Best before: Personal loss recovery for offline digital cash

Charles M. Kahn, Maarten van Oordt, Yu Zhu 18 February 2022



Many central banks seek to design digital cash substitutes that facilitate offline payments (Group of Seven Central Banks 2020).1 Offline payment capability seems a crucial feature to ensure that central bank digital currency would serve the transaction needs of all – including those who live in remote areas with poor network connectivity and the 10% or so of the world population that the World Bank (2019) estimates not to have access to electricity. Offline payment capability is also a helpful feature to ensure resilience since it can serve as a backstop when disruptions occur, including those originating from natural hazards, cyber attacks, and geopolitical conflicts.

A challenging design issue for a digital cash substitute is how to enable offline payments functionality without allowing for ‘double-spending’. Double-spending refers to the ability of a user to successfully spend the same balances multiple times. With physical cash, double-spending is prevented by a simple mechanism: once you pay with a banknote, you no longer have physical possession of the note. Achieving the same simple property for offline digital cash balances stored on a chip in a payment card or phone is not without its security challenges.

Losing digital cash

One problematic aspect is that the features necessary to rule out double-spending in a payment system for offline payments also cause digital currency balances to be subject to loss events. To see why, let’s consider two properties that balances available for offline payments need to satisfy in order to prevent double-spending: (1) uniqueness and (2) separation.

The uniqueness property requires that digital currency balances available for offline spending must be stored uniquely in a single device. It is easy to see the necessity of this. If the converse were true, then one could store a single balance of digital currency on two different offline devices at the same time. Two persons could each take one of the two devices and pay in two different offline stores. By definition, the offline stores cannot verify in a central ledger whether the funds have been spent before.

The separation property requires the offline digital currency balances to be isolated from potential funds that can be spent without the offline device. This prevents someone from trying to double-spend funds by transferring funds to an offline device, then spending the same balances online without the device, and finally spending the balances on the device at an offline location. 

The uniqueness and separation properties imply that a system that completely prevents double-spending must store the balances for offline spending in a user’s device only, and nowhere else. As a consequence, users may lose offline digital currency balances due to the accidental loss, theft or failure of their devices. Even a backup cannot be permitted. A malicious user could pretend to have lost a device with offline digital cash and use the backup to restore the balance on a second device, which would violate the uniqueness property.

Offline payment trilemma

We summarise the foregoing discussion by positing an offline payment trilemma (Figure 1). A payment scheme can have only two out of the three following properties: offline payment capability, no double-spending, and no loss of funds when devices are lost. Physical cash allows for offline payments and prevents double-spending, but losing a banknote means the funds are gone. Paper cheques also allow for offline payments. Although losing a paper cheque does not immediately mean the funds are gone, double-spending cannot be fully prevented as someone can attempt to pay with an uncovered cheque. A typical debit card does prevent double-spending, but it does so by requiring the payment terminal to be online. 

Figure 1 The offline payment trilemma 

Personal loss recovery

The prospect of losing the digital cash stored on their devices is not particularly appealing to users. Giving a precise estimate of the cost imposed on users is difficult, but survey evidence suggests that the annual probability of consumers losing their offline digital cash balances stored in a secure element in a payment card or phone could be somewhere in a range between 8% and 16% (Kahn et al. 2021). In low-interest environments, even the lower end of this range would impose a substantial cost on consumers when compared to the opportunity cost in terms of lost interest that is typically considered in Baumol-Tobin-like inventory models for cash demand.2 

In a recent paper (Kahn et al. 2021), we explore a feature that could substantially reduce the cost to users of potential digital cash losses: automated personal loss recovery through an expiry date. The digital cash of consumers who enabled this feature could not be spent offline after its expiry date. However, on expiry these consumers would automatically receive the same amount of funds back into their online account without having to file a claim. Since digital cash that remains unspent after its expiry date cannot be spent in the future, it would be completely without risk to the central bank to reimburse the owner. To further simplify end-user experience, the expiry date could automatically be refreshed before the digital cash expires whenever a user’s device connects to the network or is used to pay at a point-of-sale terminal with a network connection (Figure 2).

Figure 2 Screen mock-up of a CBDC app with personal loss recovery 


Digital cash demand

In a formal economic model, we show that offering the option of personal loss recovery could have a substantial positive impact on the consumer demand for digital cash. The reason is straightforward: the ability to reimburse individuals for personal losses once the lost digital currency expires reduces the cost of losses from the full amount to the inconvenience of temporarily not being able to access the funds (until after they expire). 

However, the length of the time to expiry plays a key role. An expiry date that is too soon is inconvenient – stores in offline locations are likely to decline digital cash that is about to expire – but an expiry date too far in the future slows down the reimbursement of lost digital cash as the central bank would need to wait until after the expiry date. Our model also suggests a strong asymmetry in terms of setting the optimal expiry date. There is a high cost associated with an expiry date that is shorter than optimal, while the cost of setting an expiry date somewhat longer than optimal is limited. In other words, it is better for the central bank to err with an expiry date that is too far in the future than one that is too close. 

Concluding remarks

Our analysis shows that automated loss recovery for digital cash through an expiry date could provide substantial benefits to consumers. A potentially important aspect that we consider in the paper is privacy in payments (Garratt and Van Oordt 2021, Borgonovo 2021). While our model does not explicitly account for privacy preferences, results in our paper do suggest that a digital cash that provides more privacy may achieve a higher level of social welfare despite weaker loss recovery. Finally, some consumers may feel uncomfortable with expiring digital cash for reasons that are outside of our economic model. It might therefore be beneficial to consider providing an option to allow users to opt out from automated loss recovery at their own financial risk.

Authors’ note: Views expressed do not necessarily reflect official positions of the Bank of Canada. The screen mock-up in Figure 2 is partly based on image 22864711 by VectorStock/Sergeyyy.


Agur, I, A Ari and G Dell’Ariccia (2020), “Designing Central Bank Digital Currencies”,, 19 May.

Auer, R and R Böhme (2020), “CBDC Architectures, the Financial System, and the Central Bank of the Future",, October 29.

Allen, S ,S Čapkun, I Eyal, G Fanti, B Ford, J Grimmelmann, A Juels, K Kostiainen, S Meiklejohn, A Miller, E Prasad, K Wüst and F Zhang (2020), “Design choices for central bank digital currency”,, September 4.

Alvarez, F and F Lippi (2009), “Financial Innovation and the Transactions Demand for Cash”, Econometrica 77(2): 363-402.

Bech, M and R Garratt (2017), “Central Bank Cryptocurrencies”, BIS Quarterly Review, September: 55-70.

Bofinger, P and T Haas (2021), “Central Bank Digital Currencies Risk Becoming a Gigantic Flop”,, February 1.

Borgonovo, E, S Caselli, A Cillo, D Masciandaro and G Rabitti (2021), “Central Bank Digital Currencies, Cryptocurrencies, and Privacy: What Experiments Tell Us”,, October 31. 

Fatás, A (2021), “The Conflict Between CBDC Goals and Design Choices”,, May 3. 

Garratt, R and M Van Oordt (2021), “Privacy as a Public Good: A Case for Electronic Cash”, Journal of Political Economy 129(7): 2157-2180. 

Group of Seven Central Banks (2020), “Central Bank Digital Currencies: Foundational Principles and Core Features”, Bank for International Settlements. 

Grothoff, C and T Moser (2021), “How to Issue a Privacy-preserving Central Bank Digital Currency”, SUERF Policy Brief 114.

Kahn, C, M Van Oordt and Y Zhu (2021), “Best Before? Expiring Central Bank Digital Currency and Loss Recovery”, Bank of Canada Staff Working Paper 2021-67. 

Kosse, A (2013), “The Safety of Cash and Debit Cards: A Study on the Perception and Behavior of Dutch Consumers”, International Journal of Central Banking 33: 77-98.

Miedema, J, C Minwalla, M Warren and D Shah (2020), “Designing a CBDC for Universal Access”, Bank of Canada Staff Analytical Note 2020-10.

Minwalla, C (2020), “Security of a CBDC”, Bank of Canada Staff Analytical Note 2020-11.

Niepelt, D (2021), “Central Bank Digital Currency: Considerations, Projects, Outlook”,, November 24.

World Bank (2019), “World Bank Global Electrification Database: Access to Electricity (% of population)” (accessed 31 January 2021).


1) For discussions of other important design choices for central bank digital currency see, among others, Bech and Garratt (2017), Agur et al (2020), Allen et al (2020), Miedema et al (2020), Minwalla (2020), Auer and Böhme (2021), Bofinger and Haas (2021), Fatás (2021), Grothoff and Moser (2021), and Niepelt (2021).

2) Alvarez and Lippi (2009) include the probability of cash theft – which is one potential source of cash losses – when estimating the cost of carrying cash in their inventory model. Kosse (2013) provides empirical evidence on the relationship between perceived safety and cash use.



Topics:  Financial regulation and banking Monetary policy

Tags:  Digital cash, loss recovery, CBDC, digital currency, digital wallet

Professor emeritus of Finance and Economics, University of Illinois

Associate Professor, VU Amsterdam

Research Advisor, Bank of Canada


CEPR Policy Research