The Current State: Inventory and Assessment
As of mid-2026, the largest financial institutions globally are in the cryptographic inventory and threat assessment phase of post-quantum migration. None of the Tier 1 banks have completed production migrations to FIPS 203 or FIPS 204 algorithms for core banking cryptography. Several have completed proof-of-concept deployments, published research on quantum risk, or implemented quantum key distribution experiments on specific network segments. The gap between experimental work and production migration is significant, and the regulatory timeline is beginning to close it.
The banking sector's migration challenge is structurally different from other industries. Bank-grade cryptography spans decades of legacy infrastructure, from SWIFT messaging protocols to ATM PIN encryption to digital certificate chains for internet banking. The attack surface is enormous, the regulatory environment is highly prescriptive, and the cost of a cryptographic failure is systemic rather than organizational. These factors explain why banks are moving deliberately rather than rapidly, and why regulators are beginning to apply pressure to accelerate.
BIS and FSB: Setting the International Framework
The Bank for International Settlements (BIS) published working papers on quantum computing risks to financial infrastructure beginning in 2022. BIS Working Paper No. 1065, "Quantum Computers and the Financial System," assessed that the financial system faces material risk from cryptographically relevant quantum computers and that current timeline estimates, while uncertain, justify immediate migration planning. The BIS analysis identified SWIFT messaging, real-time gross settlement systems, and public-key infrastructure for digital banking as the highest-priority targets for migration.
The Financial Stability Board (FSB), which coordinates global financial regulation across G20 jurisdictions, published quantum computing risk assessment guidance in 2023. The FSB framed quantum risk as a category of operational risk under Basel III/IV frameworks, noting that failure to migrate cryptographic systems before a CRQC becomes available constitutes a systemic risk to financial stability. The FSB's framing is significant because it brings quantum migration within the scope of existing operational risk capital requirements rather than creating a separate regulatory category.
What Major Banks Have Disclosed
JPMorgan Chase has been the most publicly transparent major U.S. bank on post-quantum research. JPMorgan's research team published work on quantum key distribution in 2023 and has engaged actively with NIST's PQC standardization process. The bank's public position is that post-quantum migration is a multi-year enterprise migration program that began in earnest with the NIST standards finalization in August 2024.
HSBC conducted quantum key distribution experiments on live network infrastructure in 2023, using QKD to protect interbank communications between London offices. HSBC's experiment demonstrated technical feasibility but also underscored that QKD is a niche solution for specific high-value links, not a scalable replacement for public-key cryptography across the full banking infrastructure. HSBC's subsequent migration planning has focused on NIST PQC algorithms rather than QKD for broad deployment.
ING published post-quantum testing results in 2022 and 2023, focusing on the performance impact of ML-KEM and ML-DSA on banking application servers. ING's findings, broadly consistent with other industry benchmarks, showed that ML-KEM key generation and encapsulation added acceptable overhead for authentication and session establishment, but that ML-DSA signature verification at high transaction volumes required hardware acceleration or algorithmic optimization to maintain throughput requirements.
The Systems Most at Risk
The banking systems with the highest quantum risk exposure are those that combine long data sensitivity lifetimes with high-value content and current classical algorithm dependence. Four categories stand out.
SWIFT messaging infrastructure underpins virtually all cross-border payments. SWIFT messages are digitally signed and encrypted using RSA and ECC algorithms. A CRQC could retroactively decrypt archived SWIFT traffic, exposing years of interbank payment flows, counterparty relationships, and transaction metadata. SWIFT has published a post-quantum roadmap but has not yet mandated algorithm migration across its network.
Clearing and settlement systems, including those operated by DTCC, LCH, and Eurex Clearing, rely on digital signatures for trade confirmation, netting calculations, and final settlement. These systems process trillions of dollars in daily settlement value. The cryptographic infrastructure protecting these systems was designed in the 1990s and 2000s, when RSA-2048 and ECDSA were considered computationally secure for the foreseeable future.
Digital signatures on securities, including electronically signed bond indentures, derivatives confirmation documents, and custody records, may need to remain verifiable for the lifetime of the instrument, which can extend 30 years or more. Securities signed with ECDSA today must remain legally and cryptographically verifiable in 2056. The harvest-now/decrypt-later threat to these records is direct.
Public key infrastructure for internet banking and mobile applications uses TLS and code signing certificates that are renewed annually or biennially. The short renewal cycles make TLS migration the most tractable near-term migration target in banking. Certificate authorities including DigiCert and Entrust have announced timelines for post-quantum certificate issuance.
Regulatory Guidance: OCC, ECB, and Basel
The OCC (Office of the Comptroller of the Currency) published guidance on managing quantum computing risks in technology risk management examinations in 2024. The OCC's guidance directs national banks and federal savings associations to include quantum computing risk in their technology risk assessments, establish cryptographic inventories, and develop migration roadmaps with specific milestones. The OCC has indicated that quantum migration readiness will be part of examination procedures beginning with 2026 examination cycles.
The European Central Bank's cyber resilience oversight framework, updated in 2024, explicitly references post-quantum cryptography preparedness as a component of cyber hygiene for financial market infrastructures (FMIs). FMIs supervised by the ECB, including major clearing houses and settlement systems, are required to demonstrate PQC migration planning as part of their annual cyber resilience assessments.
Under Basel III/IV's operational risk framework, quantum computing risk qualifies as a technology risk that must be assessed, monitored, and capital-reserved against. The FSB's framing of quantum risk as systemic operational risk means that banks with inadequate migration plans could face higher operational risk capital requirements. This creates a direct financial incentive, separate from regulatory compliance, to accelerate migration planning.
Practical Timeline: What to Expect
Based on public disclosures, regulatory timelines, and the technical scope of banking cryptographic infrastructure, the realistic migration timeline for major banks is as follows. Most Tier 1 institutions will complete cryptographic inventories and threat assessments by end of 2026. Hybrid mode deployment for high-priority systems, particularly internet banking TLS and SWIFT message signing, is expected in 2027-2028. Core banking system migration, including ATM networks, clearing infrastructure, and legacy payment rails, is expected 2029-2032. Full deprecation of classical algorithms is a 2032-2035 outcome for the most conservative institutions.
For blockchain and fintech companies that operate alongside or in partnership with traditional banks, this timeline defines the window for competitive alignment. A blockchain payment network that completes post-quantum migration in 2028 will be positioned to demonstrate compliance when banks begin requiring it of counterparties in 2029-2030. Protecting cryptographic assets from quantum threats is not just a security improvement; in the banking context, it is becoming a prerequisite for institutional partnership.
