Quantum technology can revolutionise finance, but create new problems

• Quantum technologies bring significant opportunities to the financial sector but pose cybersecurity risks
• The US National Institute of Standards and Technology has released three post-quantum encryption tools designed to protect a wide range of electronic information from quantum computer attacks
• The Monetary Authority of Singapore has teamed up with major banks to study how Quantum Key Distribution (QKD) can protect data transfers

Whenever you make a bank transaction online or send confidential messages, you can rest assured that your data and sensitive information are protected by cryptographic algorithms. But in roughly 10 years, we may see the emergence of powerful quantum computers that can break current encryption securing everything we do online.

As quantum technologies develop rapidly on the heels of other emerging technologies like artificial intelligence (AI) and machine learning (ML), governments and research institutions worldwide are also racing to put up post-quantum security measures that would safeguard a broad range of electronic information that support the modern economy.

Quantum computers, which use quantum mechanics to solve complex computing problems, are not fully-developed yet. But when they are, they can solve problems that are beyond the capabilities of today’s supercomputers. This makes the technology attractive to industries that need to process large volumes of data to make breakthroughs. The possible applications are endless, ranging from the development of news drugs, supply chain optimisation, and faster creation of models for finance, and even climate.

For the financial sector, quantum computing can revolutionise portfolio management and enhance risk management through improved computation, modelling, and fraud detection. However, it also presents significant challenges as it could render current encryption systems obsolete, thereby endanger financial systems.

Quantum technologies as the next frontier

While the financial sector continues to focus on applying AI to enhance customer experiences and ML to automate low-value and repetitive tasks, quantum computing is considered to be the next technological frontier for enhancing operational performance.

Even with threats around cybersecurity, the industry has been investing heavily to harness the power of quantum computing. The World Economic Forum, in collaboration with the United Kingdom's Financial Conduct Authority (FCA), published a report in January titled 'Quantum Security for the Financial Sector: Informing Global Regulatory Approaches,' which estimates that the financial sector worldwide could invest up to $850 billion in the development of quantum technology over the next 30 years, up from $80 million in 2022.

Sebastian Buckup, member of the executive committee of WEF, said in the report: “The quantum era is fast approaching, and we need a global public-private approach to address the complexities it will introduce.”

While the timeline is uncertain, 60% of regulators surveyed for the report expect quantum computing to significantly impact the industry within seven years. Financial institutions, on the other hand, expect disruption in the industry in 10 years.

Recognising the threat to financial systems and consumers, the report stressed the need for a “harmonised approach to quantum security” involving regulators and industry stakeholders.

“The financial sector relies heavily on encryption to protect sensitive information, the exposure of which could cause significant harm to consumers and markets,” said Suman Ziaullah, head of technology, resilience and cyber at FCA, in the report.

Sebastian Buckup, Member of the Executive Committee, WEF

Suman Ziaullah, Head of Technology, Resilience and Cyber at FCA

US standards agency releases post-quantum encryption standards; MAS experiments with Quantum Key Distribution

Countries at the forefront of quantum technology research and development have already taken action to thwart cybersecurity threats.

In early August, the National Institute of Standards and Technology (NIST) of the US Department of Commerce released the first three finalised post-quantum encryption standards.

In 2016, the NIST formally solicited proposals for quantum-resistant cryptographic algorithms from cryptographers worldwide, selecting four for standardisation and releasing three last month.

The first group of encryption tools was designed to withstand the assault of future quantum computers, which could hack into the security of commonly used digital systems such as email and online banking. ML-KEM safeguards data shared on public networks; ML-SDA defends digital signatures used for identity authentication, and SLH-DSA serves as backup encryption in case ML-DSA vulnerabilities arise.

The fourth standardised encryption algorithm developed by IBM, and called FALCON is scheduled to be released late in 2024.

In an August 13 statement, NIST urged computer system administrators to immediately adopt the first three encryption standards even as it evaluates new algorithms to be prepared for attacks.

In the same month, the Monetary Authority of Singapore (MAS) signed an agreement with four banks—DBS, HSBC, OCBC, and UOB—and two technology firms to study how Quantum Key Distribution (QKD) can protect data transfers.

QKD is a secure communication method for exchanging cryptographic keys that are only known between shared parties.

In the coming months, the MAS and participating banks will experiment with QKD solutions jointly provided by tech partners SPTel and SpeQtral in three areas.

First, they will conduct a proof-of-concept sandbox to evaluate the viability of QKD solutions to financial services. Second, validate the security properties of QKD to prevent unauthorised access. Third, the participants will acquire the necessary skills to implement quantum security solutions.

The collaboration follows other quantum-related initiatives over recent months. In February, the MAS advised financial institutions on cybersecurity risks associated with quantum technology and provided safeguard recommendations. In July, MAS also launched a quantum track under its Financial Technology and Sector Grant Scheme, for which it committed an additional SGD 100 million to support financial institutions building quantum projects and capabilities.

Vincent Loy, assistant managing director (technology) at MAS) said the technology trials would help shape policies on technology and cyber risk management.

Vincent Loy, Assistant Managing Director (Technology), MAS

For partner banks DBS, HSBC, and OCBC, the MAS-led experiment on QKD is in line with their own forward-looking initiatives to safeguard the financial sector against the dangers of the nascent technology.

“In particular, by participating in the development of QKD use cases, we are not only enhancing our defences but also setting new standards for future-proofing our financial systems against bad actors seeking to exploit encryption technology,” said Eugene Huang, group chief information officer at DBS, about the trials.

And Tancy Tan, chief operating officer at HSBC Singapore, said: “Singapore is demonstrating once more to be forward thinking in the exploration and testing of cutting-edge technologies, bolstering the nation’s reputation as a secure and stable financial hub.”

Eugene Huang, Group Chief Information Officer, DBS

Tancy Tan, Chief Operating Officer, HSBC Singapore

Praveen Raina, head of group operations and technology at OCBC, said its partnership with MAS in the experiment supports its talent and infrastructure development agenda in relation to quantum computing. “Quantum technology holds immense potential and relevance for the financial sector especially in mitigating cybersecurity risks. Recognising this, on top of partnering with the wider industry, we are taking proactive steps to invest in talent and infrastructure capabilities in this area.”

For Albert Kho, head of group retail and channels technology and operations at UOB, quantum computing “brings exciting opportunities to elevate the banking experience” so the bank is committed to build a data exchange network resistant to the assault of quantum computers in the future.

Praveen Raina, Head of Group Operations and Technology, OCBC

Albert Kho, Head of Group Retail and Channels Technology and Operations, UOB

BIS proves viability of a quantum-safe financial system

The Switzerland-based Bank for International Settlements (BIS) is another institution leading the research and discussion on the transition to quantum-safe financial systems. In June 2023, BIS announced the conclusion of Project Leap, which proved the viability of a quantum-safe financial system.

The BIS Innovation Hub's Eurosystem Centre launched Project Leap to prepare central banks and the global financial system for the transition to quantum-resistant encryption.

The report on the first phase, "Project Leap: Quantum-proofing the financial system," provides a comprehensive overview of the experiments and initial technical findings. In it, BIS acknowledged that while the timeline large-scale adoption of quantum computing is still uncertain, malicious entities can intercept and store encrypted data now, intending to decrypt it later when quantum computers become powerful enough, in so-called "harvest now, decrypt later" attacks.

Therefore, the financial sector should start a transition phase well in advance to enable the implementation of quantum-resistant encryption schemes.

Project Leap first established post-quantum cryptographic protocols between Banque de France and Deutsche Bundesbank. Then, test payment messages were sent through a quantum-resistant VPN tunnel between servers in Paris and Frankfurt to demonstrate the protection of critical financial data.

More than two central banks will join the project's second phase this year to investigate a more complex IT environment in preparation for real-world scenarios.

Another BIS initiative on quantum-resistant cryptography is Project Tourbillion, for which the BIS Innovation Hub in Switzerland successfully demonstrated that it’s possible to maintain customer privacy when paying with central bank digital currency (CBDC).

Privacy is one of the potential hindrances to the adoption of retail CBDCs because the information of payers like amounts paid and addresses are visible on the public chain, making exposure of identities possible.

Project Tourbillion tested a payment paradigm that keeps payer information private, but not for payees. For example, no merchant, bank, or central bank will receive the personal information of a customer. However, when the payment occurs, the bank receives the identity of the merchant and maintains its confidentiality. The central bank, meanwhile, can see the transaction amount, but it cannot see customer or merchant information.

Taking off from the findings in Project Leap, Project Tourbillion also successfully introduced quantum-proof cryptography to blind signatures, but further research is needed to find new cases and explore viability.

Journey to a quantum-secure economy

In about a decade’s time, industries and regulators worldwide would have to embark on an unprecedented task of transitioning to an economy that can withstand the assault of bad actors taking advantage of quantum technology.

The WEF report proposed four principles that will inform stakeholders' actions throughout this journey while avoiding fragmentation and increasing transparency. The first, reuse and repurpose, encourages the use of existing frameworks to address quantum security risks. For industries, this means following best practices, while for regulators, this means clarifying how frameworks apply to threats and identifying gaps.

Second, to establish non-negotiables, is to define the overarching requirements of industries and regulators to address security threats. These baseline requirements must be customer-focused, technology neutral, and aligned with best practices.

Third, increase transparency by exchanging information on strategies, best practices, and approaches that are evidence-based.

Fourth, avoiding fragmentation calls for cross-border collaboration to harmonise regulation and reduce vulnerabilities.

The report stressed, however, that the roadmap “should not be a race but a strategic journey, with sustained collaboration” among stakeholders worldwide.

“The migration to quantum-safe systems is an unprecedented task for all, so it is important for the community to take a holistic approach and consider multiple quantum-safe solutions to achieve defence in-depth,” Charles Lim, global head, quantum communications and cryptography at JPMorgan Chase & Co. was quoted as saying in the report.

Charles Lim, global head, quantum communications and cryptography, JPMorgan Chase

Quantum technology can make far-reaching changes across industries. In finance, it can transform our daily transactions and how we plan for the future. However, it also poses serious threats to the integrity of financial systems that keeps economies humming.

The conversation around quantum computing has already started in the past few years as governments seek to understand this strange new technology. Moving forward, a coordinated global effort is needed to ensure a secure transition into the so-called quantum era.