Treasury Attestation in a Post-Quantum World

Published: April 2026 | 7 min read

Your custodian is preparing for post-quantum cryptography. JPMorgan, BNY Mellon, State Street are all evaluating ML-DSA-65. Your CFO and CISO are asking: when do we migrate?

"Post-quantum readiness is not optional. It's a supply chain requirement within 24 months."

The Quantum Threat

Treasury operations move billions daily through networks signed with ECDSA-256 and RSA-2048. Both are vulnerable to quantum attacks. Adversaries are recording SWIFT messages today, betting they'll have quantum capability in 10-15 years. Every settlement instruction sent today could be retroactively forged.

The Custodian's Timeline

JPMorgan is piloting post-quantum APIs now. BNY Mellon is publishing ML-DSA-65 compatibility guides. By 2028, custody networks will require post-quantum signatures. By 2030, legacy ECDSA/RSA will be deprecated. When your custodian flips the switch, RSA-signed settlement instructions will be rejected.

What You Must Do Now

Audit current cryptographic inventory and key expirations.
Contact your custodian and demand their post-quantum roadmap in writing.
Implement Sovereign Receipts for all settlement confirmations.
Plan hybrid-mode operations by Q3 2026.

Next: Read the Clearing House guide on Sovereign Receipts for settlements.