All posts

Fintech Regulatory Brief

What Your Bank Examiner Will Ask About Post-Quantum Cryptography in 2027 — And How to Prepare Your Answers

June 30, 2026  ·  PQCClear  ·  9 minute read

Guidance arrives, examination questions follow within 12 to 24 months — and post-quantum cryptography is following that same pattern. In the final week of June 2026, the federal government published five interlocking policy documents that together create the most complete PQC migration mandate to date.

The Pattern Every Compliance Team Knows

Bank examiners do not wait for institutions to feel ready before asking hard questions. The pattern is consistent across every major cybersecurity development of the past decade — from cloud adoption to ransomware resilience to third-party risk management. Guidance arrives, examination questions follow within 12 to 24 months, and the institutions that prepared in advance look significantly better than those that waited.

Post-quantum cryptography is following the same pattern — and the pace accelerated dramatically in the final week of June 2026.

In eight days, the federal government published five interlocking policy documents that together create the most complete federal PQC migration mandate ever assembled. On June 22, President Trump signed Executive Order 14412, Securing the Nation Against Advanced Cryptographic Attacks, setting hard deadlines for civilian high-value assets. Two days later, OMB issued Memorandum M-26-15, Execution of the Migration to Post-Quantum Cryptography, which replaced M-23-02 as the operative civilian implementation guidance and published a detailed five-phase migration timeline running to 2035. The speed of M-26-15 — issued just two days after the executive order when 90 days were allowed — signals it was written alongside the order, not in response to it.

This is not a future problem. It is a current compliance posture question. And FFIEC examination guidance will follow.

Why PQC Is an Examination Issue Now — Not Later

The FFIEC Cybersecurity Assessment Tool and the IT Examination Handbook already contain the framework through which PQC will be assessed. Examiners do not need new PQC-specific guidance to ask about cryptographic risk management — it falls squarely within existing information security examination categories.

Examination area

Information Security Program

NIST finalized ML-KEM, ML-DSA, and SLH-DSA in August 2024. Algorithms at ≤112-bit security — including RSA-2048 and ECDSA P-256 — are deprecated after 2030 and disallowed after 2035.

Examination area

Third-Party Risk Management

Cryptographic practices are information security practices. CISA's PQC Product Categories List (Jan 23, 2026) gives examiners a framework to assess quantum-capable procurement.

Examination area

Business Continuity & Resilience

Harvest-now-decrypt-later is named an active threat in EO 14412: adversaries are “collecting United States information now, and decrypting it later.”

Examination area

Board & Senior Management Oversight

OMB M-26-15 states PQC migration “is not the sole responsibility of agency CIOs and CISOs.” No board-level discussion is a governance finding waiting to happen.

The Eight Questions Your Examiner Is Most Likely to Ask

Open each question to see what a strong answer looks like — and what to do this quarter to get there.

01Do you know what encryption algorithms your institution uses, where they're deployed, and what data they protect?

Good looks like

A documented cryptographic inventory — ideally in CBOM format — identifying every algorithm, the assets it protects, and data sensitivity/retention. Dated, version-controlled, with a named owner. CISA must publish minimum CBOM elements by March 19, 2027 — institutions starting now will be ahead of that standard.

Bad looks like

“We use industry-standard encryption” with no further documentation.

Do this quarter

Begin your cryptographic inventory. An inventory that exists before an examiner asks is far stronger evidence than one assembled under examination pressure.

02What is your PQC migration plan, and who owns it?

Good looks like

A risk-prioritized migration plan approved by senior management, aligned to the OMB M-26-15 five-phase framework, with a named migration lead and defined milestones toward the 2030/2031 deadlines.

Do this quarter

Designate your internal PQC lead and draft the plan skeleton — even a preliminary plan with an owner is credible evidence of awareness.

03How have you assessed the quantum readiness of your third-party vendors?

Good looks like

Dated assessment records for critical vendors — algorithms in use, a readiness score, and a documented reassessment cadence. Cryptographic practices are information security practices under existing TPRM guidance.

Do this quarter

Add quantum readiness questions to your vendor assessment process and run your most critical vendors through a first assessment cycle.

04How are you addressing harvest-now-decrypt-later risk for long-retention data?

Good looks like

A risk register entry quantifying HNDL exposure by data sensitivity and retention period — EO 14412 names this an active threat, so “we're waiting for quantum computers to exist” is no longer a defensible answer.

Do this quarter

Identify every data class that must remain confidential beyond five years and log the exposure in your risk register.

05Has your board been briefed on quantum risk?

Good looks like

Dated board materials showing the board has been informed of the risk, the executive order, and the migration plan. OMB M-26-15 states PQC migration “is not the sole responsibility of agency CIOs and CISOs.”

Do this quarter

Put PQC on the next board agenda and retain the briefing materials — the absence of any board-level discussion is a governance finding waiting to happen.

06Are you a federal contractor subject to the FAR PQC rule?

Good looks like

A completed audit of your federal contract portfolio, with legal review of the cryptographic requirements the proposed FAR rule will impose by December 31, 2030.

Do this quarter

Have legal and procurement inventory every federal contract — many institutions lack immediate visibility into this exposure.

07How crypto-agile are your systems — can you replace algorithms without disruption?

Good looks like

An honest assessment of which systems support algorithm replacement and which are hard-coded, with remediation flagged in the migration plan. RSA-2048 and ECDSA P-256 are deprecated after 2030 and disallowed after 2035.

Do this quarter

Ask each critical system owner one question: what would it take to swap the encryption? Document the answers.

08How will you align with the CISA CBOM standard when it arrives?

Good looks like

An inventory already maintained in a structured, automatable format that can be mapped to CISA's minimum elements when they publish by March 19, 2027 — not a spreadsheet that will need rebuilding.

Do this quarter

Choose a CBOM-compatible format for your inventory now, so the CISA guidance becomes a mapping exercise instead of a restart.

The Updated Regulatory Timeline Every Bank Should Track

  1. Aug 2024

    NIST finalizes FIPS 203, 204, 205

    PQC standard now established — migration can begin.

  2. Jan 2025

    CISA PQC initiative active

    Examiner benchmark for “current standards.”

  3. Jan 23, 2026

    CISA PQC Product Categories List published

    Defines “Widely Available” vs. “Transitioning” products.

  4. Jun 22, 2026

    Executive Order 14412 signed

    Board awareness expected immediately.

  5. Jun 24, 2026

    OMB M-26-15 issued

    Five-phase migration framework established.

  6. TodayYou are here

    Preparation window

    This is the window to build your examination-ready package before guidance arrives.

  7. Oct 2026 (120 days)

    Federal agencies submit PQC migration plans

    Model for institution plan structure.

  8. Mar 19, 2027

    CISA CBOM minimum elements guidance

    CBOM standard arrives — be ready before it does.

  9. 2027–2028

    FFIEC examination guidance expected

    Examiners will ask all eight questions above.

  10. Dec 31, 2030

    PQC key establishment deadline

    Hard deadline for federal contractor banks.

  11. Dec 31, 2031

    PQC digital signatures deadline

    All signing systems must be quantum-safe.

  12. 2035

    All remaining systems — full migration

    Final horizon for complete transition.

A Note for Community Banks and Credit Unions

Smaller institutions frequently say PQC compliance feels like a large-bank problem. That framing is incorrect in two ways. First, NCUA supervisory guidance follows FFIEC examination frameworks closely — credit unions face the same examination environment, tracking the same federal policy developments.

Second, community banks and credit unions are often more exposed to vendor cryptographic risk, relying more heavily on third-party core banking vendors and digital banking platforms. That makes vendor quantum readiness assessment a higher priority for smaller institutions — not a lower one.

How to Prepare Before Your Next Examination

You do not need to complete your PQC migration before your next examination. Examiners are looking for evidence of awareness, documentation, and a credible plan. The minimum examination-ready package:

  1. 01

    Cryptographic inventory covering your highest-sensitivity systems, in a standard format, dated and version-controlled.

  2. 02

    Migration plan approved by senior management, prioritized by risk, aligned to the OMB M-26-15 five-phase framework.

  3. 03

    Board briefing documentation showing the board has been informed of the risk, the executive order, and the plan.

  4. 04

    Vendor assessment records showing you've assessed — or begun assessing — critical vendors' quantum readiness.

  5. 05

    Risk register entry for harvest-now-decrypt-later exposure, quantified by data sensitivity and retention.

This package takes most institutions three to six months to assemble properly. Institutions that begin this quarter will have examination-ready documentation before 2027 examination cycles begin.

Get every fintech vendor examination-ready

PQCClear helps banks, credit unions, and payment processors assess the quantum readiness of every fintech vendor in their portfolio — generating a Quantum Readiness Score, a full CBOM, and an FFIEC and NCUA examination-ready report for each vendor.

Request access
FFIEC post quantum cryptography examinationbank examiner PQC questionsNCUA quantum cryptography examinationOCC post quantum cryptography guidancequantum readiness bank examinationPQC compliance community bank

This post represents the editorial analysis of PQCClear as of June 30, 2026. It should not be construed as legal advice. Financial institutions should consult legal counsel and compliance advisors regarding their specific examination obligations.

Key sources: Executive Order 14412 (whitehouse.gov, June 22, 2026); OMB M-26-15 (whitehouse.gov, June 24, 2026); NIST FIPS 203/204/205 (csrc.nist.gov, August 2024); CISA PQC Product Categories List (cisa.gov, January 23, 2026); NIST IR 8547 initial public draft (November 12, 2024).