The CBDC Unknown Unknown What the BIS Innovation Hub Built, What It Handed Off, and What Gets Decided Before Anyone Elected Sees the Architecture

"FSA BIS Series — The Architecture of Global Banking Power"

The CBDC Unknown Unknown

What the BIS Innovation Hub Built, What It Handed Off, and What Gets Decided Before Anyone Elected Sees the Architecture

FSA BIS Series — Post 4

By Randy Gipe & Claude | 2026

Forensic System Architecture Applied to the Architecture of Global Banking Power

◆ Human / AI Collaborative Investigation

This is a new kind of investigative work. Randy Gipe directs all research questions, editorial judgment, and structural conclusions. Claude (Anthropic) assists with source analysis, hypothesis testing, and drafting. Neither produces this alone.

We publish this collaboration openly because transparency about method is inseparable from integrity of analysis. FSA — Forensic System Architecture — is the intellectual property of Randy Gipe.

FSA BIS Series:   Post 1 — The Institution Nobody Covers  |  Post 2 — The Basel Accords as Capital Architecture  |  Post 3 — Who Benefits: The Conversion Layer  |  Post 4 — The CBDC Unknown Unknown [You Are Here]  |  Post 5 — The Synthesis

Posts 1 through 3 mapped an institution that has governed global banking for fifty years through architecture most people have never examined. The BIS survived a vote to liquidate it at Bretton Woods. It processed gold for Nazi Germany and called it legal obligation. It rebuilt its influence after World War II by becoming technically indispensable to European monetary reconstruction. Each time it was challenged, it expanded its usefulness. This post documents the next expansion — and it is the largest in the institution's history. The BIS Innovation Hub is designing the infrastructure of programmable sovereign digital money. Ninety-one percent of the world's central banks are building CBDCs. A platform the BIS created and then handed off to five central banks — one of them the People's Bank of China, accounting for 95% of transaction volume — processed $55.49 billion in cross-border settlements by late 2025, up from $22 million in 2022. The architecture of how money moves across borders, who can use it, under what conditions, with what surveillance, and subject to what programmable restrictions is being decided right now. In working groups. Without public minutes. By the institution this series has been mapping. This is the Unknown Unknown the series has been building toward.

The Scale of What Is Being Built

The starting number is the one that reframes everything that follows.

91% of the world's central banks actively exploring CBDCs — BIS Survey, August 2025 93 central banks surveyed. 72 in advanced stages: development, pilot, or live launch. 137 countries representing 98% of global GDP involved. Source: Atlantic Council CBDC Tracker, 2025.

The CBDC transition is not a future possibility. It is a present construction project. The decisions being made now — about architecture, privacy, programmability, cross-border interoperability, and the governance of the platforms that will carry sovereign digital money — are the decisions that will determine the monetary infrastructure of the twenty-first century. Most of those decisions are being made in institutions with no democratic accountability to any electorate. The most consequential of them are being made in, or in direct collaboration with, the Bank for International Settlements.

This post maps what the BIS Innovation Hub built, what it handed off and to whom, and what the architecture of those decisions means for the people whose money will eventually run on it.

The BIS Innovation Hub — What It Is and What It Produced

The BIS Innovation Hub was established in 2019 with centers in Basel, Hong Kong, Singapore, London, Stockholm, and Eurosystem hubs. Its mandate: identify and develop public goods in technology for the global financial system. It is funded by the BIS, governed by the BIS, and answers to the central banks that own the BIS. It has no external oversight from any elected government, no public board, and no accountability mechanism accessible to any non-central-bank institution.

In six years of operation, the Innovation Hub has produced a portfolio of CBDC projects that, taken together, constitute the most complete architectural blueprint for the future of sovereign digital money ever assembled in a single institution. Four projects define the architecture:

◆ Operational — Handed Off 2024

Project mBridge

Multi-CBDC cross-border payment platform. Built with PBOC, HKMA, BOT, CBUAE. Saudi Arabia added June 2024. BIS exited October 2024. Now independently governed by the five participating central banks. $55.49 billion processed by late 2025.

◆ Proof of Concept — Dec 2025

Project Rialto

Tokenized wholesale CBDC for instant cross-border settlement using DLT and automated market makers for FX. Technical report published December 2025. Architecture documented. Not yet in pilot phase.

◆ Research Framework — Ongoing

Project Polaris

Offline CBDC functionality for crisis resilience and unbanked population access. Security framework and offline payment handbooks published. Raises the sharpest financial inclusion vs. surveillance tradeoff in the entire CBDC portfolio.

◆ Privacy Architecture — Ongoing

Project Aurum 2.0

Tiered privacy architecture for retail CBDC. Developed with HKMA. Balances transaction anonymity for small-value payments against regulatory traceability for large-value and suspicious transactions. The architecture that determines what governments can see.

Each project addresses one dimension of the same fundamental question: what does programmable sovereign digital money look like, and who controls the rules? The BIS Innovation Hub has spent six years answering that question at the architectural level. The answers are now embedded in platforms that are operational, in handbooks that are published, and in frameworks that other central banks are adopting as they build their own systems.

Project mBridge — The Cascade Marker

Post 1 of this series introduced mBridge as the cascade marker — the project whose trajectory most clearly reveals the BIS's institutional pattern of building influence through technical indispensability, then stepping back once the architecture is established. The full picture is now available.

◆ mBridge — Complete Architecture as of March 2026

What it is: A multi-currency cross-border payment platform built on a bespoke distributed ledger — the mBridge Ledger — that allows participating central banks to issue their own digital currencies and settle cross-border transactions directly, without correspondent banks, without SWIFT, and without the U.S. dollar as an intermediary currency.

```

$55.49 billion

Total transactions processed by late 2025. Up from $22 million across 160 transactions in 2022 pilots. A 2,500-fold increase in three years.

~95%

Share of mBridge transaction volume accounted for by China's e-CNY. The platform is, in practice, a renminbi cross-border settlement system with multilateral architecture.

Seconds / 50% cost reduction

Settlement time vs. SWIFT's days. Cost reduction vs. correspondent banking. The technical case for adoption is real — and that is precisely the architecture the BIS EPU pattern established in 1950.

Who governs it now: The five participating central banks — PBOC, HKMA, BOT, CBUAE, SAMA — operating through a steering committee with decentralized, peer-to-peer governance. Over 30 observers including the ECB, the Federal Reserve Bank of New York's Innovation Center, the IMF, and the World Bank have input roles but no operational standing.

The BIS's exit: Described as a "graduation" when the BIS fully transferred control in October 2024. The BIS framed mBridge as a "public good" and shifted focus to its next project — Agorá, a tokenized wholesale settlement platform with Western central banks. The BIS built the architecture, established the governance framework, wrote the rulebook, and handed it to the operators. The pattern is the EPU rehabilitation of 1950 — made visible in real time.

What the participating central banks say they will do with it: PBOC: accelerate international expansion for trade settlement, particularly energy and commodities. SAMA: petroyuan integration and reducing SWIFT dependence. CBUAE and BOT: de-risking for regions losing correspondent banking. HKMA: broader private sector involvement. The stated purposes are legitimate. The aggregate architectural consequence — a cross-border payment infrastructure where China's currency constitutes 95% of volume, governed by five central banks, outside the dollar system, with no formal accountability to any elected government — is the FSA finding.

```

◆ The Saudi Arabia Addition — Why June 2024 Is the Geopolitical Inflection Point

Saudi Arabia's addition as a full mBridge participant in June 2024 is the single data point in the entire CBDC story that most directly connects the architecture of programmable money to the architecture of global geopolitical power.

Saudi Arabia is the world's largest oil exporter. Oil is priced and settled in U.S. dollars. The petrodollar system — in which oil exporters accumulate dollar reserves that are recycled into U.S. Treasury markets — is a foundational pillar of dollar reserve currency status. For decades, that system has been a primary mechanism of U.S. financial and geopolitical leverage.

SAMA joined mBridge in June 2024 specifically to enable RMB-denominated oil and gas settlements with China — bypassing the dollar system, bypassing SWIFT, and using a platform that the BIS built and handed to the PBOC as the dominant operator. The platform that the Bank for International Settlements designed as a "public good" for cross-border payment efficiency is now the infrastructure through which the most consequential alternative to the petrodollar system is being built. Neither the BIS's founding documents nor any of its public statements describe this as a mandate of the institution. The architecture produced it as an emergent consequence of the design choices the Innovation Hub made between 2019 and 2024.

The Programmability Question — The Decision Nobody Has Named

Of all the architectural decisions being made in CBDC working groups without public deliberation, the programmability question is the most consequential for ordinary people. It is also the least examined in public discourse — because it requires understanding both the technical architecture and the political economy of money simultaneously, and the institutions best positioned to explain it are the ones building it.

◆ What Programmable Money Is — Stated Without Euphemism

A programmable CBDC is a digital currency whose transactions can be conditioned on external rules enforced automatically by software. This is not hypothetical. It is confirmed as a design feature in operational systems.

China's e-CNY has confirmed programmability in live pilots: expiration dates on stimulus payments — money that ceases to exist if not spent by a specified date. Merchant restrictions — money that can only be spent at approved vendors. Geographic restrictions — money that can only be spent in specified locations. Time restrictions — money that can only be spent during specified hours.

Kazakhstan's Digital Tenge and Brazil's Drex have confirmed programmability for conditional use. No BIS document explicitly rules out programmability for any national CBDC implementation. BIS Working Paper 1306 (2025) acknowledges the risks: privacy erosion, potential for what the paper calls "rent extraction" by the issuing authority, and the fundamental question of whether a currency that can be programmed to expire or be restricted is still money in the constitutional and legal sense that existing monetary frameworks assume.

The programmability question is not being decided at the level of elected governments debating monetary policy. It is being decided at the level of technical architecture by central bank engineers implementing design frameworks that the BIS Innovation Hub developed. By the time any legislature debates whether CBDCs should be programmable, the architecture that makes programmability possible — or makes it impossible to avoid — will already be built into the infrastructure. That is the window this series named in Post 1. The window is closing.

Project Aurum 2.0 — Who Sees What

The privacy architecture of retail CBDCs is the other dimension of the programmability question — and it is the dimension that directly determines the surveillance capacity of governments that issue them. Project Aurum 2.0, developed by the BIS Innovation Hub in collaboration with the Hong Kong Monetary Authority, is the most detailed published architecture for managing this tradeoff. It is worth examining precisely.

Tier

What the Central Bank Sees

What Authorities Can Access

Tier 1
Small-value transactions

Aggregate data only. No personal identification. Pseudonymized records held by intermediaries, not central bank.

Conditional access via warrant process. AML/CFT triggers required for de-anonymization.

Tier 2
Mid-value / flagged

Pseudonymized transaction data. Intermediaries hold identity linkage. Central bank receives patterns.

Enhanced due diligence. Regulatory access without full warrant in flagged cases.

Tier 3
High-value / suspicious

Full transaction traceability. Identity linkage accessible. AML/CFT full disclosure regime.

Direct regulatory access. Authorities can trace complete transaction history.

The HKMA's stated position on this architecture is "managed anonymity" — balancing user privacy for low-risk transactions against regulatory access for compliance purposes. The architecture uses zero-knowledge proofs and pseudonymization to provide genuine privacy protection at Tier 1. Full transaction anonymity is technically achievable at the small-value tier.

◆ FSA Anomaly — The Architecture Determines the Default

Project Aurum 2.0 is a thoughtful privacy architecture. The FSA observation is not that the architecture is designed to surveil — it is that the architecture determines what surveillance is possible, and that determination is being made in a BIS Innovation Hub working group with the HKMA, not by any elected parliament debating privacy rights in a digital monetary system.

The tiered architecture assumes the existence of Tier 3 — full traceability for high-value and suspicious transactions — as a design requirement. Every CBDC system built on this framework inherits that assumption. The question of what counts as "suspicious," what transaction value triggers enhanced scrutiny, and who has access to the de-anonymization process are governance questions. They will be answered by the central banks implementing the system. They are being pre-answered by the architectural choices embedded in the framework.

A government with authoritarian tendencies implementing a CBDC on the Aurum architecture does not need to change the architecture to expand surveillance. It needs to change the threshold definitions. The architecture accommodates the change. That is the FSA finding about Project Aurum 2.0 — not that the BIS designed a surveillance system, but that it designed a framework whose surveillance capacity is determined by parameters that future governments can adjust without altering the underlying infrastructure.

Project Polaris — The Financial Inclusion Knife Edge

Project Polaris is the BIS Innovation Hub's framework for offline CBDC functionality — the technical architecture that allows digital currency to be transacted without an internet connection, for use in areas with limited connectivity or during crisis scenarios. It is also the project with the sharpest tension between the two most compelling arguments about CBDCs simultaneously.

The financial inclusion argument is genuine: 1.3 billion adults globally remain unbanked as of 2024, according to the World Bank Global Findex. Many live in areas with limited internet connectivity. An offline-capable CBDC — functioning like digital cash, usable without a smartphone or bank account — could reach populations that the existing digital financial infrastructure has not reached. Polaris's offline payment handbooks describe exactly this possibility.

The surveillance argument is equally genuine: offline CBDC functionality requires synchronization when connectivity is restored. That synchronization produces a complete record of every transaction conducted offline — with whom, for what, at what time — uploaded to the central system the moment the device connects. For a person whose transaction record could put them at risk — a political dissident, a member of a persecuted minority, a person in an abusive relationship, anyone conducting lawful activity their government has chosen to criminalize — offline CBDC offers not the anonymity of physical cash but a complete, time-stamped, unavoidable audit trail uploaded automatically upon reconnection.

The Polaris framework acknowledges this tension. It does not resolve it. The resolution is left to implementing central banks — who will make it in the context of their own legal frameworks, political environments, and relationships with the populations they govern. The BIS Innovation Hub built the knife. The implementing institution decides which edge faces the user.

The Interoperability Architecture — Who Controls the Rules of Cross-Border Digital Money

mBridge is not the only cross-border CBDC interoperability platform under development. It is the only one operational at scale. The competitive landscape reveals the architectural stakes.

THE INTEROPERABILITY LANDSCAPE — MARCH 2026

mBridge: Operational. $55.49B processed. PBOC dominant at 95% of volume. Five central bank governance. BIS designed, now independently managed.

Project Agorá: BIS-led, with Western central banks (Fed, ECB, Bank of England, Bank of Japan, Bank of Korea, Bank of Mexico, Swiss National Bank). Tokenized wholesale settlement. Design phase. The Western-aligned counterweight to mBridge — also BIS-designed.

Project Nexus: BIS framework for interlinking national fast payment systems and CBDCs. Multi-jurisdictional. Design phase.

IMF XC Platform: Centralized ledger approach. Subject to IMF member government oversight — the only major CBDC interoperability platform with formal elected government accountability.

SWIFT CBDC Connector: In beta with 38 financial institutions. Incumbent infrastructure adapting rather than being replaced.

The FSA observation: Two of the three most advanced cross-border CBDC interoperability platforms — mBridge and Agorá — were designed by the BIS Innovation Hub. One has been handed to central banks with China as the dominant operator. One remains under BIS coordination with Western central banks. The BIS has positioned itself as the architectural designer of both sides of the emerging bifurcation in global cross-border payment infrastructure. The institution that survived Bretton Woods by becoming technically indispensable has done it again — at the level of the monetary system itself.

The Democratic Accountability Gap — Named Precisely

◆ The Accountability Architecture — What Exists and What Doesn't

The U.S. Congress has held hearings on CBDCs — including House Financial Services Committee sessions in March 2025 and Senate Banking Committee hearings across the preceding years. Those hearings examined the Federal Reserve's potential CBDC role, stablecoin regulation, and privacy concerns. The CBDC Anti-Surveillance Act has been introduced in the House.

No congressional hearing has specifically examined the BIS Innovation Hub's role in designing the global CBDC architecture. No elected legislature in any jurisdiction has formally reviewed the Innovation Hub's project portfolio. No parliamentary committee has examined what decisions were made in BIS working groups that will constrain the design choices available to national legislators when they eventually debate their own CBDC frameworks.

The contrast with other multilateral institutions is structural. IMF CBDC work — including the XC Platform — is subject to oversight by the IMF's Board of Governors, which includes representatives of member governments. World Bank technology initiatives are subject to member government board approval. The BIS Innovation Hub operates with the same legal immunity and institutional insulation documented in Post 1 of this series — no national court jurisdiction, no external audit requirement, no obligation to publish working group minutes or make design rationales available for public review.

The architecture of programmable money — who can use it, under what conditions, with what privacy protections, subject to what programmable restrictions, settling across borders through which governance frameworks — is being designed in an institution that is accountable to no electorate. That is not a claim about intent. It is a description of the architecture of accountability itself. And it is the most consequential Unknown Unknown in the entire BIS series.

The Unknown Unknown Protocol — Boundary Markers

FSA's Unknown Unknown Protocol requires the investigator to mark the boundaries of what is knowable from public evidence — and name what lies beyond those boundaries without filling them with speculation. This is the most important section of Post 4. These are genuine gaps, not rhetorical questions.

◆ FSA Unknown Unknown Protocol — CBDC Architecture Boundaries ```

What the public evidence establishes: The BIS Innovation Hub designed mBridge, handed it to five central banks, and described the transfer as a graduation. China's e-CNY accounts for 95% of mBridge transaction volume. Saudi Arabia joined in June 2024 to enable RMB-denominated energy settlements. No BIS document rules out programmability. Project Aurum 2.0 embeds surveillance capacity that future governments can expand by adjusting threshold parameters. No elected legislature has examined the BIS Innovation Hub's architectural decisions.

Has the BIS Innovation Hub's steering committee — or any working group it convened — made specific recommendations about programmability that are not in public documents? The BIS publishes project reports. It does not publish working group deliberations. The decisions that shaped the architecture predate the published outputs. Those deliberations are not in the public record.

What is the actual decision-making process within the mBridge steering committee as of March 2026? The governance framework describes decentralized peer-to-peer decision-making. At 95% of transaction volume, does the PBOC have effective veto power through transaction weight even without formal voting power? The answer is not in any public document.

Have any of the 30+ mBridge observers — including the Federal Reserve Bank of New York's Innovation Center — formally communicated concerns about the platform's governance or China's dominant transaction share to their home governments? If so, those communications are not public. The observers participate. They observe. What they report internally is not disclosed.

When Project Agorá produces a Western-aligned cross-border CBDC platform under BIS coordination, will mBridge and Agorá be interoperable — or will the world's cross-border CBDC infrastructure bifurcate into two non-interoperable systems aligned with competing geopolitical blocs? The BIS has not published an answer. The answer has not been formally put to any elected government for decision.

What programmability constraints, if any, will be embedded in the cross-border settlement protocols that govern how CBDCs move between mBridge and Agorá? If a programmable restriction on a CBDC issued by one country prevents its use for certain purposes in another country's jurisdiction, who governs that rule? The architecture does not yet have a public answer. The architecture is being built.

These are the boundaries. FSA marks them. The investigation cannot cross them with available evidence. What it can say is that the decisions being made inside those boundaries — in BIS working groups, in mBridge steering committee sessions, in Innovation Hub project meetings — will determine the monetary architecture of the twenty-first century. And the people whose money will run on that architecture have no mechanism to observe those decisions, no representative in the rooms where they are made, and no formal right to contest the outcomes before they are embedded in infrastructure that will be technically very difficult to redesign.

```

"The BIS built the architecture of cross-border digital money. It handed the most advanced platform to five central banks — one of them the dominant operator by transaction volume. It is designing the Western-aligned alternative simultaneously. No parliament voted on either. The window to examine this before the architecture is complete is not closing. It has mostly closed. What remains open is the question of whether anyone with democratic authority will look through it before it does."

The Numbers — Assembled

91% of central banks actively exploring CBDCs — BIS Survey, August 2025 72 in advanced stages. 137 countries representing 98% of global GDP involved. The transition is not approaching. It is underway.

$55.49B mBridge transactions processed by late 2025 — up from $22M in 2022 2,500-fold increase in three years. Settlement in seconds at half the cost of SWIFT. The technical case for adoption is the same as the EPU case in 1950.

~95% of mBridge volume accounted for by China's e-CNY The multilateral platform is, in practice, a renminbi cross-border settlement system with multilateral architecture and decentralized governance.

$2.37T China's e-CNY transactions processed — 3.48 billion transactions, 230 million users by November 2025 Full national rollout targeted 2026 with interest-bearing features. Programmability confirmed in live pilots: expiration dates, merchant restrictions, geographic restrictions.

1.3B Adults globally unbanked — World Bank Global Findex 2025 The financial inclusion argument for CBDCs is real. Project Polaris's offline functionality could reach this population — and produce a complete transaction audit trail uploaded automatically upon reconnection.

0 Parliamentary or congressional hearings specifically examining BIS Innovation Hub's CBDC architectural decisions The most consequential monetary architecture decisions of the twenty-first century are being made without formal democratic oversight of the institution making them.

What Post 5 Does

Post 4 has named the Unknown Unknown that the entire series has been building toward. Post 5 assembles the complete picture — fifty years of BIS architecture, three rounds of Basel standards, and a CBDC construction project that is rewriting the infrastructure of sovereign money — and answers the question the series has been asking since Post 1.

Not: is the BIS corrupt? It is not. Not: is central bank coordination unnecessary? It is not. Not: are CBDCs inherently dangerous? They are not.

The question Post 5 answers is structural: what is the BIS, understood as a complete architectural system? What does it do — not what does it say it does, but what does the evidence show it structurally produces? And what does the answer mean for the people whose money, credit, and monetary sovereignty run through it?

That is what the synthesis is for.