Quantum Computing in Finance: Compliance Risks

How quantum computing endangers finance: cryptographic breaks, 'harvest now, decrypt later' attacks, opaque models, and vendor risks.

Quantum computing is transforming finance with its ability to solve problems far beyond the reach of classical systems. However, it also introduces serious compliance risks that financial institutions must address. Key challenges include:

  • Cryptographic vulnerabilities: Quantum computers can break widely used encryption methods like RSA and ECC, jeopardizing secure transactions and sensitive data.
  • "Harvest Now, Decrypt Later" (HNDL) threats: Attackers may intercept encrypted data now, planning to decrypt it once quantum technology matures.
  • Regulatory gaps: Current frameworks, like GDPR and SEC regulations, lack post-quantum standards, leaving firms in a gray area.
  • Model transparency issues: Quantum-driven financial models can be difficult to explain, conflicting with regulatory requirements for accountability.
  • Third-party risks: Many firms rely on vendors for quantum services, which adds complexity to compliance and security.

Key Actions for Financial Firms:

  1. Conduct a cryptographic inventory to identify vulnerabilities.
  2. Transition to post-quantum cryptography (PQC) to secure long-lived data.
  3. Engage with regulators to stay ahead of evolving compliance standards.
  4. Strengthen vendor contracts to ensure alignment with quantum-safe protocols.
  5. Update governance frameworks to include quantum risks as part of enterprise-wide risk management.

The timeline to act is shrinking, with deadlines for quantum-safe transitions (e.g., 2031 for NSA systems and 2035 for broader adoption) fast approaching. Firms that integrate quantum risk management into their strategies now will be better positioned to navigate these challenges.

Cryptographic Vulnerabilities and Cybersecurity Challenges

The Post-Quantum Cryptography Threat Landscape

Financial systems heavily depend on RSA and ECC encryption, which are considered secure under classical computing limits. However, quantum computing, powered by Shor's algorithm, poses a serious threat to these encryption methods. Once quantum computers reach a certain capability - referred to as Q-Day - breaking RSA and ECC encryption will become alarmingly fast.

"Q-Day, the moment a quantum computer officially breaks current cryptography, will inevitably bring exposed data, leaked credentials, and compromised systems." - Mike Phillips, Security Architect, Dell Technologies [4]

Experts are divided on when Q-Day might occur. Some believe it could arrive within 5 to 10 years, while others estimate it may take up to 30 years [4]. Meanwhile, the Federal Reserve has highlighted the "Harvest Now, Decrypt Later" (HNDL) strategy as an active threat. This tactic involves intercepting encrypted data now, with the intent to decrypt it later using quantum technology. Financial institutions, particularly those required to retain data for long periods - like loan records or regulatory filings - are at heightened risk.

Regulatory Guidance on Cybersecurity Readiness

Regulators are starting to address these challenges, though the framework is still evolving. The National Institute of Standards and Technology (NIST) has proposed draft post-quantum cryptography standards - FIPS 203 and FIPS 204 - to guide the development of quantum-resistant algorithms [1][2]. The NSA has also set a 2031 deadline for transitioning national security systems, while NIST and the NSA aim for a broader 2035 target for industry-wide adoption [4].

Currently, the U.S. lacks quantum-specific regulations for financial firms. However, existing rules like SEC Regulation S-P (customer data protection), SEC Regulation S-ID (identity theft prevention), and FINRA Rule 4370 (business continuity planning) already require firms to address cryptographic risks, including those posed by quantum computing [5]. Ignoring these vulnerabilities could lead to compliance issues in the near future.

Industry groups are also stepping up. In October 2024, the FS-ISAC released a whitepaper titled "Building Cryptographic Agility in the Financial Sector." Led by Peter Bordow of Wells Fargo and developed with input from over 30 experts, the paper highlights the importance of preparing for quantum threats [6].

"Cryptographic agility is a critical success factor in the long-term journey to protect the world's data from quantum and other emerging threats." - Peter Bordow, Distinguished Engineer / Managing Director of Quantum Security, Wells Fargo [6]

Jurisdiction      | Key Framework                                    | Status
United States     | NIST FIPS 203/204                                | Technical Standard (Finalizing)
United States     | NSA Quantum-Resistant Transition                 | 2031 Deadline
European Union    | Digital Operational Resilience Act (DORA)        | Binding Regulation
International     | G7 Hiroshima Quantum Principles                  | Non-binding Principles
Financial Sector  | FS-ISAC Crypto Agility Whitepaper                | Industry Best Practice

Quantum-Aware Cybersecurity Controls

The first step for financial firms is conducting a cryptographic inventory to identify all instances of vulnerable encryption. This includes on-premises systems, cloud platforms, and third-party vendors.

"You cannot secure what you cannot see." - Deepak Behal, Information Security Officer, Capital One [4]

Once vulnerabilities are mapped, firms should work toward crypto-agility - the ability to replace encryption algorithms quickly without overhauling their entire infrastructure. Google, for example, has committed to completing its post-quantum cryptography transition by 2029 [4], setting an example of proactive planning.

Third-party risk is another critical area. Many cryptographic functions rely on multiple vendors or open-source libraries, which may not yet be quantum-safe [4]. Financial firms should require clear post-quantum plans from their partners to ensure comprehensive security. Importantly, quantum risk shouldn't be treated as a purely IT issue.

"Frame your post-quantum migration as an enterprise risk issue and integrate it into your overall business strategy." - Jane Yuan, Security Architect, Dell Technologies [4]

Data Governance and Privacy Compliance Risks

How Quantum Computing Affects Data Governance

Quantum computing's ability to handle massive and complex datasets is pushing the limits of current governance systems. FINRA has highlighted that quantum advancements are driving a significant increase in data inputs, which strains existing frameworks to validate data sources, ensure quality, and maintain security [5].

But it's not just about handling more data. When quantum-enhanced machine learning is used in financial decision-making, the resulting models become increasingly opaque. This lack of transparency conflicts with regulatory demands for algorithmic accountability. As regulators intensify their scrutiny of automated financial processes, meeting these expectations is becoming more challenging [1]. Additionally, these issues tie directly into privacy obligations, where safeguarding sensitive data is more critical than ever.

Customer Data Privacy and Compliance Obligations

The "harvest now, decrypt later" (HNDL) threat underscores the need to address long-term data confidentiality risks immediately. Long-lived data - like mortgages, regulatory filings, or long-term contracts - must transition to post-quantum cryptography (PQC) as soon as possible to mitigate potential breaches [2][7].

"Under a 'harvest now, decrypt later' scenario, data may be at risk even if it is intercepted well before the emergence of a CRQC." - G7 Cyber Expert Group [7]

In the U.S., this concern translates into specific compliance risks under SEC Regulation S-P (customer data protection) and SEC Regulation S-ID (identity theft prevention). These regulations require broker-dealers to protect customer information, and vulnerabilities introduced by quantum computing fall directly under these obligations [5]. To meet these requirements, firms need to classify data based on how long it must remain secure and prioritize migrating sensitive data that needs protection beyond 2030 to PQC immediately. Additionally, depending on third-party quantum resources introduces further operational risks that need careful management.

Operational and Third-Party Risk Considerations

Beyond privacy and governance, outsourcing quantum computing capabilities adds another layer of compliance complexity. Building in-house quantum systems is financially impractical for most firms, given the enormous resources required. For instance, a single fault-tolerant quantum computer may need up to one million physical qubits to function reliably [1]. As a result, most institutions will turn to specialized Quantum-as-a-Service (QaaS) providers for cloud-based access. However, this convenience comes with its own set of challenges.

"Firms that use cloud service providers to access quantum computing capabilities retain ultimate responsibility to ensure they comply with securities regulations relating to securing data." - FINRA [5]

To address these risks, firms must ensure that vendor contracts include explicit post-quantum cryptography plans, in line with the NCSC's 2028 deadline [3]. Many current outsourcing agreements lack "change-in-standards" clauses, which would require vendors to adopt quantum-safe protocols as standards evolve [3]. Financial institutions should demand detailed PQC roadmaps from all cloud and cryptographic service providers they work with, ensuring they are prepared for the quantum era.

Model Risk and Quantum Algorithm Explainability

Quantum Use Cases in Financial Compliance

Quantum computing is making waves in areas like portfolio optimization, fraud detection, risk modeling, and liquidity management. These technologies promise to boost efficiency but come with new challenges, especially in auditing. For example, a recent pilot program showcased how quantum computing could streamline interbank transaction settlements. While the efficiency gains are clear, the unique nature of quantum outputs complicates traditional auditing methods. This raises pressing questions about how to validate models in a world increasingly influenced by quantum computing.

Model Validation and Regulatory Expectations

Quantum computing doesn’t just shake up encryption and data privacy - it also complicates the validation of financial models. Regulatory frameworks, like the Federal Reserve's SR 11-7 guidance in the United States, were built for conventional systems. These guidelines require firms to independently test models, challenge their assumptions, and meticulously document how their outputs are generated. However, quantum algorithms often produce non-deterministic outputs, making them a poor fit for these established protocols.

"Existing supervisory stress tests assume deterministic architectures; quantum-enhanced systems may introduce non-linearities and verification problems that current legal audit frameworks do not contemplate." - Ammar Zafar, School of Law and Social Justice, University of Liverpool [1]

When quantum-enhanced models are used for high-stakes decisions, their opaque outputs can lead to concerns about due process and liability. Although U.S. regulators haven’t issued specific guidance for quantum computing, the direction is clear: companies using quantum tools in regulated activities should prepare for scrutiny. This means developing validation processes that can handle the uncertainties of quantum outputs. In other jurisdictions, explainability standards are already being extended to quantum-powered models, highlighting the urgency for firms to adapt their validation protocols while meeting current compliance requirements.

Regulatory Gaps and Future Considerations

The challenges of validating quantum models are further compounded by gaps in existing regulations. Key legislation like the EU's Digital Operational Resilience Act (DORA) and the UK's Financial Services and Markets Act 2023 do not yet address the risks introduced by quantum technology [1]. In the U.S., the National Quantum Initiative Act focuses on research and development rather than compliance standards for financial institutions.

This regulatory lag creates a tricky scenario. Early adopters of quantum computing may gain a competitive advantage, but they’re also operating in uncharted territory where rules are still undefined. Additionally, firms with early access to quantum capabilities could gain significant informational advantages over competitors. To navigate this uncertain landscape, proactive engagement with regulators is a smart move. Sharing pilot results, documenting how quantum models behave, and participating in discussions about new standards can help firms stay ahead of compliance challenges as regulations evolve to meet the demands of quantum technology.

Building a Quantum-Aware Compliance Framework

[Figure: Quantum Compliance Roadmap: Key Deadlines for Financial Firms (2024–2035)]

Adding Quantum Risks to Governance Frameworks

Quantum risk isn’t just an IT issue - it’s a business-wide concern that needs to be managed alongside credit, operational, and market risks.

"Treat post-quantum migration as an enterprise risk issue and tie that migration to the existing business strategy." - Jane Yuan, Security Architect, Dell Technologies [4]

This approach requires organizations to update their Enterprise Risk Management (ERM) frameworks to include cryptographic risks. Boards and senior leadership should receive regular updates on the company’s quantum readiness. As CMS Law points out, "The firms best placed to navigate the quantum horizon will be those that have treated it not as a question for the IT department, but as a legal and governance question for the whole organisation." [3]

A useful tool for planning is Mosca's Inequality. It highlights the urgency: if the time it takes to migrate your systems, plus the time your data needs to stay secure, exceeds the estimated arrival of a quantum computer capable of breaking encryption, you’re already at risk [2]. For financial firms holding long-term data - like 30-year mortgages or decades-long insurance policies - this timeline could be especially tight.

Using these enterprise-level insights, growth-stage firms can create compliance practices that are scalable and actionable.

Compliance Practices for Growth-Stage Firms

Once enterprise quantum risks are assessed, growth-stage firms need to focus on securing their systems through updated vendor contracts and continuity plans. The goal is to create a flexible foundation that avoids the need for a complete overhaul later.

Start by building a cryptographic inventory that maps out all encryption protocols used across on-premises systems, cloud platforms, and third-party tools. Since many growth-stage firms rely heavily on external providers, even a single outdated cryptographic dependency in a third-party library could pose a major risk. Make it a priority to question vendors about their post-quantum migration plans and revise service level agreements to include quantum-safe requirements. For reference, the UK's National Cyber Security Centre has set 2028 as the deadline for organizations to complete their cryptographic inventory and migration plans [3].

Business continuity plans (BCPs) also need an update. Most current BCPs don’t account for encryption standards becoming obsolete. Incorporate quantum-specific scenarios into resilience testing to ensure your organization can respond effectively - something regulators are increasingly expecting.

For firms working with advisors like Phoenix Strategy Group, incorporating quantum risk into financial and strategic planning - particularly during funding rounds or pre-exit stages - can prevent costly compliance gaps when they matter most.

By embedding quantum risks into routine compliance reviews, firms can ensure that cryptographic and vendor management strategies stay aligned with evolving regulations.

A Phased Roadmap for Quantum Compliance Readiness

Transitioning to quantum readiness is a complex process, but a phased approach can help streamline the journey.

Phase                                   | Timeline     | Key Actions
Phase 1: Awareness & Inventory          | Now – 2028   | Identify all cryptographic systems; map long-lived data; establish board-level governance.
Phase 2: Pilot & High-Priority Upgrades | 2028 – 2031  | Upgrade critical systems; implement hybrid post-quantum/classical encryption modes; renegotiate vendor contracts.
Phase 3: Full Migration                 | 2031 – 2035  | Complete migration of all legacy and third-party systems; achieve full crypto-agility.

The shared goal for completing post-quantum cryptography (PQC) migration across the financial sector is 2035, as set by NIST and the G7 [4][3]. The NSA has set a 2031 deadline for national security systems [4], while Google aims to finish its transition by 2029 [4].

Across all phases, crypto-agility is key. This means designing systems that allow cryptographic algorithms to be updated without requiring a full infrastructure overhaul. Firms that prioritize this adaptability now will be ahead of the curve when voluntary guidelines evolve into mandatory regulations, as seen with frameworks like DORA.

Conclusion: Preparing for Quantum Compliance in Finance

Key Takeaways for Financial Firms

The challenges posed by quantum computing - like cryptographic vulnerabilities, data governance, and model risk - demand immediate attention from financial firms. The "Harvest Now, Decrypt Later" threat is particularly urgent. Adversaries are already stockpiling encrypted financial data, waiting for the day quantum computers can break today’s encryption standards. For organizations managing long-term data, such as mortgages or insurance records, the timeline to act is shrinking fast.

Three major risks stand out:

  • Cryptographic vulnerabilities: RSA and ECC encryption, which secure most financial transactions, could be rendered ineffective by a powerful quantum computer.
  • Data governance and privacy: Regulations like GDPR make firms accountable for protecting customer data, and compromised encryption would directly violate these obligations.
  • Model risk: Quantum-enhanced algorithms add complexity, making it harder to meet regulatory expectations for transparency and accountability.

"Failure to act pre-emptively may expose financial infrastructures to retrospective data breaches, regulatory incoherence and cascading market instability." - Ammar Zafar, University of Liverpool [1]

The G7 Cyber Expert Group has set 2035 as the deadline for full adoption of post-quantum cryptography (PQC) across the financial sector, with critical systems needing upgrades between 2030 and 2032 [3]. However, with the intricate nature of cryptographic migration - spanning internal systems, cloud services, and third-party vendors - firms that haven’t started planning are already at risk of falling behind.

Next Steps for Growth-Stage Companies

For growth-stage companies balancing quantum readiness with scaling, fundraising, and regulatory obligations, taking action now is essential. Start with these foundational steps:

  1. Conduct a cryptographic inventory to identify vulnerabilities in your systems.
  2. Evaluate vendor PQC roadmaps to ensure their timelines align with your needs.
  3. Integrate quantum risk management into your governance framework.

"Migration planning must begin irrespective of when cryptographically relevant quantum hardware may be realized." - NIST / ENISA / BIS [2]

This isn’t just an IT issue - it’s a strategic business priority. Partnering with advisors like Phoenix Strategy Group can help embed quantum compliance into broader financial and operational planning. Whether you’re preparing for funding rounds or mapping out an exit strategy, addressing quantum risks proactively ensures that compliance gaps don’t emerge when it matters most. Firms that treat quantum readiness as a core business strategy will be better equipped to navigate tightening regulations and disruptive technological shifts.

FAQs

How can I tell if my data is vulnerable to 'harvest now, decrypt later' attacks?

Your data could be at risk if it relies on long-term confidentiality and is currently safeguarded by cryptographic methods vulnerable to quantum attacks, such as RSA or ECC. To assess your exposure, apply the Mosca inequality: if the time required to migrate to post-quantum cryptography, plus the period for which the data must remain confidential, exceeds the estimated time until a quantum computer capable of breaking today's encryption becomes operational, your data is already exposed.

A crucial first step is performing a cryptographic inventory. This involves identifying areas where weak encryption is in use, including systems managed by third-party vendors. This proactive approach ensures you know where vulnerabilities lie and can act before quantum computing renders these protections ineffective.
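A worked instance of Mosca's inequality applied to a small data inventory, serving both the governance section above and this FAQ. This is an added example, not code from the original post or from Phoenix Strategy Group; the asset names, shelf lives, migration times and Q-Day horizons are constructed assumptions, and the 5/10/30-year horizons mirror the expert range the article cites.

```python
"""Mosca's inequality triage over a constructed data inventory.

X = years the data must stay confidential (shelf life)
Y = years needed to migrate the protecting system to PQC
Z = years until a cryptographically relevant quantum computer (CRQC)
An asset is exposed to "harvest now, decrypt later" when X + Y > Z.
"""
from dataclasses import dataclass

# Q-Day horizons in years (assumed; the article quotes 5-10 years up to ~30).
QDAY_ESTIMATES_YEARS = {"pessimistic": 5, "mid": 10, "optimistic": 30}

# Public-key algorithms Shor's algorithm breaks; PQC algorithms (e.g. ML-KEM,
# the FIPS 203 scheme) are not in this set and need no migration.
QUANTUM_VULNERABLE = {"RSA", "ECC", "ECDH", "ECDSA", "DH"}


@dataclass
class DataAsset:
    name: str
    algorithm: str           # algorithm currently protecting the asset
    shelf_life_years: float  # X
    migration_years: float   # Y


def exposure_years(asset: DataAsset, qday_years: float) -> float:
    """Return X + Y - Z. Positive means the asset is already at risk."""
    return asset.shelf_life_years + asset.migration_years - qday_years


def is_at_risk(asset: DataAsset, qday_years: float) -> bool:
    """Mosca's inequality, applied only to quantum-vulnerable algorithms."""
    if asset.algorithm.upper() not in QUANTUM_VULNERABLE:
        return False  # already on a quantum-resistant algorithm
    return exposure_years(asset, qday_years) > 0


def triage(inventory, qday_years: float):
    """Rank at-risk assets by how far they overrun the CRQC horizon."""
    at_risk = [(a.name, exposure_years(a, qday_years))
               for a in inventory if is_at_risk(a, qday_years)]
    return sorted(at_risk, key=lambda item: item[1], reverse=True)


def triage_all(inventory):
    """Run the triage under every Q-Day estimate, for board-level reporting."""
    return {label: triage(inventory, z) for label, z in QDAY_ESTIMATES_YEARS.items()}


# Constructed inventory: illustrative values, not from any real firm.
INVENTORY = [
    DataAsset("30-year mortgage archive", "RSA", 30, 3),
    DataAsset("regulatory filings (10y retention)", "ECDSA", 10, 2),
    DataAsset("session tokens (24h)", "ECDH", 0.003, 1),
    DataAsset("backup vault re-keyed to ML-KEM", "ML-KEM", 25, 0),
]

if __name__ == "__main__":
    for label, ranked in triage_all(INVENTORY).items():
        print(f"Q-Day in {QDAY_ESTIMATES_YEARS[label]}y ({label}):")
        for name, overrun in ranked:
            print(f"  AT RISK  {name}: overruns horizon by {overrun:.1f} years")
```

Even under the optimistic 30-year horizon the mortgage archive is already exposed, which is the point the article makes about decades-long records.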

What’s the fastest way to become crypto-agile without rebuilding our whole stack?

To achieve crypto-agility without overhauling your entire system, consider a phased, risk-based migration approach. Begin by compiling a detailed inventory of your cryptographic assets, pinpointing quantum-vulnerable algorithms such as RSA and ECC. Focus on high-risk areas first, especially critical data and records that need to remain secure over long periods. Use hybrid cryptographic schemes to maintain backward compatibility, ensuring the transition is seamless. Phoenix Strategy Group offers expert guidance and technical support to help businesses manage these transitions securely and efficiently.

How should we validate and audit quantum-driven models for regulators?

To ensure quantum-driven models are secure and reliable, it's essential to follow a structured, risk-based process. Here's how to approach it:

  • Start with Cryptographic Dependencies: Begin by creating an inventory of all cryptographic dependencies. This helps identify potential "harvest now, decrypt later" risks, where sensitive data could be intercepted and decrypted in the future using quantum capabilities.
  • Focus on Critical Systems: Prioritize systems that are most critical to your operations. These should be the first to undergo independent and enhanced testing.
  • Strengthen Controls and Policies: Verify that supervisory controls and risk management policies are robust enough to handle the unique challenges posed by quantum technology.
  • Use Hybrid Implementations During Transition: As you transition, adopt a mix of classical cryptography and NIST-approved post-quantum algorithms. This hybrid approach ensures continuity while preparing for a quantum-secure future.
  • Ensure Auditable Compliance: Maintain a clear, documented compliance process. Work closely with vendors to coordinate pilot validations, ensuring all efforts align with regulatory standards.
  • Centralize Oversight: Implement FINRA-style supervision, with written procedures forming the backbone of your oversight strategy. This ensures accountability and consistency throughout the process.

By following these steps, you can build a secure and auditable framework for managing quantum-driven models effectively.
