Cybersecurity

Comments on Fed CBDC Paper

Last month, the Federal Reserve issued a long-awaited discussion paper on the possibility of introducing a central bank digital currency (CBDC) for retail use. The Fed paper calls for comments on the benefits and risks of introducing a U.S. CBDC, as well as on its optimal design. In this post, we respond to each of the 22 questions posed in the discussion paper. For the most part, these responses are based on our previous analyses of CBDC (here and here).

At the outset, we highlight our doubt that the benefits of a U.S. CBDC will exceed the risks. In our view, other, less risky, means are available to achieve all the key benefits that CBDC advocates anticipate. Moreover, we are not aware of sustainable design features that would reduce the risks of financial instability that many analysts agree will accompany the introduction of a digital U.S. dollar.

However, this overall judgment regarding a CBDC’s benefits and risks is sensitive to two considerations that appear in the Fed’s analysis either explicitly or implicitly. First, CBDC may be a less risky alternative to stablecoins, should regulation of the latter prove politically infeasible (see our earlier post). Second, if other highly trustworthy financial jurisdictions (with convertible currencies, credible property rights protections, and free cross-border flow of capital) offer their own CBDC, the case for a U.S. CBDC—as a device to sustain widespread use of the dollar—would become stronger.

Against this background, we applaud the Fed’s conservative approach. Most important, the U.S. authorities are not rushing to act. Instead, they are thinking carefully about the design elements, are actively engaged in public outreach, and have committed not to proceed without first securing broad public support….


FEMA for Finance

Modern financial systems are inherently vulnerable. The conversion of savings into investment—a basic function of finance—involves substantial risk. Creditors often demand liquid, short-term, low-risk assets; and borrowers typically wish to finance projects that take time to generate their uncertain returns. Intermediaries that bridge this gap—transforming liquidity, maturity and credit between their assets and liabilities—are subject to runs should risk-averse savers come to doubt the market value of their assets.

The modern financial system is vulnerable in a myriad of other ways as well. For example, if hackers were to suddenly render a key identification technology untrustworthy, it could disable the payments system, bringing a broad swath of economic activity to an abrupt halt. Similarly, the financial infrastructure that implements most transactions—ranging from retail payments to the clearing and settlement of securities and derivatives trades—typically relies on a few enormous hubs that are irreplaceable in the short run. Economies of scale and scope mean that such financial market utilities (FMUs) make transactions cheap, but they also concentrate risk: even their temporary disruption could be catastrophic. (One of our worst nightmares is a cyber-attack that disables the computer and power grid on which our financial system and economy are built.)

With these concerns in mind, we welcome our friend Kathryn Judge’s innovative proposal for a financial “Guarantor of Last Resort”—or emergency guarantee authority (EGA)—as a mechanism for containing financial crises. In this post, we discuss the promise and the pitfalls of Judge’s proposal. Our conclusion is that an EGA would be an excellent tool for managing the fallout from dire threats originating outside the financial system—cyber-terrorism or outright war come to mind. In such circumstances, we see an EGA as a complement to existing conventional efforts at enhancing financial system resilience.

However, the potential for the industry to game an EGA, as well as the very real possibility that politicians will see it as a substitute for rigorous capital and liquidity requirements, make us cautious about its broader applicability. At least initially, this leads us to conclude that the bar for invoking an EGA should be set very high—higher than Judge suggests….


Cyber Instability

When terrorists attacked the World Trade Center on September 11, 2001, they also attacked the U.S. financial system. In addition to destroying critical financial infrastructure, the collapse of the twin towers closed the New York Stock Exchange and disrupted the payments system that links U.S. intermediaries, threatening to shut down banks, ATM machines and credit card operations across the country. Only extraordinary intervention by the Federal Reserve kept the system afloat (see, for example, Rosengren).

We have long argued that financial stability is a vital common resource (see here). As ECB Board member Cœuré suggests in the opening quote, the same applies to financial cybersecurity—the protection of financial information and communications technologies (ICT) and their associated networks from failures and attacks. The events of 9/11 and their aftermath dramatically highlighted the link between stability and cybersecurity. Moreover, because our financial system is so deeply reliant on ICT and on large, global networks, these two objectives are more closely linked than ever before: ensuring one means guarding the other.  

In this post, we highlight the pervasiveness of cyberthreats as a source of operational risk in finance. Consistent with Presidential Policy Directive 21 and a recent Presidential Executive Order aimed at strengthening cybersecurity, the U.S. government has designated financial services infrastructure as critical to national and economic security (see here). Nevertheless, numerous challenges—ranging from the availability of reliable data to the ever-changing nature of the attacks themselves—make the goal of safeguarding financial ICT networks very difficult. To be effective, cybersecurity efforts require mechanisms for preventing successful attacks, limiting their impact, and promoting quick, reliable recovery. Reducing vulnerability and contagion while boosting cyberresilience is a very tall order….
