The day a quantum computer becomes powerful enough to break the encryption that secures most digital banking — payments, logins, client records, contracts, and the connections between institutions.
The Issue
Before the plan, the problem. Nearly everything banking does — moving money, verifying identity, keeping records private — rests on encryption that a sufficiently powerful quantum computer will eventually break. That day has a name, Q-day, and while nobody can put it on a calendar, the experts who track it agree it is close enough that preparation has to start now. In plain terms: what Q-day is, what it breaks, and when to expect it.
Two guarantees fail: that what we encrypt stays private, and that a digital signature proves who signed it. Wire instructions, statements, software updates, and counterparty identity all lean on those two.
Current best estimates from industry experts — Gartner, Google, and the national-security community — put the window at 2029–2035. The exact date is unknowable, so the plan below does not depend on one.
Q-day is best understood not as a date to watch for, but as three phases the bank will live through — one we are in already, one that arrives overnight, and one that stretches for years. Each calls for a different set of decisions.
Before Q-Day
The ability to break today's encryption will not arrive with an announcement — there is no visible moment to plan around. The only defensible assumption is that the risk is already live: encrypted traffic captured today can be stored and read later, once the capability exists.
The Public Q-Day
Public acknowledgment changes the threat very little — sophisticated adversaries will precede the announcement. What changes overnight is the environment: legal standards harden, regulators issue expectations, lawsuits take shape, and counterparties start demanding proof.
The Lag Period
Between public acknowledgment and broad availability of the capability, everyone knows the threat is real but the ecosystem is unevenly protected. A bank finished internally by 2029 could spend up to six years exchanging data with parties whose protections it cannot fully verify.
Fails retroactively. Traffic harvested today is decrypted later — the exposure has already begun. The fix — quantum-safe key exchange — is deployable now, which makes it the first workstream.
Fails in real time. Forged signatures and impersonated counterparties only become possible once a working machine exists — nothing can be stolen in advance. Signature and certificate migration can follow the longer 2035 retirement timeline.
Why It Matters
Four consequences follow — two already live today, two that arrive the day the threat is publicly acknowledged.
Adversaries store encrypted traffic now and read it once capable. Anything that must stay private for more than roughly ten years — client records, strategic positions, long-lived credentials — is effectively exposed at the moment of capture. A data-classification problem, not a forecasting problem.
Banks are, at their foundation, institutions of trust. The strategic objective is not merely technical migration — it is preserving client and counterparty confidence through a transition the whole sector must navigate on an uncertain clock.
Regulators, boards, plaintiffs, and counterparties will ask the same question on the same day: show us the program. Institutions that cannot produce documented, evidenced progress face liability disproportionate to their actual readiness.
Directors, counsel, or clients may demand we stop exchanging data with any party lacking post-quantum controls. Understandable — and operationally unsurvivable. The tiered regime exists so this decision never becomes all-or-nothing.
Migration Milestones
The clock below is not ours — it is being set by standards bodies, regulators, and the industry's largest technology firms. Expert surveys now put the odds of a capable quantum computer within ten years at 28–49%, the highest recorded, and Google has committed to finish its own migration by 2029. These are the dates the market will measure us against.
Every counterparty, vendor, law firm, and processor the bank touches during this window is a potential exposure path — which is why the third-party regime, not just internal migration, is the center of gravity.
The Strategy — Three Levels
The strategy operates at three levels simultaneously. Each is independently valuable; together they are self-reinforcing.
Build every system to swap algorithms without re-architecture. The first generation of post-quantum algorithms may itself need replacing, so the durable asset is not any one algorithm — it is how quickly we can change. Agility is what keeps the 2029 target resilient to moved timelines, broken assumptions, and evolving standards.
The design problem is collective motion without perfect consensus — fifteen institutions will not agree on every detail. Three nested commitments, each adoptable independently, none surrendering autonomy:
Exchanging proof on announcement day is already too late. The alignment to build now: what evidence banks share with one another in advance and on what cadence — inventory, milestones met, independent validation — and whether we test together before the day comes, running joint exercises with critical counterparties and third parties to prove quantum-safe connections hold. On the day itself, the sector should be re-confirming evidence it already holds, not requesting it.
No single institution — including the largest — holds sufficient leverage over core processors, market utilities, messaging networks, or cloud providers. Vendors can deprioritize any one bank's bespoke questionnaire; they cannot deprioritize a common requirement embedded simultaneously in the renewal cycles of their largest clients. And one standard evidence package is cheaper for a vendor to produce than fifteen different ones — the demand becomes a simplification.
Comfort is defined in advance, not negotiated in a crisis. From vendors we will require a current cryptographic inventory delivered on schedule, milestones met and evidenced, quantum-safe channels on every connection with the bank, and audit rights honored — with a pre-planned replacement path that activates when the proof does not arrive.
The Third-Party Engagement — Control Layers by Tier
Tiering: how sensitive × how long it matters × how hard to replaceOur exposure travels with our data — every third party we exchange sensitive information with becomes part of the bank's quantum risk, whether or not their own systems are ready. Engagement is therefore risk-based: the more sensitive the data, the longer it matters, and the harder the vendor is to replace, the stronger the controls we apply.
Delivery of the cryptographic inventory on a milestone timeline, transparency obligations, audit rights, and termination triggers tied to missed milestones — negotiated now, while renewal leverage exists.
Quantum-safe key exchange required on every channel with the bank. Deployable today — ends the store-now, read-later threat for data in motion even where the vendor's own systems lag.
Application-layer encryption applied before data leaves the bank — confidentiality no longer depends on the vendor's readiness at all.
The vendor works on data the bank never fully releases. A scalpel, not a policy — hosted environments do not scale and import the vendor's operational risk.
The bank is a third party to its own institutional clients — the same proof will be demanded of the bank, likely earlier than the sector demands it of vendors. Building the evidence package first is what earns the credibility to lead the task force, and the same investment becomes a commercial differentiator with every client relationship that starts asking the question. After public Q-day, all of them will.
Questions for Executives
Preparedness shows up in the answers, not the plan. Challenges for every program and line of business — readiness, third parties, customers, resourcing, and the assumptions, timelines, and dependencies underneath them.