P-money
Cash is dying, but privacy doesn’t have to die with it. Recent research by Ahnert, Hoffmann, Monnet, and Patel (2025) in the Journal of Financial Economics introduces a framework that changes how we think about privacy in the digital economy: P-money, D-money, and C-money.
Why Privacy Matters When Cash Disappears
Indonesians increasingly pay online using QRIS at warungs, credit card on Tokopedia, GoPay for ojek. Cash still exists, but convenience wins. The problem: conventional digital payments (Visa, Mastercard, e-wallet to e-wallet transfer) create permanent records. Every transaction reveals not just what you bought, but when, where, and increasingly, why. This data becomes the currency itself and then sold to advertisers, used for credit scoring, potentially leaked in breaches. Privacy isn’t about hiding illegal activity. It’s about controlling who knows you. Cash provided this naturally. Digital payments don’t, unless we designed for it.
Three Types of Digital Money
Ahnert et al. (2025) distinguish three architectures:
- P-Money (Privacy-Preserving): Payment data is fragmented across parties. No single entity sees the complete picture. Think: cash, or systems where your bank knows you paid Rp 50,000 but not to whom, while the merchant’s bank knows they received Rp 50,000 but not from whom.
- D-Money (Data-Rich): One platform sees everything. GoPay knows every warung you visit, every time you top up, every failed transaction. This enables personalized credit (PayLater) but at total privacy cost.
- C-Money (Consumer-Controlled): You choose what data to share. Open banking APIs let you grant temporary access to transaction history for loan applications, then revoke it. Privacy as permission, not architecture. The trade-off: P-money protects privacy but limits credit access. D-money maximizes credit but eliminates privacy. C-money balances both but requires constant user decisions.
Implementation Paths and CBDCs
Central banks worldwide are exploring CBDCs (Central Bank Digital Currency). China’s digital yuan operates as D-money because the People’s Bank sees all transactions. The Bahamas’ Sand Dollar and proposed Fed designs explore P-money structures using privacy-preserving cryptography. The technical challenge: How do you prevent money laundering (requires transaction visibility) while preserving citizen privacy? Ahnert’s framework suggests tiered systems—small transactions get P-money privacy, large ones require D-money disclosure.
QRIS: Accidental Privacy Architecture
Indonesia’s QRIS operates as unintentional P-money. The system fragments data:
- Your bank (issuer) sees: outflow of Rp 50,000
- Merchant’s bank (acquirer) sees: inflow of Rp 50,000
- Merchant sees: payment received, limited customer data
- No party has your complete purchase history Compare to GoPay: one database, full visibility, targeted ads. QRIS’s “inefficiency” is a privacy feature. The fragmentation isn’t a bug, it’s what prevents surveillance capitalism. This matters for Indonesia’s UU PDP (Personal Data Protection Law). QRIS’s distributed architecture complicates joint controller accountability but provides structural privacy. E-wallets must ask permission to use your data. QRIS doesn’t collect it in the first place.
The Path Forward
Payment privacy isn’t binary. Ahnert’s framework shows we can design systems that balance privacy, credit access, and compliance. Indonesia’s QRIS accidentally demonstrates this. The question isn’t whether to choose privacy or convenience. It’s which architecture best serves our values. As cash disappears, that choice becomes permanent. Better to make it deliberately than let platforms decide for us.
This research informs my ongoing study on privacy perceptions in Indonesia’s QRIS system. Follow updates at wayan.me