How to Design a CBDC for Cross-Border Payments

introduction

DESIGN PRINCIPLES

Introduction to Cross-Border CBDC Architecture

A technical guide to the core architectural components and interoperability models required for a Central Bank Digital Currency (CBDC) to function across national borders.

A cross-border CBDC is not a single currency but a system of systems connecting domestic central bank infrastructures. The primary design challenge is enabling seamless value transfer between potentially incompatible national ledgers while preserving monetary sovereignty and regulatory compliance. Key architectural models include: a common multi-CBDC platform (mCBDC), interlinked domestic systems, and a single global CBDC. The Bank for International Settlements (BIS) categorizes these as mCBDC Bridge, Interlinking, and Single Rulebook models, each with distinct governance and technical trade-offs.

The mCBDC Bridge model, exemplified by projects like Project mBridge, uses a common distributed ledger platform shared by participating central banks. This platform acts as a corridor network for cross-border transactions, settling payments in wholesale CBDC. Smart contracts automate compliance checks like anti-money laundering (AML) and capital flow management. A critical technical component is an Atomic Cross-Chain Swap protocol, ensuring that a payment on one domestic ledger is finalized only when the corresponding credit on the foreign ledger is confirmed, eliminating settlement risk.

Implementing atomicity often involves Hash Time-Locked Contracts (HTLCs) or more advanced cryptographic protocols like Adaptor Signatures. In an HTLC-based bridge, the payer locks funds with a cryptographic hash. The payee must present the preimage (the data that generates that hash) to claim the funds within a set time window. This creates a conditional payment that is either completed atomically or refunded. Code for a simplified HTLC condition in a smart contract might check: require(sha256(preimage) == hashLock && block.timestamp < timeout, "Claim failed");.

Interoperability requires standardized APIs and data formats. The ISO 20022 messaging standard is becoming the common language for cross-border payments, defining structured data fields for payer, payee, amount, and purpose of payment. A cross-border CBDC system must translate domestic ledger transactions into ISO 20022-compliant messages for the corridor network. This layer also handles currency conversion, which can be managed by a decentralized foreign exchange market built into the platform or through predefined central bank arrangements.

Governance and legal frameworks are as critical as the technology. A cross-border system must define rules for dispute resolution, transaction finality, and liability in case of technical failure. The architecture must support privacy-enhancing techniques like zero-knowledge proofs for regulatory reporting, allowing authorities to verify compliance without exposing all transaction details to all parties. This balances the need for transparency with data protection, a key concern for both individuals and sovereign states.

For developers, building prototypes involves selecting a ledger platform (e.g., Corda, Hyperledger Fabric, or a permissioned Ethereum variant), designing token and smart contract standards, and integrating with existing national payment systems (RTGS). Testing must simulate network partitions, oracle failures for forex rates, and adversarial scenarios to ensure resilience. The end goal is a system that reduces settlement times from days to seconds, lowers costs, and increases transparency in the global financial system.

prerequisites

PREREQUISITES AND FOUNDATIONAL KNOWLEDGE

How to Design a CBDC for Cross-Border Payments

Designing a Central Bank Digital Currency (CBDC) for cross-border use requires a deep understanding of blockchain interoperability, monetary policy, and international regulatory frameworks. This guide outlines the core technical and economic prerequisites.

A foundational prerequisite is selecting the appropriate distributed ledger technology (DLT) architecture. For cross-border functionality, the system must support interoperability with other ledgers and CBDC networks. Options include permissioned blockchains like Hyperledger Fabric or Corda for controlled access, or a hybrid model combining a private settlement layer with public blockchain bridges for transparency. The choice impacts scalability, finality, and the ability to integrate with existing real-time gross settlement (RTGS) systems. Key technical considerations include transaction throughput (targeting 1,000-10,000 TPS), sub-second finality for settlement, and robust digital identity frameworks for participant verification.

Understanding monetary policy and regulatory compliance is non-negotiable. A cross-border CBDC must be designed with embedded regulatory controls, often called a "two-tier" or "hybrid CBDC" model, where the central bank issues the digital currency but intermediaries handle customer-facing services. This requires programmable features for enforcing jurisdictional rules, such as transaction limits, wallet tiers, and automated compliance checks for Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT). Designers must model how the CBDC interacts with domestic monetary policy tools like interest rates and reserve requirements in a multi-currency context.

The core of cross-border functionality lies in interoperability protocols. This involves designing or adopting standards for atomic cross-chain settlement to eliminate Herstatt risk. Key models include: 1) Single ledger with multi-currency capabilities, like the Bank for International Settlements' (BIS) Project mBridge prototype. 2) Interlinked domestic CBDC systems using bridges and hash-time-locked contracts (HTLCs). 3) A common settlement layer acting as a "network of networks". Each model has trade-offs between centralization, liquidity fragmentation, and governance complexity that must be evaluated against policy goals.

Security and resilience are paramount. The system must be resilient to double-spending attacks, consensus failures, and cyber attacks. This involves implementing robust cryptographic key management (often using Hardware Security Modules - HSMs), designing for business continuity and disaster recovery, and establishing clear liability frameworks for operational failures. For cross-border payments, data privacy becomes complex, requiring designs that can reconcile transparency for regulators with confidentiality for users, potentially using zero-knowledge proofs or other privacy-enhancing technologies (PETs).

Finally, successful design requires active collaboration through international standard-setting bodies. Engagement with the Financial Stability Board (FSB), the Committee on Payments and Market Infrastructures (CPMI), and the International Organization for Standardization (ISO) is crucial for developing common messaging formats (like ISO 20022), technical interfaces, and legal frameworks. Piloting through sandbox environments and proof-of-concepts (e.g., Project Dunbar, Project Jura) is the essential final step to test design assumptions regarding liquidity management, foreign exchange conversion, and 24/7 operational readiness before any production launch.

key-concepts

CBDC ARCHITECTURE

Core Technical Concepts

Foundational technical components required to build a secure, efficient, and interoperable Central Bank Digital Currency for international settlements.

Choosing a Ledger Architecture

The core infrastructure decision determines scalability, privacy, and control. Permissioned DLTs like Hyperledger Fabric or Corda offer privacy and governance for central banks, while hybrid models can leverage public blockchains for final settlement. Key considerations include:

Throughput: Must handle >10,000 transactions per second for retail CBDCs.
Finality: Requires deterministic, legal-grade settlement finality.
Interoperability: The ledger must support cross-chain communication protocols for foreign exchange.

Implementing Programmable Payments

Smart contracts enable automated, conditional cross-border transactions, reducing counterparty risk and operational costs. Use cases include:

Atomic Delivery-vs-Payment (DvP): A payment in CBDC automatically triggers release of a digital asset (e.g., a bond) on another ledger.
Time-locked Escrow: Funds are held until customs documentation is verified via an oracle.
FX Rate Pegging: Automatic conversion at a pre-agreed rate using a decentralized oracle feed. Implementation requires a secure, audited smart contract environment like Solidity for EVM-based systems or a dedicated financial contract language.

Designing for Interoperability

A CBDC must interact with other CBDCs, legacy RTGS systems, and commercial bank money. This requires standardized interoperability protocols.

Messaging Standards: Adopt ISO 20022 for payment messaging embedded on-chain.
Bridge Mechanisms: Use hashed timelock contracts (HTLCs) or trusted relayers for atomic swaps between heterogeneous ledgers.
Interledger Protocols: Frameworks like the SEPA Instant Credit Transfer scheme or the BIS Project mBridge model provide blueprints for multi-CBDC arrangements.

Ensuring Privacy & Regulatory Compliance

Balance user privacy with regulatory oversight (AML/CFT). Technical approaches include:

Zero-Knowledge Proofs (ZKPs): Users can prove transaction compliance (e.g., source of funds) without revealing underlying data. ZK-SNARKs are used in systems like Zcash.
Tiered Identity: Pseudonymous for low-value retail, identified for wholesale and large transactions.
Auditability: Provide regulators with cryptographic "view keys" or use privacy-enhancing technologies that allow for selective disclosure. This is a core feature of the e-Krona's proposed design.

Integrating with Foreign Exchange (FX) Markets

A cross-border CBDC must facilitate seamless currency conversion. This involves building or connecting to on-chain FX liquidity pools.

Automated Market Makers (AMMs): Central banks or authorized dealers can provide liquidity in CBDC/XCBDC pairs, similar to Uniswap v3's concentrated liquidity.
Oracle Networks: Secure price feeds (e.g., Chainlink) are required for pegged smart contracts and settlement.
Continuous Linked Settlement (CLS) On-Chain: Replicate the risk reduction of traditional CLS using smart contracts for payment-vs-payment (PvP) settlement, a concept tested in Project Dunbar.

Technical Resources & Prototypes

Explore existing research and code from major central bank experiments.

BIS Innovation Hub: Reports and prototypes from Projects mBridge, Dunbar, and Jura.
MIT Digital Currency Initiative: Open-source research on CBDC architectures, including the "OpenCBDC" system.
Hyperledger Labs: The "CBDC Framework" project provides a modular toolkit for building and testing CBDC solutions. These resources offer practical codebases and design patterns for developers.

EXPLORE

ARCHITECTURE

CBDC Interoperability Model Comparison

Comparison of technical models for connecting CBDC systems across borders, focusing on settlement finality, governance, and technical complexity.

Feature	Single-Ledger Model	Interoperability Layer	Linked CBDC Networks
Settlement Finality	Atomic (DvP)	Atomic via Hashed Timelock Contracts (HTLCs)	Conditional (requires correspondent settlement)
Technical Complexity	High (shared infrastructure)	Medium (protocol bridges)	Low (bilateral links)
Governance Model	Centralized (consortium)	Decentralized (permissioned validators)	Bilateral (central bank agreements)
Cross-Border Transaction Latency	< 1 sec	2-5 sec	10-60 sec
Requires Common Technical Standard
Liquidity Fragmentation Risk
Example Implementation	Project mBridge (BIS)	Quant Overledger	Jasper-Ubin (Phase 1)

technical-architecture

TECHNICAL ARCHITECTURE AND COMPONENT DESIGN

How to Design a CBDC for Cross-Border Payments

Designing a Central Bank Digital Currency (CBDC) for cross-border payments requires a layered architecture that balances central bank control with interoperability and compliance. This guide outlines the core components and design considerations.

A cross-border CBDC system is fundamentally a multi-currency ledger accessible to authorized financial institutions across jurisdictions. The core architecture is typically layered: a wholesale CBDC (wCBDC) layer for interbank settlements, an interoperability layer for connecting disparate national systems, and a governance layer for rule enforcement. Unlike domestic retail CBDCs, the cross-border design must prioritize atomic Delivery versus Payment (DvP) and Payment versus Payment (PvP) settlement to eliminate Herstatt risk. Key reference models include the Bank for International Settlements (BIS) Project mBridge platform and the European Central Bank's exploratory work on a digital euro for international use.

The interoperability layer is the most critical technical challenge. It must translate between different national CBDC protocols, legal frameworks, and messaging standards like ISO 20022. Two primary models exist: a common multi-CBDC platform (a shared ledger like mBridge) and bilateral linking of domestic systems via APIs and smart contracts. The common platform model, often built on distributed ledger technology (DLT) such as Hyperledger Besu or Corda, provides a single source of truth for transactions. Smart contracts on this layer automate compliance checks for Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), and foreign exchange controls, executing rules defined in the governance layer.

For the settlement layer, consider a Real-Time Gross Settlement (RTGS) system enhanced with DLT. Here, central banks issue wCBDC as digital tokens representing claims on the central bank. A Hash Time-Locked Contract (HTLC) is a foundational cryptographic primitive for cross-chain atomic swaps, which can be adapted for atomic PvP between two different CBDC ledgers. The contract locks funds in cryptographic puzzles, ensuring that either both legs of a foreign exchange trade settle simultaneously or funds are returned. This eliminates counterparty settlement risk, a major hurdle in current correspondent banking.

Identity and access management are paramount. Participants—central banks and commercial banks—require digital certificates or decentralized identifiers (DIDs) verified by a trusted root. Transactions must be pseudonymous to the network but identifiable to regulators via privacy-enhancing technologies (PETs) like zero-knowledge proofs. For example, a bank could prove it is not transacting with a sanctioned entity without revealing the counterparty's full identity to all network nodes. This balances transparency for oversight with operational privacy.

Finally, the governance layer encodes the legal and policy rules. This involves rulebooks translated into machine-executable logic. A governance smart contract could manage participant onboarding, currency inclusion, and dispute resolution. The technical design must allow for sovereign control; each central bank must retain full authority over its monetary policy and the issuance of its digital currency on the shared platform. The architecture should be protocol-agnostic where possible, allowing for upgrades and the integration of future CBDC designs without fracturing the network.

ARCHITECTURE PATTERNS

Implementation Examples and Code Snippets

Two-Tier Retail CBDC with Programmable Features

A hybrid or synthetic CBDC involves commercial banks issuing liability-backed tokens on a public-permissioned ledger, regulated by the central bank. This enables retail cross-border payments with embedded compliance.

Technical Architecture:

Regulatory Smart Contract: Enforces KYC/AML rules and transaction limits programmed into the token's logic.
Bridge to Legacy Systems: An oracle network (e.g., Chainlink) feeds FX rates and sanctions list updates on-chain.
Programmable Payments: Allows for conditional transactions, such as releasing funds only upon proof of delivery from a trade platform.

solidity
// Simplified CBDC token with transfer restrictions
contract ProgrammableCBDC is ERC20 {
    address public regulator;
    mapping(address => uint256) public dailyLimit;

    function transfer(address to, uint256 amount) public override returns (bool) {
        require(amount <= dailyLimit[msg.sender], "Exceeds daily limit");
        require(!sanctionsList[msg.sender], "Sender sanctioned");
        // FX conversion logic via oracle would be called here
        _transfer(msg.sender, to, amount);
        return true;
    }
}

ARCHITECTURE COMPARISON

Compliance and Risk Mitigation Matrix

Key compliance and operational risk trade-offs for three common CBDC cross-border design models.

Risk & Compliance Factor	Direct Access Model	Intermediated Model	Multi-CBDC Platform
AML/CFT Transaction Monitoring
Real-time Sanctions Screening
Settlement Finality	Immediate	Deferred (Bank hours)	Immediate
Counterparty Credit Risk	Low (Central Bank)	High (Correspondent Bank)	None (DvP)
Operational Resilience	Centralized point of failure	Distributed, but fragmented	Shared, redundant infrastructure
Data Privacy & Sovereignty	Full visibility for issuer	Limited by intermediaries	Governed by platform rules
Cross-Jurisdictional Legal Compliance	Bilateral agreements required	Leverages existing bank compliance	Multilateral legal framework required
Transaction Cost for End-User	$0.10 - $0.50	$25 - $50	$0.50 - $5.00

resource-links

DESIGNING CBDCS FOR CROSS-BORDER PAYMENTS

Essential Resources and References

Key technical frameworks, standards, and research initiatives that inform how to design a CBDC capable of interoperating across jurisdictions while meeting regulatory, settlement, and operational constraints.

BIS mCBDC Bridge and Project Dunbar

The Bank for International Settlements (BIS) leads the most advanced real-world experimentation on cross-border CBDCs. Project Dunbar and the broader mCBDC Bridge initiative test shared settlement platforms operated by multiple central banks.

Key design insights for developers:

Multi-ledger vs single shared ledger tradeoffs and how governance changes across models
Use of hashed timelock contracts (HTLC-like mechanisms) for atomic PvP and DvP settlement
Liquidity-saving mechanisms that reduce prefunding requirements across currencies
Role-based access controls separating central banks, commercial banks, and operators

Dunbar involved the Reserve Bank of Australia, Bank Negara Malaysia, Monetary Authority of Singapore, and South African Reserve Bank. Code artifacts and architecture diagrams illustrate how wholesale CBDCs can interoperate without a single issuing authority controlling the full system. This is the most concrete reference for cross-border CBDC settlement design today.

EXPLORE

ISO 20022 Messaging for CBDC Interoperability

ISO 20022 is the dominant financial messaging standard for cross-border payments and is already mandated for SWIFT and many RTGS systems. CBDC platforms that ignore ISO 20022 risk isolation from existing payment rails.

What to extract for CBDC design:

Message schemas for credit transfers, FX legs, and reconciliation events
Rich structured data fields that support compliance, sanctions screening, and reporting
Mapping strategies between on-ledger events and off-ledger payment messages
Alignment with SWIFT gpi and domestic RTGS modernization programs

For cross-border CBDCs, ISO 20022 is typically used as an interoperability layer, not a settlement layer. Many pilots wrap ledger transactions with ISO 20022 messages at the gateway level. Developers should study pain.001, pacs.008, and camt message families when designing CBDC APIs and messaging bridges.

EXPLORE

FATF Guidance and the Travel Rule

Cross-border CBDCs must comply with Financial Action Task Force (FATF) standards, especially the Travel Rule, which requires originator and beneficiary information to move with transfers.

Design considerations driven by FATF:

How identity data is linked to wallets without exposing PII on a shared ledger
Separation of transaction data vs compliance data using encrypted payloads or secure enclaves
Threshold-based reporting logic for retail vs wholesale CBDC use cases
Interoperability with VASP and banking compliance systems

FATF guidance strongly influences whether a CBDC can be used internationally at all. Many CBDC pilots fail not on throughput or latency, but on unresolved compliance architecture. Developers should treat Travel Rule data flows as first-class system components, not add-ons.

EXPLORE

Interledger Protocol (ILP) for Atomic Cross-Border Settlement

The Interledger Protocol (ILP) is a neutral protocol designed to connect independent ledgers while preserving atomicity of value transfer. Several central bank researchers reference ILP concepts when discussing CBDC interoperability.

Relevant ILP concepts for CBDCs:

Atomic cross-ledger settlement without requiring shared consensus
Connectors that manage liquidity across currency domains
Cryptographic escrow using conditional transfers
Clear separation between ledger implementation and interoperability logic

ILP is not a CBDC solution by itself, but it provides a well-documented model for moving value across sovereign systems. For cross-border CBDC architects, ILP helps answer the question: how do two central banks settle directly without merging ledgers or trusting a single operator?

EXPLORE

CBDC DESIGN

Frequently Asked Questions (FAQ)

Technical questions on architecting Central Bank Digital Currencies for efficient, secure, and interoperable cross-border payments.

The core distinction lies in the participants and settlement layer. A wholesale CBDC (wCBDC) is restricted to financial institutions like commercial banks and central banks. It acts as a settlement asset on a permissioned ledger, used for interbank transfers and large-value transactions. This model, exemplified by Project mBridge, focuses on improving the correspondent banking network's efficiency.

A retail CBDC (rCBDC) is accessible to the general public and businesses. For cross-border payments, this introduces significant complexity, requiring direct interoperability between different countries' retail systems, robust identity verification (KYC/AML), and managing foreign exchange exposure for end-users. Most current cross-border CBDC pilots prioritize the wholesale model due to its narrower scope and lower risk profile.

conclusion-next-steps

IMPLEMENTATION PATH

Conclusion and Next Steps for Developers

This guide has outlined the core technical architecture for a cross-border CBDC. The next step is to build and test a prototype.

Designing a cross-border CBDC requires a multi-layered approach. The interoperability layer is the most critical, as it dictates how value moves between heterogeneous ledgers. A unified ledger model, where central banks maintain separate wholesale CBDC ledgers connected via a common settlement layer (like BIS Project mBridge), is emerging as a leading design pattern. This contrasts with direct central bank-to-central bank integrations, which create a complex web of bilateral links. The chosen model must support atomic Delivery versus Payment (DvP) and Payment versus Payment (PvP) to eliminate settlement risk.

For developers, the next step is to implement a minimum viable network (MVN). Start by setting up permissioned blockchain nodes using a framework like Hyperledger Besu or Corda, configured for your domestic wholesale CBDC ledger. The core smart contract logic should manage: - Issuance and redemption controls - Real-time gross settlement (RTGS) functionality - Transaction privacy modules (e.g., zero-knowledge proofs) - Compliance hooks for regulatory reporting. Use a sandbox environment like the BIS Innovation Hub's Project Rosalind API framework to simulate interactions with foreign central bank ledgers and test cross-border payment flows.

Testing must be rigorous and phased. Begin with unit tests for core ledger functions, then progress to integration tests simulating a corridor with one other central bank. Finally, conduct network resilience tests under high load and partial outage scenarios. Key performance indicators (KPIs) to measure include: transaction finality (target: sub-10 seconds), throughput (transactions per second), and operational costs. Engage with the ISO 20022 standards body early to ensure your payment message formats are compatible with existing financial infrastructure.

The development roadmap should be iterative. Phase 1 could be a closed-loop simulation between two central banks. Phase 2 might introduce a limited set of commercial banks as participants on each domestic ledger. Phase 3 would involve piloting with real-value transactions in a controlled environment. Throughout this process, continuous engagement with legal experts is required to navigate jurisdictional challenges and data privacy laws like GDPR, which impact how transaction data is stored and shared across borders.

To continue your research, explore the technical documentation for live projects. The Bank for International Settlements (BIS) publishes in-depth reports on Project mBridge, Project Dunbar, and Project Jura. The Digital Currency Monetary Authority (DCMA) provides specifications for its Universal Monetary Unit (UMU) reference model. Engaging with these resources and contributing to open-source financial infrastructure projects will provide the practical experience needed to advance in the field of CBDC development.