This opportunity is closed for applications

The deadline was Tuesday 1 November 2022
Bank of England

Central Bank Digital Currency (CBDC) Proof of Concept and Research Offline payments

6 Incomplete applications

4 SME, 2 large

9 Completed applications

4 SME, 5 large

Important dates

Published
Tuesday 18 October 2022
Deadline for asking questions
Tuesday 25 October 2022 at 11:59pm GMT
Closing date for applications
Tuesday 1 November 2022 at 11:59pm GMT

Overview

Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
Bank of England require a proof of concept for offline payments in a Central Bank Digital Currency
Latest start date
Tuesday 15 November 2022
Expected contract length
Max 5 months
Location
No specific location, for example they can work remotely
Organisation the work is for
Bank of England
Budget range
200-250,000 (inc VAT)

About the work

Why the work is being done
Offline payments are one of the most complicated elements of a potential UK CBDC and require thoughtful consideration and design. It could increase acceptance and resilience of CBDC but heighten the risk of double spend as there is no online connectivity to verify the provenance of the money. This project will increase the Bank's knowledge and understanding of how offline CBDC payments could work. It will do this by building one or more proof of concepts to explore what the opportunities, limitations and risks associated with offline CBDC payments, while meeting policy goals of preventing AML, counterfeiting/double spend, while preserving privacy identity and increasing access. A final report and presentation will also be delivered highlighting the role of secure hardware in offline payments and the future technological roadmap for secure hardware.

The proof of concepts need to be completed in time to be integrated into phase 2 api of the BIS's project Rosalind in February 2023 however the final report can follow after February.
https://www.bis.org/about/bisih/topics/cbdc/rosalind.htm
Problem to be solved
* The PoCs will demonstrate how offline CBDC payments can be achieved with finality and irrevocably
* The PoCs will demonstrate the key design considerations (e.g.token/account, protocol and messaging for payment between devices)
* The project team must Identify the key APIs required to support offline transactions and deferred synchronisation on the CBDC core ledger for inclusion in Project Rosalind's API specification and asapt their proof of concepts accoringly
* The PoCs must Integrate with the Project Rosalind API phase 2 in February 2022
* The POCs will demonstrate how offline CBDC can detect double spend and enforce AML while preserving privacy
* The PoCs and final report will demonstrate how can secure hardware protect against double spend attacks
* The final report will explain the future technology roadmap and developments that may improve offline CBDC payments"
Who the users are and what they need to do
* As a member of the CBDC technology team at the Bank of England I need to be able demonstrate an offline CBDC payments solution integrated into Project Rosalind API
* As a member of the CBDC technology team I need to understand the design considerations around offline payments and how double spend and money laundring can be mitigated while still preserving privacy
* As a member of the CBDC technology team I need to understand the future technology roadmap could assist in the development of offline CBDC payments
* As the Bank of England I need to be able to publish a report on the output of this project in order to contribute to the dialog on CBDC design and keep the market informed on our development
Early market engagement
Any work that’s already been done
No previous work has been conducted by the Bank in this space
Existing team
The existing team that will be interacting with this project consists of a Principal architect, a solution architect, project analyst & technical writer. The supplier's team is expected to carry out all of the project work but have regular progress and design meetings with the CBDC technology team to monitor and guide the project. The technology team will also be expected to deploy the developed demonstrations on Bank infrastructure
Current phase
Alpha

Work setup

Address where the work will take place
Bank of England, Threadneedle st, London, EC2R 8AH
and remote in UK
Working arrangements
The supplier will be required to carry out the work at their offices. Regular project meetings can be carried out either hybrid or face to face as desired by the program team. An initial kick off workshop, mid point check in and final demo will be conducted within the Bank of England's offices.

Travel Expenses will be billed to the Bank of England upon agreement between the vendor and Bank of England. The same will happen with prior agreement for hardware required to complete the demonstrations i.e. smart cards, phones etc.
Security clearance
You may need to organise security clearance should access to Bank environments be required as part of the project

Additional information

Additional terms and conditions
Suppliers must comply with Bank's security controls as part of the engagement. These will be distributed to suppliers within the clarification questions section within 48 hours.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Demonstrate experience developing digital payments solutions (1)
  • Demonstrate experience developing solutions which use secure hardware (1)
  • Demonstrate experience with mobile application development and storing secrets on mobile (1)
  • Demonstrate experience delivering new services and components which are integrated into existing digital services via API integrations (1)
  • Demonstrate experience working in an environment that is compliant with AML regulations (1)
  • Demonstrate experience with applying cryptography for meeting privacy and non repudiation requirements (1)
  • Demonstrate experience using or developing protocols for inter device communication in an offline environment (1)
  • Demonstrate experience with digital currency solutions with or without blockchain involvement (1)
Nice-to-have skills and experience
  • Demonstrate experience developing solutions which use digital identity (0.5)
  • Demonstrate experience with ISO20022 payments standards (0.5)
  • Demonstrate experience in preventing hardware based threats or attacks (0.5)
  • Demonstrate experience in research and development for secure hardware (0.5)
  • Demonstrate experience in research and development capabilities for payments (0.5)
  • Demonstrate experience in research and development capabilities for digital identity (0.5)

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • How well will the PoC (s) demonstrate how offline CBDC payments can be achieved with finality and irrevocability (4)
  • How well do the POC (s) demonstrate the key design considerations (e.g. token/account, protocol and messaging for payment between devices) (4)
  • Do key APIs identified to support offline transactions and deferred synchronisation on the CBDC core ledger for inclusion in Project Rosalind's API specification (4)
  • How well do the proposed PoC (s) and final report will demonstrate how can secure hardware protect against double spend attacks (4)
  • How will the proposed final report will explain the future technology roadmap and developments that may improve offline CBDC payments (4)
  • How well does the proposal demonstrate multiple offline CBDC designs for comparison (5)
  • How well does the proposed PoC re-integrate and can be re-used into other environments (e.g. Project Rosalind) (5)
  • How much of the project's developed PoC, IP and derived knowledge does the Bank get to keep and reuse (5)
  • How well do the PoC (s) demonstrate how offline CBDC can detect double spend and enforce AML while preserving privacy (4)
Cultural fit criteria
  • Demonstrates how knowledge and experience is shared with other team members (3.3)
  • Demonstrate your ability to deliver in an open, collaborative way (3.3)
  • Have a clear and comprehensive approach to diversity and inclusion (3.3)
Payment approach
Fixed price
Additional assessment methods
Presentation
Evaluation weighting

Technical competence

65%

Cultural fit

10%

Price

25%

Questions asked by suppliers

1. "How well do the proposed PoC (s) and final report will demonstrate how can secure hardware protect against double spend attacks (4)
Can this be clarified, please? It seems to be asking offline hardware to perform online reconciliation (unless intended to protect against double-spend attacks on a single device/terminal).
"
We'd like to see evidence of the extent to which secure hardware can prevent a double spend attack on a local device.
2. "Regarding this question: Demonstrate experience in preventing hardware based threats or attacks.
Can you clarify if ‘hardware based’ implies, an attack using hardware, an attack exploiting hardware vulnerabilities or using hardware to mitigate against an attack?
"
By 'hardware-based attacks' we mean attacks that exploit vulnerabilities in hardware e.g. to run a double spend attack.
3. Is there any prior documentation that can be shared with us for this opportunity ?
There is no prior documentation to share. This is part of a new set of projects and PoCs.
4. Are bidders able to subcontract elements of the project to a partner supplier?
Yes. In the second phase of the procurement following initial essential and nice to have evaluation you are able to state the subcontractors you intend to deliver aspects of the service
5. As part of the proposal criteria section, suppliers are requested to submit a written response to a set of questions. When logging into the portal, there does not seem to be an option to respond. Please could you confirm how suppliers should respond to these criteria?
"For this first stage the responses are against the essential and nice to have skills. Please follow the supplier guidance for the DOS5 framework or contact Crown Commercial Services Email:
info@crowncommercial.gov.uk

Telephone:
0345 410 2222

For support.

There is a subsequent second stage which suppliers will be asked for a written response against the proposal criteria stated in the DOS5 notice. This will be distributed to the downselected suppliers at this point via e-mail."
6. "The RFP states that “the PoCs must Integrate with the Project Rosalind API phase 2”. Please clarify the scope and context of these APIs:
a. Who (in terms of business role in the CBDC ecosystem) exposes them, and who consumes them?
b. What is their scope (e.g., full ecosystem lifetime, or just end-user transactions)?
c. Where possible, the style, design criteria, or example APIs would be very useful to determine the shape and size of the APIs required to fulfil the brief, if these could be shared?
"
"a. Rosalind APIs are exposed by the Bank of England for consumption by the PIP (or the offline wallet provider in this use case).
You will be expected to identify the APIs required to support offline transactions and deferred synchronisation on the core ledger.
7. "The RFP states that “the PoCs must Integrate with the Project Rosalind API phase 2”. Please clarify the scope and context of these APIs:
b. What is their scope (e.g., full ecosystem lifetime, or just end-user transactions)?
b. APIs is the full system lifecycle, including account management as well as end-user transactions. The APIs are open to consumption by the offline wallet provider.
8. The RFP states that “the PoCs must Integrate with the Project Rosalind API phase 2”. Please clarify the scope and context of these APIs:
c. Where possible, the style, design criteria, or example APIs would be very useful to determine the shape and size of the APIs required to fulfil the brief, if these could be shared?
c. The Rosalind APIs cannot be shared at this point in time as they are still being developed and we don't want to unduly influence the solutions. They will be shared with the successful vendor. However for context they are RESTFUL http based APIs
9. Is it correct that the PoC should provide both a front end and a back end, or is it limited to back-end communication with each other, via the Rosalind APIs and extensions thereof?
Both a front-end and a back-end. Our expectation is that the backend will communicate with the APIs from the central bank while the front end should be demonstrating the offline transfers.
10. Please can you confirm if this scope of work is limited to mobile applications?
Not at all. PoCs that demo across different devices e.g. smart phones and smart cards are encouraged
11. Is there a preference on the technology to be used for the PoCs?
PoCs that demo across different devices e.g. smart phones and smart cards are encouraged
12. Is there any assumption that an individual could have multiple accounts or devices?
A user may have multiple offline accounts and devices, but not necessarily so for this PoC.
13. Please can you outline whether you see a role in validating offline transactions?
We'd like to explore how offline transactions might be validated and settled in real time.