The race has a deadline that nobody can pin to a calendar, and that is precisely what makes it so dangerous. Quantum computing is advancing faster than most financial compliance teams can process the implications, and the encryption protecting trillions of dollars in daily transactions was never designed to survive it.
From Theory to Threat Timeline
For years, “quantum threat” was treated as a horizon problem — important but distant. That posture is changing. IBM’s 2025 Heron processor demonstrated over 5,000 qubits with meaningfully improved error-correction rates, and Google’s internal roadmap — portions of which were reported by Nature in late 2025 — targets fault-tolerant logical qubits capable of running Shor’s algorithm at scale by the late 2020s. Shor’s algorithm, when run on a sufficiently powerful quantum machine, can efficiently factor large integers and compute discrete logarithms, breaking RSA and elliptic-curve cryptography (ECC) — the twin pillars of modern financial security.
The National Institute of Standards and Technology (NIST) finalized its first post-quantum cryptography (PQC) standards in August 2024, publishing FIPS 203, 204, and 205 covering lattice-based and hash-based algorithms. The implicit signal: migration cannot wait for quantum computers to arrive. By the time a “cryptographically relevant quantum computer” (CRQC) exists, adversaries using “harvest now, decrypt later” strategies will already hold encrypted data gathered years earlier.
Banks Are Moving — But Unevenly
JPMorgan Chase disclosed in its 2025 annual report that it has begun piloting CRYSTALS-Kyber, one of the NIST-selected algorithms, across select internal systems. HSBC and Deutsche Bank have joined the Financial Services Information Sharing and Analysis Center (FS-ISAC) working group on PQC migration, which published its first industry roadmap in February 2026.
The challenge is not just replacing algorithms. Financial infrastructure is deeply layered: SWIFT messaging, card network protocols, core banking systems, and HSM (hardware security module) firmware all embed cryptographic assumptions that took decades to standardize. Ripping and replacing them requires coordination across thousands of counterparties.
Smaller institutions face a starker gap. A survey by the Bank Policy Institute released in March 2026 found that 61 percent of mid-size U.S. banks had not yet begun formal PQC impact assessments. Many cited resource constraints and lack of clear regulatory timelines. The Federal Reserve and OCC have issued guidance encouraging readiness planning but have stopped short of hard deadlines — a posture that industry observers say may need to harden by 2027.
The Harvest-Now Problem and Its Urgency
The most underappreciated risk is retrospective: encrypted data being exfiltrated today remains a liability once a CRQC exists. Intelligence agencies and well-resourced criminal groups are believed to be stockpiling encrypted financial communications specifically for future decryption. Long-lived secrets — multi-decade bond documentation, M&A records, sovereign fund positions — carry particular exposure.
This transforms PQC migration from a future-state problem into a present one. Data sensitivity lifespans often exceed reasonable quantum threat timelines by years. For a financial instrument with a 15-year maturity, cryptographic decisions made today will still matter in 2041.
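The comparison in this section (how long data must stay secret, plus how long migration takes, against the time until a CRQC exists) is often called Mosca's inequality, and it can be run over a cryptographic inventory. The Python below is an added example, not part of the original article; it also covers signatures and hybrid schemes, and the inventory, asset names, year counts and the years_to_crqc value are constructed assumptions.

```python
from dataclasses import dataclass

SHOR_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # FIPS 203, 204, 205

@dataclass
class Asset:
    name: str
    algorithm: str        # "+" joins the components of a hybrid scheme
    purpose: str          # "key-exchange", "encryption" or "signature"
    secrecy_years: int    # how long the protected data must stay confidential
    migration_years: int  # estimated time to replace the algorithm here

def family(algorithm):
    """Map 'RSA-2048' -> 'RSA', 'ML-KEM-768' -> 'ML-KEM', anything else -> 'UNKNOWN'."""
    alg = algorithm.strip().upper()
    for fam in sorted(SHOR_VULNERABLE | PQC, key=len, reverse=True):
        if alg.startswith(fam):
            return fam
    return "UNKNOWN"

def assess(asset, years_to_crqc):
    """Return (verdict, margin_years); a positive margin is the size of the exposure."""
    parts = [family(p) for p in asset.algorithm.split("+")]
    if any(p in PQC for p in parts):
        return ("pqc-protected", 0)   # a hybrid holds while one component holds
    if "UNKNOWN" in parts:
        return ("review", 0)          # not classified here (symmetric, proprietary)
    if asset.purpose == "signature":
        # Signatures are not exposed retroactively; the risk is forgery once a
        # CRQC exists, so only the migration time counts against the deadline.
        margin = asset.migration_years - years_to_crqc
        return ("forgeable-after-crqc" if margin > 0 else "migrate-in-time", margin)
    # Confidentiality: traffic recorded until migration completes must stay
    # secret for secrecy_years, so shelf life and migration time add up.
    margin = asset.secrecy_years + asset.migration_years - years_to_crqc
    return ("harvest-now-exposed" if margin > 0 else "migrate-in-time", margin)

def triage(assets, years_to_crqc):
    """Rank assets by margin, largest exposure first."""
    rows = [(a.name, *assess(a, years_to_crqc)) for a in assets]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed inventory; every name and number is illustrative.
INVENTORY = [
    Asset("bond-archive-transfer", "RSA-2048", "encryption", 15, 3),
    Asset("payments-api-tls", "ECDH-P256", "key-exchange", 2, 2),
    Asset("partner-tls-hybrid", "X25519+ML-KEM-768", "key-exchange", 10, 0),
    Asset("firmware-signing", "ECDSA-P384", "signature", 0, 6),
]
```

Because nobody can date the CRQC, run the triage across a range of years_to_crqc values and treat any asset that is exposed under the shortest plausible value as first in the migration queue.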
What Comes Next
NIST is expected to finalize additional PQC standards through 2026, and several cloud providers — AWS, Azure, and Google Cloud — have already introduced hybrid TLS modes combining classical and post-quantum key exchange. Financial regulators in the EU, under the Digital Operational Resilience Act (DORA), are beginning to treat cryptographic agility as a systemic resilience requirement.
The institutions that will navigate this transition best are those treating it as an infrastructure modernization program rather than a security patch. That means crypto-agility: building systems designed to swap algorithms without full re-architecture. It is expensive and unglamorous work. But the alternative — discovering your encryption is broken after a CRQC goes live — is not a recoverable position.
The quantum clock is running. Nobody knows exactly when it strikes, but the consensus among cryptographers is narrowing toward “sooner than comfortable.” For banks, that ambiguity is itself the risk they need to price in now.