Share:
Loading...
Your bank account is protected by encryption that would take a conventional computer millions of years to crack. That sounds reassuring – and right now, it is. The problem is that a sufficiently powerful quantum computer could break the same encryption in hours. That computer doesn't exist yet at the scale required, but every major bank, government agency, and financial institution is preparing for the day it might. What they're building toward is called quantum-resistant encryption, and understanding it helps explain a significant shift happening inside the financial system right now.
This isn't a distant theoretical concern being moved to the top of the priority list for no reason. It's a response to a real and accelerating timeline – one that has prompted the US government to set formal standards and pushed global banks to begin upgrading systems years before the threat is expected to fully materialize.
To understand why quantum computers pose a threat, it helps to understand what current encryption actually does.
When you log into your bank, send a payment, or check your investment account, your data is scrambled using a mathematical process that turns readable information into unreadable code. The scrambling relies on problems that are extraordinarily difficult to solve – specifically, the mathematical challenge of factoring very large numbers into their prime components. For example, multiplying two large prime numbers together is easy. Figuring out which two prime numbers were multiplied together when you're only given the result is, for a conventional computer, computationally impractical at sufficient key sizes. The two most widely used systems in banking – RSA and elliptic curve cryptography – both rely on this kind of mathematical difficulty as their security foundation.
The key insight is that current encryption isn't secured by a physical lock. It's secured by a math problem that would take too long to solve to be worth attempting. Everything changes if the math problem becomes solvable in a reasonable timeframe.
A conventional computer processes information in bits – each one is either a 0 or a 1. A quantum computer uses quantum bits, called qubits, which can exist in both states simultaneously through a property called superposition. Combined with another quantum property called entanglement, this allows a quantum computer to explore many possible solutions to a problem at the same time rather than checking them one by one.
For most everyday computing tasks – browsing the internet, running software, streaming video – this doesn't matter. Quantum computers aren't faster at general tasks. But for specific categories of mathematical problems, including exactly the kind of factoring problem that underpins RSA encryption, quantum computers are theoretically capable of exponential speedups. A well-known quantum algorithm called Shor's algorithm, developed in 1994, can factor large numbers dramatically faster than any conventional approach. On a sufficiently powerful quantum computer, it would break RSA encryption that would otherwise take millions of years to crack.
The catch is "sufficiently powerful." Current quantum computers are noisy, error-prone, and operate with far fewer qubits than would be needed to run Shor's algorithm against real-world banking encryption keys. But the trajectory of quantum computing development has accelerated significantly, and the concern in the financial security community isn't that it will happen tomorrow – it's that it could happen within a decade or two, which is a very short window given how long it takes to upgrade the financial system's foundational security infrastructure.
Here's the risk that makes this genuinely urgent even before quantum computers are powerful enough to break encryption in real time.
Sophisticated actors – nation-states being the primary concern – can intercept and store encrypted financial communications and data today, with the intention of decrypting them later once quantum computing capability has advanced sufficiently. This is called a "harvest now, decrypt later" attack, and it means that data being transmitted right now could be vulnerable to future decryption even if today's encryption is perfectly secure today.
For most personal banking transactions, this may not matter much – your mortgage payment from 2025 isn't particularly sensitive a decade from now. But for high-value financial transactions, long-term contractual agreements, sensitive regulatory communications, and any data that retains value or sensitivity over time, the harvest-now-decrypt-later risk is real and consequential. This is one of the primary reasons financial institutions aren't waiting for quantum computers to arrive before beginning the transition.
Quantum-resistant encryption – also called post-quantum cryptography (PQC) – refers to cryptographic algorithms that are designed to be secure against both conventional computers and quantum computers. Rather than relying on the mathematical difficulty of factoring large numbers (which quantum computers can overcome), these algorithms are built on different mathematical foundations that remain hard to solve even for quantum systems.
The leading approaches involve problems from areas like lattice-based cryptography, hash-based cryptography, and code-based cryptography – mathematical structures where the known quantum algorithms don't provide a meaningful speedup. To use a rough analogy: if RSA is a combination lock that a quantum computer can open quickly because it can try all combinations simultaneously, lattice-based cryptography is a different kind of lock with a different mechanism that doesn't benefit from that simultaneous-trial approach.
In August 2024, the US National Institute of Standards and Technology (NIST) finalized its first set of post-quantum cryptographic standards after an eight-year evaluation process involving cryptographers worldwide. The standards – covering algorithms named ML-KEM, ML-DSA, and SLH-DSA – represent the official recommended foundation for quantum-resistant security in the US. These standards matter because they give financial institutions a clear, vetted set of algorithms to migrate toward rather than each developing their own approach.
The financial sector has several characteristics that make early adoption of post-quantum cryptography particularly important.
The sheer scale and age of banking infrastructure is the starting point. Major banks run systems built over decades, with layers of technology that don't get replaced quickly. Migrating encryption across an entire global bank – covering every transaction, every communication channel, every database, every connection with partner institutions and regulators – is an enormous multi-year undertaking. Beginning that process now, while the threat window is still ahead of them, is more manageable than scrambling after quantum computing capability has actually arrived.
Regulatory pressure is also building. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance urging critical infrastructure sectors – including financial services – to begin post-quantum migration planning immediately. The Financial Stability Board and other international regulatory bodies have flagged quantum computing as a systemic risk to financial stability that warrants proactive attention. For regulated institutions, guidance from these bodies isn't optional reading.
Several major banks have already begun pilot programs. JPMorgan Chase has been testing quantum-resistant cryptography in live financial transaction environments and published research on quantum key distribution (a related but distinct quantum security technology). HSBC, IBM, and the European Central Bank have similarly been conducting research and pilot implementations. These aren't public relations announcements – they represent the early stages of genuine infrastructure migration that will take years to complete.
In the near term, the honest answer is: very little changes for you as a customer. The migration to quantum-resistant encryption happens at the infrastructure level. You won't need a new password, a new app, or a new account. The protocols protecting your transactions will be updated under the hood, similar to how banks have periodically upgraded encryption standards in the past without customers needing to do anything.
The longer-term implication is more significant: the transition represents a necessary investment in keeping your financial data secure as computing power evolves. Banks that manage this transition well maintain the security foundation that makes online banking, digital payments, and mobile investing trustworthy. Banks that delay face the possibility of operating on infrastructure that sophisticated attackers can eventually compromise.
It's also worth noting that quantum-resistant encryption is a defense against a future threat, not a response to a current attack. Your online banking is secure today. This is the financial system doing what sound infrastructure management requires – preparing for a foreseeable risk before it becomes an active one.
Post-quantum cryptography is mathematically promising but not without uncertainty. The algorithms NIST has standardized are the best available candidates based on current mathematical understanding, but cryptography has historically produced surprises – algorithms that seemed secure were later found to have weaknesses. One of the NIST candidate algorithms was broken during the evaluation process itself. The field continues to evolve, and the standards will likely be revisited as understanding develops.
The migration itself also introduces transition risks. Running old and new encryption systems in parallel during a changeover period creates complexity, and complexity creates potential vulnerabilities. The financial industry's experience with previous cryptographic transitions – from DES to AES, from SHA-1 to SHA-256 – suggests these transitions are manageable but require careful execution.
Quantum computing's own timeline remains genuinely uncertain. The technology is advancing, but predicting when a cryptographically relevant quantum computer will exist is difficult, and expert estimates range from a decade to several decades. The uncertainty cuts both ways: the threat may arrive faster than expected, or slower – but the cost of preparing too early is much lower than the cost of being unprepared.
Do I need to do anything to protect my accounts from quantum threats?
No action is required from individual customers. Banks and financial institutions handle cryptographic security at the infrastructure level. Your responsibility remains the same as always: use strong, unique passwords, enable two-factor authentication, and be alert to phishing attempts. The quantum-resistant transition happens entirely on the institution's side.
Is quantum computing a current threat to my bank account?
Not right now. No quantum computer currently exists that is capable of breaking the encryption protecting real-world financial systems. The concern is forward-looking – building defenses ahead of when that capability might arrive, and protecting long-lived sensitive data from harvest-now-decrypt-later attacks.
What's the difference between quantum-resistant encryption and quantum encryption?
These are different things. Quantum-resistant encryption (post-quantum cryptography) is classical encryption built on math that quantum computers can't easily break. Quantum encryption – specifically quantum key distribution (QKD) – uses quantum physics itself to secure communications, making eavesdropping detectable. Both are being explored in financial security research, but post-quantum cryptography is the more immediately practical and scalable approach for most banking applications.
How long will the transition take?
Industry estimates suggest a full transition of large financial institutions could take a decade or more given the scale and complexity of their systems. NIST's 2024 finalization of standards was a critical milestone that gives institutions a stable target to migrate toward, and many have already begun. The process is a marathon, not a sprint.
The shift to quantum-resistant encryption is one of the most significant infrastructure upgrades in the history of financial security, even though most customers will never notice it happening. It's the kind of work that only becomes visible when it isn't done – when a future threat arrives and the systems meant to protect your money turn out to be unprepared. The banks moving now are making a long-term bet that being early is worth the cost of the transition. Given what's at stake, it's a reasonable bet to make.
NIST – Post-Quantum Cryptography standards finalization (August 2024) – https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
CISA – Post-Quantum Cryptography initiative and migration guidance – https://www.cisa.gov/quantum
JPMorgan Chase – Quantum computing and cryptography research – https://www.jpmorgan.com/technology/technology-blog/quantum-key-distribution
Financial Stability Board – Quantum computing and financial stability – https://www.fsb.org/2024/11/the-financial-stability-implications-of-quantum-computing/
NIST – Post-Quantum Cryptography project overview – https://csrc.nist.gov/projects/post-quantum-cryptography
IBM – Quantum computing and financial services – https://www.ibm.com/thought-leadership/institute-business-value/en-us/report/quantum-financial-services
