirical findings identified in the literature are summarized in

Table 3. Summary of Key Empirical Studies on CBDC Privacy and Adoption.

Study	Source	Methodology	Key Finding
Choi et al. [26]	BIS Working Paper No. 1147	Randomized controlled experiment; N = 2000+ (Euro Area & US)	Privacy safeguards raise CBDC adoption willingness by up to 60%; communicating privacy features has an independent, significant positive effect
Singh & Yadav [33]	Central Bank Review, 25 (1)	Systematic review of 78 CBDC adoption studies (2010–2023)	Regulatory frameworks and user risk perceptions (including privacy) are the two most consistent adoption determinants across studies
Bijlsma et al., [25]	DNB Working Paper No. 709	Survey experiment; N = 1800 (The Netherlands)	Privacy is the strongest stated preference; loss of privacy is perceived as the primary cost of CBDC adoption
Garratt & Oordt, [9]	BIS Working Paper No. 976	Theoretical welfare analysis of CBDC privacy design	Conditional privacy—anonymity for small, traceability for large transactions—dominates both extremes on welfare grounds
Agur et al., [34]	Journal of Monetary Economics, 125	Theoretical model of CBDC design & competition	Excessive data collection drives users toward anonymous private alternatives, reducing systemic monetary benefits
Auer et al., [24]	BIS Working Paper No. 880	Cross-country comparative analysis of CBDC motivations	Institutional trust in the central bank is a significant moderator of adoption intent
Murphy, [5]	IMF Fintech Notes 2024/004	Normative analysis; high vs. low data-intensity CBDC models	Privacy-by-design and proportionate data governance can reconcile privacy with AML/CFT; 7 PbD principles proposed

, while

Table 4. Comparative Positioning of Existing CBDC Governance Frameworks and the Contribution of the Present Study.

Framework/Study	Main Focus	Key Limitations	Contribution of the Present Study
BIS (2020–2023) CBDC Principles	Foundational policy principles for CBDC design, interoperability, and financial stability	Limited emphasis on operational privacy governance and adoption behavior	Integrates privacy governance, institutional trust, adoption dynamics, and operational policy architecture into a unified framework
IMF CBDC Policy Frameworks	Regulatory governance, financial inclusion, and macro-financial implications	Limited integration of privacy-enhancing technologies and behavioral adoption mechanisms	Combines legal safeguards, PETs, institutional trust, and adoption propositions within a single analytical structure
FATF Digital Asset Guidance	AML/CFT compliance and transaction monitoring standards	Strong compliance orientation with limited focus on citizen privacy expectations and trust formation	Introduces a balanced privacy–compliance model through tiered access and proportional governance principles
ECB Digital Euro Studies	Privacy preferences, offline payments, and public consultation	Primarily focused on the European institutional context and digital euro implementation	Develops a globally adaptable multi-layer governance framework applicable across diverse CBDC environments
Existing Academic CBDC Governance Literature	Fragmented discussions on privacy, surveillance, adoption, or technical architecture	Limited integration across technical, legal, institutional, and international dimensions	Proposes a seven-component, four-layer framework linking governance design, privacy architecture, and adoption expectations
Present Study	Integrated CBDC privacy and governance framework	Exploratory and theory-building in nature; requires future empirical testing	Synthesizes interdisciplinary literature and comparative case evidence into a comprehensive policy-oriented framework with associated propositions and operational measurement models

positions the present study relative to existing CBDC governance frameworks.

4. Conceptual Framework: The Privacy-Trust-Adoption Conceptual Chain

Drawing on the literature synthesis, Figure 2 presents the conceptual model that underpins this paper’s framework. CBDC design quality, operationalized as compliance with the seven framework components proposed in Section 6, operates through two parallel mediating pathways: (1) technical privacy, encompassing privacy-by-design implementation, deployment of privacy-enhancing technologies, and tiered data access mechanisms; and (2) institutional privacy, encompassing legal safeguards, judicial oversight, and accountability mechanisms. These two mediating channels generate user-level perceptions of privacy protection and institutional trustworthiness, respectively, which jointly determine CBDC adoption intent. The model identifies three moderating variables: transparency and communication (Component 5), security and resilience (Component 6), and international coordination (Component 7), which amplify or constrain the effectiveness of the privacy design components.

Table 5. Selected Retail CBDC Projects-Privacy Design Approaches and Adoption Outcomes.

CBDC (Country)	Status	Privacy Design Approach	Adoption & Trust Outcome
Sand Dollar (Bahamas)	Live (Oct 2020)	Tiered KYC: Tier I = phone verification, small cap limit; Tier II = full KYC. Data routed through licensed intermediaries; central bank does not hold personal retail data directly.	Slow uptake: ~120 k wallets (pop. ~400 k); $2.1 M (~0.5% of cash) active for 3 years. No major privacy controversies. Barriers: convenience and merchant acceptance [35,36].
eNaira (Nigeria)	Live (Oct 2021)	Four-tier wallets: Tier 1 = national ID-linked phone; higher tiers = bank verification (BVN). Central bank can see all ledger transactions. Privacy protections not clearly communicated to users.	Very low adoption: 0.5% usage after one year; 98.5% of wallets never activated. Surveillance fears compounded by coercive cash-scarcity policy caused severe trust deficit and public backlash [37]
Digital Yuan (e-CNY) (China)	Pilot (~2020+)	‘Controllable anonymity’: Commercial banks handle KYC; PBoC sees anonymized inter-institutional flows unless legal unmasking triggered. State retains de-anonymization capability via back-end certification centers.	Large-scale pilot: 261 M+ wallets; >$13B in transactions by 2022. Moderate domestic trust. International observers note surveillance potential; human rights groups remain concerned [38,39].
Digital Euro (Eurozone)	Development (pilot~2024–25)	GDPR-aligned privacy-by-design: Intermediated by private banks under EU data protection law. ECB commits to minimizing central-bank data visibility. Offline mode under design. Pseudonymous tokens and data segregation proposed.	High interest, high skepticism: 43% of 2021 ECB consultation respondents cited privacy as top concern (security: 18%). Success hinges on credible institutional privacy commitments [40,41].

presents selected retail CBDC projects, and their privacy design approaches across different jurisdictions and

Table 6. Privacy-Enhancing Technologies for CBDCs.

Technology	Privacy Benefit	Technical Maturity	Implementation Complexity	Performance Impact	Current CBDC Use	Limitations
Zero-Knowledge Proofs (ZKP)	Prove transaction validity without revealing details	High (e.g., zk-SNARKs)	High	Moderate computational overhead	Experimental (EU research)	• Computational intensity • Requires specialized expertise
Homomorphic Encryption	Compute on encrypted data	Moderate	Very High	High computational cost	Research phase	• Performance limitations • Complex implementation
Blind Signatures	Issuer cannot link withdrawal to spending	High	Moderate	Low	Considered for offline euro	• Requires trusted setup • Limited to specific use cases
Secure Multi-Party Computation (MPC)	Distributed computation without data sharing	High	High	Moderate	Pilot projects	• Coordination complexity • Network overhead
Differential Privacy	Statistical privacy for aggregated data	High	Moderate	Low to Moderate	Analytics in e-CNY	• Accuracy trade-offs • Parameter tuning needed
Pseudonymization	Replace identifiers with pseudonyms	Very High	Low	Minimal	Widely used (Sweden e-Krona)	• Re-identification risks • Not true anonymity
Hardware Security Modules (HSM)	Secure key storage and operations	Very High	Moderate	Minimal	Standard practice	• Physical security dependency • Cost
Tokenization	Replace sensitive data with tokens	Very High	Low to Moderate	Minimal	Common in payment systems	• Token management overhead • Mapping database required
Tiered Architecture	Different privacy levels by transaction size	High	Moderate	Minimal	Bahamas, Nigeria, Jamaica	• Complexity in threshold management • Potential for circumvention
Offline Capability	Transactions without network (like cash)	Moderate	High	N/A (offline)	EU Digital Euro proposal	• Double-spending prevention • Security challenges

summarizes selected privacy-enhancing technologies discussed in the CBDC literature and highlights their potential governance relevance, technical maturity, and implementation challenges within emerging digital currency ecosystems.

This model makes several theoretical contributions. First, it distinguishes between technical privacy and institutional privacy as analytically separable mechanisms. It is evident that the eNaira case indicates that technical tiering without institutional accountability produces trust failure [13], while the e-CNY case illustrates that technical sophistication without legal safeguards is insufficient for global applicability [42]. Second, the model situates transparency as a moderator rather than a direct antecedent, consistent with [26] experimental finding that communicating privacy features has an independent effect separate from the features themselves. Third, the inclusion of international coordination as a boundary condition reflects the gravity-model logic underlying Proposition 7: jurisdictions’ adoption benefits from high-privacy CBDC design are partially attenuated by cross-border regulatory arbitrage when international standards are absent [43].

In particular, unlike Kyriazis et al. [32] which focus on competition between banking intermediaries and emerging technologies under financial stress conditions, our paper develops a dedicated policy framework for CBDCs, specifically addressing the privacy–trust–adoption nexus, and provides a seven-component architecture with formally specified research propositions. Furthermore, our study integrates technical, legal, institutional, and international dimensions into a unified framework, which has not been addressed in prior literature.

5. Case Evidence: CBDC Privacy Design and Adoption Outcomes

5.1. Balancing Privacy with Regulatory Oversight

AML/CFT regulations under the Financial Action Task Force (FATF) framework require transaction transparency and Know Your Customer (KYC) verification. Full anonymity in a widely used CBDC could enable large-scale financial crime, making complete anonymity untenable as a design choice [44]. However, it is critical to distinguish between data required for compliance and general mass surveillance (Figure 3). Existing financial systems provide an established precedent that commercial banks collect identity information and monitor for suspicious transactions, but do not expose customer activities publicly, and law enforcement requires legal authorization to access detailed records [45]. A well-designed CBDC can operate on analogous principles where data collected proportionately, held securely by intermediaries, and disclosed to authorities only under defined legal processes [5,46].

Tiered KYC structures allow high privacy for low-value transactions, while higher transaction amounts require progressive identity verification [47]. Privacy-enhancing technologies (PETs) protect user data during transactions, and tools such as Zero-Knowledge Proofs enable compliance without revealing personal information [48]. In addition, pseudonymous token systems conceal real identities on the core ledger, although licensed intermediaries can access user identities when necessary [49]. Table 6 presents these approaches as implemented (or planned) across the four case study CBDCs, alongside their adoption and trust outcomes.

5.2. Cross-Case Analysis

5.2.1. Bahamas Sand Dollar

The Sand Dollar’s tiered KYC model grants partial anonymity at Tier I (phone verification, small value cap) and requires full KYC for Tier II, protecting privacy by routing all data through licensed financial institutions rather than concentrating it at the central bank [50]. This design has not generated major privacy controversies. However, adoption remains very low, at approximately $2.1 M in circulation (0.5% of cash) after three years, with roughly 120,000 wallets among a population of 400,000 [35,51]. The primary barriers appear to be convenience and merchant acceptance rather than trust per se, suggesting that once baseline privacy is credibly established, other adoption barriers become binding [52].

5.2.2. Nigeria eNaira

Nigeria’s eNaira offers the paper’s most instructive cautionary case [38]. Despite a technically tiered four-wallet design, the Central Bank of Nigeria failed to communicate privacy protections clearly to the public [53,54]. This omission, compounded by coercive cash-scarcity policies intended to accelerate CBDC adoption, created a severe institutional trust deficit. One year after launch, 98.5% of wallets had never been used, and only 0.5% of Nigerians had adopted the eNaira [55]. The case indicates three critical lessons: technical design cannot substitute for institutional trust-building; coercive adoption strategies are counterproductive; and privacy communication is an independent determinant of adoption, not merely a secondary consideration [53].

5.2.3. China e-CNY

China’s ‘controllable anonymity’ model is technically sophisticated, commercial banks handle KYC at the wallet level, the People’s Bank of China (PBoC) sees only anonymized inter-institutional flows in normal operation, and de-anonymization requires activation of dedicated back-end infrastructure [14]. As of late 2025, the system has processed more than 3.4–3.48 billion transactions, with a cumulative value exceeding 16.7 trillion yuan (approximately $2.3–2.4 trillion), reflecting rapid growth and an increase of more than 800% since 2023. The user base has expanded to hundreds of millions of wallets, supported by integration with major payment platforms and deployment across more than 20 pilot regions. However, its international credibility rests on a fragile institutional foundation; without judicial independence or robust civil liberties protections, users have no reliable legal assurance that state de-anonymization capability will be constrained by law [15]. International observers and human rights organizations note the surveillance potential as a serious concern. The case of e-CNY illustrates that technical privacy without institutional accountability fails the standard required for a globally applicable framework [56].

5.2.4. Digital Euro

The proposed digital euro benefits from the strongest institutional privacy framework of the four cases. GDPR compliance is legally mandated; the ECB has committed publicly to minimizing central-bank data visibility and European Parliament scrutiny provides democratic accountability over design choices [16]. The ECB’s 2021 consultation, which placed privacy at the top of public priorities, has directly shaped design decisions, including the proposed offline payment capability and pseudonymous token architecture [57]. While no adoption data yet exists, the euro area’s strong privacy culture and robust legal framework position it well to serve as a global standard, provided that technical design delivers on institutional commitments [58]. Recent legislative progress in 2025–2026, including the Council’s agreement on the digital euro framework, reinforces its role in enhancing strategic autonomy, payment system resilience, and monetary sovereignty [17]. At the same time, the ECB has advanced into the next technical preparation phase, targeting a potential issuance around 2029, with pilot testing expected as early as 2027, contingent on regulatory approval.

6. A Global Policy Framework for Trustworthy CBDCs: Components and Propositions

6.1. Framework Architecture

Building on the literature synthesis and case analysis, this section presents a seven-component global policy framework for retail CBDCs. The framework is organized across four architectural layers (Figure 4): first, a Foundational Layer (Components 1 & 2) that sets non-negotiable privacy architecture and legal commitments; Second, an Operational Layer (Components 3 & 4) that translates principles into practical technical mechanisms; third, a Credibility Layer (Components 5 & 6) that builds the institutional trust converting design quality into adoption willingness; and fourth, a Coordination Layer (Component 7) that prevents regulatory arbitrage and sets the global floor. The framework is intended as a set of minimum standards against which CBDC designs can be benchmarked, not a rigid specification. For each component, a formally stated research proposition links the component to testable adoption or trust outcomes.

6.2. Framework Components and Research Propositions

6.2.1. Component 1: Privacy-by-Design as a Foundational Principle

Privacy must be embedded in CBDC technology and governance architecture from the outset. The privacy-by-design (PbD) philosophy requires that the system automatically protect personal data without requiring user action [59]. Operationally, this entails data minimization, mandatory PET deployment where technically feasible, full end-to-end data security, and no unnecessary trade-off between privacy and regulatory functionality [5,60]. Central banks should conduct independent privacy impact assessments at early design stages and publish results publicly [5]. The global framework would encourage all CBDC projects to document their PbD implementation and conform to standardized, independently auditable cryptographic protocols.

Proposition 1

(Privacy-by-Design (PbD) → CBDC Adoption). CBDCs that embed privacy-by-design principles, including data minimization, default privacy settings, and end-to-end data security, will demonstrate significantly higher public adoption rates compared to CBDCs that treat privacy as an ex post add-on, controlling for GDP per capita, financial inclusion rate, and institutional trust [5,61].

• Model Specification

  A_(it) = α + β₁PbD_(it) + β₂X_(it) + μ_i + ε_(it)

  (1)

  where:

  PbD_(it) = Σ (k = 1 to K) w_k d_kit

  (2)
• Variable Definitions
  A_(it) = CBDC adoption rate in jurisdiction i at time t (% active wallets/eligible population)
  PbD_(it) = Privacy-by-Design (PbD) compliance index; weighted sum of K binary design indicators (d_kit)
  d_kit = Binary indicator (=1 if CBDC satisfies design criterion k at time t, 0 otherwise)
  w_k = Criterion weight (equal weighting as default; confirmatory factor analysis used in robustness checks)
  X_(it) = Control variables, including GDP per capita, financial inclusion rate, mobile penetration, and institutional trust
  μ_i = Jurisdiction fixed effects (captures time-invariant unobserved heterogeneity)
  ε_(it) = Idiosyncratic error term

6.2.2. Component 2 (Legal Safeguards → Institutional Trust): Robust Legal and Regulatory Safeguards

Technical privacy measures alone cannot establish public trust; legal frameworks must explicitly protect CBDC user data. Countries should update central bank laws, payment laws, or constitutional provisions to define CBDC users’ privacy rights, including prohibiting the sharing of personal transaction data with other government agencies without judicial due process [62]. Data retention limits should be legislated, and routine unflagged transaction records should be automatically deleted after a defined period (90–180 days) rather than accumulated indefinitely [63]. Periodic public disclosure of data access events, regular independent audits, and model legislative language aligned with OECD Privacy Principles and Council of Europe Convention 108 are recommended [5].

Proposition 2.

The existence of legally binding data protection provisions specifically governing CBDC transaction data including judicial access controls, retention limits, and independent audit requirements, will significantly increase citizens’ reported institutional trust in the CBDC issuer [5,9,25].

• Model Specification

  T_(it) = α + β₁LS_(it) + β₂T^cb_(it) + β₃X_(it) + μ_i + ε_(it)

  (3)

  where:

  LS_(it) = γ₁JO_(it) + γ₂DR_(it) + γ₃OA_(it) + γ₄SR_(it)

  (4)
• Variable Definitions
  T_(it) = Public institutional trust score (survey-based, 0–100 scale; e.g., Eurobarometer/Afrobarometer)
  LS_(it) = Legal safeguards index (composite of sub-components listed below)
  JO_(it) = Judicial oversight (1 if data access requires a court order, 0 otherwise)
  DR_(it) = Data retention limit (1 if unflagged records are automatically deleted within ≤180 days, 0 otherwise)
  OA_(it) = Open audit (1 if an independent annual privacy audit is published, 0 otherwise)
  SR_(it) = Statutory rights (1 if CBDC privacy rights are codified in primary legislation, 0 otherwise)
  T^cb_(it) = Pre-existing trust in the central bank (lagged by one period to avoid simultaneity bias)
  X_(it) = Control variables, including rule-of-law index, press freedom score, and GDP per capita
  μ_i = Jurisdiction fixed effects (captures time-invariant unobserved heterogeneity)
  ε_(it) = Idiosyncratic error term
  Note: Equations (3) and (4). Measurement model for Proposition 2 (Ordered logit with Legal Safeguards composite index; mediation via perceived privacy).

6.2.3. Component 3: Tiered and Proportionate Data Access

CBDC design should be guided by the principle of proportionality, whereby the degree of data access and regulatory oversight corresponds to the risk profile and value of transactions [64]. Low-value, low-risk transactions should be afforded maximum privacy, whereas higher-value or suspicious transactions warrant progressively greater levels of scrutiny [65]. This principle is operationalized through tiered KYC structures, in which a baseline tier enables pseudonymous usage for low-value transactions, while higher tiers require graduated identity verification in line with a risk-based regulatory approach [3].

Importantly, the inclusion of a Tier 0 level is characterized by fully anonymous, hardware-based, and very-low-value transactions. That provides a critical pathway for financial inclusion, particularly for unbanked and underserved populations lacking formal identification [66]. Such a design ensures that CBDCs do not inadvertently exclude vulnerable groups while maintaining compliance with broader financial integrity objectives [67].

Figure 5 presents the proposed three-tier architecture. At the policy level, the framework recommends the adoption of indicative transaction thresholds calibrated to country-specific conditions, including national income levels, financial inclusion metrics, and existing cash-reporting limits. This approach enables jurisdictions to balance privacy, inclusion, and regulatory compliance within a coherent and adaptable CBDC design.

Proposition 3

(Tiered KYC → Adoption (Moderated by Financial Exclusion). Implementation of a tiered KYC structure in which low-value transactions are subject to minimal identity requirements will positively moderate the relationship between CBDC availability and adoption among unbanked and privacy-sensitive user segments, with the moderating effect strongest in jurisdictions with the highest financial exclusion rates [9,33].

• Measurement model for Proposition 3

  A_(it) = α + β₁TK_(it) + β₂FE_(it) + β₃(TK_(it) × FE_(it)) + β₄X_(it) + μ_i + ε_(it)

  (5)
• Variable Definitions
  A_(it) = CBDC adoption rate (see Proposition 1)
  TK_(it) = Tiered KYC index (0 = no tiers; 1 = two tiers; 2 = three or more tiers including an anonymous floor)
  FE_(it) = Financial exclusion rate (% of adult population without a formal bank account; World Bank Findex)
  TK_(it) × FE_(it) = Interaction term capturing whether tiering disproportionately increases adoption in financially excluded populations
  β₃ = Moderation coefficient (expected sign: β₃ > 0, indicating that tiered KYC is more effective where financial exclusion is higher)
  X_(it) = Control variables, including smartphone penetration, GDP per capita, and AML regulatory stringency index
  μ_i = Jurisdiction fixed effects
  ε_(it) = Idiosyncratic error term

6.2.4. Component 4. Deployment of Privacy-Enhancing Technologies

This framework strongly advocates the deployment of advanced cryptographic privacy-enhancing technologies (PETs), including Zero-Knowledge Proofs (ZKPs), Secure Multi-Party Computation (MPC), homomorphic encryption, and hardware-based secure elements, to reconcile the inherent tension between privacy and regulatory oversight [68]. Rather than prescribing specific technologies that may quickly become obsolete, this CBDC framework adopts a technology-neutral approach by providing a recommended toolkit accompanied by clearly defined use cases and maturity assessments [69].

A central requirement of this approach is verifiability. PET implementations must be subject to independent auditability, either through open-source transparency or external technical review, ensuring that the claimed privacy guarantees are credible and not merely declarative [70]. This requirement is essential for building public trust and institutional legitimacy (Figure 6). Supporting this, the BIS Innovation Hub’s Project Tourbillon has indicated the technical feasibility of integrating mechanisms such as blind signatures and ZKPs at scale [71].

Figure 6 illustrates the spectrum of applicable PETs within the proposed framework.

Proposition 4.

CBDCs that deploy verifiable privacy-enhancing technologies, particularly Zero-Knowledge Proofs for compliance verification, will achieve significantly higher adoption willingness among technically informed and privacy-sensitive user segments compared to CBDCs relying solely on policy-based privacy assurances [5,34].

• Measurement model for Proposition 4

  W_ij = α + β₁PET_ij + β₂TL_i + β₃(PET_ij × TL_i) + β₄X_ij + ε_ij

  (6)

  where:

  PET_ij = Σ (m = 1 to M) PET_ij^m, such that PET_ij^m ∈ {0,1}

  (7)
• Variable Definitions
  W_ij = Adoption willingness of individual i for CBDC design j (stated preference, 1–7 Likert scale)
  PET_ij = PET deployment score for CBDC design j (0–3: none/single PET/multiple PETs/independently audited PETs)
  PET_ij^m = Binary indicator for deployment of PET type m (e.g., ZKP, MPC, homomorphic encryption)
  TL_i = Technical literacy score of respondent i (standardized digital skills index)
  PET_ij × TL_i = Interaction term testing whether PET effects are stronger for technically literate users
  β₃ = Moderation coefficient (expected β₃ > 0; PETs are more valued by technically literate users)
  X_ij = Control variables, including age, income, prior digital payment experience, and country fixed effects
  ε_ij = Idiosyncratic error term
• Estimation Strategy

The estimation strategy for Proposition 4 uses a discrete choice experiment where respondents evaluate randomized CBDC design vignettes with varying PET features, allowing clean identification of each technology’s effect on adoption willingness. Alternatively, Structural Equation Modelling (SEM) can test the pathway (PET → Perceived Privacy → Adoption Willingness) from PET deployment through perceived privacy to adoption willingness, separating the direct and indirect effects. Both approaches are complementary and suitable for future empirical testing.

6.2.5. Component 5: Public Transparency and Stakeholder Engagement

Choi et al. [26] experiment’s showed that communicating privacy features to users has an independent, statistically significant positive effect on willingness to adopt, separate from the features themselves. The global framework therefore requires comprehensive, plain-language public communication strategies explaining what data is and is not collected, how it is protected, and what rights users have. Central banks should provide accessible dashboards giving individuals visibility into their own data footprint, and should offer user-configurable wallet privacy settings (Figure 7). Ongoing public consultation mechanisms modelled on the ECB’s 2021 exercise must be institutionalized as regular processes, not one-off events. Functioning grievance and redress mechanisms are mandatory for maintaining accountability [72].

Proposition 5

(Transparency & Communication → Trust → Adoption (Mediation). Central banks that provide transparent, plain-language communication about CBDC privacy features and maintain ongoing public consultation mechanisms will achieve higher levels of perceived institutional trustworthiness and significantly greater adoption willingness, with the effect of transparency communication mediated by institutional trust [24,26].

• Measurement model for Proposition 5:

  T_it = α₁ + β₁TR_it + β₂X_it + ε_it¹

  (8)

  A_it = α₂ + β₃TR_it + β₄T_it + β₅X_it + ε_it²

  (9)
• Indirect effect:

  IE = β₁ × β₄

  (10)
• Variable Definitions
  TR_it = Transparency index (composite of sub-indicators listed below)
  TR_it¹ (Disclosure) = 1 if a plain-language privacy notice is publicly available
  TR_it² (Consultation) = 1 if a structured public consultation is conducted pre-launch
  TR_it³ (Dashboard) = 1 if a real-time user data-footprint dashboard is provided
  TR_it⁴ (Redress) = 1 if a formal grievance mechanism exists with published response rates
  T_it = Institutional trust score (mediator; survey-based, 0–100 scale)
  A_it = CBDC adoption rate (outcome variable)
  IE = Indirect (mediated) effect of transparency on adoption through trust (estimated with bootstrap confidence intervals)

6.2.6. Component 6: Security and Operational Resilience

Privacy and security are two sides of the same trust coin: a CBDC that is private but insecure will fail as surely as one that is secure but invasive [73]. The global framework specifies baseline cybersecurity standards (encryption, multi-factor authentication, continuous monitoring, incident response) and requires regular penetration testing and independent security audits [4,13]. Operational resilience provisions like offline payment capability, backup systems, and disaster recovery plans must be mandatory. Critically, the framework commits to maintaining cash as a legal fallback for as long as significant user segments require it, removing the fear of forced digital dependence that contributed to the eNaira’s rejection in Nigeria [74].

Proposition 6

(Security Incidents → Trust Loss (Asymmetric/Loss Aversion)). Demonstrable security incidents or outages in a CBDC system will produce asymmetric trust losses, larger in magnitude than equivalent positive trust gains from transparency efforts, consistent with loss aversion theory applied to monetary systems, with the asymmetry attenuated by high-quality incident response and disclosure [24,25,75].

• Measurement model for Proposition 6:

  ΔT_it = α + β₁INC_it + β₂REC_it + β₃(INC_it × REC_it) + β₄X_it + ε_it

  (11)
• Asymmetry Test: |β₁| ≫ coefficient of equivalent positive event
• Variable Definitions
  ΔT_it = Change in trust score from period t − 1 to t (first-differenced trust)
  INC_it = Security incident dummy (1 if a confirmed breach or outage occurs in period t, 0 otherwise)
  REC_it = Recovery quality index (0–1 scale measuring response speed, disclosure transparency, and remediation effectiveness)
  INC_it × REC_it = Interaction term testing whether higher-quality recovery mitigates trust loss
  β₁ = Expected coefficient < 0 (security incidents reduce trust)
  β₃ = Expected coefficient > 0 (effective recovery partially offsets trust loss)
  X_it = Control variables, including prior trust level, media coverage intensity, and incident severity
  ε_it = Idiosyncratic error term

6.2.7. Component 7: International Coordination and Standards Alignment

Given that money crosses borders, CBDC privacy standards cannot be developed in national isolation. The framework promotes interoperability of privacy and data standards for cross-border transactions, including common messaging standards analogous to ISO 20022 [76]. Bilateral and multilateral CBDC data exchange agreements should be modeled on Mutual Legal Assistance Treaties. personal data shared only on formal legal request, not routinely. The 13 Public Policy Principles for Retail CBDCs already identify data privacy as a core principle; the framework builds on this foundation to provide actionable guidelines [2]. Joint endorsement by the BIS Committee on Payments and Market Infrastructures (Committee on Payments and Market Infrastructures et al., 2022) [71] and the IMF would give the framework institutional weight and create a global standard against which all CBDC projects can be benchmarked.

Proposition 7

(Absence of International Coordination → Regulatory Arbitrage). The absence of internationally coordinated CBDC privacy standards is likely to create conditions for cross-border regulatory arbitrage, whereby transaction flows are diverted toward jurisdictions with weaker privacy protections. Such fragmentation risks undermining both the financial integrity of the global payment system and the adoption potential of higher-privacy CBDC frameworks, particularly within multi-jurisdictional payment corridors au [5,24,65].

• Measurement model for Proposition 7

  ARB_ijt = α + β₁ΔPS_ijt + β₂FLOW_ijt + β₃(ΔPS_ijt × FLOW_ijt) + β₄X_ijt + μ_ij + ε_ijt

  (12)

  where:

  ΔPS_ijt = PS_jt − PS_it

  (13)
  Note: privacy standard differential between corridor countries i and j
• Variable Definitions
  ARB_ijt = Arbitrage proxy; share of cross-border CBDC transaction volume routed through lower-privacy jurisdictions in corridor i–j
  ΔPS_ijt = Privacy standard differential (privacy index of country j minus country i)
  PS_it = Privacy standards index for country i at time t (composite of C1–C6 compliance scores)
  FLOW_ijt = Cross-border CBDC transaction flow volume between countries i and j (log-normalized)
  ΔPS_ijt × FLOW_ijt = Interaction term testing whether larger privacy gaps amplify arbitrage in high-volume corridors
  β₁ = Expected coefficient > 0 (greater privacy differentials increase arbitrage routing)
  μ_ij = Corridor-pair fixed effects
  X_ijt = Control variables, including bilateral AML agreements, FATF mutual evaluation scores, and exchange rate volatility
  ε_ijt = Idiosyncratic error term
  Note: The proposed measurement model for Proposition 7 is a gravity-model panel with corridor fixed effects and staggered law entry serving as a natural experiment for identification.

6.3. Comparative Mapping of Framework Components Across CBDC Cases

Table 7. Comparative Mapping of Framework Components Across Selected CBDC Cases.

Framework Component	Bahamas Sand Dollar	Nigeria eNaira	China e-CNY	EU Digital Euro	Illustrative Evidence Basis
Privacy-by-Design Architecture	✓	✗	✓	✓	privacy architecture disclosures; CBDC design papers
Legal & Regulatory Safeguards	✓	✗	✗	✓	CBDC legislation; GDPR provisions; judicial oversight provisions
Tiered & Proportionate Data Access	✓	✓	✓	~	tiered KYC structure; wallet verification levels
Privacy-Enhancing Technologies	~	✗	✓	✓	ZKP references; anonymization mechanisms; technical architecture
Public Transparency & Engagement	~	✗	~	✓	public consultations; communication strategy; user guidance
Security & Operational Resilience	✓	✗	✓	✓	cybersecurity reports; offline payment capability; operational disclosures
International Coordination & Standards	~	~	✗	✓	BIS principles; interoperability initiatives; international policy alignment
✓ = substantial evidence of alignment with framework components, ~ = partial or evolving alignment ✗ = limited evidence or limited alignment with framework components

Note. The comparative mapping is based on publicly available policy documents, central bank publications, technical reports, consultation papers, and peer-reviewed academic literature available as of 2025. The symbols represent interpretive qualitative assessments rather than formal quantitative measurements. The table is intended to facilitate conceptual comparison across CBDC governance approaches and should not be interpreted as a statistically validated ranking or causal evaluation framework.

presents an interpretive comparative mapping of the proposed framework components across the four CBDC cases examined in this study: the Bahamas Sand Dollar, Nigeria’s eNaira, China’s e-CNY, and the proposed digital euro. The purpose of this comparison is not to establish empirical validation or causal inference, but rather to explore how differing CBDC governance approaches appear to align with the framework dimensions identified through the literature synthesis.

The comparative mapping suggests notable variation across the four CBDC initiatives. The proposed digital euro appears most closely aligned with the framework’s legal, institutional, and privacy-governance dimensions, particularly regarding privacy-by-design principles, legal safeguards, public consultation, and data protection commitments under the GDPR framework. China’s e-CNY demonstrates comparatively advanced technical implementation and operational sophistication, especially in relation to tiered access structures and transaction infrastructure, but raises ongoing questions concerning institutional accountability, legal oversight, and surveillance risks within highly centralized governance environments. Detailed jurisdictional privacy characteristics are summarized in Appendix A

Table A1. Comparison of CBDC Privacy Features Across Jurisdictions.

Jurisdiction	CBDC Name	Privacy Model	Anonymity Level	KYC Requirements	Data Storage	Transaction Limits	Key Privacy Features
Bahamas	Sand Dollar	Tiered Privacy	Partial (low-value)	Tiered (basic to full)	Distributed (wallets)	$500 (basic), unlimited (full KYC)	• Anonymous small transactions
							• Wallet-based privacy
							• No central transaction database
China	e-CNY (Digital Yuan)	Controlled Anonymity	Limited	Mandatory for all wallets	Centralized (PBOC)	Varies by wallet tier	• “Anonymity to merchants, not state”
							• Government access permitted
							• Real-name verification required
European Union	Digital Euro (Proposed)	Privacy-by-Design	High (offline), Low (online)	EU AML standards	Hybrid (distributed ledger)	€3000 (offline), higher (online)	• Offline anonymity option
							• GDPR compliance
							• Privacy-preserving technologies
							• No central holding of personal data
Nigeria	eNaira	Standard KYC	Minimal	Mandatory (3 tiers)	Centralized (CBN)	₦50,000 (tier 1), ₦500,000 (tier 2)	• Tiered wallet system
							• Bank-mediated access
							• Standard banking privacy
Sweden	e-Krona (Pilot)	Privacy-Preserving	Moderate	Standard KYC	Distributed	Under development	• Privacy-enhancing technologies
							• Pseudonymization
							• Limited data retention
Jamaica	JAM-DEX	Tiered Approach	Partial	Tiered KYC	Hybrid	J$50,000 (basic tier)	• Small-value anonymity
							• Progressive verification
							• Financial inclusion focus

.

By contrast, Nigeria’s eNaira appears comparatively weaker across several framework dimensions, particularly in relation to public communication, institutional trust, transparency mechanisms, and perceived privacy safeguards. Existing evidence suggests that these factors may have contributed to limited public engagement and low active usage following launch. However, given the presence of multiple confounding institutional, economic, technological, and political variables, the comparison should not be interpreted as establishing direct causal relationships between framework compliance and adoption outcomes [13].

The Bahamas Sand Dollar occupies an intermediate position within the comparative mapping. Its design incorporates several foundational privacy and inclusion features, including tiered KYC structures and intermediary-based architecture, yet its adoption trajectory also highlights the importance of broader ecosystem factors such as merchant acceptance, infrastructure readiness, and payment convenience beyond privacy considerations alone [50,77].

Figure 8 and Figure 9 provide visual representations of the comparative assessment. Figure 8 offers an illustrative positioning of the selected CBDC initiatives across privacy-design intensity and observed adoption contexts, while Figure 8 presents a qualitative radar-style comparison of framework dimensions across the four cases. These visualizations are intended to support conceptual interpretation and comparative discussion rather than serve as formal empirical measurements or statistically validated indices.

Overall, the comparative assessment provides preliminary exploratory support for the argument that privacy governance, institutional trust, transparency, and operational design are closely interconnected within retail CBDC ecosystems. Nevertheless, the findings remain interpretive and theory-building in nature. Additional longitudinal evidence, larger comparative samples, and future quantitative testing will be necessary before stronger empirical conclusions regarding causality or framework effectiveness can be established.

Table 8. Summary of Research Propositions—Components, and Measurement Models.

#	Proposition	Proposition Statement	Measurement Approach	Evidence Base
P1 linked to C1	Privacy-by-Design → higher adoption	CBDCs embedding PbD principles indicate significantly higher adoption rates than those treating privacy as an ex post add-on.	Two-way FE panel OLS; PbD compliance index; IV using pre-CBDC privacy law	Choi et al., Yee [26,30]
P2 linked to C2	Legal Safeguards → higher institutional trust	Legally binding CBDC data protection provisions significantly increase citizens’ reported trust in the CBDC issuer.	Ordered logit/OLS; LS composite index; mediation via perceived privacy	Garratt & van Oordt, Bijlsma et al. [9,25]
P3 linked to C3	Tiered Data Access → inclusion + privacy adoption	Tiered KYC positively moderates CBDC adoption among unbanked and privacy-sensitive segments.	FE panel with TK × Financial Exclusion interaction; marginal effects	Singh & Yadav (2025), FATF [33,78]
P4 linked to C4	Privacy-Enhancing Technologies → higher tech-literate adoption	CBDCs with verifiable PETs achieve higher adoption willingness among technically literate users.	Conjoint/discrete choice experiment; PET score × Technical Literacy interaction	Agur et al., BIS [34,75]
P5 linked to C5	Transparency & Engagement → trust	Transparent privacy communication has an independent positive effect on adoption willingness, mediated by institutional trust.	Baron-Kenny mediation; bootstrapped indirect effects (5000 draws)	Choi et al., ECB [26,79]
P6 linked to C6	Security & Resilience → asymmetric trust loss	Security incidents produce asymmetric trust losses larger in magnitude than equivalent positive trust gains from transparency.	Event-study DiD; asymmetry test; incident × recovery interaction	Auer et al., BIS (2023b) [24,75]
P7 linked to C7	International Coordination → regulatory arbitrage	Absence of coordinated privacy standards generates cross-border regulatory arbitrage, undermining high-privacy CBDC adoption.	Gravity-model panel with corridor FE; staggered law entry as natural experiment	BIS, FATF [75,78]

Note. FE = Fixed Effects; OLS = Ordinary Least Squares; DiD = Difference-in-Differences; IV = Instrumental Variable.

consolidates all seven research propositions, their associated framework components, directional hypotheses, recommended measurement approaches, and evidence bases. Together, these propositions constitute a comprehensive, empirically grounded research agenda for future quantitative testing. As CBDC deployment expands and panel data accumulates across jurisdictions, it will become feasible to test each proposition in a comparative cross-national setting using the measurement models specified in Equations (1)–(13).

7. Discussion

7.1. Divergent Legal Regimes and the Limits of a Global Framework

Countries vary fundamentally in their attitudes toward privacy and state authority. Liberal democracies with strong civil-liberties traditions, most notably EU member states, are likely to adopt stringent privacy protections readily, as the digital euro’s GDPR-anchored trajectory indicates. By contrast, more authoritarian contexts prioritize state visibility, as China’s e-CNY illustrates. This divergence sets a practical ceiling on what a voluntary global framework can achieve: it cannot compel jurisdictions to value privacy equally [80]. The practical consequence may be a bifurcated global CBDC landscape. Some currencies are broadly consistent with privacy and democratic accountability, others with surveillance [81]. Users and businesses engaging in cross-border transactions may develop preferences for privacy-respecting CBDCs, creating market and reputational pressure on less privacy-protective issuers [82]. Proposition 7 formalizes this dynamic: the standard differential between jurisdictions generates arbitrage flows that ultimately attenuate adoption benefits for high-privacy CBDCs. International peer review mechanisms within G20 and FATF frameworks [71,78] represent the most viable countervailing pressure.

7.2. Technological Complexity and Implementation Risk

Incorporating advanced PETs and secure offline functionality introduces non-trivial implementation risk. ZKP systems may contain cryptographic vulnerabilities; hardware secure elements can be physically tampered with; offline transaction capabilities create potential for double-spending if not carefully engineered. The eNaira case indicates that technical complexity without adequate user interface design and communication produces adoption failure; technical sophistication is no guarantee of public uptake [54]. The framework’s insistence on verifiable, independently audited PETs (Component 4) and incremental deployment strategies addresses this risk. Quantum computing poses a longer-term structural threat to current cryptographic assumptions [83]; the framework accordingly mandates cryptographic agility and the architectural capacity to upgrade algorithms without complete system replacement. Central banks should establish bug bounty programs and maintain transparent incident response plans, as public confidence in response capacity is itself a trust asset [20].

7.3. Financial Integrity and the Proportionality Principle

A persistent counterargument from law enforcement and regulatory perspectives is that strong privacy protections create exploitable blind spots for financial crime [84]. The framework’s response is proportionality (Component 3): truly anonymous transactions are confined to values below existing cash-reporting thresholds, where tolerance for anonymous cash transactions already exists. For larger transactions, lawful de-anonymization under judicial oversight remains available. Modern AI-based anomaly detection on anonymized transaction graphs can identify suspicious patterns without requiring mass individual identification, triggering targeted investigation only where genuinely warranted [85]. This approach can actually provide better financial intelligence than physical cash and leaves no record whatsoever while protecting ordinary users far more effectively than fully traceable digital systems. The Bahamas Sand Dollar indicates that a privacy-first CBDC design can coexist with adequate AML compliance without generating financial integrity failures [36].

7.4. Financial Inclusion and Privacy as Complementary Goals

A potential concern is that privacy-preserving designs relying on sophisticated cryptography or smartphone-based interfaces may inadvertently exclude the unbanked populations that CBDCs are intended to serve. The framework’s Tier 0 (hardware wallet/NFC card, no KYC, very small value cap) addresses this directly, providing a cash-equivalent, anonymous option accessible without formal identity or smartphone. Critically, the evidence suggests privacy and inclusion are complementary rather than competing: marginalized groups—migrant workers, political minorities, informal-sector participants—often value financial privacy most highly precisely because they face the greatest risks from data exposure [33]. Proposition 3 formalizes this complementarity, predicting that tiered access disproportionately benefits both unbanked and privacy-sensitive segments simultaneously.

8. Limitations and Future Research Directions

This study is subject to several limitations that should guide interpretation and point toward priority areas for future research. First, as a normative framework paper, the seven propositions constitute directional hypotheses rather than confirmed empirical findings. The framework has not been tested against adoption outcomes in a controlled research setting. Future research should operationalize framework compliance as a quantitative composite index and test its association with CBDC adoption rates and trust scores across a larger cross-national panel as more CBDCs launch. The measurement models in Equations (1)–(13) provide a concrete starting point for this research program.

Second, the empirical evidence base remains thin. Most CBDC pilots are at early stages with limited rigorous adoption data and few independent evaluations. The Bahamas, Nigeria, and China cases provide useful directional evidence, but confounding institutional factors like pre-existing trust levels, political context, concurrent cash policies limit causal inference. Longitudinal panel studies tracking adoption and trust over CBDC maturation cycles of five to ten years would substantially strengthen the evidence base for the causal claims implied by the propositions.

Third, the literature reviewed is predominantly English-language and draws heavily from Western institutional sources (ECB, BIS, and IMF). Global South perspectives, where CBDCs may offer the greatest financial inclusion potential but also where institutional trust deficits are most acute, are underrepresented. Future research should prioritize low and middle-income country contexts, including deeper analyses of the Eastern Caribbean DCash project, and emerging CBDC programs in South Asia, Southeast Asia, and Sub-Saharan Africa, where the adoption barriers and privacy concerns may differ substantially from those documented in Western contexts.

Fourth, this paper focuses exclusively on retail CBDCs. Wholesale CBDCs, operating between financial institutions rather than directly with the public, raise distinct but related privacy issues, particularly around interbank data sharing in cross-border payment corridors. The international coordination component (Component 7) applies to both contexts, but a dedicated analysis of wholesale CBDC governance is beyond this paper’s scope.

Fifth, the technological landscape is evolving rapidly. Advances in ZKP computational efficiency, hardware secure element design, and quantum-resistant cryptography may substantially alter the PET spectrum presented in Figure 5 within five years. The framework should accordingly be treated as a living document subject to regular institutional review, a dynamic standard rather than a fixed specification.

9. Conclusions

The advent of central bank digital currencies presents a historic opportunity to modernize sovereign money for the digital era, but this opportunity can only be realized if CBDCs earn and maintain public trust. Trust, in this context, is inseparable from privacy. Existing survey evidence, public consultations, and emerging pilot experiences broadly suggest that privacy protection is among the most influential factors shaping public attitudes toward CBDC adoption. The Nigerian eNaira experience illustrates some of the implementation and trust challenges that may emerge when concerns regarding transparency, institutional trust, user engagement, and perceived privacy protections are insufficiently addressed. The digital euro’s GDPR-anchored and consultation-oriented governance trajectory provides an illustrative example of how privacy-oriented CBDC design principles are being institutionally operationalized within a democratic regulatory environment.

This paper makes three principal contributions. Theoretically, it develops a conceptual model linking CBDC design quality to adoption through privacy perceptions and institutional trust, distinguishing technical privacy and institutional privacy as analytically separable mediating mechanisms. Normatively, it proposes a seven-component, four-layer global policy framework providing an integrated architecture from foundational privacy design to international coordination, a level of actionable specificity absent from existing institutional guidance [60]. Methodologically, it formulates seven formally stated, future-oriented and operationally structured research propositions with broadly consistent measurement models, translating the framework into a testable empirical agenda that future researchers can engage directly as CBDC data accumulates.

For central bankers and policymakers, the primary implication is that engaging with the public early, continuously, and authentically is not optional. It is constitutive of CBDC success. Issuing a retail CBDC places a central bank in a fundamentally new relationship with individual citizens: not merely as guardian of currency value, but as custodian of sensitive personal financial data and provider of a public digital service. This new role demands proactive privacy stewardship, genuine democratic accountability, and measurable technical commitments that can be independently verified. The framework’s illustrative assessment across four cases suggests that where these conditions appear more credibly institutionalized, comparative evidence suggests comparatively more favorable public engagement and adoption environments. The proposed framework should therefore be interpreted as an exploratory and integrative policy-oriented analytical structure intended to support future empirical research, comparative policy evaluation, and evolving CBDC governance discussions. For the international community, it is recommended that the IMF, BIS, and World Bank jointly develop detailed CBDC privacy and trust guidelines, building on the evidence synthesized here, and incorporate them into financial sector technical assistance programs. The Financial Stability Board should incorporate CBDC design standards into its ongoing fintech oversight mandate. Attaining CBDC privacy rights is not only a matter of civil liberties but also a prerequisite for the technology to deliver on its economic promise of a more efficient, inclusive, and trustworthy monetary system.