quantum Computing offers the ability to solve those kinds of problems much more quickly. I don't think we're gonna ever run into a quantum computer at your local target store when you buy your bag of chips and two cans of Coke, but where quantum computing will excel is in these really, really hard problems with many, many variables.
So if you look at a network like the, the Chips wire Network operated by the clearinghouse, where there are, you know, 40 or 50 participants, each of them have different positions. Each of them have ins and outs all day long. One of the reasons that that system works so well is because it can optimize the liquidity.
From the American Bankers Association, this is the A BA Banking Journal podcast. Welcome back. I'm Evan Sparks. Today's episode is presented by Intrafi's Banking with Interest Podcast, and we are talking about the future of payments, both near term, long term. What is going on in innovation in the payment space? There's obviously.
A lot of, a lot of things going on and payments change happens on a really long time horizon, but there are some really exciting developments that are out there in the payments industry that bankers need to be aware of. And so to talk with us about those, I have two two experts in the field. One is Peter taping. Peter is managing director of P Tap Advisory.
He's a board member of the Faster Payments Council and he was the project team lead for the Quantum Payments Project at nachas Payments Innovation Alliance. Peter, welcome to back to the show.
Thank you for having me
and one of our more recent guests, Steve Keneally. Steve is Senior Vice President for payments policy here at a BA and someone I go to to get when I, whenever I need to get marginally more smart than I, than I am, which is an easy thing because I'm not very smart on any payments, policy issues. So, Steve, welcome back.
Oh, thanks for having me on.
So I wanna start off by talking a little bit about quantum quantum payments. And I'm gonna get in way over my head here because, you know, I've got a, got a, some go back to my college physics classes here we've got you know, the basic concept of computer-based payments is, is this, you know, the binary bit of on or off.
And. I don't understand how it all works, but I know in the world of quantum computing, we're able to make decisions, make process information on a basis of the, the sub-atomic particles. And, and and I'm not going to torture our listeners by making them listen to me explain this anymore. So, Peter, why don't I throw it to you? Quantum computing, what's the, how does it work? And then we'll get a dig into how it affects affects banking.
I, I, I think we should let you go for another 30 minutes. I'd love to hear that conversation. Yeah. Hey, so you know, I I, I always preface this conversation to, to remind people that if they go back to pre-internet and somebody talk to them about internet banking, they would say, oh my God, we can't do that. Like, we don't understand it, right? And so quantum computing is a new technology. There are new concepts involved. You don't need to understand all of the concepts.
The most important thing. But, you know, piggybacking on your college physics class comment quantum computing is a form of computing that has become possible through the exploitation of quantum physics. And there are some characteristics in quantum physics that enable a quantum computer to operate on something called a qubit. Where you, you are correct. Today we operate on bits, which are ones and zeros. So imagine a qubit being more like a dimmer switch.
It can be a one or it can be a zero, or it can be any position in between at any given time. Suffice it to say, what quantum computing enables is it enables the solution of very hard problems and particular to payments. We rely heavily in payments, in digital payments on encryption. Encryption generally is symmetric encryption or asymmetric encryption. Asymmetric encryption counts on the fact that certain numbers are really hard to guess.
And traditional computers could take thousands or millions of years to guess. The keys involved in asymmetric key. Cryptography, quantum computing, when fully realized, will be able to make those guesses in a matter of minutes. And so that's the threat that quantum computing can pose to payments, particularly relative to cryptography. Quantum computing offers a whole lot of promise. We can create better models for managing liquidity across complex payment flows.
We can create, you know, we're all, anybody who has a 401k program is used to the to the Monte Carlo model, where we're gonna run your outcome in your retirement, you know, a thousand times and come up with what the average might be. Problems that are very difficult for traditional computers to process can potentially be solved more quickly with quantum computers. Yeah,
so I know we have talked on this podcast before with folks from our, you know, office of Innovation about, and, and, and with our cybersecurity experts about some of the scary challenges that quantum computing poses to bank cybersecurity and to our current defenses. If, if it's, if it gets a lot easier for the bad guys to break through, can you walk us through some of the, the positive use cases for quantum computing and payments.
I mean, we, we've, you know, talked about, we've been talking about faster payments for decades. We've been talking about how we can kind of navigate through some of these, you know. Did the eliminate some of the friction? Although I know in certain cases with the rise of certain kinds of fraud, we are like, well, let's bring some friction back in here.
But you know, we're talking about what are the what are the, some of the use cases for quantum computing in terms of accelerating in efficiency and innovation in the payment space?
Sure. So the problems that quantum computing excels at where, where it can solve those problems better than a traditional computer are problems that have many variables, and that there is an opportunity for optimization. And so earlier, I mentioned the concept of, of liquidity management. So if you look at a network like the, the Chips wire Network operated by the clearinghouse, where there are, you know, 40 or 50 participants, each of them have different positions.
Each of them have ins and outs all day long. One of the reasons that that system works so well is because it can optimize the liquidity. Today, that's a relatively difficult process for the existing computing to be able to manage, and so quantum computing. Quantum Computing offers the ability to solve those kinds of problems much more quickly. I recognize those are not directly related to payments.
Like, you know, I don't think we're gonna ever run into a quantum computer at your local target store when you buy your bag of chips and two cans of Coke. But you, you, where quantum computing will excel is in these really, really hard problems with many, many variables.
In one sense, I wonder to what extent does this affect the overall, the whole function of clearing where you have these, like central hubs of that information gets passed through. If you, if you can streamline the ability to process and analyze data, can you also distribute it?
Possibly you know, it turns out that one of the things that quantum computers are not good at are dealing with text and numbers. So we're never going to see a quantum computer acting as our word processor or replacing our Excel spreadsheet. Quantum computers don't have the concept of state, so they can't, they can't do. One third of a problem, stop and think about it, and then pick it up and do the next two thirds of the problem.
Once they start working out a problem, they gotta go all the way through. And so again, they work very well for very hard optimization problems. But I think we're still gonna see for most of what we do in payments, we're still going to be using traditional computing. I think where the opportunities exist are the, are, are those back office processes related to optimization?
The key for 99% of the bankers out there that are listening is, don't overthink this. You can get wrapped around the axle thinking about, you know, entanglement theory and interference and quibb versus qubits versus quidditch. But all what, what you really need to focus on is that the encryption you're relying on now. You're not gonna be able to rely on it in the next 3, 5, 7 years. And that's the other challenge.
There's no hard deadline like in Y 2K where you, where you have the timeline, where, you know, I have five years to get ready. So year five we'll do the study. Year four we'll hire the vendor. Year three we'll start implementing, and two we'll do the testing. There's, there's, there is that little bit of, of. Uncertainty out there with when this is going. Yeah.
That uncertainty can cause procrastination. Yeah. The, in in quantum computing land, we, we say that this threat will become evidence.
The point at which this threat will become evident is, is referred to as Y two Q, the, the year in which quantum computing becomes commercially viable to a point to create this threat to cryptography and, the there, Michael Moscow's been presenting at NSC and nist and part of the team that pulled together the post quantum quantum safe algorithms said that it's between 2030 and 2032, right? Five to seven years. But think about it. If it's 2030, we're already in 2025.
You don't have any money in this year's budget to do it. We're in April, so in the next two months, you're gonna have to come up with the money in the 2026 budget to do it. And one of the challenges of this is that encryption is always a two-sided game. I can encrypt things, but somebody else has to decrypt them. And so it truly is kind of a whole of industry activity that everyone needs to understand that this is a priority and then put in place.
A long-term strategy for getting from where we are today to getting to a point where we are operating in a quantum safe environment. The good news is it's not a hard cutover. Y 2K, we had no, we had no choice, right? Y 2K, January 1st, 2000 was going to happen no matter what we did, right? In this case, you can actually run traditional cryptography and quantum safe cryptography alongside each other for a period of time. Okay?
Yeah. All right. I wanna come back to this in just a second, but I'm gonna take a minute and thank our sponsor here. This episode is sponsored by Banking With Interest, a podcast from Intrafi, featuring in-depth analysis and insight into the policy changes reshaping the banking industry with insightful interviews and previews of pending policy challenges. The podcast is an essential listen for anyone connected to the financial services industry.
Banking With Interest is hosted by Rob Blackwell, an award-winning former journalist with more than two decades of experience as an expert on financial services policy, who's now Chief Content Officer and Head of External Affairs with Intrafi. You can find out more about the podcast and and how you can access it@Intrafi.com. That's I-N-T-R-A-F i.com. And thanks again to the Banking with Interest podcast from Intrafi for sponsoring this episode.
So coming back to this conversation on the one hand. We don't have a, we don't have a, this hard deadline, but on the other hand, we have an uncertain period in which someday quantum computing could break most banks', cryptography, and we don't encrypt. Most banks or de could figure out how to decrypt most banks you know, records and data. And we don't know when that is, but once it happens, it happens. So what's the so it sounds like the, the pressure should be on to.
Devote more attention to this on upfront rather than, you know, planning towards some future, you know, 20 32 deadline.
Yeah, and that's a real challenge for a lot of banks. 'cause a lot of banks when it comes to technology projects or compliance, you know, they operate because the regulators say you have to do X before y date. And so they do do the planning there. This is a case where, you know, you're, you're gonna have to get ahead of that. And what, what should you be doing versus what are you required to do? 'cause this hasn't filtered down to the US' regulatory agencies yet.
The G seven put out some guidance telling the World Central Banks," this needs to be on your priority list." We haven't seen any rules come out yet. I know nist, the National Institute of Standards, has been working on this for years, but they're not a bank regulatory agency, so I don't, Peter, is there any indication on when we might see rules or guidance on this?
I, I would think that you're gonna, you're gonna, you're gonna begin to see guidance that's asking you what you're doing about it. You're gonna see your regulators begin coming in your door and saying, Hey, what's your plan for relatively quickly? And, and here's my reasoning behind this nist, which you mentioned, NIST has already created, they've already blessed three or four or five. Post quantum algorithms, quantum safe encryption algorithms.
So the technology exists to have this quantum safe cryptography. By the way, quantum safe cryptography actually operates on traditional computers, right? So you don't need a quantum computer to run a quantum safe algorithm. What it means is that the algorithm is an algorithm that's harder for the quantum computer to guess, right? Harder to guess the keys. So you use a traditional computer, apply quantum safe cryptography, and your cryptography is safe from the threat of of quantum breach.
NIST came out with those with those algorithms FIPS federal Information Processing Standards the FIPS Group came out, and I, I don't, I have to tell you on this call, I don't know if it was FIPS or if it was nist, but somebody said that as guidance for the federal government, the federal government agencies should be quantum safe by. I think the number is 2032. I wanna make that analogy because if you remember the NIST Cybersecurity framework.
The NIST cybersecurity framework was not anything that was applied to banks. To Steve's point, NIST is not a banking regulatory agency. They can't tell banks to do anything. But then FIPs came out and FIPs said, Hey, federal government agencies, you all need to be operating under the NIST Cybersecurity Framework by a certain date. What happens is the regulators look at that and they're like, well, if this is good enough for.
All federal government agencies, which includes the Fed and the Bureau of Fiscal Service, then financial institutions. This is a great touchstone for perhaps how you should be behaving. And so in the early days around the NIST Cybersecurity framework, the regulatory activities really were reflected as your regulators showing up at your bank and saying. Have you reviewed the NIST cybersecurity framework and how do your policies map to that? So that's where it starts.
It starts with them asking questions. It doesn't start with them coming in and saying, are you quantum safe right now?
Oh, Peter, a follow up to that? So, so what would be a good answer in 2025 for a bank to give to an examiner that says, what are you doing about quantum computing threats?
You know, interesting, one of the things that we're trying to do in the project team and, and Steve is an active participant in the participant in the payments Innovation Alliance, quantum Payments team, project team. We we're really focused on awareness. We do a lot of these podcasts and a lot of, we've written a couple papers, we have resources available. NIST has resources available, CISA has resources available.
So I think directly answering your question, Steve, I. Today the best answer was B, we understand it's a problem. We've assigned someone the task of understanding what it is we need to do and in what timeframe we need to do it. I think that if a regulator came in in April or May of 2025, and that was your answer, you're gonna be ahead of probably 80% of the financial institutions out there.
I think Steve, maybe the one question that a bank should ask back, I, I, although I, I don't suppose I'd recommend it, is, you know, what are you doing on this? If, if the regulators are still waiting on guidance from, from, from a, from on high end if the examiners are still waiting from guidance on, on high end, their agencies.
It's, it's always a slippery slope asking a regulator a question like that.
Yeah. Yeah. How much of this Steve or Peter, how much of this for the community banks is gonna be at addressed by, at the vendor level for them. Community bank, CEO, or Chief Risk Officer who's being asked about this, or chief Information security officer. You know, how much of this is something that they need to deal with within the bank, and how much of this is something that they're gonna have to deal with at the core or some other security provider.
Yeah, great question. And for all banks, banks of all sizes, all the way up to JP Morgan Chase, they employ hundreds, thousands of service providers and the activities that you will undertake will largely be an inventory, meaning understanding where is it that we're using cryptography, and then based on that inventory a prioritization, what are my, where, where are my family? Where are the crown jewels, right? What are I trying to protect?
And then a prioritization of who is it that I need to talk to, to say where are we on this road towards being quantum safe? Earlier you said, Steve, like, what, what, what would be the best thing right now, 2025? You know, if the first step is that inventory and identifying who I need to talk to, then a pretty obvious second step is getting on the phone with your providers and saying, what's your plan?
Because some of your providers won't have one, and your question will start them down the path. I predict that many of the larger providers, the, the, the, the core processors, the payment providers, et cetera, et cetera, they have someone working on this already. But it would be good for you to know that.
Yeah, and like with any big projects, when you're dealing with the core already vendors, it's good to be at the top of the line and not at the end of the line when it comes to getting changes implemented by them.
So start those conversations early, especially if you're relying on them to help you understand and navigate these challenges.
Yeah, and, and you know, this is mu much of what will change will be behind the scenes. It will be networking kind of stuff. But I don't know if you recall, I don't know if either of you are old enough to be back When the internet came out and we had HTTP and it was several years before we had H-T-T-P-S. Yes, right. Which added the, the, the, the cryptography around protecting the channel.
When that happened, there were many conversations about, well, how slow will my connection get as every packet is being encrypted and decrypted. We don't have any of those conversations anymore. We just assume it works. We bought enough hardware, et cetera, et cetera. And so I think this is one of those projects that we'll get a ton of visibility until everything gets in place, and then everyone will just assume it exists.
Yeah. Yeah. And sort of the, the, the other concern, you know, the nightmare scenario was sort of the, the zombie breach where you may have been breached five years ago or somebody else may have been breached, that has your customer's personal information, and they weren't able to decrypt that that file. When Quantum comes around, maybe they will be able to, to harvest that data that was actually stolen five years ago. Right. So that's something else.
" Peter Tapling: Harvest now, decrypt later." Is well, what this is referred to as in, in, in the risk business. But yeah, any breach that you've read about in the newspaper where they said, we stole, you know, X hundreds of thousands of customer records, where the response from the party that was breached was, well, it's okay because it was all encrypted. That is potentially at risk now, remember?
The, the quantum risk that we're talking about to cryptography is around asymmetric key cryptography. Most data at rest is encrypted using a symmetric algorithm. But the symmetric keys are almost always protected using an asymmetric. Package. Right? A asymmetric key package. So it's, it's a, it's, it could be far more complicated, but yes, there is a harvest now decrypt later threat.
And so, you know you certainly don't want to be one of the parties that gets breached, and you don't want to be in a position of saying, oh, well, you know, we're gonna be quantum safe. And because we're quantum safe, all that data that was breached in the past is now safe. That's not true. If it was breached earlier.
Well, Steve or Peter, any concluding thoughts before we end the conversation today?
I would say I, I'm gonna give ho Oh, go ahead. I'm gonna, I'm gonna go, I'm gonna give homework to every banker on the phone, which is go ask somebody in your organization, what are we doing relative to quantum computing?
I think that's exactly it with the idea being, how are you going to answer the bank examiner when they ask, what are you doing about this? Have you assigned somebody to, to be responsible? Have you talked to your cores? Have you started doing any budget planning for 26, 27, 28? You know, ha, have an answer. And more importantly, start, start preparing. I.
I haven't done any of those things, but I have listened to a really good podcast episode about the subject, so, you know.
Well, there you go. We have one now. Right? I, I will say that the all of the work that we're doing with the Quantum Payments project team at the Alliance is freely available for download at alliance.nacha.org.
Perfect. I was gonna, I was gonna plug that to go check out, check out the, the great report from Peter's, Peter's working group. That was something that was very informative for me. I, we also have resources on quantum computing on@aba.com in our Office of Innovation area. I. And then there are resources on, on how quantum computing affects the affects cybersecurity and cryptography from the financial services information sharing and analysis center at fsisac.com.
So a lot of resources out there for bankers who are, who want to be able to go to answer the question, what are you doing about quantum quantum computing in the near term? Thanks again to both of you for being on the show today. Thanks to our listener, or thanks to our, our sponsor for this episode banking With Interests, a podcast from Intrafi.
We you can find this episode in previous episodes at aba.com/banking journal, and you can find all the, of the other additional resources that we talked about at, at on, on aba.com as well while linked to several of them on the show notes for this pa for for this show. Thanks so much for listening and we'll be back with you again very soon.