
How Financial Institutions Can Align Regulatory Compliance with Crypto Agility

Tim Callan, Chief Compliance Officer, Sectigo

The financial sector is well-known for its relentless focus on compliance and audit. This regulatory rigor has played a vital role in protecting the world’s most sensitive data, driving up trust in banking systems, and shielding consumers from fraud and operational risk. Yet, as the quantum frontier looms closer and the need for cryptographic agility intensifies, these very safeguards are emerging as unintended roadblocks to innovation and resilience.

Compliance: Friend or Foe of Crypto Innovation?

Today, banks and other financial institutions must prepare for the coming era of post-quantum cryptography (PQC), as quantum computers threaten to render legacy algorithms such as RSA and ECC obsolete. Leading bodies like NIST have outlined the timeline for cryptographic deprecation, and regulatory frameworks, from PCI DSS to ISO/IEC 27001 and DORA, are increasingly nudging banks to migrate toward quantum-resistant security.

Yet, regulatory ambiguity and legacy compliance processes are holding many financial institutions back. Standards and requirements for PQC are still evolving, and the lack of explicit guidance or certification frameworks forces compliance teams into a waiting game, weighing the risks of moving too soon and misaligning with future rules against falling behind and exposing customers to quantum threats.

Audits, Certification Bottlenecks, and Legacy Complexity

Banking compliance teams must validate every new cryptographic system through robust audits and, in many cases, obtain re-certification under standards such as FIPS 140-3 or ISO/IEC 19790. Integrating PQC into sprawling legacy environments introduces enormous complications. Cryptographic upgrades often break existing integrations, creating downstream issues across interconnected systems. Performance impacts, including increased latency or expanded key storage requirements, can also conflict with transaction speed regulations that financial institutions are bound to meet. On top of this, vendor ecosystems remain fragmented, with payment processors, cloud providers, and security vendors all pursuing different PQC support roadmaps, which further complicates compliance. The result is that even well-intentioned transitions frequently stall, as banks prioritize passing audits today over laying the groundwork for long-term crypto-agility.

Awareness, Budgeting, and Governance Gaps

As the quantum threat grows more immediate, many financial institutions recognize the need to act, but real progress is stalling for reasons that go beyond technical readiness. Despite public awareness of the coming cryptographic transition, substantial gaps remain in frontline knowledge, prioritization, and investment across financial organizations. According to recent data from Sectigo and Omdia’s State of Crypto Agility Report, only 28% of BFSI professionals are fully aware of NIST’s cryptographic deprecation plans, significantly lower than the 41% cross-industry average, and just 18% expect a significant PQC budget increase, far below the 39% average seen in other sectors. Additionally, compliance and audit constraints were cited as the number one barrier to progress by 72% of BFSI respondents, evidence that strict regulatory requirements can actually hamper essential upgrades. Coordination across legal, IT, and compliance departments remains critical, yet current governance and resource allocation often lag behind the growing quantum risk, threatening to widen the readiness gap even further.

Balancing Compliance and Innovation

To break the cycle of compliance-driven inertia, financial institutions can:

  1. Conduct a Cryptographic Inventory:
    Begin by thoroughly assessing and mapping all cryptographic assets, algorithms, certificates, and dependencies across your systems. Understanding where and how cryptography is used is critical to prioritize and plan upgrades effectively.
  2. Monitor Regulatory and Standards Developments:
    Stay actively informed on evolving guidelines and mandates from key bodies such as NIST, ISO, and industry-specific regulators. This helps ensure compliance and allows your teams to anticipate necessary adjustments well before deadlines.
  3. Pilot PQC Implementations in Non-Critical Environments:
    Test post-quantum algorithms and cryptographic agility tools in a sandbox or less critical systems first. This phased approach helps identify performance and compatibility issues with lower risk before enterprise-wide rollout.
  4. Establish Cross-Functional Collaboration:
    Break down silos by aligning legal, compliance, risk management, procurement, and IT/security teams on shared goals and responsibilities related to post-quantum readiness. This is often referred to as a Cryptographic Center of Excellence. Elevating PQC to a strategic priority with clear governance improves coordination and resource allocation.
  5. Engage Vendors and Align Procurement:
    Collaborate with technology and service providers to understand their PQC roadmaps and ensure their solutions support cryptographic agility needs. Incorporate PQC requirements in procurement and vendor assessment processes to sync external capabilities with internal strategy.
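One way to act on the inventory step above, as an added example that is not part of the article: a small classifier that takes inventory records (the constructed sample below stands in for a discovery-scan or CMDB export) and ranks them by quantum exposure, so that internet-facing key exchange protecting long-lived data is migrated first. The record layout, the ten-year retention threshold and the 0-3 priority scale are assumptions of this example.

```python
import re
from dataclasses import dataclass
# Factoring/discrete-log families: a cryptographically relevant quantum computer
# breaks all of them, whatever the key size. PQC = NIST FIPS 203/204/205 families.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "X25519", "ED25519"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass
class Asset:
    name: str             # system or certificate the record describes
    role: str             # "key_exchange", "signature" or "encryption"
    algorithm: str        # e.g. "RSA-2048", "X25519+ML-KEM-768", "AES-128"
    exposure: str         # "internet" or "internal"
    retention_years: int  # how long the protected data must stay confidential

def _families(algorithm):
    # "X25519+ML-KEM-768" -> {"X25519", "ML-KEM"}: split hybrids, drop sizes/curves
    return {re.sub(r"-(\d+|P\d+)$", "", p) for p in algorithm.upper().split("+")}

def classify(asset):
    """Return (status, priority); a higher priority means migrate sooner."""
    fams = _families(asset.algorithm)
    vulnerable = fams & QUANTUM_VULNERABLE
    if fams & PQC:  # a hybrid keeps a classical half, but the PQC half protects it
        return ("hybrid" if vulnerable else "pqc", 0)
    if asset.role == "encryption":
        # Symmetric keys are not broken outright; Grover roughly halves effective
        # strength, so 128-bit keys warrant review and 256-bit keys do not.
        m = re.search(r"-(\d+)$", asset.algorithm)
        return ("symmetric-ok", 0) if m and int(m.group(1)) >= 256 else ("symmetric-review", 1)
    if not vulnerable:
        return ("unrecognised", 1)  # an inventory gap to close before deciding
    if asset.role == "key_exchange":
        # Recorded traffic can be decrypted later, so internet-facing key exchange
        # protecting long-lived data (>= 10 years, an assumed threshold) is most urgent.
        urgent = asset.exposure == "internet" and asset.retention_years >= 10
        return ("quantum-vulnerable", 3 if urgent else 2)
    # Signatures: forgery needs the quantum computer at the time of the attack.
    return ("quantum-vulnerable", 2 if asset.exposure == "internet" else 1)

def prioritize(assets):
    """Rows of (name, algorithm, status, priority), most urgent first."""
    rows = [(a.name, a.algorithm, *classify(a)) for a in assets]
    return sorted(rows, key=lambda r: -r[3])

# Constructed sample records, standing in for a discovery-scan or CMDB export.
SAMPLE_INVENTORY = [
    Asset("online-banking TLS", "key_exchange", "ECDHE-P256", "internet", 10),
    Asset("ledger archive", "encryption", "AES-128", "internal", 25),
    Asset("payment message signing", "signature", "RSA-2048", "internet", 7),
    Asset("internal API mTLS", "key_exchange", "X25519+ML-KEM-768", "internal", 3),
]
```

Running `prioritize(SAMPLE_INVENTORY)` yields the ranked rows; feeding it the real inventory from step 1 gives the order in which the pilots of step 3 should be scheduled.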

The Quantum Turn Needs Compliance Reimagined

Compliance must evolve from a backstop into a driver of cryptographic innovation. As the quantum age accelerates, financial institutions that balance regulatory responsibility with technical agility will be best positioned to safeguard trust, ensure audit-readiness, and meet future-proof standards for customer protection. This means moving beyond mere compliance to embed crypto-agility into the core of security strategy, anticipating regulatory changes rather than reacting to them. Institutions that proactively invest in innovation and cross-functional collaboration will be more resilient to quantum-era threats and better equipped to maintain seamless, secure customer experiences. Ultimately, compliance and innovation must work hand-in-hand to protect the integrity and continuity of financial services organizations.

About Author:

Tim Callan has more than 20 years of experience in the SSL and PKI technology spaces, where he has become a respected figure shaping the standards and practices that govern digital trust. At Sectigo, Tim is the Chief Compliance Officer, where he leads the company’s conformance with industry and regulatory requirements, including browser root programs, WebTrust compliance, the CA/Browser Forum, and other critical governance bodies. His leadership has been instrumental in driving initiatives that deliver greater certificate agility, automation, and reliability to enterprises worldwide.

One of the founding members of the CA/Browser Forum and its current vice chair, Tim has long been at the center of key industry discussions that safeguard the secure operation of the internet. He is also the creator and co-host of Root Causes: A PKI and Security Podcast, the world’s most popular podcast dedicated to digital certificates and digital identity. With more than 500 episodes recorded to date, Tim provides IT and security professionals with accessible insights on evolving trends such as shortening certificate validity terms, automation in certificate management, and the transformational impact of post-quantum cryptography.
