Bank of Canada Staff Working Paper 2021-67: 'Best Before? Expiring Central Bank Digital Currency and Loss Recovery'

'Best Before? Expiring Central Bank Digital Currency and Loss Recovery'

Charles M. Kahn, Maarten R. C. van Oordt and Yu Zhu

The ability of payments using cash to continue when there is no electricity, network connection or other disruption to the electronic payment infrastructure and systems is a challenge for a CBDC to replicate. An offline ability to use CBDCs could make them more inclusive for those who find the digital world hard to access. This paper considers whether an expiry date on CBDCs would add to the usefulness of CBDCs.

The concept

If cash is lost or damaged, reimbursement is rare. If a CBDC is held off-line and there is no expiry date, then that off-line CBDC can be lost in the same way as cash can be lost. A CBDC offers the opportunity to introduce an expiry date for online balances and to automate personal loss recovery.

The concept is that once an expiry date has been reached, the central bank could automatically reimburse the last recorded account without even the need for a loss claim. To make this administratively straight forward, the expiry date could be automatically refreshed before the money expires whenever a users’ device connects to the network or is used to pay at a point-of-sale terminal with a network connection.

In order to avoid double spending of CBDCs, the value is only held in one place. Consumers will need to choose the optimal distribution of their money between off- and online balances. If the consumer is connected, either balance can be used.

Length of validity

The paper includes considerable work on assessing the optimal length of the expiry period. If a long expiry period is set and the consumer loses their device, then the cost to the consumer is the inconvenience of waiting for the expiry period to end. On the other hand, if there has been an outage, then the delay is less important since the benefit of being able to consumer is valuable.

If the expiry period is too short during an outage, then the costs are higher than too long a period. The paper found that the optimum expiry period is longer rather than shorter because small upward deviations from the optimal duration have only minor welfare effects, while small deviations downward can entail substantial welfare losses.


Central banks will need to exchange information with the device holding the off-line value to determine ownership. The paper considered low- and high-information models. In the low-information model the onus was fully on the payee to deposit off-line digital currency balances before the expiry date. Although this delivered good privacy, it is possible that the payer may be reimbursed for expired funds that a payee failed to deposit in a timely manner.

In the high-information model the payer’s device reveals whether and where funds were spent to the central bank. The payee must still deposit off-line digital currency balances before the expiry date. If the payer ‘prompts’ the central bank, funds will be sent by the central bank to the payee.

Although there are welfare benefits of having automated personal loss recovery, there are some possible trade-offs if privacy compromises are involved. However, it would be straightforward for offline CBDC balances not to be linked to the natural or legal persons and loss recovery could be to a pseudonymous online account. A hybrid system where owners of off-line CBDC balances only benefit from loss recovery if their devices are linked to an on-line account for which ownership is registered.