The real reason banks are transitioning to post-quantum cryptography now
- Johan Steyn
- 13 hours ago
- 4 min read
It’s not panic, it’s programme management: long timelines, deep dependencies, and high-stakes trust.
Audio summary: https://youtu.be/jyAdWcKPy5M
Follow me on LinkedIn: https://www.linkedin.com/in/johanosteyn/
When people hear “quantum computing”, they often assume the threat is decades away. That is precisely why serious financial institutions are acting now. Post-quantum cryptography is not a switch you flip when a new machine arrives. It is a multi-year migration across thousands of systems, vendors, and integrations that underpin payments, trading, identity, mobile banking, and customer data.
In January 2026, the G7 Cyber Expert Group, co-chaired by the U.S. Treasury and the Bank of England, published a transition roadmap urging early, coordinated action across the financial sector. The quiet message is simple: the technology timeline and the financial system’s change timeline do not match, so waiting is the riskiest strategy.
CONTEXT AND BACKGROUND
Post-quantum cryptography (PQC) refers to encryption methods designed to resist attacks from sufficiently powerful quantum computers. The concern is not that quantum computers will suddenly “hack the bank” overnight. The concern is that some of today’s widely used public-key cryptography could be broken in the future, undermining the confidentiality and authenticity that modern finance depends on.
What makes this particularly urgent for banks is how deeply cryptography is embedded. It sits in the background of everything: secure web connections, app logins, device authentication, payment messages, digital signatures, certificate chains, and long-term archives. Unlike a consumer app update, cryptography changes ripple through performance, interoperability, compliance, and operational resilience.
That is why regulators and industry bodies are increasingly framing PQC as a stability and migration issue. Europol recently highlighted practical approaches to prioritising migration in financial services, focusing on which systems are both high-risk and slow to change.
INSIGHT AND ANALYSIS
Here is the uncomfortable truth: most financial firms cannot “do PQC” quickly even if they want to. Core banking platforms are often decades old. Payment rails are interconnected with third parties. Vendor release cycles are slow and heavily regulated. Testing windows are constrained because downtime is expensive and reputationally dangerous. Even the most capable institutions rely on suppliers for hardware security modules, operating systems, network appliances, and cloud services.
This is exactly why boards are now asking a different question. Not “When will quantum computers arrive?” but “How long will it take us to transition safely?” In other words, the key risk is not the theoretical moment quantum breaks a cryptographic primitive. The key risk is being forced into rushed change across mission-critical systems because you delayed the planning and the inventory work.
You can see this shift in mainstream financial infrastructure discussions. In December 2025, Finextra reported on BIS and central bank work with SWIFT and others testing post-quantum cryptography in payments, surfacing the real-world challenges of implementing quantum-safe approaches in high-stakes, interoperable systems. That is the point: payments are a shared ecosystem. Your readiness depends on your counterparties.
Commercial networks are also pushing the conversation from theory to execution. Mastercard’s 2025 white paper on migration to post-quantum cryptography emphasises that financial institutions should begin exploring quantum-safe alternatives now, precisely because the journey involves operational and strategic complexity, not just new algorithms.
And then there is the governance angle. In October 2025, Bloomberg reported warnings from capital markets voices that the window to act is narrowing and that regulators may need to prod firms to bolster defences. Whether you agree with every part of that framing or not, it reflects a broader reality: quantum readiness is becoming a board-level expectation.
IMPLICATIONS
For financial leaders, the first practical move is not to buy a “quantum-safe product”. It is to build a credible migration programme. That means a cryptographic inventory, an understanding of where public-key cryptography lives, and a prioritised plan aligned to refresh cycles and vendor roadmaps. If you cannot answer “Where are we exposed?” you cannot manage the risk.
For regulators and policymakers, the priority is to avoid a fragmented, last-minute scramble that increases systemic risk. Coordinated roadmaps help, but they must translate into milestones, supplier accountability, and shared testing approaches. The G7 roadmap is valuable precisely because it treats PQC as a coordinated transition problem, not a vendor marketing exercise.
For South Africa and other emerging markets, the message is straightforward: you cannot opt out. Your banks interoperate globally, your vendors are global, and your customers’ data has a long shelf life. Starting early is how you spread cost, reduce disruption, and protect trust.
CLOSING TAKEAWAY
Post-quantum cryptography is not about fear of quantum computers. It is about respecting the reality of financial infrastructure: slow-moving, deeply interconnected, and unforgiving of rushed change. The firms moving now are doing so because they understand something many technology debates ignore: in finance, the upgrade cycle is the clock that matters. The smartest posture is boring and disciplined: inventory, prioritise, align to refresh cycles, and pressure suppliers to prove readiness. The future rarely arrives neatly on schedule, but your migration plan can.
Author Bio: Johan Steyn is a prominent AI thought leader, speaker, and author with a deep understanding of artificial intelligence’s impact on business and society. He is passionate about ethical AI development and its role in shaping a better future. Find out more about Johan’s work at https://www.aiforbusiness.net
Comments