Quantum Computing Is Coming to UK Finance: What Banks and Fintechs Need to Know Now

ยท

,

The threat is not arriving the day a working cryptographically-relevant quantum computer switches on. The threat is already here, embedded in data being harvested right now by state-level actors who plan to decrypt it later. That is the uncomfortable reality at the centre of what the National Cyber Security Centre (NCSC) has been trying to communicate to UK financial services organisations for the past two years, with limited success. Quantum computing UK finance businesses need to take seriously is not a five-year problem. It is a planning problem that starts today.

Most banks, fintechs, and payment processors are still treating quantum as a research curiosity rather than an operational risk. That is a mistake. The window between now and when post-quantum cryptography must be fully deployed is narrowing faster than most technology roadmaps in financial services are built to accommodate.

City of London financial office at dusk illustrating quantum computing UK finance businesses security risks
City of London financial office at dusk illustrating quantum computing UK finance businesses security risks

Why Quantum Breaks the Encryption That Protects Financial Data

Modern financial systems rely heavily on public-key cryptography, specifically RSA and elliptic-curve cryptography (ECC), to protect transactions, authenticate users, and secure communications between institutions. Both of these schemes depend on mathematical problems that classical computers cannot solve in any useful timeframe. A sufficiently powerful quantum computer running Shor’s algorithm can crack both in hours or days. The moment that machine exists, every piece of data protected by RSA or ECC becomes readable.

The more insidious version of this threat is known as “harvest now, decrypt later”. Sophisticated adversaries, including nation-state actors, are already intercepting and stockpiling encrypted data: transaction records, client communications, authentication tokens, interbank settlement data. The encryption protecting it today is uncrackable. In ten to fifteen years, or possibly sooner, it may not be. For financial services firms holding sensitive long-term customer data, this is an existential compliance issue, not a theoretical one.

What the NCSC Is Actually Advising UK Financial Services

The NCSC published its post-quantum cryptography guidance in 2023 and has since updated its migration timelines. Its current position is that UK organisations in critical sectors, which explicitly includes finance and payments infrastructure, should begin cryptographic inventory work immediately and aim to have a migration plan in place before 2028. Full migration to post-quantum cryptographic standards is recommended by no later than 2035, though the NCSC has signalled that this deadline may be pulled forward depending on quantum hardware progress.

The specific standards the NCSC recommends aligning with are those published by the US National Institute of Standards and Technology (NIST), which finalised its first set of post-quantum cryptography standards in 2024. The three primary algorithms, CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium plus FALCON for digital signatures, are now considered production-ready. UK firms have no technical reason to wait. You can read the NCSC’s full guidance on post-quantum cryptography at ncsc.gov.uk.

Financial technology professional working on post-quantum cryptography migration relevant to quantum computing UK finance businesses
Financial technology professional working on post-quantum cryptography migration relevant to quantum computing UK finance businesses

Where Most UK Financial Firms Currently Stand

Honestly, most are behind. A 2025 survey by the UK Finance trade body found that fewer than 30 percent of member institutions had completed a formal cryptographic inventory. Without that inventory, you cannot even know which systems are vulnerable, let alone begin migration. Legacy infrastructure compounds the problem significantly. Older core banking platforms, sometimes running on decades-old architecture, use hardcoded cryptographic libraries that were never designed to be swapped out. Retrofitting them is not a software update; it is closer to open-heart surgery.

Fintechs, paradoxically, have both an advantage and a disadvantage here. Their stacks are newer and more modular, making cryptographic agility more achievable in principle. But many fintech firms are not yet thinking about this at board level, treating it as a future infrastructure concern rather than a current strategic risk. That gap in governance will bite them when regulators begin mandating post-quantum readiness, which the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) are expected to formalise guidance on within the next two years.

Cryptographic Agility: The Framework That Actually Matters

The practical answer to the quantum threat is not simply swapping one algorithm for another once. It is building systems that can swap cryptographic primitives without major re-engineering. This concept, called cryptographic agility, should be the governing principle behind every infrastructure investment financial firms make right now. If you are commissioning a new API gateway, a new payment processing module, or upgrading your identity and access management stack, the ability to update cryptographic algorithms at configuration level rather than code level should be a hard requirement in every specification.

This is also where the digital communications layer intersects with quantum risk in ways that operations teams sometimes overlook. Secure email infrastructure, encrypted API communications between institutions, and signed transaction logs all depend on cryptographic standards that will be compromised. A firm that has secured its core banking system but left its email infrastructure running on legacy public-key encryption has a gap. UK-based technology tools built around internet and computer security, such as the free email testing service offered by Mail Tester (mail-tester.co.uk), already reflect the increasing awareness among tech support and technology professionals that even routine digital communications channels require proper cryptographic validation. Ensuring that email authentication records, DKIM signing, and encrypted transmission are correctly configured is a basic-hygiene step that sits within the broader push to audit every layer of digital infrastructure before post-quantum migration begins. Firms that ignore the communications stack whilst hardening their core systems are creating blind spots.

The Business Decisions That Need to Happen Before 2028

There are four concrete decisions that quantum computing UK finance businesses should be making in the next twelve to twenty-four months, regardless of where they sit on the maturity curve.

First: complete a cryptographic inventory. Map every system, service, and integration that uses public-key cryptography. This is non-negotiable. You cannot migrate what you cannot find.

Second: assess supplier and third-party exposure. Your own systems may be relatively modern, but if your payment processor, cloud provider, or software vendor is running RSA-dependent infrastructure, your exposure extends to theirs. Third-party risk questionnaires need a quantum section now.

Third: begin hybrid cryptography deployments where practical. Running a post-quantum algorithm alongside a classical one in parallel provides protection today without requiring full migration. CRYSTALS-Kyber in hybrid mode is already supported by major TLS libraries and is production-viable.

Fourth: engage your board and audit committee. Quantum risk needs to sit in the same risk register as cyber risk, operational risk, and regulatory risk. It is not an IT department footnote; it is a governance issue with regulatory implications. The FCA’s operational resilience framework already encompasses systemic cryptographic vulnerabilities under its broader definition of important business services.

What Good Preparation Actually Looks Like

Barclays, HSBC, and NatWest have all publicly referenced post-quantum cryptography work in their technology strategy disclosures over the past two years. Smaller fintechs and building societies have less visibility, which does not mean the work is happening. In many cases it is not.

Preparation does not require enormous capital expenditure upfront. It requires rigour. Cryptographic inventory software exists. Open-source post-quantum libraries are available and battle-tested. The standards are finalised. What is generally missing is internal prioritisation, which is a leadership and governance problem, not a technology one. The firms that start the migration work methodically now will face a manageable, phased transition. Those that wait for a regulatory deadline or, worse, a quantum computing breakthrough announcement, will face an emergency with no clean options.

The broader technology ecosystem is already moving. Cloud providers including AWS and Google Cloud have quantum-safe key management options in production. Hardware security module vendors are shipping post-quantum compatible firmware. The infrastructure supply side is ready. The demand side, meaning the decisions made inside UK financial institutions, is the remaining bottleneck. And for quantum computing UK finance businesses, that bottleneck needs to close soon.

Frequently Asked Questions

How close are we to a quantum computer that can break current encryption?

Most estimates from credible research institutions suggest a cryptographically-relevant quantum computer is ten to fifteen years away, though some timelines are being revised downward. The NCSC advises UK organisations not to wait for this milestone, as the ‘harvest now, decrypt later’ threat means data captured today could be decrypted once such a machine exists.

What is post-quantum cryptography and is it ready to use?

Post-quantum cryptography refers to algorithms designed to resist attacks from quantum computers. NIST finalised its first set of post-quantum standards in 2024, including CRYSTALS-Kyber and CRYSTALS-Dilithium, both of which are considered production-ready and are already supported by major software libraries and cloud platforms.

What is the NCSC's official deadline for migrating to post-quantum cryptography?

The NCSC currently recommends that critical sector organisations, including financial services firms, have a migration plan in place before 2028 and complete full migration by no later than 2035. However, the NCSC has indicated this timeline may be accelerated depending on advances in quantum hardware.

What should UK fintechs do first to prepare for quantum risk?

The most important first step is completing a cryptographic inventory: identifying every system, API, and third-party integration that currently uses RSA or elliptic-curve cryptography. Without this baseline, prioritising migration work is impossible. Fintechs should also add quantum readiness criteria to supplier and third-party risk assessments.

Will the FCA or PRA require UK financial firms to comply with post-quantum cryptography standards?

Formal regulatory mandates from the FCA and PRA have not yet been published, but both bodies are expected to issue guidance within the next two years. Post-quantum readiness is already implicitly covered under the FCA’s operational resilience framework, and firms should treat proactive preparation as regulatory risk management.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *