The International Monetary Fund just published its most practical guidance yet for running a central bank digital currency when connectivity is flaky, or indeed gone entirely. The Fintech Note, “Technology Solutions to Support Central Bank Digital Currency with Limited Connectivity” (2025/005), maps the option space for “offline CBDC,” grades trade-offs, and sets out a procurement checklist that supervisors can take straight into vendor RFPs. If you’ve been following the BIS Innovation Hub’s Project Polaris work on offline CBDC, you’ll recognise many of the design pillars, only now they’re codified in an IMF framework that many finance ministries treat as a default playbook.
Why care now? Because an offline CBDC isn’t an edge case. It’s about inclusion (people without reliable data plans), resilience (keeping payments running through disasters), and trust (cash-like options when systems fail). The Bank of Canada has framed it exactly that way in its ongoing digital-dollar research: an offline feature complements cash by letting two users pay each other with no network connection, then sync later.
What “offline CBDC” actually means
The IMF distinguishes between (a) one-party offline (either payer or payee is offline) and two-party offline (both devices offline), and between short outages (minutes/hours) and extended ones (days). Those distinctions matter because the double-spend risk and the operational burden change with the duration and the number of disconnected parties. The BIS arrives at the same conclusion: there is no one-size-fits-all; central banks must tune design choices to local risks and habits.
At a high level, the IMF clusters solutions into three families:
- Secure-element / smart-card stored value: tamper-resistant chips on cards, wearables or SIMs that hold a balance and decrement offline via NFC.
- Device-to-device value transfer: phones or dedicated hardware wallets exchange signed tokens via Bluetooth/NFC/QR, protected by a secure enclave or applet.
- Voucher/receipt schemes: the payer generates a one-time cryptographic voucher that the payee redeems later which is useful where hardware security is weak.
Each approach must address the same fundamentals: double-spend containment, counterfeit resistance, privacy, key management, power consumption, total cost of ownership, and UX that works for low-literacy users.
The risk controls the IMF and BIS keep repeating
1) Spend limits and ageing. Place caps on how much value any device can hold and how much can move before it reconnects. Add a “time-to-live” so offline tokens expire if they don’t sync—shrinking the fraud window.
2) Hardware-anchored security. Use secure elements (SE), trusted-execution environments (TEE) or dedicated cards to protect keys and balances against tampering. The BIS documents how central banks evaluated SE and TEE options during workshops with a dozen solution vendors.
3) Tiered KYC. Allow higher offline limits for fully verified users and tiny limits for basic wallets to preserve access and privacy.
4) Conditional finality. Treat offline transfers as final for the users (they walk away believing the payment is done) but conditional for the ledger until devices sync. Reconciliation rules—who absorbs a loss if conflicts appear—must be explicit and consistently enforced.
5) Privacy by design. “Cash-like” privacy must be enforced by cryptography, not just policy. The IMF points to blind signatures and zero-knowledge proofs to hide payer identity on small transactions while leaving a narrow path for lawful traceability; BIS emphasizes privacy budgets and on-device risk checks.
Form factors: phones, cards, wearables—or all of the above?
The IMF avoids mandating hardware, but nudges authorities to meet users where they are:
- Entry-level smartphones dominate in many markets, so app size and battery draw matter.
- Feature phones & cards reach deeper into rural areas; a smart-card + low-cost reader combo can enable two-way offline with minimal training.
- Wearables (bands, watches) add convenience in transit/retail, but increase distribution and replacement costs.
Project Polaris adds the operational fine print that often gets missed: secure-element life-cycle management (issuance, revocation, replacement) and device attestation (proving a wallet is genuine and untampered) quickly become the long pole that separates a polished pilot from national scale.
The synchronisation problem (and why it drives everything else)
The longer a device stays offline, the higher the risk that someone spends the same value twice. That reality drives almost every other design decision:
- Keep offline windows short (e.g., 24–72 hours) unless value is tiny.
- Use on-device risk scoring (e.g., block a third offline payment if the first two haven’t synced).
- On reconnection, run conflict resolution, first-seen-wins or hierarchy-based rules, then update risk databases.
Both IMF and BIS stress that these rules must be transparent to users and intermediaries; nothing erodes trust faster than mysterious reversals.
Costs, power, and the inclusion lens
Offline CBDC is an inclusion play—so total cost of ownership must reflect real-world constraints: secure chips, distribution, agent networks, customer support, and device replacement when lost or stolen. The IMF authors emphasise that unit costs (for cards and secure elements) fall only at scale—so pilots should test logistics and support models, not just cryptography. BIS Polaris goes further and urges central banks to specify energy budgets per transaction in RFPs; if a wallet drains a phone battery during an outage, it defeats the purpose.
Legal plumbing: tokens, title and loss allocation
“Offline” blurs lines between bearer instruments and account claims. The IMF’s companion Fintech Note on private-law aspects of token-based CBDC warns that legislators should clarify title transfer, good-faith acquisition, and loss/theft rules—especially when no online ledger records the moment of exchange. Without that clarity, disputes migrate from servers to courts.
How this differs from “just use cash” (and why it shouldn’t kill cash)
Critics sometimes ask: if you want offline and private, why not keep banknotes? The IMF’s answer is not to replace cash; it’s to complement it. An offline CBDC can:
- Interoperate with online commerce the moment devices reconnect.
- Embed programmability (e.g., escrow until a delivery sensor pings).
- Fit into tiered KYC without forcing everyone onto full-ID rails.
Still, both IMF and BIS caution that cash access should remain, especially for vulnerable groups. Offline CBDC is not a mandate to shut ATMs or teller windows.
What pilots and vendors are teaching supervisors
The IMF paper synthesises lessons from implementations ranging from smart-card stored value to secure-element phone wallets and voucher-based designs. In parallel, the BIS captured insights from workshops with 12 vendors and 6 observing central banks, highlighting that governance (who certifies devices? who patches firmware? what’s the incident-response SLA?) is as critical as cryptography. The practical takeaway for policymakers: insist on open standards and portability to avoid single-vendor lock-in for the next decade.
Procurement checklist for central banks (lifted straight from IMF/BIS)
If you’re drafting an RFP, the IMF note and BIS guides effectively hand you the headings. At minimum, ask vendors to:
- Define the offline envelope: one-party vs. two-party offline; maximum offline duration; caps; expiry and sync rules.
- Demonstrate double-spend controls: device counters, conflict resolution, audit trails, and user protection in edge cases.
- Evidence hardware security: secure-element specs, tamper resistance, device attestation, revocation and replacement workflows.
- Quantify performance & energy: latency targets, failure modes, battery impact on low-end devices.
- Prove privacy: cryptographic method (blind signatures/zk-proofs), thresholds for “cash-like” anonymity, and lawful-access process.
- Show inclusion UX: offline onboarding options, agent-assisted flows, low-literacy UI, and cash-in/out.
- Map legal fit: how title, loss, and good-faith acquisition are treated when the ledger was offline.
Each item is spelled out in the IMF Fintech Note (2025/005) and cross-referenced in the BIS Polaris handbook, so bidders can’t claim ambiguity.
Where this lands on the global CBDC timeline
IMF and BIS surveys expect as many as 15 CBDCs live by 2030, with many pilots focusing on wholesale use at first. But retail projects are increasingly treating offline capability as must-have rather than “nice-to-have,” both for resilience and inclusion. Expect to see offline modules specified in central-bank tenders and sandbox scoring, and expect scrutiny to concentrate on privacy and loss-allocation rules as pilots scale.
Bottom line: The IMF’s new offline CBDC note doesn’t crown a single technology. It does something more valuable: it defines the trade-space, warns where risks pile up, and explains how to evaluate vendors against security, resilience, inclusion and privacy. Pair it with the BIS Project Polaris guides and you have a practical blueprint for bringing cash-like confidence to a digital currency—even when the network is dark.