Post-Quantum Banking: Securing Regulated Institutions for the Cryptographic Transition
Why banking has to move to post-quantum cryptography now
The public-key cryptography that protects today's financial systems has a known expiry date. This white paper sets out the problem facing regulated institutions, the recently finalized NIST post-quantum standards, and how ACM combines post-quantum algorithms, threshold cryptography, and decentralized consensus into a migration path that needs no core surgery.
"Harvest now, decrypt later" makes this a present-day decision
A cryptographically relevant quantum computer does not need to exist today to put a bank's data at risk. Adversaries can capture encrypted traffic and stored records now, retain them, and decrypt them once the hardware matures. This is the "harvest now, decrypt later" risk, and it changes the timeline for action.
For most industries, data loses value quickly. Banking is different. Mortgages, loan files, member and patient identities, account histories, and settlement instructions stay sensitive for years or decades. Records exfiltrated today could still be confidential, and still be damaging, long after a quantum machine can unlock the algorithms protecting them. The retention period of the data, not the arrival date of the hardware, defines the exposure window.
Two cryptographic foundations are affected. Quantum attacks threaten the public-key algorithms used for key exchange and digital signatures, which underpin TLS sessions, code signing, certificate chains, and transaction authorization. The practical consequence is that confidentiality protected today and the integrity guarantees behind signed records are both on the clock. For a regulated institution, that turns quantum readiness into a governance and audit question that examiners will reasonably expect to see addressed.
NIST finalized the post-quantum standards in 2024
The migration is no longer waiting on research. In 2024, NIST published its first finalized post-quantum cryptography standards, giving institutions concrete algorithms to build toward rather than candidates to track.
ML-KEM (FIPS 203)
The Module-Lattice-Based Key-Encapsulation Mechanism standard, derived from CRYSTALS-Kyber, establishes shared secrets for encryption and is the primary tool for protecting data in transit against quantum attack.
ML-DSA (FIPS 204)
The Module-Lattice-Based Digital Signature Algorithm standard, derived from CRYSTALS-Dilithium, provides quantum-resistant signatures for authenticating records, code, and transactions.
SLH-DSA (FIPS 205)
The Stateless Hash-Based Digital Signature Algorithm standard, derived from SPHINCS+, offers a signature scheme built on conservative hash-based assumptions, useful where algorithmic diversity is a requirement.
Because these standards are recent, the right posture is to build on them while preserving the ability to change. ACM aligns to the NIST standards above and designs for crypto-agility, so primitives can be rotated as guidance evolves, rather than hard-coding any single algorithm into systems that have to last.
Post-quantum, threshold keys, and consensus, engineered together
Post-quantum cryptography protects data, but it is one layer. ACM combines it with how keys are held and how transactions reach agreement, so the cryptographic transition strengthens the whole institution rather than a single channel.
Hybrid post-quantum
Classical and NIST-aligned post-quantum algorithms run in combination, preserving proven security while adding quantum resistance and easing a phased rollout that auditors can follow.
Threshold cryptography
Signing authority is split across multiple parties so that no single holder can act alone. A defined quorum is required to authorize an operation, removing single points of compromise from high-value approvals.
Non-custodial key management
Key material is generated and used without concentrating control in one custodian. Institutions retain authority over their own keys, with separation of duties enforced on cryptographic operations.
Decentralized consensus
Transactions and ledger state reach agreement across distributed validators, so integrity does not depend on a single trusted node and records carry verifiable provenance.
Crypto-agility by design
Algorithms are abstracted from the application layer. Approved primitives, key strengths, and hybrid modes are configured centrally and rotated as a controlled change, not a code rewrite.
Protect what lasts first
Long-lived, high-sensitivity data (identity records, loan files, and settlement instructions) receives quantum-safe protection ahead of transient traffic.
A posture you can administer and evidence
For a CISO and an examiner, a quantum-readiness program is judged on whether algorithm choices are controlled, observable, and provable. ACM treats cryptographic policy as governed infrastructure within a regulated-first architecture.
- Standards alignment: the platform builds toward ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205), keeping the stack on the same path regulators and auditors expect.
- Compliance-ready controls: key lifecycle events and algorithm changes are designed to support SOC 2, ISO 27001, PCI-DSS, and HIPAA requirements through tamper-evident audit logs.
- Identity and access: who can view, rotate, or retire keys is bound to roles and your existing SSO, with separation of duties reinforced by threshold approval.
- Living cryptographic inventory: a current, defensible view of where public-key cryptography protects long-lived data, and of remaining quantum exposure.
- Examiner artifacts: the roadmap, control documentation, and migration status reporting needed to evidence a quantum-readiness program during review.
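The inventory item above, together with the earlier point that retention period defines the exposure window, can be illustrated with a small ranking script. This is an added example, not ACM's code: the `Asset` record, the sample inventory, and the status labels are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Public-key families a quantum attack threatens, and the NIST standards the page names.
QUANTUM_VULNERABLE = {"RSA", "DH", "DSA", "ECDH", "ECDSA", "X25519", "ED25519"}
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass(frozen=True)
class Asset:               # hypothetical inventory record
    name: str
    algorithms: tuple      # algorithms combined for this asset's key exchange or signature
    retention_years: int   # how long the data must stay confidential or verifiable

def family(alg):
    """Map e.g. 'ECDH-P256' or 'ML-KEM-768' to its family; None if unrecognized."""
    for fam in sorted(QUANTUM_VULNERABLE | POST_QUANTUM, key=len, reverse=True):
        if alg.upper().startswith(fam):
            return fam
    return None

def classify(asset):
    fams = [family(a) for a in asset.algorithms]
    if not fams or None in fams:
        return "unknown"   # unrecognized algorithm: needs manual review, never assumed safe
    classical = any(f in QUANTUM_VULNERABLE for f in fams)
    pq = any(f in POST_QUANTUM for f in fams)
    if classical and pq:
        return "hybrid"
    return "pq" if pq else "exposed"

def migration_queue(inventory):
    """Exposed or unknown assets, longest retention first."""
    todo = [a for a in inventory if classify(a) in ("exposed", "unknown")]
    return [a.name for a in sorted(todo, key=lambda a: (-a.retention_years, a.name))]

def exposure_summary(inventory):
    return dict(Counter(classify(a) for a in inventory))

# Constructed sample inventory, not real systems.
INVENTORY = [
    Asset("mortgage-archive-kek", ("RSA-2048",), 30),
    Asset("core-to-ledger-tls", ("X25519", "ML-KEM-768"), 7),
    Asset("loan-file-signing", ("ECDSA-P256",), 15),
    Asset("atm-session-tls", ("ECDH-P256",), 1),
    Asset("kyc-vault-wrap", ("vendor-proprietary",), 10),
    Asset("firmware-signing", ("SLH-DSA-SHA2-128s",), 20),
]

if __name__ == "__main__":
    print(migration_queue(INVENTORY), exposure_summary(INVENTORY))
```

An asset whose algorithm is not recognized lands in the queue as "unknown" rather than being treated as safe, which is the case an inventory most often gets wrong.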
A phased path with no core surgery
Quantum-safe protection is only useful if it reaches where sensitive data actually lives and moves. ACM applies post-quantum primitives at the interfaces a bank already operates, rather than asking you to consolidate them first.
- Keys and HSMs: post-quantum key generation and signing integrate with PKCS#11 and KMIP-style key managers and hardware security modules, so root-of-trust material is protected without abandoning your existing estate.
- Data in transit: hybrid key exchange wraps the TLS and mutual-auth channels carrying core, ledger, and KYC traffic, adding quantum resistance without rewriting the services on either end.
- Records at rest: long-lived stores are re-encrypted under post-quantum-protected keys behind the same APIs your applications already call.
- External rails: where card networks and counterparties still require classical algorithms, hybrid envelopes keep those connections compliant today while you are protected for the day the rails move.
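The hybrid key exchange mentioned for data in transit can be sketched as a concatenate-then-KDF combiner, one common way to build it. This is an added example, not ACM's implementation: the two shared secrets are constructed byte strings standing in for the outputs of a classical exchange and an ML-KEM decapsulation, and the label and transcript are assumptions.

```python
import hashlib
import hmac

def hkdf_sha256(salt, ikm, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def hybrid_session_key(ss_classical, ss_pq, transcript):
    """Derive one session key that depends on BOTH shared secrets.

    An attacker who recovers only the classical secret (for example from
    harvested traffic, later) still lacks the post-quantum input to the KDF.
    """
    # Fixed lengths keep the concatenation unambiguous.
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("each shared secret must be exactly 32 bytes")
    # Binding the handshake transcript ties the key to this exchange's
    # public keys and ciphertexts, so it cannot be replayed into another.
    info = b"hybrid-kex-example v1" + hashlib.sha256(transcript).digest()
    return hkdf_sha256(salt=b"", ikm=ss_classical + ss_pq, info=info)

# Constructed stand-ins, not real key material.
SS_CLASSICAL = bytes(range(32))        # e.g. output of an ECDH exchange
SS_PQ = bytes(range(32, 64))           # e.g. output of ML-KEM decapsulation
TRANSCRIPT = b"constructed: client_pk || server_pk || kem_ciphertext"

if __name__ == "__main__":
    print(hybrid_session_key(SS_CLASSICAL, SS_PQ, TRANSCRIPT).hex())
```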
Framed honestly, the outcome is not a certification or a finished migration; the NIST standards are recent and the work is iterative. What ACM delivers is a reviewable program, sequenced by data sensitivity and retention, that aligns the institution to published standards and runs alongside the modern, lower-cost foundation of the ACM banking core and the controls documented under Trust & Security. Deeper technical context, including how threshold and consensus designs are applied across the ecosystem, lives at post-quantum security.
Further reading: related research from the ACM ecosystem is available at papers.hanzo.ai (agentic AI and applied cryptography) and lux.network (tokenized finance and settlement). These are independent works cited as related material, not part of this paper.
Start your quantum-readiness program
Talk to ACM about a post-quantum readiness assessment, a cryptographic inventory, and a migration path engineered for regulated institutions, with no core surgery required.
Frequently asked questions
Are the NIST post-quantum standards final, and does ACM use them?
Yes. In 2024, NIST finalized its first post-quantum cryptography standards: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) as a hash-based signature alternative. ACM builds toward these standards and designs for crypto-agility, so algorithms can be rotated as guidance continues to evolve. Because the standards are recent, ACM frames its work as aligning to and building on them, not as a completed or certified migration.
What do threshold cryptography and non-custodial key management add beyond post-quantum algorithms?
Post-quantum algorithms protect data confidentiality and signature integrity against future quantum attack. Threshold cryptography splits signing authority across multiple parties so that a defined quorum, rather than any single holder, is required to authorize an operation, removing single points of compromise. Non-custodial key management keeps control of key material with the institution rather than a single custodian. Together they harden how high-value approvals are made, not just how data is encrypted.
Do we have to replace our core to adopt post-quantum banking?
No. ACM uses a phased, hybrid approach that runs post-quantum algorithms alongside classical ones and prioritizes your highest-value, longest-lived data first. Post-quantum primitives attach at the interfaces you already operate, including HSMs, TLS channels, and data stores behind existing APIs, so cryptographic upgrades proceed without ripping out the core or disrupting daily operations.