Limiting the impacts of future financial crime: Fraudulent exploitation of Central Bank Digital Currencies (CBDCs)

The scope and prevalence of fraud in the UK remains one of the greatest challenges facing the financial services sector.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Numerous commentators note that fraud will worsen as criminals seek to exploit the growing number of avenues open to them, including artificial intelligence, the ability to operate internationally, and the ever-increasing number of consumers occupying digital financial work

At the time of writing, fraud is estimated to account for over 40 per cent of all crime in England and Wales, and fraud in the UK increased substantially in 2023. As a result, numerous efforts are being deployed, such as new protections for victims of APP fraud, limiting the ability to ‘spoof’ numbers, and new measures to confirm payee details. While these measures are essential, they also highlight the increasing sophistication of criminals who adapt as financial innovations unfold. 

Broader steps have also been taken. Following the UK’s Global Fraud Summit Communiqué  in March 2024, which highlighted the importance of tackling fraud, draft resolution CTOC/COP/2024/L.6 was tabled at the twelfth Conference of the Parties to the United Nations Convention against Transnational Organized Crime. The resolution calls upon parties to consider organised fraud as a serious crime. This approach is a positive step toward a position whereby financial crime policy is more proactive rather than reactive; yet, as the adoption of digital financial services and products grows, especially digital payments, the perpetuation of fraud will continue to be a growing concern. 

One particular concern emanating from the movement toward digital payments is the risk of fraud transcending central bank digital currencies (CBDCs). Quantifying the risk is difficult, as many CBDCs are still in the developmental phase, with the few in operation having a limited customer base. Yet, the question remains: if CBDCs take off, how could they be exploited by criminals?

Thus, it is crucial to consider the overarching design principles that will insulate us against CBDC-denominated fraud and crime. In my last blog post, I concluded by saying we should discuss which elements of CBDC design should be prioritised. Thus, I have outlined three core considerations.

Holding limits: 

Credit card fraud, APP scams, and pig butchering scams, to name but a few, rely on victims’ access to funds. The larger the amount held, the more interested fraudsters are. CBDC holding limits are undecided, with current estimates for the UK sitting around £10,000-£20,000. However, it may be advisable to introduce lower limits to deter fraudsters, as the reward may not be worth the risk or effort.

Interoperability with cash:

A final UK CBDC model has yet to be developed. However, efforts should be made to ringfence interoperability with cash. CBDCs, which seek to offer a digital representation of cash, will be a novel payment option that could appeal to countless users. A considerable uptake will undoubtedly pique criminal interest. Consequently, should bad actors successfully exploit users or the underlying infrastructure, limiting the cashing-out options is essential. 

Invalidation:

In 2004, the provisional IRA was accused of being behind the £26.4m Norther Bank heist. Following the incident, Norther Bank, who had the authority to issue Norther Ireland-denominated notes, said they would invalidate the serial numbers on the stolen cash by issuing £240 million in new notes with different serial numbers, new logos and colours. This novel solution meant using the stolen cash was much more complicated. This same principle should be incorporated into the UK CBDC model. If an individual is defrauded, the CBDC architecture should offer the protocol to instantaneously invalidate the transferred funds and issue new serial numbers. If operational, this would deter fraudsters, but only if UK CBDCs cannot be transferred internationally or cashed out. 

Like all emerging crime types, anticipation is complex, and we cannot foresee all the tools and tactics criminals will use. However, we can and should take broad action to limit our exposure and make criminal exploits more burdensome, expertise-dependent, and time-consuming. 

Area of expertise: