logo

Building resilience for a quantum-ready financial system

Building resilience for a quantum-ready financial system
Author
Written by Nanda Lakhwani
  • Nov 27, 2025
  • 14 min read

Quantum computing is still emerging, but its security implications have entered the financial system’s planning horizon. Banks and regulators are now confronting the multi-year task of mapping cryptographic exposure, modernising architecture and coordinating ecosystem-wide migration to quantum-safe standards

Quantum computing—long treated as a distant research frontier—is now close enough to reshape how financial institutions plan for security and operational continuity. Progress in hardware, the formalisation of post-quantum cryptographic standards and the growing sophistication of threat actors are pushing these issues into the mainstream of industry and supervisory agendas.

At the Singapore FinTech Festival (SFF) 2025, conversations converged around timelines, operational constraints, cryptographic inventories, supply-chain dependencies and the practicalities of re-architecting systems carrying decades of technical debt. The urgency is reinforced by clearer expectations. Ray Harishankar, IBM Fellow for Quantum Safe Technology, noted that the past decade has seen “much more progress in quantum computing than in the previous 20 years”, with IBM on track to deliver its first fault-tolerant quantum system in “the 2029 timeframe”.

Although first-generation fault-tolerant systems will not immediately threaten today’s public-key cryptography, authorities including the United States National Security Agency (NSA) and the United Kingdom National Cyber Security Centre (NCSC) now place the threat window in the early to mid-2030s—near enough for institutions handling long-lived sensitive data.

The more immediate problem is that attackers have already adapted. “Motivated bad actors are exfiltrating information today with absolutely no way of decrypting it, in the hope that sometime in the future they will,” Harishankar warned. This “harvest now, decrypt later” incentive shifts the cost of inaction squarely into the present: data stolen today may still be sensitive when quantum capabilities mature.

For banks, which manage customer identities, market-infrastructure logs, long-dated settlements and insurance records, the implications are structural. Quantum-safe transition intersects with cloud modernisation, application programming interface (API) governance, artificial intelligence (AI) deployment and the evolution of cross-border payment schemes, demanding disciplined governance and infrastructure alignment beyond cybersecurity teams alone.

Ray Harishankar
IBM Fellow, Quantum Safe

Visibility and cryptographic mapping

The foundational challenge is visibility. The Monetary Authority of Singapore (MAS) has emphasised that most institutions still lack a complete understanding of where cryptographic functions reside across systems, vendors, APIs, mobile clients and legacy platforms. This becomes untenable as institutions prepare for post-quantum cryptography (PQC) adoption.

Hart Montgomery, chief technology officer of Linux Foundation Decentralised Trust and executive director of the Post-Quantum Cryptography Alliance, noted that cryptographic functions are often deeply embedded and inconsistently implemented. First attempts at inventories routinely reveal weaknesses that matter long before quantum hardware matures: outdated hash functions, short RSA keys, expired certificates or divergent configurations across business lines. “An inventory gives you a factual baseline,” Montgomery said. “You can’t prioritise or sequence a migration plan if you don’t know what you’re running.” An incomplete inventory can delay algorithm retirement, complicate vendor alignment and create uneven risk exposure across business units.

IBM has spent years addressing this challenge. Harishankar described how IBM’s discovery tooling scans codebases and network traffic to detect cryptographic usage, feeding results into a cryptography bill of materials (C-BOM), now aligned with the CycloneDX standard. This allows institutions to map dependencies not only internally but across vendors, cloud providers and payment-rail partners.

Regulators around the world—including MAS, the NSA, the United States National Institute of Standards and Technology (NIST) and the NCSC—echo the same requirement: catalogue cryptographic assets, identify vulnerable algorithms and assess substitutability.

Among banks, HSBC and UOB have taken early steps. HSBC Singapore chief operating officer Tancy Tan said the bank is building crypto-agility and visibility across core functions, forming the basis for subsequent PQC and hybrid-model pilots. UOB group chief information security officer Tobias Gondrom noted that the bank identified quantum-safe transition as an emerging risk years ago, enabling earlier planning.

One under-recognised risk is the inconsistency of hybrid deployments. Montgomery cautioned that if institutions combine classical and quantum-safe algorithms in incompatible patterns, “uncoordinated hybrid deployments can disrupt interoperability across payment networks”—especially as systems become more interconnected.

Tobias Gondrom
Group Chief Information Security Officer, UOB

Agility and architectural readiness

Once visibility is established, the next priority is architecture. The financial sector is converging around the principle of cryptographic agility: the ability to change algorithms or key types without rewriting business logic.

Montgomery called agility the most important determinant of whether post-quantum transition will be orderly or chaotic. Abstraction layers must encapsulate cryptographic functions behind stable interfaces so future algorithm swaps require configuration changes, not code refactoring.

Harishankar emphasised that institutions should embed these abstraction layers now, as PQC standards will continue evolving. Preparing early reduces operational risk when standards stabilise and ensures compatibility across cloud, vendor and payment-rail environments.

Performance trade-offs are unavoidable. PQC signatures and keys are significantly larger than their RSA or elliptic-curve cryptography (ECC) equivalents, which can introduce latency into real-time payment rails and increase bandwidth demands across mobile and API-driven channels.

Tan argued that agility is not a performance luxury but an architectural requirement. “Quantum readiness is not about predicting hardware breakthroughs but ensuring the bank has the governance, architecture and talent to adapt,” she said.

Talent is a bottleneck. There is global scarcity of cryptographers, engineers familiar with PQC, and specialists fluent in both modern cloud architecture and legacy mainframes. Gondrom added that many institutions have not undertaken cryptographic transitions at scale since the shift from Data Encryption Standard (DES) to Advanced Encryption Standard (AES), creating operational gaps.

Gondrom also highlighted dependence on evolving protocol standards. While NIST has selected initial PQC algorithms, the Internet Engineering Task Force (IETF) is still updating transport-layer protocols to support them, making transition inherently staged and iterative.

Tancy Tan
Chief Operating Officer, HSBC Singapore

Governance and supervisory alignment

Quantum-safe readiness has moved firmly into the domain of operational-risk governance. MAS integrates quantum-related risks into its broader resilience framework alongside cloud concentration, AI governance and third-party dependencies. Boards are expected to ensure governance structures, escalation mechanisms and expertise are adequate to support multi-year cryptographic migration.

HSBC’s governance model reflects this shift. Tan said its quantum centres of excellence in the United Kingdom and Singapore guide architecture, standards and capability building across the bank.

Gondrom noted that governance now extends across borders. UOB aligns its ASEAN operations under Singapore’s Technology Risk Management (TRM) framework to reduce fragmentation. Rapid threat-intelligence sharing—often within minutes, within Singapore’s banking landscape—is now a baseline expectation across the sector.

Harishankar stressed that cryptographic migration should be treated as a governed organisational programme. Inventories, C-BOMs and algorithm-retirement plans require executive ownership, and governance must include vendors, cloud providers and interbank partners. Quantum risk must align with frameworks governing cloud, cyber and operational continuity. This becomes even more critical as cryptographic dependencies extend across borders and into shared payment rails, where weaknesses can propagate across institutions and jurisdictions.

Cross-border payment rails and systemic dependencies

Quantum-safe readiness must be coordinated across payment schemes, clearing systems and interoperability frameworks. Southeast Asia’s real-time infrastructures—such as PayNow–DuitNow, PromptPay and QRIS—depend on consistent cryptographic standards across jurisdictions.

Harishankar pointed to IBM’s collaboration with the Emerging Payments Association Asia (EPAA)—whose members include ANZ, Commonwealth Bank, HSBC, PayPal Australia, Standard Chartered and others—as part of early post-quantum transition efforts. The consortium formed because “payments is so regional” and requires an understanding of the “regional nuances” that shape how transactions flow across borders. EPAA has since grown to around 40 members, reflecting the scale and interconnectedness of the challenge.

Gondrom added that attackers increasingly target ecosystem dependencies such as telcos, merchants and customer interfaces, often using AI-driven phishing and impersonation because they “choose the easiest path”.

MAS’ Operational Resilience Framework and TRM guidance stress that cloud reliance, vendor concentration and emerging technologies must be managed under a unified operational-resilience framework. Institutions remain fully accountable for continuity even when operating across shared systems.

Distributed-ledger technologies introduce further complexity. The Global Financial Technology Network (GFTN) has noted that tokenised market infrastructures rely heavily on ECC. Without coordinated PQC migration, immutable ledgers face unique risks because historical signatures cannot be rotated.

GFTN also warns that inconsistent PQC adoption across different DLT protocols could create interoperability gaps across token-bridging networks, wholesale central bank digital currency (CBDC) pilots and cross-border settlement channels, reinforcing the need for ecosystem-wide coordination rather than isolated upgrades.

Hart Montgomery
Chief Technology Officer, Linux Foundation Decentralised Trust & Executive Director, Post-Quantum Cryptography Alliance

QKD sandbox and practical limits

While PQC replaces RSA and ECC with quantum-resistant algorithms, quantum key distribution (QKD) uses quantum physics to generate and exchange encryption keys. Each sits at a different layer of the security stack and serves distinct functions.

Few regulators have tested QKD at scale, and MAS is among them. Together with DBS, UOB, OCBC, SPTel and SpeQtral, MAS has completed a trial evaluating whether QKD could secure customer data, branch links and data-centre corridors within production-adjacent environments under the National Quantum-Safe Network (NQSN).

The published findings highlight key limitations: the need for tamper-resistant trusted nodes, complex vendor integration and the limited practicality of QKD outside fixed point-to-point corridors. These constraints reinforce the conclusion that QKD is suitable for controlled, high-value links, but PQC remains necessary for all public-facing and large-scale systems.

Gondrom summarised this directly: “We cannot deploy QKD between us and every single customer.” Because QKD is restricted to fixed corridors, it cannot secure bank-to-customer or API-driven communication channels. PQC is therefore unavoidable for the broader financial system. Tancy added that the trial has paved the way for future collaboration on quantum-safe pathways for the region’s financial sector.

Europe’s Banque de France—working with the BIS Innovation Hub—is examining a similar “sovereign shield” concept to harden cross-border payment links between Paris, Frankfurt and the Eurosystem’s evolving infrastructure. The project is exploring quantum-safe protections for high-value settlement corridors within the eurozone, where real-time gross settlement (RTGS), securities and instant-payment infrastructures converge under shared governance. As with Singapore’s trials, the focus is on securing critical interbank links that support wholesale payments and market-infrastructure operations.

Early value creation through quantum-inspired computing

Quantum-related progress is not purely defensive. Lisa Schröder, accelerator director for Singapore at QAI Ventures—a specialist deep-tech investor focused on quantum and advanced computation—observed that financial institutions are already benefiting from quantum-inspired optimisation techniques deployable on classical hardware.

During QAI’s hackathon with DBS, teams tested approaches for fraud detection, ESG-aware portfolio optimisation, liquidity-risk modelling and scenario generation. Schröder cited Multiverse’s work with Moody’s Analytics to accelerate valuation workloads as evidence that early production-grade use cases are emerging.

HSBC is also experimenting. Tan noted that these techniques map naturally to the bank’s optimisation and modelling workloads—from Monte Carlo acceleration to liquidity-risk analysis—showing that early quantum value is surfacing in data- and compute-intensive risk functions well before scalable hardware arrives. She added that HSBC’s pilot with IBM delivered a 34% improvement in predicting bond-trade outcomes in the European credit market, reinforcing the potential for quantum-inspired models to enhance classical analytics in production-adjacent settings.

Lisa Schröder,
Singapore Accelerator Director, QAI Ventures

Towards a credible and coordinated transition

A coherent roadmap for quantum-safe transition is beginning to take shape across the industry. The journey starts with visibility: institutions must build comprehensive cryptographic inventories and establish a factual baseline of vulnerabilities before any migration plan can be sequenced. From there, the focus shifts to architecture. Banks need to encapsulate cryptography behind stable interfaces, embed agility into system design and enforce disciplined documentation to ensure future algorithm changes can be executed without deep code rewrites.

The roadmap then extends into the supply chain. Vendors, cloud partners and payment-rail providers must demonstrate that their systems can support post-quantum cryptography, as institutions cannot progress if their dependencies lag behind. Ultimately, success depends on ecosystem alignment—coordinating migration sequencing, interoperability standards and cross-border dependencies across increasingly interconnected financial infrastructures.

The transition will not unfold in a straight line. Post-quantum and classical cryptography will coexist for years, and quantum key distribution will remain confined to specific, tightly controlled corridors.

Because PQC introduces larger keys and signatures, institutions must redesign payment and authentication flows to prevent latency and throughput degradation; these performance penalties will not disappear on their own and must be engineered out through architectural and protocol optimisation, while talent shortages in cryptography and legacy system engineering will continue to press on timelines.

Yet despite these constraints, a pragmatic consensus is emerging: quantum-safe readiness must be treated as an integral component of operational resilience, not as a discretionary or experimental technical initiative. Institutions that embed this mindset early will be best positioned to manage the decade-long transition ahead.

A sector beginning to move

At SFF 2025, Harishankar observed that enterprises are increasingly “pulling” rather than vendors “pushing” the quantum-safe agenda. Tan highlighted strategic alignment across banks, telcos, researchers and regulators. Schröder pointed to Singapore’s emerging role as the launchpad for Europe–Asia quantum and AI commercialisation.

Yet readiness across the region remains uneven. Singapore is beginning coordinated migration planning, while other ASEAN jurisdictions remain in early assessment phases. Progress depends on regulatory clarity, institution size and digital-infrastructure maturity.

Institutions that act early—building complete inventories, embedding abstraction layers and aligning vendors and payment partners now rather than waiting for standards to finalise—will be best positioned for the decade ahead.