April 24, 2025 • 22 mins
Quantum computing is an entirely new way of processing information, and it has the power to solve extremely difficult computational problems much more quickly than binary computers. As the technology continues to advance, the latest episode of the ABA Banking Journal Podcast — sponsored by Intrafi’s Banking with Interest — explores how payments and banking might be affected by the technology. Among other topics, the episode addresses:
- Applications for quantum computing in liquidity management and other complex payment and settlement chains.
- The risks quantum computing poses to current encryption technology and the timeframe over which current encryption might be compromised.
- The emergence of “quantum-safe cryptography.”
- The risk of decryption quantum computing poses to data harvested in past breaches.
- Emerging regulatory expectations for quantum computing-related risk management.
This episode is presented by Intrafi’s Banking with Interest.
Resources:
- Nacha’s report on quantum computing and payments
- FS-ISAC podcast on post-quantum cryptography
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Peter Tapling (00:01):
quantum Computing offers the ability to solve those
kinds of problems much more quickly.
I don't think we're gonna ever runinto a quantum computer at your local
target store when you buy your bagof chips and two cans of Coke, but
where quantum computing will excelis in these really, really hard
problems with many, many variables.
(00:22):
So if you look at a network like the,the Chips wire Network operated by
the clearinghouse, where there are,you know, 40 or 50 participants, each
of them have different positions.
Each of them have insand outs all day long.
One of the reasons that thatsystem works so well is because
it can optimize the liquidity.
Evan Sparks (00:40):
From the American Bankers Association, this is the
A BA Banking Journal podcast.
Welcome back.
I'm Evan Sparks.
Today's episode is presented by Intrafi'sBanking with Interest Podcast, and
we are talking about the future ofpayments, both near term, long term.
What is going on in innovationin the payment space?
There's obviously.
A lot of, a lot of things going on andpayments change happens on a really
(01:03):
long time horizon, but there are somereally exciting developments that are
out there in the payments industrythat bankers need to be aware of.
And so to talk with us about those,I have two two experts in the field.
One is Peter taping.
Peter is managing directorof P Tap Advisory.
He's a board member of the Faster PaymentsCouncil and he was the project team
lead for the Quantum Payments Projectat nachas Payments Innovation Alliance.
(01:27):
Peter, welcome to back to the show.
Peter Tapling (01:30):
Thank you for having me
Evan Sparks (01:31):
and one of our more recent guests, Steve Keneally.
Steve is Senior Vice President forpayments policy here at a BA and someone
I go to to get when I, whenever I need toget marginally more smart than I, than I
am, which is an easy thing because I'm notvery smart on any payments, policy issues.
So, Steve, welcome back.
Steve Kenneally (01:47):
Oh, thanks for having me on.
Evan Sparks (01:49):
So I wanna start off by talking a little bit
about quantum quantum payments.
And I'm gonna get in way over my headhere because, you know, I've got a, got a,
some go back to my college physics classeshere we've got you know, the basic concept
of computer-based payments is, is this,you know, the binary bit of on or off.
(02:11):
And.
I don't understand how it all works,but I know in the world of quantum
computing, we're able to make decisions,make process information on a basis
of the, the sub-atomic particles.
And, and and I'm not going totorture our listeners by making them
listen to me explain this anymore.
So, Peter, why don't I throw it to you?
Quantum computing, what'sthe, how does it work?
(02:33):
And then we'll get a dig intohow it affects affects banking.
Peter Tapling (02:38):
I, I, I think we should let you go for another 30 minutes.
I'd love to hear that conversation.
Yeah.
Hey, so you know, I I, I alwayspreface this conversation to, to
remind people that if they go back topre-internet and somebody talk to them
about internet banking, they wouldsay, oh my God, we can't do that.
Like, we don't understand it, right?
And so quantum computingis a new technology.
(03:00):
There are new concepts involved.
You don't need to understandall of the concepts.
The most important thing.
But, you know, piggybacking on yourcollege physics class comment quantum
computing is a form of computingthat has become possible through
the exploitation of quantum physics.
(03:21):
And there are some characteristicsin quantum physics that enable
a quantum computer to operateon something called a qubit.
Where you, you are correct.
Today we operate on bits,which are ones and zeros.
So imagine a qubit beingmore like a dimmer switch.
It can be a one or it can be azero, or it can be any position
(03:41):
in between at any given time.
Suffice it to say, what quantum computingenables is it enables the solution of very
hard problems and particular to payments.
We rely heavily in payments, indigital payments on encryption.
Encryption generally is symmetricencryption or asymmetric encryption.
(04:05):
Asymmetric encryption counts onthe fact that certain numbers
are really hard to guess.
And traditional computers could takethousands or millions of years to guess.
The keys involved in asymmetric key.
Cryptography, quantum computing, whenfully realized, will be able to make
(04:26):
those guesses in a matter of minutes.
And so that's the threat that quantumcomputing can pose to payments,
particularly relative to cryptography.
Quantum computing offersa whole lot of promise.
We can create better models for managingliquidity across complex payment flows.
We can create, you know, we're all,anybody who has a 401k program is used
(04:50):
to the to the Monte Carlo model, wherewe're gonna run your outcome in your
retirement, you know, a thousand times andcome up with what the average might be.
Problems that are very difficultfor traditional computers to process
can potentially be solved morequickly with quantum computers.
Yeah,
Evan Sparks (05:07):
so I know we have talked on this podcast before with folks from our,
you know, office of Innovation about,and, and, and with our cybersecurity
experts about some of the scary challengesthat quantum computing poses to bank
cybersecurity and to our current defenses.
If, if it's, if it gets a lot easierfor the bad guys to break through,
can you walk us through some ofthe, the positive use cases for
(05:29):
quantum computing and payments.
I mean, we, we've, you know,talked about, we've been talking
about faster payments for decades.
We've been talking about howwe can kind of navigate through
some of these, you know.
Did the eliminate some of the friction?
Although I know in certain caseswith the rise of certain kinds of
fraud, we are like, well, let'sbring some friction back in here.
But you know, we're talking aboutwhat are the what are the, some of
(05:52):
the use cases for quantum computingin terms of accelerating in efficiency
and innovation in the payment space?
Peter Tapling (05:58):
Sure.
So the problems that quantum computingexcels at where, where it can
solve those problems better than atraditional computer are problems that
have many variables, and that thereis an opportunity for optimization.
And so earlier, I mentioned theconcept of, of liquidity management.
So if you look at a network like the,the Chips wire Network operated by
(06:21):
the clearinghouse, where there are,you know, 40 or 50 participants, each
of them have different positions.
Each of them have insand outs all day long.
One of the reasons that thatsystem works so well is because
it can optimize the liquidity.
Today, that's a relatively difficultprocess for the existing computing to be
able to manage, and so quantum computing.
(06:43):
Quantum Computing offers theability to solve those kinds
of problems much more quickly.
I recognize those are notdirectly related to payments.
Like, you know, I don't think we'regonna ever run into a quantum computer
at your local target store when you buyyour bag of chips and two cans of Coke.
But you, you, where quantum computingwill excel is in these really, really
(07:05):
hard problems with many, many variables.
Evan Sparks (07:09):
In one sense, I wonder to what extent does this affect the overall,
the whole function of clearing whereyou have these, like central hubs of
that information gets passed through.
If you, if you can streamline theability to process and analyze
data, can you also distribute it?
Peter Tapling (07:26):
Possibly you know, it turns out that one of the things
that quantum computers are not goodat are dealing with text and numbers.
So we're never going to see a quantumcomputer acting as our word processor
or replacing our Excel spreadsheet.
Quantum computers don't have the conceptof state, so they can't, they can't do.
(07:47):
One third of a problem, stop and thinkabout it, and then pick it up and do
the next two thirds of the problem.
Once they start working out a problem,they gotta go all the way through.
And so again, they work very wellfor very hard optimization problems.
But I think we're still gonna see for mostof what we do in payments, we're still
going to be using traditional computing.
I think where the opportunities existare the, are, are those back office
(08:10):
processes related to optimization?
Steve Kenneally (08:14):
The key for 99% of the bankers out there that are
listening is, don't overthink this.
You can get wrapped around the axlethinking about, you know, entanglement
theory and interference and quibbversus qubits versus quidditch.
But all what, what you reallyneed to focus on is that the
encryption you're relying on now.
(08:36):
You're not gonna be able to relyon it in the next 3, 5, 7 years.
And that's the other challenge.
There's no hard deadline like inY 2K where you, where you have
the timeline, where, you know,I have five years to get ready.
So year five we'll do the study.
Year four we'll hire the vendor.
Year three we'll start implementing,and two we'll do the testing.
(08:59):
There's, there's, thereis that little bit of, of.
Uncertainty out therewith when this is going.
Yeah.
Peter Tapling (09:05):
That uncertainty can cause procrastination.
Yeah.
The, in in quantum computing land, we, wesay that this threat will become evidence.
The point at which this threat will becomeevident is, is referred to as Y two Q,
the, the year in which quantum computingbecomes commercially viable to a point
to create this threat to cryptographyand, the there, Michael Moscow's been
(09:30):
presenting at NSC and nist and part ofthe team that pulled together the post
quantum quantum safe algorithms saidthat it's between 2030 and 2032, right?
Five to seven years.
But think about it.
If it's 2030, we're already in 2025.
You don't have any money inthis year's budget to do it.
(09:52):
We're in April, so in the next twomonths, you're gonna have to come up with
the money in the 2026 budget to do it.
And one of the challenges of this is thatencryption is always a two-sided game.
I can encrypt things, butsomebody else has to decrypt them.
And so it truly is kind of a wholeof industry activity that everyone
(10:13):
needs to understand that this isa priority and then put in place.
A long-term strategy for gettingfrom where we are today to getting
to a point where we are operatingin a quantum safe environment.
The good news is it's not a hard cutover.
Y 2K, we had no, we had no choice, right?
Y 2K, January 1st, 2000 was going tohappen no matter what we did, right?
(10:37):
In this case, you can actuallyrun traditional cryptography and
quantum safe cryptography alongsideeach other for a period of time.
Okay?
Evan Sparks (10:46):
Yeah.
All right.
I wanna come back to this in justa second, but I'm gonna take a
minute and thank our sponsor here.
This episode is sponsored by BankingWith Interest, a podcast from
Intrafi, featuring in-depth analysisand insight into the policy changes
reshaping the banking industry withinsightful interviews and previews
of pending policy challenges.
The podcast is an essentiallisten for anyone connected to
the financial services industry.
Banking With Interest is hostedby Rob Blackwell, an award-winning
(11:07):
former journalist with more than twodecades of experience as an expert
on financial services policy, who'snow Chief Content Officer and Head
of External Affairs with Intrafi.
You can find out more about the podcastand and how you can access it@Intrafi.com.
That's I-N-T-R-A-F i.com.
And thanks again to the Bankingwith Interest podcast from Intrafi
for sponsoring this episode.
So coming back to thisconversation on the one hand.
(11:31):
We don't have a, we don't have a, thishard deadline, but on the other hand, we
have an uncertain period in which somedayquantum computing could break most banks',
cryptography, and we don't encrypt.
Most banks or de could figureout how to decrypt most banks
you know, records and data.
And we don't know when that is,but once it happens, it happens.
(11:52):
So what's the so it sounds likethe, the pressure should be on to.
Devote more attention to this on upfrontrather than, you know, planning towards
some future, you know, 20 32 deadline.
Steve Kenneally (12:05):
Yeah, and that's a real challenge for a lot of banks.
'cause a lot of banks when it comes totechnology projects or compliance, you
know, they operate because the regulatorssay you have to do X before y date.
And so they do do the planning there.
This is a case where, you know, you're,you're gonna have to get ahead of that.
And what, what should you be doingversus what are you required to do?
(12:26):
'cause this hasn't filtered downto the US' regulatory agencies yet.
The G seven put out some guidancetelling the World Central Banks," this
needs to be on your priority list." Wehaven't seen any rules come out yet.
I know nist, the National Instituteof Standards, has been working on
this for years, but they're not a bankregulatory agency, so I don't, Peter,
(12:48):
is there any indication on when wemight see rules or guidance on this?
Peter Tapling (12:53):
I, I would think that you're gonna, you're gonna, you're
gonna begin to see guidance that'sasking you what you're doing about it.
You're gonna see your regulators begincoming in your door and saying, Hey,
what's your plan for relatively quickly?
And, and here's my reasoning behindthis nist, which you mentioned, NIST
has already created, they've alreadyblessed three or four or five.
(13:14):
Post quantum algorithms, quantumsafe encryption algorithms.
So the technology exists to havethis quantum safe cryptography.
By the way, quantum safecryptography actually operates
on traditional computers, right?
So you don't need a quantum computerto run a quantum safe algorithm.
What it means is that the algorithmis an algorithm that's harder for
(13:35):
the quantum computer to guess, right?
Harder to guess the keys.
So you use a traditional computer,apply quantum safe cryptography,
and your cryptography is safe fromthe threat of of quantum breach.
NIST came out with those with thosealgorithms FIPS federal Information
Processing Standards the FIPS Group cameout, and I, I don't, I have to tell you
(13:58):
on this call, I don't know if it wasFIPS or if it was nist, but somebody
said that as guidance for the federalgovernment, the federal government
agencies should be quantum safe by.
I think the number is 2032.
I wanna make that analogy because if youremember the NIST Cybersecurity framework.
The NIST cybersecurity framework wasnot anything that was applied to banks.
(14:21):
To Steve's point, NIST is nota banking regulatory agency.
They can't tell banks to do anything.
But then FIPs came out and FIPs said,Hey, federal government agencies, you
all need to be operating under the NISTCybersecurity Framework by a certain date.
What happens is the regulatorslook at that and they're like,
well, if this is good enough for.
(14:41):
All federal government agencies, whichincludes the Fed and the Bureau of Fiscal
Service, then financial institutions.
This is a great touchstone forperhaps how you should be behaving.
And so in the early days aroundthe NIST Cybersecurity framework,
the regulatory activities reallywere reflected as your regulators
showing up at your bank and saying.
(15:01):
Have you reviewed the NISTcybersecurity framework and how
do your policies map to that?
So that's where it starts.
It starts with them asking questions.
It doesn't start with them coming in andsaying, are you quantum safe right now?
Steve Kenneally (15:14):
Oh, Peter, a follow up to that?
So, so what would be a good answerin 2025 for a bank to give to an
examiner that says, what are youdoing about quantum computing threats?
Peter Tapling (15:25):
You know, interesting, one of the things that we're trying to
do in the project team and, and Steve isan active participant in the participant
in the payments Innovation Alliance,quantum Payments team, project team.
We we're really focused on awareness.
We do a lot of these podcasts anda lot of, we've written a couple
papers, we have resources available.
NIST has resources available,CISA has resources available.
(15:48):
So I think directly answering yourquestion, Steve, I. Today the best answer
was B, we understand it's a problem.
We've assigned someone the task ofunderstanding what it is we need to do
and in what timeframe we need to do it.
I think that if a regulator camein in April or May of 2025, and
that was your answer, you're gonnabe ahead of probably 80% of the
(16:12):
financial institutions out there.
Evan Sparks (16:15):
I think Steve, maybe the one question that a bank should
ask back, I, I, although I, I don'tsuppose I'd recommend it, is, you
know, what are you doing on this?
If, if the regulators are stillwaiting on guidance from, from, from
a, from on high end if the examinersare still waiting from guidance
on, on high end, their agencies.
Steve Kenneally (16:33):
It's, it's always a slippery slope asking a
regulator a question like that.
Evan Sparks (16:37):
Yeah.
Yeah.
How much of this Steve or Peter,how much of this for the community
banks is gonna be at addressedby, at the vendor level for them.
Community bank, CEO, or Chief RiskOfficer who's being asked about this,
or chief Information security officer.
You know, how much of this is somethingthat they need to deal with within the
bank, and how much of this is somethingthat they're gonna have to deal with at
(16:58):
the core or some other security provider.
Peter Tapling (17:02):
Yeah, great question.
And for all banks, banks of all sizes,all the way up to JP Morgan Chase, they
employ hundreds, thousands of serviceproviders and the activities that you will
undertake will largely be an inventory,meaning understanding where is it that
we're using cryptography, and then basedon that inventory a prioritization,
(17:24):
what are my, where, where are my family?
Where are the crown jewels, right?
What are I trying to protect?
And then a prioritization ofwho is it that I need to talk
to, to say where are we on thisroad towards being quantum safe?
Earlier you said, Steve, like,what, what, what would be the
best thing right now, 2025?
You know, if the first step is thatinventory and identifying who I need to
(17:47):
talk to, then a pretty obvious secondstep is getting on the phone with your
providers and saying, what's your plan?
Because some of your providerswon't have one, and your question
will start them down the path.
I predict that many of the largerproviders, the, the, the, the core
processors, the payment providers,et cetera, et cetera, they have
someone working on this already.
(18:08):
But it would be good for you to know that.
Steve Kenneally (18:10):
Yeah, and like with any big projects, when you're dealing with
the core already vendors, it's good tobe at the top of the line and not at
the end of the line when it comes togetting changes implemented by them.
Evan Sparks (18:21):
So start those conversations early, especially if you're relying
on them to help you understandand navigate these challenges.
Peter Tapling (18:28):
Yeah, and, and you know, this is mu much of what will
change will be behind the scenes.
It will be networking kind of stuff.
But I don't know if you recall, Idon't know if either of you are old
enough to be back When the internetcame out and we had HTTP and it was
several years before we had H-T-T-P-S.
Yes, right.
(18:48):
Which added the, the, the,the cryptography around
protecting the channel.
When that happened, there were manyconversations about, well, how slow
will my connection get as every packetis being encrypted and decrypted.
We don't have any of thoseconversations anymore.
We just assume it works.
We bought enough hardware,et cetera, et cetera.
And so I think this is one ofthose projects that we'll get a
(19:11):
ton of visibility until everythinggets in place, and then everyone
will just assume it exists.
Steve Kenneally (19:18):
Yeah.
Yeah.
And sort of the, the, the other concern,you know, the nightmare scenario was
sort of the, the zombie breach whereyou may have been breached five years
ago or somebody else may have beenbreached, that has your customer's
personal information, and they weren'table to decrypt that that file.
When Quantum comes around, maybe theywill be able to, to harvest that data
that was actually stolen five years ago.
(19:41):
Right.
So that's something else.
" Peter Tapling (19:42):
Harvest now, decrypt later." Is well, what this is referred
to as in, in, in the risk business.
But yeah, any breach that you've readabout in the newspaper where they
said, we stole, you know, X hundredsof thousands of customer records,
where the response from the partythat was breached was, well, it's
okay because it was all encrypted.
That is potentially at risk now, remember?
(20:03):
The, the quantum risk that we'retalking about to cryptography is
around asymmetric key cryptography.
Most data at rest is encryptedusing a symmetric algorithm.
But the symmetric keys are almostalways protected using an asymmetric.
Package.
Right?
A asymmetric key package.
(20:24):
So it's, it's a, it's, it could be farmore complicated, but yes, there is
a harvest now decrypt later threat.
And so, you know you certainly don'twant to be one of the parties that
gets breached, and you don't want tobe in a position of saying, oh, well,
you know, we're gonna be quantum safe.
And because we're quantumsafe, all that data that was
breached in the past is now safe.
(20:44):
That's not true.
If it was breached earlier.
Evan Sparks (20:50):
Well, Steve or Peter, any concluding thoughts before
we end the conversation today?
Peter Tapling (20:54):
I would say I, I'm gonna give ho Oh, go ahead.
I'm gonna, I'm gonna go, I'm gonnagive homework to every banker on
the phone, which is go ask somebodyin your organization, what are we
doing relative to quantum computing?
Steve Kenneally (21:08):
I think that's exactly it with the idea being, how are you
going to answer the bank examiner whenthey ask, what are you doing about this?
Have you assigned somebodyto, to be responsible?
Have you talked to your cores?
Have you started doing anybudget planning for 26, 27, 28?
You know, ha, have an answer.
And more importantly,start, start preparing.
I.
Evan Sparks (21:29):
I haven't done any of those things, but I have listened
to a really good podcast episodeabout the subject, so, you know.
Peter Tapling (21:34):
Well, there you go.
We have one now.
Right?
I, I will say that the all of thework that we're doing with the
Quantum Payments project team atthe Alliance is freely available
for download at alliance.nacha.org.
Evan Sparks (21:47):
Perfect.
I was gonna, I was gonna plug that to gocheck out, check out the, the great report
from Peter's, Peter's working group.
That was something that wasvery informative for me.
I, we also have resources onquantum computing on@aba.com in
our Office of Innovation area.
I. And then there are resources on, onhow quantum computing affects the affects
cybersecurity and cryptography from thefinancial services information sharing
(22:08):
and analysis center at fsisac.com.
So a lot of resources out therefor bankers who are, who want to be
able to go to answer the question,what are you doing about quantum
quantum computing in the near term?
Thanks again to both of youfor being on the show today.
Thanks to our listener, or thanks toour, our sponsor for this episode banking
With Interests, a podcast from Intrafi.
(22:30):
We you can find this episode in previousepisodes at aba.com/banking journal,
and you can find all the, of the otheradditional resources that we talked
about at, at on, on aba.com as well whilelinked to several of them on the show
notes for this pa for for this show.
Thanks so much for listening and we'llbe back with you again very soon.
quantum Computing offers the ability to solve those
kinds of problems much more quickly.
I don't think we're gonna ever runinto a quantum computer at your local
target store when you buy your bagof chips and two cans of Coke, but
where quantum computing will excelis in these really, really hard
problems with many, many variables.
(00:22):
So if you look at a network like the,the Chips wire Network operated by
the clearinghouse, where there are,you know, 40 or 50 participants, each
of them have different positions.
Each of them have insand outs all day long.
One of the reasons that thatsystem works so well is because
it can optimize the liquidity.
Evan Sparks (00:40):
From the American Bankers Association, this is the
A BA Banking Journal podcast.
Welcome back.
I'm Evan Sparks.
Today's episode is presented by Intrafi'sBanking with Interest Podcast, and
we are talking about the future ofpayments, both near term, long term.
What is going on in innovationin the payment space?
There's obviously.
A lot of, a lot of things going on andpayments change happens on a really
(01:03):
long time horizon, but there are somereally exciting developments that are
out there in the payments industrythat bankers need to be aware of.
And so to talk with us about those,I have two two experts in the field.
One is Peter taping.
Peter is managing directorof P Tap Advisory.
He's a board member of the Faster PaymentsCouncil and he was the project team
lead for the Quantum Payments Projectat nachas Payments Innovation Alliance.
(01:27):
Peter, welcome to back to the show.
Peter Tapling (01:30):
Thank you for having me
Evan Sparks (01:31):
and one of our more recent guests, Steve Keneally.
Steve is Senior Vice President forpayments policy here at a BA and someone
I go to to get when I, whenever I need toget marginally more smart than I, than I
am, which is an easy thing because I'm notvery smart on any payments, policy issues.
So, Steve, welcome back.
Steve Kenneally (01:47):
Oh, thanks for having me on.
Evan Sparks (01:49):
So I wanna start off by talking a little bit
about quantum quantum payments.
And I'm gonna get in way over my headhere because, you know, I've got a, got a,
some go back to my college physics classeshere we've got you know, the basic concept
of computer-based payments is, is this,you know, the binary bit of on or off.
(02:11):
And.
I don't understand how it all works,but I know in the world of quantum
computing, we're able to make decisions,make process information on a basis
of the, the sub-atomic particles.
And, and and I'm not going totorture our listeners by making them
listen to me explain this anymore.
So, Peter, why don't I throw it to you?
Quantum computing, what'sthe, how does it work?
(02:33):
And then we'll get a dig intohow it affects affects banking.
Peter Tapling (02:38):
I, I, I think we should let you go for another 30 minutes.
I'd love to hear that conversation.
Yeah.
Hey, so you know, I I, I alwayspreface this conversation to, to
remind people that if they go back topre-internet and somebody talk to them
about internet banking, they wouldsay, oh my God, we can't do that.
Like, we don't understand it, right?
And so quantum computingis a new technology.
(03:00):
There are new concepts involved.
You don't need to understandall of the concepts.
The most important thing.
But, you know, piggybacking on yourcollege physics class comment quantum
computing is a form of computingthat has become possible through
the exploitation of quantum physics.
(03:21):
And there are some characteristicsin quantum physics that enable
a quantum computer to operateon something called a qubit.
Where you, you are correct.
Today we operate on bits,which are ones and zeros.
So imagine a qubit beingmore like a dimmer switch.
It can be a one or it can be azero, or it can be any position
(03:41):
in between at any given time.
Suffice it to say, what quantum computingenables is it enables the solution of very
hard problems and particular to payments.
We rely heavily in payments, indigital payments on encryption.
Encryption generally is symmetricencryption or asymmetric encryption.
(04:05):
Asymmetric encryption counts onthe fact that certain numbers
are really hard to guess.
And traditional computers could takethousands or millions of years to guess.
The keys involved in asymmetric key.
Cryptography, quantum computing, whenfully realized, will be able to make
(04:26):
those guesses in a matter of minutes.
And so that's the threat that quantumcomputing can pose to payments,
particularly relative to cryptography.
Quantum computing offersa whole lot of promise.
We can create better models for managingliquidity across complex payment flows.
We can create, you know, we're all,anybody who has a 401k program is used
(04:50):
to the to the Monte Carlo model, wherewe're gonna run your outcome in your
retirement, you know, a thousand times andcome up with what the average might be.
Problems that are very difficultfor traditional computers to process
can potentially be solved morequickly with quantum computers.
Yeah,
Evan Sparks (05:07):
so I know we have talked on this podcast before with folks from our,
you know, office of Innovation about,and, and, and with our cybersecurity
experts about some of the scary challengesthat quantum computing poses to bank
cybersecurity and to our current defenses.
If, if it's, if it gets a lot easierfor the bad guys to break through,
can you walk us through some ofthe, the positive use cases for
(05:29):
quantum computing and payments.
I mean, we, we've, you know,talked about, we've been talking
about faster payments for decades.
We've been talking about howwe can kind of navigate through
some of these, you know.
Did the eliminate some of the friction?
Although I know in certain caseswith the rise of certain kinds of
fraud, we are like, well, let'sbring some friction back in here.
But you know, we're talking aboutwhat are the what are the, some of
(05:52):
the use cases for quantum computingin terms of accelerating in efficiency
and innovation in the payment space?
Peter Tapling (05:58):
Sure.
So the problems that quantum computingexcels at where, where it can
solve those problems better than atraditional computer are problems that
have many variables, and that thereis an opportunity for optimization.
And so earlier, I mentioned theconcept of, of liquidity management.
So if you look at a network like the,the Chips wire Network operated by
(06:21):
the clearinghouse, where there are,you know, 40 or 50 participants, each
of them have different positions.
Each of them have insand outs all day long.
One of the reasons that thatsystem works so well is because
it can optimize the liquidity.
Today, that's a relatively difficultprocess for the existing computing to be
able to manage, and so quantum computing.
(06:43):
Quantum Computing offers theability to solve those kinds
of problems much more quickly.
I recognize those are notdirectly related to payments.
Like, you know, I don't think we'regonna ever run into a quantum computer
at your local target store when you buyyour bag of chips and two cans of Coke.
But you, you, where quantum computingwill excel is in these really, really
(07:05):
hard problems with many, many variables.
Evan Sparks (07:09):
In one sense, I wonder to what extent does this affect the overall,
the whole function of clearing whereyou have these, like central hubs of
that information gets passed through.
If you, if you can streamline theability to process and analyze
data, can you also distribute it?
Peter Tapling (07:26):
Possibly you know, it turns out that one of the things
that quantum computers are not goodat are dealing with text and numbers.
So we're never going to see a quantumcomputer acting as our word processor
or replacing our Excel spreadsheet.
Quantum computers don't have the conceptof state, so they can't, they can't do.
(07:47):
One third of a problem, stop and thinkabout it, and then pick it up and do
the next two thirds of the problem.
Once they start working out a problem,they gotta go all the way through.
And so again, they work very wellfor very hard optimization problems.
But I think we're still gonna see for mostof what we do in payments, we're still
going to be using traditional computing.
I think where the opportunities existare the, are, are those back office
(08:10):
processes related to optimization?
Steve Kenneally (08:14):
The key for 99% of the bankers out there that are
listening is, don't overthink this.
You can get wrapped around the axlethinking about, you know, entanglement
theory and interference and quibbversus qubits versus quidditch.
But all what, what you reallyneed to focus on is that the
encryption you're relying on now.
(08:36):
You're not gonna be able to relyon it in the next 3, 5, 7 years.
And that's the other challenge.
There's no hard deadline like inY 2K where you, where you have
the timeline, where, you know,I have five years to get ready.
So year five we'll do the study.
Year four we'll hire the vendor.
Year three we'll start implementing,and two we'll do the testing.
(08:59):
There's, there's, thereis that little bit of, of.
Uncertainty out therewith when this is going.
Yeah.
Peter Tapling (09:05):
That uncertainty can cause procrastination.
Yeah.
The, in in quantum computing land, we, wesay that this threat will become evidence.
The point at which this threat will becomeevident is, is referred to as Y two Q,
the, the year in which quantum computingbecomes commercially viable to a point
to create this threat to cryptographyand, the there, Michael Moscow's been
(09:30):
presenting at NSC and nist and part ofthe team that pulled together the post
quantum quantum safe algorithms saidthat it's between 2030 and 2032, right?
Five to seven years.
But think about it.
If it's 2030, we're already in 2025.
You don't have any money inthis year's budget to do it.
(09:52):
We're in April, so in the next twomonths, you're gonna have to come up with
the money in the 2026 budget to do it.
And one of the challenges of this is thatencryption is always a two-sided game.
I can encrypt things, butsomebody else has to decrypt them.
And so it truly is kind of a wholeof industry activity that everyone
(10:13):
needs to understand that this isa priority and then put in place.
A long-term strategy for gettingfrom where we are today to getting
to a point where we are operatingin a quantum safe environment.
The good news is it's not a hard cutover.
Y 2K, we had no, we had no choice, right?
Y 2K, January 1st, 2000 was going tohappen no matter what we did, right?
(10:37):
In this case, you can actuallyrun traditional cryptography and
quantum safe cryptography alongsideeach other for a period of time.
Okay?
Evan Sparks (10:46):
Yeah.
All right.
I wanna come back to this in justa second, but I'm gonna take a
minute and thank our sponsor here.
This episode is sponsored by BankingWith Interest, a podcast from
Intrafi, featuring in-depth analysisand insight into the policy changes
reshaping the banking industry withinsightful interviews and previews
of pending policy challenges.
The podcast is an essentiallisten for anyone connected to
the financial services industry.
Banking With Interest is hostedby Rob Blackwell, an award-winning
(11:07):
former journalist with more than twodecades of experience as an expert
on financial services policy, who'snow Chief Content Officer and Head
of External Affairs with Intrafi.
You can find out more about the podcastand and how you can access it@Intrafi.com.
That's I-N-T-R-A-F i.com.
And thanks again to the Bankingwith Interest podcast from Intrafi
for sponsoring this episode.
So coming back to thisconversation on the one hand.
(11:31):
We don't have a, we don't have a, thishard deadline, but on the other hand, we
have an uncertain period in which somedayquantum computing could break most banks',
cryptography, and we don't encrypt.
Most banks or de could figureout how to decrypt most banks
you know, records and data.
And we don't know when that is,but once it happens, it happens.
(11:52):
So what's the so it sounds likethe, the pressure should be on to.
Devote more attention to this on upfrontrather than, you know, planning towards
some future, you know, 20 32 deadline.
Steve Kenneally (12:05):
Yeah, and that's a real challenge for a lot of banks.
'cause a lot of banks when it comes totechnology projects or compliance, you
know, they operate because the regulatorssay you have to do X before y date.
And so they do do the planning there.
This is a case where, you know, you're,you're gonna have to get ahead of that.
And what, what should you be doingversus what are you required to do?
(12:26):
'cause this hasn't filtered downto the US' regulatory agencies yet.
The G seven put out some guidancetelling the World Central Banks," this
needs to be on your priority list." Wehaven't seen any rules come out yet.
I know nist, the National Instituteof Standards, has been working on
this for years, but they're not a bankregulatory agency, so I don't, Peter,
(12:48):
is there any indication on when wemight see rules or guidance on this?
Peter Tapling (12:53):
I, I would think that you're gonna, you're gonna, you're
gonna begin to see guidance that'sasking you what you're doing about it.
You're gonna see your regulators begincoming in your door and saying, Hey,
what's your plan for relatively quickly?
And, and here's my reasoning behindthis nist, which you mentioned, NIST
has already created, they've alreadyblessed three or four or five.
(13:14):
Post quantum algorithms, quantumsafe encryption algorithms.
So the technology exists to havethis quantum safe cryptography.
By the way, quantum safecryptography actually operates
on traditional computers, right?
So you don't need a quantum computerto run a quantum safe algorithm.
What it means is that the algorithmis an algorithm that's harder for
(13:35):
the quantum computer to guess, right?
Harder to guess the keys.
So you use a traditional computer,apply quantum safe cryptography,
and your cryptography is safe fromthe threat of of quantum breach.
NIST came out with those with thosealgorithms FIPS federal Information
Processing Standards the FIPS Group cameout, and I, I don't, I have to tell you
(13:58):
on this call, I don't know if it wasFIPS or if it was nist, but somebody
said that as guidance for the federalgovernment, the federal government
agencies should be quantum safe by.
I think the number is 2032.
I wanna make that analogy because if youremember the NIST Cybersecurity framework.
The NIST cybersecurity framework wasnot anything that was applied to banks.
(14:21):
To Steve's point, NIST is nota banking regulatory agency.
They can't tell banks to do anything.
But then FIPs came out and FIPs said,Hey, federal government agencies, you
all need to be operating under the NISTCybersecurity Framework by a certain date.
What happens is the regulatorslook at that and they're like,
well, if this is good enough for.
(14:41):
All federal government agencies, whichincludes the Fed and the Bureau of Fiscal
Service, then financial institutions.
This is a great touchstone forperhaps how you should be behaving.
And so in the early days aroundthe NIST Cybersecurity framework,
the regulatory activities reallywere reflected as your regulators
showing up at your bank and saying.
(15:01):
Have you reviewed the NISTcybersecurity framework and how
do your policies map to that?
So that's where it starts.
It starts with them asking questions.
It doesn't start with them coming in andsaying, are you quantum safe right now?
Steve Kenneally (15:14):
Oh, Peter, a follow up to that?
So, so what would be a good answerin 2025 for a bank to give to an
examiner that says, what are youdoing about quantum computing threats?
Peter Tapling (15:25):
You know, interesting, one of the things that we're trying to
do in the project team and, and Steve isan active participant in the participant
in the payments Innovation Alliance,quantum Payments team, project team.
We we're really focused on awareness.
We do a lot of these podcasts anda lot of, we've written a couple
papers, we have resources available.
NIST has resources available,CISA has resources available.
(15:48):
So I think directly answering yourquestion, Steve, I. Today the best answer
was B, we understand it's a problem.
We've assigned someone the task ofunderstanding what it is we need to do
and in what timeframe we need to do it.
I think that if a regulator camein in April or May of 2025, and
that was your answer, you're gonnabe ahead of probably 80% of the
(16:12):
financial institutions out there.
Evan Sparks (16:15):
I think Steve, maybe the one question that a bank should
ask back, I, I, although I, I don'tsuppose I'd recommend it, is, you
know, what are you doing on this?
If, if the regulators are stillwaiting on guidance from, from, from
a, from on high end if the examinersare still waiting from guidance
on, on high end, their agencies.
Steve Kenneally (16:33):
It's, it's always a slippery slope asking a
regulator a question like that.
Evan Sparks (16:37):
Yeah.
Yeah.
How much of this Steve or Peter,how much of this for the community
banks is gonna be at addressedby, at the vendor level for them.
Community bank, CEO, or Chief RiskOfficer who's being asked about this,
or chief Information security officer.
You know, how much of this is somethingthat they need to deal with within the
bank, and how much of this is somethingthat they're gonna have to deal with at
(16:58):
the core or some other security provider.
Peter Tapling (17:02):
Yeah, great question.
And for all banks, banks of all sizes,all the way up to JP Morgan Chase, they
employ hundreds, thousands of serviceproviders and the activities that you will
undertake will largely be an inventory,meaning understanding where is it that
we're using cryptography, and then basedon that inventory a prioritization,
(17:24):
what are my, where, where are my family?
Where are the crown jewels, right?
What are I trying to protect?
And then a prioritization ofwho is it that I need to talk
to, to say where are we on thisroad towards being quantum safe?
Earlier you said, Steve, like,what, what, what would be the
best thing right now, 2025?
You know, if the first step is thatinventory and identifying who I need to
(17:47):
talk to, then a pretty obvious secondstep is getting on the phone with your
providers and saying, what's your plan?
Because some of your providerswon't have one, and your question
will start them down the path.
I predict that many of the largerproviders, the, the, the, the core
processors, the payment providers,et cetera, et cetera, they have
someone working on this already.
(18:08):
But it would be good for you to know that.
Steve Kenneally (18:10):
Yeah, and like with any big projects, when you're dealing with
the core already vendors, it's good tobe at the top of the line and not at
the end of the line when it comes togetting changes implemented by them.
Evan Sparks (18:21):
So start those conversations early, especially if you're relying
on them to help you understandand navigate these challenges.
Peter Tapling (18:28):
Yeah, and, and you know, this is mu much of what will
change will be behind the scenes.
It will be networking kind of stuff.
But I don't know if you recall, Idon't know if either of you are old
enough to be back When the internetcame out and we had HTTP and it was
several years before we had H-T-T-P-S.
Yes, right.
(18:48):
Which added the, the, the,the cryptography around
protecting the channel.
When that happened, there were manyconversations about, well, how slow
will my connection get as every packetis being encrypted and decrypted.
We don't have any of thoseconversations anymore.
We just assume it works.
We bought enough hardware,et cetera, et cetera.
And so I think this is one ofthose projects that we'll get a
(19:11):
ton of visibility until everythinggets in place, and then everyone
will just assume it exists.
Steve Kenneally (19:18):
Yeah.
Yeah.
And sort of the, the, the other concern,you know, the nightmare scenario was
sort of the, the zombie breach whereyou may have been breached five years
ago or somebody else may have beenbreached, that has your customer's
personal information, and they weren'table to decrypt that that file.
When Quantum comes around, maybe theywill be able to, to harvest that data
that was actually stolen five years ago.
(19:41):
Right.
So that's something else.
" Peter Tapling (19:42):
Harvest now, decrypt later." Is well, what this is referred
to as in, in, in the risk business.
But yeah, any breach that you've readabout in the newspaper where they
said, we stole, you know, X hundredsof thousands of customer records,
where the response from the partythat was breached was, well, it's
okay because it was all encrypted.
That is potentially at risk now, remember?
(20:03):
The, the quantum risk that we'retalking about to cryptography is
around asymmetric key cryptography.
Most data at rest is encryptedusing a symmetric algorithm.
But the symmetric keys are almostalways protected using an asymmetric.
Package.
Right?
A asymmetric key package.
(20:24):
So it's, it's a, it's, it could be farmore complicated, but yes, there is
a harvest now decrypt later threat.
And so, you know you certainly don'twant to be one of the parties that
gets breached, and you don't want tobe in a position of saying, oh, well,
you know, we're gonna be quantum safe.
And because we're quantumsafe, all that data that was
breached in the past is now safe.
(20:44):
That's not true.
If it was breached earlier.
Evan Sparks (20:50):
Well, Steve or Peter, any concluding thoughts before
we end the conversation today?
Peter Tapling (20:54):
I would say I, I'm gonna give ho Oh, go ahead.
I'm gonna, I'm gonna go, I'm gonnagive homework to every banker on
the phone, which is go ask somebodyin your organization, what are we
doing relative to quantum computing?
Steve Kenneally (21:08):
I think that's exactly it with the idea being, how are you
going to answer the bank examiner whenthey ask, what are you doing about this?
Have you assigned somebodyto, to be responsible?
Have you talked to your cores?
Have you started doing anybudget planning for 26, 27, 28?
You know, ha, have an answer.
And more importantly,start, start preparing.
I.
Evan Sparks (21:29):
I haven't done any of those things, but I have listened
to a really good podcast episodeabout the subject, so, you know.
Peter Tapling (21:34):
Well, there you go.
We have one now.
Right?
I, I will say that the all of thework that we're doing with the
Quantum Payments project team atthe Alliance is freely available
for download at alliance.nacha.org.
Evan Sparks (21:47):
Perfect.
I was gonna, I was gonna plug that to gocheck out, check out the, the great report
from Peter's, Peter's working group.
That was something that wasvery informative for me.
I, we also have resources onquantum computing on@aba.com in
our Office of Innovation area.
I. And then there are resources on, onhow quantum computing affects the affects
cybersecurity and cryptography from thefinancial services information sharing
(22:08):
and analysis center at fsisac.com.
So a lot of resources out therefor bankers who are, who want to be
able to go to answer the question,what are you doing about quantum
quantum computing in the near term?
Thanks again to both of youfor being on the show today.
Thanks to our listener, or thanks toour, our sponsor for this episode banking
With Interests, a podcast from Intrafi.
(22:30):
We you can find this episode in previousepisodes at aba.com/banking journal,
and you can find all the, of the otheradditional resources that we talked
about at, at on, on aba.com as well whilelinked to several of them on the show
notes for this pa for for this show.
Thanks so much for listening and we'llbe back with you again very soon.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Therapy Gecko
An unlicensed lizard psychologist travels the universe talking to strangers about absolutely nothing. TO CALL THE GECKO: follow me on https://www.twitch.tv/lyleforever to get a notification for when I am taking calls. I am usually live Mondays, Wednesdays, and Fridays but lately a lot of other times too. I am a gecko.