Tue, 10 Mar 2026
What if you knew that in four years’ time you might run into serious trouble, and that acting today would not only reduce the impact but also significantly lower the cost?
Last week, we hosted two dinners, one of them dedicated to Quantum Safe Authentication, organised together with Wultra. Around the table sat a diverse group of banking executives. Some came from risk and security functions, others from digital transformation, innovation, and fraud prevention. That diversity proved invaluable. The discussion moved fluidly between topics: from the ongoing battle against fraud to the delicate balance between friction and frictionless customer journeys, and from risk management to the challenge of measuring and prioritising emerging threats.
One of those emerging threats is the fact that, for all our communication and authentication, we use cryptographic algorithms that may no longer be valid in a not-so-distant future (as you may have read in a previous blog).
Quantum computing changes the assumption that our security technology keeps our digital communication and authentication safe. With sufficient computing power, a quantum computer could, theoretically, break many of the cryptographic systems that protect digital identities, authentication mechanisms, and encrypted communications today.
Practically, this means that authentication mechanisms based on those cryptographic primitives could be compromised. In the most extreme cases, attackers might impersonate customers, breach accounts, and authorise transactions. The issue would not be confined to a single bank or system: it would jeopardise the entire digital trust infrastructure.
What’s worse is that information, like login credentials or identity information, may already be stolen today because of its value tomorrow (known as “Harvest Now, Decrypt Later” or HNDL). For sectors such as banking, where sensitive data retains value over many years, this creates a time-delayed vulnerability.
A few people shared that it feels somewhat like the so-called Y2K (the Millennium Bug, if you remember), when nothing disastrous really happened. That provided some comfort to the group, but the truth is that the comparison doesn’t quite hold: the industry prepared for Y2K knowing the deadline was 31 December 1999, but when will anyone have a production-ready, scalable, and stable quantum computer? No one truly knows, so which date should we aim to prepare for?
Quantum computing may be science fiction, but preparing for a quantum-safe environment isn’t.
We do not need quantum computers to build quantum-safe systems. Post-quantum cryptography (PQC - new cryptographic algorithms designed to resist quantum attacks) can already run on today’s infrastructure. In other words, the technology to prepare for a quantum future already exists. The real challenge is not technological but architectural: ensuring that systems are crypto-agile, capable of switching cryptographic algorithms when needed, and embedded in authentication solutions that can evolve without requiring massive disruption.
Bear with me, we are almost at the essence of my writing.
Let me summarise this one more time: we know we can expect trouble, and we know only very few are prepared. For those who are not, the effort to be prepared is significant.
We also know that most banks have a heavy roadmap in the context of digital identity, with PSR/PSD3 and the EU Mobile Identity Wallet coming, probably before the first risky quantum computer. Wouldn’t it make sense, though, to include crypto agility on that roadmap?
When we asked who has quantum safety on their roadmap, the response was almost unanimous. Close to no one included it in their plans.
So, we asked another question: now that you know what has been discussed and understand the risks and how to manage them, will you put it on your roadmap? Close to no one confirmed.
Curious as Andrew and I are, we asked the deeper question of why that is. That brings me to the essence of this piece of writing.
Banks have so much on their plate that they would rather wait until the regulator sees the sense of urgency. What surprised me most was that this view was shared across the table. It did not come only from business leaders focused on growth or innovation. It also came from risk professionals. The common sentiment was clear: banks will move decisively when the regulator signals urgency.
In other words, the trigger for action is expected to come from outside the organisation.
Put differently: who are we serving, the regulator or the client?
This raises an additional, interesting strategic question. If everyone waits for regulation before acting, are we preparing for the future, or simply reacting to it when it becomes unavoidable?
The irony is that the discussion also revealed something else. Preparing for quantum-safe authentication does not necessarily require a radical transformation today. Much of it comes down to architectural choices: ensuring crypto-agility, designing systems that can switch algorithms when necessary, and embedding future-proof thinking into projects that are already underway.
In other words, the real opportunity is not about predicting when quantum computing will arrive. It is about ensuring that when it does, the transition will be manageable rather than disruptive.
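What the crypto-agility described above (systems that can switch algorithms when necessary) can look like in an authentication flow, as an added example that is not from the original post or from any vendor mentioned in it. The scheme ids, the `Policy` and `Credential` types and the HMAC stand-ins for a classical and a post-quantum scheme are assumptions, chosen so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in schemes (assumption) so the block runs on the standard library.
# Real entries would wrap a classical and a post-quantum signature scheme.
SCHEMES = {
    "classic-v1": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "pq-v2": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

@dataclass
class Policy:
    preferred: str       # scheme that new enrolments must use
    accepted: frozenset  # schemes still honoured at login

@dataclass
class Credential:
    alg: str             # scheme id stored with the key, never implied
    key: bytes

def respond(cred, challenge):
    """Client side: answer a challenge and tag the proof with its scheme."""
    return cred.alg, SCHEMES[cred.alg](cred.key, challenge)

def verify(policy, cred, challenge, alg, proof):
    """Server side: return (ok, needs_migration)."""
    # The enrolled credential fixes the scheme, so a client cannot
    # downgrade itself by claiming a weaker one.
    if alg != cred.alg or alg not in policy.accepted or alg not in SCHEMES:
        return False, False
    ok = hmac.compare_digest(SCHEMES[alg](cred.key, challenge), proof)
    return ok, ok and alg != policy.preferred

def demo():
    """Constructed walk-through: transition period, cut-off, re-enrolment."""
    challenge = b"constructed-challenge-0001"
    old = Credential("classic-v1", b"k" * 32)
    transition = Policy("pq-v2", frozenset({"classic-v1", "pq-v2"}))
    cutoff = Policy("pq-v2", frozenset({"pq-v2"}))
    alg, proof = respond(old, challenge)
    during = verify(transition, old, challenge, alg, proof)
    after = verify(cutoff, old, challenge, alg, proof)
    new = Credential(transition.preferred, b"n" * 32)  # re-enrolled at login
    migrated = verify(cutoff, new, challenge, *respond(new, challenge))
    return during, after, migrated
```

Moving from the transition policy to the cut-off policy is a configuration change; the verification code itself does not change.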
And that returns us to the initial question. If you knew a problem might arise in four to five years, and addressing it now would lessen both the risk and the expense, would you wait for the regulator to compel you? Or would you quietly begin preparing while there is still time?
What does this hesitation tell us about the current state of change inside banks? Quite a lot, I believe. The sheer number of transformations banks are dealing with today (regulatory change, digital transformation, fraud prevention, AI, legacy modernisation) creates a form of institutional stress.
That pressure makes organisations cautious. It pushes them to focus on what is immediately required rather than what might be strategically wise.
As a result, innovation in non-competitive fields, such as security architecture, often stalls until there is either regulatory pressure or noticeable competitive movement. Banks recognise that collaboration and anticipation would be sensible in these areas, but the burden of ongoing change programmes makes it hard to take the lead.
In that sense, the discussion about quantum-safe authentication was not only about cryptography. It was also a reflection of a broader challenge facing the industry: Is the real constraint the capacity to change?
Or is it, perhaps, an unwillingness to change until someone else moves first, be it a competitor or the regulator?
Because if the latter is true, the challenge facing the industry may not be quantum computing at all.
It may simply be our own inertia.
In this episode, Rik and Andrew reflect on some of the more surprising aspects of the dinner discussions, during which Andrew shows his age by "being there" for the Y2K bug preparations (while Rik admits he was probably sitting at home, not old enough to join the millennium parties 🫣).