Module 02 ended on an obstacle: the cleanest safe money is central-bank money, but the public cannot hold it, and the narrow bank that would pass it through gets blocked at the central bank's own gate. There is a more direct answer — let the central bank issue digital money to the public itself. A central-bank digital currency is the public version of the narrow bank: a digital equivalent of cash, free of private credit risk, available to everyone. It is also the most consequential and contested innovation in this track, because the same feature that makes it powerful — letting people hold central-bank money directly — is exactly what could destabilize the banks. We examine what a CBDC is, the design choices that decide everything, the global state of play, and the hard issues of disintermediation, privacy, and programmability.
Module 02 left us with a clean idea and a frustrating obstacle. The cleanest safe money is central-bank money — reserves — because the central bank cannot run out of the currency it issues. A narrow bank would give the public access to that safety by holding deposits entirely as reserves and passing them through. But a narrow bank needs an account at the central bank to do that, and the central bank can refuse, as it did to TNB. The safest money exists; the public just cannot reach it.
A central-bank digital currency removes the middleman from that sentence. Instead of a private narrow bank holding reserves on the public's behalf, the central bank issues digital money to the public directly. You would hold a claim on the central bank itself — the same institution that issues physical cash — but in digital form, usable for everyday electronic payments. No private bank stands between you and the safest money in the system. It is, in the most literal sense, a digital version of the banknote: public money you can hold and spend electronically.
Frame it against the classic track's Module 03 table and the point is exact. Cash is risk-free but not digital. Reserves are risk-free and digital but restricted to banks. Bank deposits are digital and available but carry credit risk. The missing cell — risk-free, digital, available to everyone — is precisely what a CBDC fills. It is the public, state-issued answer to the same root cause the narrow bank attacks privately: the fusion of money and credit. Hold a CBDC and you hold money that is not a claim on any leveraged lender at all.
A central-bank digital currency is central-bank money — like cash — issued to the public in digital form. It is the public version of the narrow bank: it fills the missing cell of risk-free, digital, universally available money by letting people hold a claim on the central bank directly, with no private lender in between. It is a public-institutional innovation — a new kind of state-issued money, not a private product.
The single most common confusion in this area is that "CBDC" names two quite different projects with very different stakes. Separating them is the first step to thinking clearly.
The distinction matters because almost all the promise and almost all the danger live on the retail side. Wholesale CBDC is a plumbing improvement few people will ever notice. Retail CBDC would change what money the public can hold — and in doing so would reach directly into the deposit base that funds the entire banking system. That is why a wholesale project sails through quietly while a retail project triggers fierce debate. Keep the two separate, and notice which one any given country is actually building.
A CBDC is not one thing but a bundle of design decisions, and the decisions matter far more than the label. Two CBDCs built on opposite choices would be almost different inventions. Three choices do most of the work.
Account-based or token-based? An account-based CBDC works like a bank account at the central bank: identity is tied to the account, and payments move balances between identified holders. A token-based CBDC works more like digital cash: value sits in a digital "note" that can be passed along, potentially with more anonymity. The choice shapes everything about privacy and how closely the system resembles cash versus a bank account.
Direct or intermediated (two-tier)? In a direct model, the public holds accounts at the central bank itself, and the central bank handles every transaction — a vast operational and political role no central bank really wants. In the far more common intermediated or two-tier model, the central bank issues the CBDC but private firms (banks, payment providers) handle the customer-facing accounts, apps, identity checks, and service. The money is the central bank's; the relationship is the intermediary's. Almost every serious retail CBDC design is two-tier, precisely to avoid the central bank becoming everyone's retail bank.
Remunerated or not, and capped or not? Does the CBDC pay interest, and is there a limit on how much any person can hold? These sound like technical footnotes but they are the master controls on the disintermediation danger of Section 5. A CBDC that pays attractive interest and has no holding cap would pull deposits out of banks aggressively; one that pays no interest and caps balances at a modest level behaves more like cash and leaves the banks largely intact. The holding cap, in particular, is the single most important dial — it is how designers try to get the safe-money benefit without draining the banking system.
"CBDC" describes a spectrum, not a single design. Account-vs-token sets the privacy character; direct-vs-intermediated sets who the public deals with (almost always private intermediaries, two-tier); and remuneration-and-holding-caps set how hard it pulls deposits out of banks. The same word can name a cash-like, capped, privacy-respecting instrument or a powerful, surveilled, deposit-draining one. Always ask which design before judging.
CBDC is no longer hypothetical. A large majority of the world's central banks are researching or piloting one, a handful have launched, and the leaders are — true to Module 01's thesis — disproportionately emerging markets, while the largest rich-country central banks move slowly and skeptically.
| Country / area | Status | Notable feature |
|---|---|---|
| 🇨🇳 China (e-CNY) | Large-scale pilot | The most advanced major-economy retail CBDC; two-tier, used in many cities; intended partly to counter private payment apps |
| 🇧🇸 Bahamas (Sand Dollar) | Launched (2020) | One of the first live retail CBDCs; aimed at reaching scattered island populations underserved by banks |
| 🇳🇬 Nigeria (eNaira) | Launched (2021) | An early large-country launch — but adoption has been very low, a cautionary tale about building money no one chooses to use |
| 🇯🇲 Jamaica (JAM-DEX) | Launched (2022) | Small-economy retail CBDC focused on financial inclusion |
| 🇮🇳 India (e-rupee) | Pilot | Phased retail and wholesale pilots in a country already strong in digital payments via UPI |
| 🇪🇺 Euro area (digital euro) | Preparation phase | A deliberately cautious, privacy-conscious, holding-capped design still under political debate |
| 🇺🇸 United States | Research only; politically contested | No decision to issue; significant political opposition on privacy and government-overreach grounds |
Two patterns are worth drawing out. First, the leaders are mostly emerging markets and small economies — the Bahamas, Nigeria, Jamaica, with China the major-economy exception — because the inclusion problem is more acute there and the incumbent system less entrenched, exactly the leapfrog logic of Module 01. Second, the rich-country giants are the most reluctant: the United States has made no decision and faces strong political opposition, and the euro area is moving deliberately and cautiously. The contrast is the now-familiar one — necessity drives adoption at the periphery while entrenched, well-functioning incumbent systems and political resistance slow it at the center.
The deepest worry about retail CBDC is the same one that haunts narrow banking, and it is worth seeing that the two innovations share the same Achilles' heel. If the public can hold central-bank money directly, why keep money in a commercial bank at all? In calm times, people might shift a meaningful share of their deposits into the perfectly safe CBDC, draining the cheap deposit funding banks use to lend (Module 02's disintermediation problem, now driven by a public instrument rather than a private one).
In a crisis it is worse, and sharper. Recall the bank run of the classic track: depositors flee a shaky bank for safety. Today that safety is awkward to reach — you can withdraw cash, but moving millions into physical notes is impractical. A retail CBDC would make the safest possible destination available instantly, digitally, at the tap of a phone. At the first sign of trouble, depositors could move money out of commercial banks and into the central bank's own money in seconds — a digital run to the central bank, faster and more total than any classic run, because the refuge is now frictionless and unlimited in safety. The very feature that makes CBDC valuable in normal times — frictionless access to risk-free money — is what could accelerate a panic.
This is why the design choices of Section 3 are not technicalities but the whole ballgame. The holding cap is the primary defense: limit each person to a modest CBDC balance and you preserve a cash-like convenience while making it impossible to drain the banking system or stage a wholesale digital run. Paying no interest helps too, removing the incentive to park large sums there. The cautious designs — the digital euro's planned caps, for instance — are explicitly engineered around this danger. The honest summary is that retail CBDC's core benefit and its core danger are the same property, and the entire art of designing one is keeping the benefit while capping the danger.
If the disintermediation worry is about stability, the privacy worry is about power, and it is the issue that most animates public opposition to CBDC — especially in rich democracies. Physical cash has a profound, underappreciated property: it is private and anonymous. When you pay with a banknote, no central record is created; the state does not see the transaction. Cash is the last widely used form of money that leaves no digital trace.
A retail CBDC, depending entirely on its design, could erase that. An account-based CBDC run by the state could in principle create a record of every transaction every citizen makes — a complete, searchable ledger of the population's economic life, held by a government arm. In a country with weak rule of law, that is a surveillance instrument of extraordinary power; even in a strong democracy, the mere existence of such a ledger is a temptation and a target. This is the heart of the political opposition to CBDC in the United States and elsewhere: the fear that public digital money becomes public financial surveillance.
Crucially, this is a design choice, not an inevitability — which is why Section 3's account-vs-token decision matters so much. Designers can build in privacy: token-based designs that behave more like digital cash, tiered systems where small everyday payments are anonymous and only large ones are traced, intermediated models where private firms (not the state) hold the identity data, and legal firewalls limiting what the central bank may see. The digital euro, for instance, is being designed with explicit privacy protections precisely to answer this fear. A CBDC can be built to preserve much of cash's privacy — or to destroy it entirely. The technology does not decide; the design does, and the design reflects the politics and values of the society building it.
The third issue is the most futuristic and the most double-edged. Because a CBDC is software, money held in it could in principle be programmable — its use governed by rules written into the money itself. This is a capability physical cash simply does not have, and it cuts in two directions so sharply that the same feature is, to some, the technology's promise and, to others, its menace.
On the benign side, programmability could make government payments precise and efficient: relief payments that reach citizens instantly and verifiably, subsidies that can only be spent on intended categories (food, education), aid that cannot be skimmed in transit, stimulus designed to expire if not spent so it actually circulates. Proponents see less fraud, less leakage, and faster, fairer delivery of public money.
On the alarming side, the same mechanism is a tool of control unprecedented in the history of money. Money that can be restricted to certain purposes can also be restricted from certain purposes, certain people, or certain times. A programmable currency could, in the wrong hands, refuse to buy disfavored goods, expire to force spending, be switched off for a targeted individual, or enforce political conditions on a citizen's own money. The line between "subsidy that can only buy food" and "money that the state controls how you spend" is a matter of who holds the switch and under what rules. For critics, programmability turns money from a neutral medium into an instrument of behavioral control, and that prospect is the deepest objection to CBDC of all.
Central-bank digital currency is the most consequential innovation in this track because it operates at the root: it is public money that unbundles money from credit, fills the missing cell of risk-free digital money, and could reshape the relationship between citizens, banks, and the state. It is also the most contested, because its three hard issues are not incidental bugs but direct expressions of its power. The disintermediation danger is the flip side of its safety; the privacy danger is the flip side of its digital nature; the programmability danger is the flip side of its software nature. In each case the benefit and the risk are the same property viewed from opposite sides — which is why the design choices, not the concept, decide whether a given CBDC is a public good or a hazard.
The even-handed verdict the course asks for is therefore unusually concrete here. A CBDC is neither the liberation its boosters promise nor the dystopia its critics fear; it is a powerful instrument whose character is set entirely by its design — capped or uncapped, account or token, surveilled or private, programmable-by-whom under what rules. The right question is never "is CBDC good or bad?" but "which design, governed by whom, with what legal limits?" That is Module 01's stance made vivid: an innovation as trade-offs, to be judged case by case.
Notice that the two innovations so far — the narrow bank and the CBDC — are both attempts to fix banking from the money side, by changing what money is and who issues it. Both run through the central bank and the state. The track now turns to a completely different front: innovations that leave the conventional money system in place and instead attack the moat — the gated, near-oligopoly structure of the classic track's Module 06 — by competing with the incumbents from the outside. The next module takes up the neobanks and the banking-as-a-service model: the private firms that, unable to cross the moat, found a way to rent their way across it and bring real competition and access to a sheltered industry.
Six questions on central-bank digital currency — what it is, the design choices, the global picture, and the three hard issues. The questions test the reasoning rather than recall of any single country's status.