Q-Day and Banking: How the Financial Sector Is Preparing for Quantum Risk

qdayiscoming.com — April 2026

Of all the industries exposed to Q-Day, banking and financial services face some of the most acute risks. The entire infrastructure of modern finance — payment processing, interbank settlement, digital signatures on transactions, authentication of customers and counterparties — relies on the same public-key cryptographic foundations that a sufficiently powerful quantum computer could break. And the financial sector's exposure is not merely future-facing: the harvest now, decrypt later threat means that encrypted financial data transmitted today may already be in the hands of adversaries waiting for the technology to catch up.

What makes banking uniquely vulnerable

Financial institutions depend on public-key cryptography at every layer of their operations. RSA and elliptic curve cryptography (ECC) underpin TLS connections to banking apps and websites, authenticate SWIFT interbank messages, sign digital certificates for online banking, and protect the long-term records that regulatory compliance requires. Unlike, say, a consumer website, banks cannot simply swap out cryptographic libraries and redeploy over a weekend. Their systems are deeply integrated, often running on legacy infrastructure decades old, with cryptographic dependencies embedded across thousands of applications and third-party services.

The scale of the problem is vast. A large international bank may have hundreds of thousands of cryptographic endpoints — individual systems, APIs, hardware security modules, VPNs, and certificates — that all need to be inventoried, assessed, and migrated. The Bank for International Settlements estimated in 2024 that the global financial system has cryptographic exposure across more than two billion active TLS certificates, tens of thousands of SWIFT member institutions, and the entire architecture of central bank digital infrastructure.

The immediate risk: harvesting financial data today

The theoretical nature of Q-Day does not mean the risk is only theoretical. State-sponsored actors — particularly those with long-term strategic interests in financial intelligence — are believed to be collecting encrypted financial communications right now, storing them in anticipation of future quantum decryption. Interbank messages, regulatory filings, M&A due diligence communications, and long-term bond transaction records all carry value on a timeline that extends well beyond the few years before Q-Day is expected to arrive.

This means banks that handle sensitive long-lived financial information cannot simply wait until quantum computers are commercially available to begin their migration. By the time a cryptographically relevant quantum computer (CRQC) exists, the window to protect data that has already been harvested will have closed. The question is not "when do we need post-quantum encryption?" but "what data transmitted today has a secrecy requirement that extends past 2029?"

What major financial institutions are doing

The most advanced institutions have already moved from assessment to active migration. SWIFT, the messaging network that processes over $5 trillion in daily interbank transactions, began publishing quantum-readiness guidance in 2023 and has since incorporated post-quantum algorithm testing into its future messaging protocol roadmap. The European Central Bank has listed quantum computing as a key risk in its financial stability assessments and is working with Eurosystem central banks on coordinated migration planning.

Several major U.S. banks — including JPMorgan Chase and Goldman Sachs — have publicly acknowledged active post-quantum cryptography (PQC) programs. JPMorgan published research in 2022 demonstrating a quantum key distribution implementation for financial transactions. HSBC and Barclays have partnered with quantum security vendors to test hybrid classical-quantum encryption schemes for data in transit.

The U.S. Federal Reserve and the Office of the Comptroller of the Currency have both issued guidance urging financial institutions to treat PQC migration as a board-level risk management issue, with the expectation that institutions will have completed cryptographic inventories and begun migrations by 2027 at the latest.

Central bank digital currencies and quantum risk

Central bank digital currencies (CBDCs) introduce a specific dimension of Q-Day risk that is attracting growing attention. CBDCs being designed or piloted today — including the digital euro, the digital yuan, and the digital dollar pilot programs — are being built with cryptographic assumptions that may not hold for their full operational lifetimes. A digital currency system designed today and deployed for 20 years will be operating well past the most conservative Q-Day estimates.

Several central banks, including the Bank of England and the Riksbank, have explicitly stated that post-quantum cryptography must be part of any CBDC design specification. The Bank for International Settlements' Project Tourbillon, a CBDC research initiative, has incorporated quantum resistance as a core design criterion. For systems that will not be replaced or substantially upgraded for a generation, getting the cryptographic foundation right at the outset is critical.

The migration challenge: scale, legacy, and supply chain

The practical challenge facing most banks is not awareness — it is execution. Migrating a major bank's cryptographic infrastructure requires coordinating changes across core banking systems, payment processors, correspondent banking networks, regulatory reporting platforms, and thousands of customer-facing applications. Many of these systems involve third-party vendors whose own upgrade timelines are outside the bank's control.

Legacy infrastructure compounds the problem. Core banking systems at large institutions often run on COBOL-based mainframes installed in the 1980s and 1990s, with cryptographic capabilities that are deeply embedded rather than modular. Replacing the cryptographic layer in such systems is not a software patch — it can require fundamental architectural changes that take years to plan and implement safely.

The NSA's CNSA 2.0 directive provides a useful benchmark: even for the most prepared and well-resourced organizations (U.S. national security agencies), the migration deadline is 2030 — and that deadline was set in 2022 with the explicit understanding that eight years would be barely sufficient. Commercial banks operating on similar infrastructure complexity but without the NSA's resources and mandate should not assume they can begin later and still finish in time.

What a Q-Day-ready bank looks like

The institutions furthest ahead share a common set of practices. They have completed comprehensive cryptographic inventories — systematic catalogues of every system, protocol, and certificate that uses public-key cryptography. They have classified their data by sensitivity and longevity, identifying which datasets require the earliest migration based on their exposure to harvest-and-decrypt attacks. They are running hybrid encryption — using both classical and post-quantum algorithms simultaneously — as a transitional measure that protects against Q-Day without requiring a complete overnight switch.
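
The following is an added example, not part of the original article: a small triage over a cryptographic inventory that applies the earlier question (does data sent today need secrecy past 2029?) together with the classification by longevity described above. The inventory rows, system names, tier labels and the 2026 transmission year are assumptions constructed for illustration.

```python
import csv
import io

HORIZON_YEAR = 2029  # secrecy cut-off year taken from the article
SENT_YEAR = 2026     # assumption: data is transmitted in the article's year

# Classical public-key algorithms that Shor's algorithm breaks.
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH"}
# Post-quantum (NIST ML-KEM / ML-DSA) or hybrid (TLS X25519MLKEM768) choices.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "X25519MLKEM768"}

# Constructed sample inventory; every system name here is hypothetical.
INVENTORY_CSV = """system,use,algorithm,secrecy_years
mobile-banking-tls,key_exchange,ECDH,2
interbank-messaging-vpn,key_exchange,RSA,10
ma-dataroom-tls,key_exchange,X25519MLKEM768,15
payment-signing-hsm,signature,ECDSA,0
bond-records-archive,key_exchange,RSA,30
legacy-batch-link,key_wrap,AES-256,5
"""

def classify(row):
    """Return the migration tier for one inventory row."""
    alg = row["algorithm"]
    if alg in QUANTUM_SAFE:
        return "ok"
    if alg not in QUANTUM_VULNERABLE:
        return "review"  # symmetric or unrecognised: needs a human decision
    expires = SENT_YEAR + int(row["secrecy_years"])
    # Only confidentiality can be harvested today and decrypted later;
    # signatures must instead be migrated before a CRQC exists.
    if row["use"] == "key_exchange" and expires > HORIZON_YEAR:
        return "harvest-exposed"
    return "migrate-before-crqc"

def triage(csv_text):
    """Group system names by tier, longest secrecy requirement first."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: -int(r["secrecy_years"]))
    tiers = {}
    for row in rows:
        tiers.setdefault(classify(row), []).append(row["system"])
    return tiers

if __name__ == "__main__":
    for tier, systems in triage(INVENTORY_CSV).items():
        print(f"{tier}: {', '.join(systems)}")
```

Systems in the harvest-exposed tier are the ones where hybrid key establishment pays off first, because their traffic is already worth storing.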

Critically, they have also extended their quantum risk assessment to their supply chains, requiring major technology vendors and correspondent banking partners to demonstrate their own PQC readiness. A bank that migrates its own systems but continues to exchange unprotected messages with its payment processing partners has not reduced its actual exposure.

For institutions that have not yet started, the guidance from regulators, the NSA, and NIST is consistent: the time to begin a structured migration program is now. The timeline has shortened substantially since 2019, and it has not shown any sign of lengthening.