<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Sultan’s Substack: Fintech & Financial Regulation]]></title><description><![CDATA[Analysis of banking regulation, crypto policy, FDIC and federal financial agency modernization, and the intersection of technology and financial system stability.]]></description><link>https://sultanmeghji.substack.com/s/fintech-and-financial-regulation</link><image><url>https://substackcdn.com/image/fetch/$s_!YFRa!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9860613-dd29-41c6-848c-960b1493f014_1280x1280.png</url><title>Sultan’s Substack: Fintech &amp; Financial Regulation</title><link>https://sultanmeghji.substack.com/s/fintech-and-financial-regulation</link></image><generator>Substack</generator><lastBuildDate>Fri, 08 May 2026 10:50:02 GMT</lastBuildDate><atom:link href="https://sultanmeghji.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Sultan Meghji]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[sultanmeghji@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[sultanmeghji@substack.com]]></itunes:email><itunes:name><![CDATA[Sultan Meghji]]></itunes:name></itunes:owner><itunes:author><![CDATA[Sultan Meghji]]></itunes:author><googleplay:owner><![CDATA[sultanmeghji@substack.com]]></googleplay:owner><googleplay:email><![CDATA[sultanmeghji@substack.com]]></googleplay:email><googleplay:author><![CDATA[Sultan Meghji]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Inside the Quantum Window]]></title><description><![CDATA[Why the people who could break Bitcoin 
aren't thinking about Bitcoin &#8212; and why that's the bad news.]]></description><link>https://sultanmeghji.substack.com/p/inside-the-quantum-window</link><guid isPermaLink="false">https://sultanmeghji.substack.com/p/inside-the-quantum-window</guid><dc:creator><![CDATA[Sultan Meghji]]></dc:creator><pubDate>Tue, 05 May 2026 13:09:21 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YFRa!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9860613-dd29-41c6-848c-960b1493f014_1280x1280.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>(Note: This is the first part of a multi-part rabbit hole I went down that led to the creation of a cookbook for a next-generation viewpoint on cryptocurrency, central banks and the future of digital value)</p><p>I served as the inaugural Chief Innovation Officer of the FDIC. The job teaches you one thing the policy schools can&#8217;t: financial systems do not fail the way their operators are ready for. They fail in the corner you didn&#8217;t game out. The credit shock is the one you priced. The run is the one you didn&#8217;t.</p><p>I left that role for reasons I&#8217;ve <a href="https://www.bloomberg.com/opinion/articles/2022-02-22/i-quit-as-fdic-innovation-chief-because-of-regulators-technophobia">written about elsewhere</a>. The discipline I took with me was simple: go back to first principles, demand evidence that&#8217;s been challenged in public, be honest about what your data can and can&#8217;t tell you. It&#8217;s why I&#8217;ve publicly said CAMELS ratings need a serious refresh. In Q3 2023 I pointed that discipline at digital money and didn&#8217;t like what I found.</p><p>The shorthand for the project I started afterwards is &#8220;an L1 I&#8217;ve been building.&#8221; I&#8217;ll name it in post three. 
For now what matters is the question I started from, and why it sent me back to first principles for three years.</p><p>The question was simple and unkind: what would a digital monetary system have to look like to survive across cryptographic regime change and if a central bank were to get behind it (without going down the central bank digital currency route)?</p><h2>What&#8217;s on the table</h2><ul><li><p>Bitcoin market cap: ~<code>$1.57T</code> (Apr 2026)</p></li><li><p>NIST FIPS 203 / 204 / 205 (post-quantum signatures and KEMs): finalized August 2024</p></li><li><p>The current best public CRQC estimates from the labs whose numbers I trust: a range, not a date. Center of the range, optimistic side, is uncomfortably close</p></li><li><p>&#8220;Q-Day&#8221; used in this series: the first day a cryptographically relevant quantum computer exists in private hands and is willing to use it</p></li><li><p>Working assumption in this series: the parties most likely to hold a CRQC first are not optimizing for Bitcoin&#8217;s market cap</p></li></ul><p>&#10086; &#10086; &#10086;</p><h2>The problem</h2><p>Bitcoin can&#8217;t survive cryptographic regime change. That&#8217;s not a slur, it&#8217;s a property. It&#8217;s the most-watched, least-upgradable cryptosystem in the world. Roughly a tenth of the supply sits in addresses whose public keys are already on chain in plaintext. The signing primitive &#8212; ECDSA over <code>secp256k1</code> &#8212; is one of the things a working quantum computer breaks first. The protocol governance is, charitably, slow. Less charitably, it ships a hard fork roughly never. The process to do so would come at the last minute, with lots of hand wringing and cause significant market chaos. None of this is news to anyone in the room. None of it is fixed.</p><p>The objection, if you&#8217;ve spent any time around this conversation, is &#8220;we have years.&#8221; I don&#8217;t think that&#8217;s true anymore. 
And the reason isn&#8217;t a paper.</p><p>Here&#8217;s the part I want you to read precisely.</p><p>The parties capable of fielding a cryptographically relevant quantum computer first &#8212; whichever ones get there, in whichever order, on whichever timeline &#8212; are not optimizing for the market cap of Bitcoin. They are optimizing for sovereign-scale advantage. Encrypted diplomatic cable archives. Banking system interception. Adversary code that has to stay secret for forty years. Digital regime change. Weapons telemetry. The list is long and Bitcoin is not on the front page of it. Bitcoin is collateral.</p><p>That sounds like good news for a Bitcoin holder. It is not.</p><p>Three reasons.</p><p>One. Once a CRQC exists for any of those other reasons, the Bitcoin attack becomes cheap. The capital expenditure was made for someone else&#8217;s problem. Cracking the coins out of pre-2010 P2PK addresses is a side project on the same hardware. <em>Cheap</em> is relative &#8212; these are not laptop programs &#8212; but the marginal cost line, once the platform exists, is well inside the upside.</p><p>Two. Harvest-now-decrypt-later already applies. Every transaction graph, every public key, every Groth16 proof published to a public chain since inception is in the harvest. A patient adversary doesn&#8217;t need to attack the network the day the machine boots. They need to wait until the machine boots. Recent AI advancements have already proven this point.</p><p>Three. The people who do hold this capability, if anyone does, are not signaling. Operationally, they cannot. Once they signal, every adversary&#8217;s encrypted backlog gets airgapped or rotated. The default state of a working CRQC, if one already exists, is silence. &#8220;We&#8217;re not there yet&#8221; is consistent with both worlds &#8212; <em>we are not there yet</em>, and <em>we are there and choosing not to say</em>. 
If you bet on the announcement, you&#8217;re betting the wrong direction.</p><p>Put those three together honestly and &#8220;we have years&#8221; stops being a forecast. It becomes a hope. I am not willing to design a monetary system around a hope.</p><p>That&#8217;s the window. It might already be closed and we wouldn&#8217;t necessarily know.</p><h2>The decision</h2><p>The decision I made three years ago, and that the rest of this series unpacks, is the one most projects defer: treat post-quantum resilience as a property of the whole stack, not a future migration.</p><p>This is unpopular for a reason. PQ primitives are slower, larger, less battle-tested, and more annoying to integrate. They eat block space. They make wallets harder to write. They make every elegant cryptographic shortcut twice as hard. People put them off because the deadline is hypothetical, the cost is real, and the next-quarter incentives reward shipping today.</p><p>The trade looks different if you take seriously that the deadline is not hypothetical, and that if the wrong week arrives, every signature you ever produced is retroactively reversible. Which is to say: every commitment you ever made, every payment, every proof of compliance, every privacy guarantee. All of it back on the table, retroactively, at the speed of whoever is decrypting first.</p><p>You don&#8217;t migrate out of that. You design around it from the start.</p><p>Here is the honest version of how far that gets you, today, April 2026.</p><table><thead><tr><th>Phase</th><th>Status (Apr 2026)</th><th>What it gives you</th></tr></thead><tbody><tr><td>Phase 1</td><td>Production</td><td><code>Groth16</code> for ZK, <code>BLS</code> for aggregation. Battle-tested. Performant. Not quantum-resistant. Acknowledged.</td></tr><tr><td>Phase 2</td><td>12&#8211;18 months out</td><td>Hybrid. Hash-based commitments alongside the existing proof system. Buys integrity through the migration window.</td></tr><tr><td>Phase 3</td><td>The destination</td><td>STARK-based or lattice-based ZK end-to-end. Larger proofs. Slower verification. Quantum-resistant.</td></tr></tbody></table>
<p>I will not pretend Phase 3 is finished. It is not. The cookbook on sultanismyname.com lays out exactly which primitives are production-ready as of this writing and which are 12 to 18 months out. There is real work between here and there. Anyone telling you otherwise is selling something. Launching an L1 is a non-trivial process. This is the first in a series of steps to not only do that but also make it work in a modern regulatory construct AND to operate as a replacement to fiat currencies in a central bank, post Bretton Woods, context.</p><p>What I will say is this. The architecture commits to it. The protocol does not have an ambiguous <em>we&#8217;ll figure it out</em> clause where the migration belongs. The migration is on the roadmap with a number next to it. That, structurally, is the difference.</p><h2>What the decision touches</h2><p>The thing I didn&#8217;t expect, three years ago, was how much else this single decision pulled in.</p><p>Once you take cryptographic regime change seriously, you can&#8217;t have a stability mechanism that depends on signatures being unforgeable forever. You have to design escalation rules that survive a primitive being broken. The rules have to be written down &#8212; in code, immutably &#8212; before the panic, because you cannot patch them during it. Which means the resolution waterfall has to be immutable. Which is the central-banking question. Which is the FDIC question, in different clothes.</p><p>Once you take it seriously, you can&#8217;t have privacy guarantees that decay when the proof system breaks. The privacy layer has to be designed for a proof system you will eventually swap out. Which forces compliance attestations onto the same migration path. Which is the regulatory-perimeter question.</p><p>Once you take it seriously, you can&#8217;t have an MEV story that depends on transaction ordering being tamper-proof under cryptographic assumptions you don&#8217;t trust across decades. 
So you build threshold-encrypted ordering with primitives chosen for the long arc.</p><p>Each of those is a post in this series. Each of those is a chapter in the cookbook. The thread connecting them is the one I started this post with: a digital monetary system has to fail well across cryptographic regime change, or it isn&#8217;t a digital monetary system. It&#8217;s a digital wager.</p><h2>See also</h2><p>This is post one of six.</p><ul><li><p><strong>Post 2 &#8212; Bagehot Was Right.</strong> Why every stablecoin failure is a failure of escalation, not of code. The five-layer stability regime, the bounded-dilution proof, why one specific number is the entire ballgame.</p></li><li><p><strong>Post 3 &#8212; Make the Waterfall Immutable Or Don&#8217;t Bother.</strong> What the FDIC actually does, and what crypto refuses to import. <em>The L1 gets a name in this post.</em></p></li><li><p><strong>Post 4 &#8212; Privacy and Compliance Aren&#8217;t Enemies.</strong> The view-key model, ZK compliance attestations, and what regulators actually object to (it isn&#8217;t privacy).</p></li><li><p><strong>Post 5 &#8212; The False Binaries.</strong> Five tradeoffs the industry treats as inviolable, plus a sixth &#8212; <em>deal with quantum later</em> &#8212; that has the same problem the others do.</p></li><li><p><strong>Post 6 &#8212; Money Without a Master Key.</strong> Hand-off to the long-form cookbook on sultanismyname.com, including the open problems I&#8217;m still arguing with myself about.</p></li></ul><h2>Closer</h2><p>I&#8217;m not selling a token in this series. There won&#8217;t be one to sell during the run of these posts and there isn&#8217;t an allocation to ask for at the end. If that changes I will tell you, in plain text, in the post where it changes, before the rest of the post.</p><p>Pick a recipe &#8212; even just the threat model in this post &#8212; and use it this week. 
If you run a stablecoin treasury, an exchange, a custody desk, a fund: the harvest-now-decrypt-later assumption is one your auditors should already be on. Print this post and hand it across the table. If your security review doesn&#8217;t have a post-quantum migration plan with a number next to it, you are running on hope.</p><p>Hope is not a forecast.</p><p>&#8212; Sultan</p>]]></content:encoded></item><item><title><![CDATA[The FDIC Finally Discovers Fire: A Crypto Awakening Three Years (or more) Too Late]]></title><description><![CDATA[How the FDIC's belated embrace of crypto &#8212; three years after Bitcoin adoption exploded &#8212; reveals systemic failures in federal financial regulatory technology modernization.]]></description><link>https://sultanmeghji.substack.com/p/the-fdic-finally-discovers-fire-a</link><guid isPermaLink="false">https://sultanmeghji.substack.com/p/the-fdic-finally-discovers-fire-a</guid><dc:creator><![CDATA[Sultan Meghji]]></dc:creator><pubDate>Tue, 24 Jun 2025 14:17:20 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!UQP0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F34f30909-735e-4304-955f-c88fc9184d80_1648x1230.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><em>Update for all my new subscribers:</em></p><ul><li><p><em>First off THANK YOU for subscribing, I hope you enjoy these posts!</em></p></li><li><p><em>Second, you&#8217;ll see content related to regulations (like this piece) in financial services, more broadly in FS, healthcare and a few other things &#8212; specifically I have a series on how I&#8217;ve radically optimized my life using AI</em></p></li><li><p><em>I love engagement, so please reach out if there&#8217;s something you&#8217;d like to see/hear</em></p></li></ul><p><em>Now on to the article</em></p><p></p><p>Well, well, well. Look who's finally decided to join the 21st century. 
The FDIC&#8212;that bastion of bureaucratic brilliance&#8212;has just issued new guidance saying banks can now engage in "permissible crypto-related activities" without begging for permission first. Acting Chairman Travis Hill declares they're "turning the page on the flawed approach of the past three years."</p><p><strong>The flawed approach of the past three years.</strong></p><p>Let me tell you about those three years.</p><p>I should know&#8212;I lived through them as the FDIC's first (and apparently last) Chief Innovation Officer, a role I occupied for exactly one year before throwing in the towel and writing what can only be described as a regulatory resignation letter that made headlines. <a href="https://www.bloomberg.com/opinion/articles/2022-02-22/i-quit-as-fdic-innovation-chief-because-of-regulators-technophobia">My Bloomberg op-ed, titled "Why I Quit as FDIC Innovation Chief: Technophobia,"</a> wasn't just a farewell&#8212;it was a eulogy for American financial leadership. 
Oh and yes I know they &#8216;announced&#8217; this in March, but here in June we&#8217;re still not seeing a lot of action so I don&#8217;t feel late, especially in regulatory terms&#8230;</p><h2>The Cave Paintings of Financial Regulation</h2><p>Picture this: You're tasked with explaining cryptocurrency to an agency where less than one-half of staff had a basic understanding of the technologies they regulate. Even senior officials&#8212;the people making the rules&#8212;are baffled by concepts like fintech, the dark web and even financial apps. It's like being asked to teach quantum physics to people who think electricity is witchcraft.</p><p>The resistance wasn't just to crypto&#8212;it was to <em>modernity itself</em>. I received pushback from staff in response to basic modernization efforts such as ending the use of fax machines and physical mail. FAX MACHINES. In 2021. While I'm trying to explain blockchain technology, these people are literally still sending documents via methods invented when disco was popular. My (often repeated) dad joke is that most of these people can&#8217;t even change the ring tones on their phones.</p><h2>The Great Crypto Standoff</h2><p>For three years, the FDIC treated cryptocurrency like that weird uncle at Thanksgiving&#8212;acknowledged its existence but kept it at arm's length, occasionally throwing suspicious glances and making everyone uncomfortable. Banks wanting to dip their toes in digital assets had to go through a bureaucratic obstacle course that would make Kafka weep&#8230; and to no end in process. </p><p>The 2022 guidance essentially required banks to ask "Mother, may I?" before doing anything crypto-related. It was regulatory helicopter parenting at its finest&#8212;the kind of risk-averse, innovation-crushing approach that makes China's central bank digital currency look like a stroke of genius by comparison.</p><p>And now? 
Now they've suddenly discovered that maybe, just maybe, treating the fastest-growing sector of finance like radioactive waste wasn't the smartest strategy.</p><h2>The Technophobic Bureaucracy</h2><p>In my Bloomberg piece, I called the federal bureaucracy "both hesitant and hostile to technological change" and warned that "America's global financial leadership is in jeopardy". That was in February 2022. Three years later, the FDIC is finally admitting I might have had a point.</p><p>The problem wasn't just ignorance&#8212;it was willful ignorance combined with institutional inertia. Something like 30% of different departments at FDIC have a majority of staff who are retirement eligible, meaning their planning horizon extends about as far as their next pension check based on their over $300,000 a year salary. You can't innovate for the future when half your workforce is mentally already on a golf course in Florida.</p><h2>The Caveman Analogy</h2><p>Explaining crypto to financial regulators in 2021-2022 was exactly like trying to explain the automobile to cavemen. Except worse, because at least cavemen were curious about new hunting techniques. These regulators looked at innovation the way cavemen might look at fire&#8212;simultaneously terrified and convinced it would burn down everything they'd spent decades treading water around.</p><p>"But what if people use Bitcoin for bad things?" they'd ask, apparently unaware that people have been using cash for bad things since cash was invented. "But what about consumer protection?" they'd worry, while simultaneously allowing payday lenders to operate with predatory rates that would make a medieval usurer blush. 
The US Treasury Department estimates that <strong><a href="https://www.paymentscardsandmobile.com/the-global-impact-of-money-laundering-in-2024/#:~:text=The%20Financial%20Action%20Task%20Force,tuned%20to%20our%20payments%20blog.">at least $300 billion is laundered annually</a></strong> in the US.</p><h2>The Real Cost of Institutional Cowardice</h2><p>While the FDIC was busy playing whack-a-mole with crypto innovation, Singapore was building a comprehensive digital asset framework. While our regulators were clutching their pearls over DeFi, the UK was positioning itself as a global crypto hub. We weren't just falling behind&#8212;we were actively sabotaging our own competitive position. And let&#8217;s not even get into the regulatory innovations in the UAE, the global home of crypto currently.</p><p>The "flawed approach" wasn't just about crypto policy&#8212;it was about a fundamental inability to adapt to technological change. We had an agency filled with lawyers over 50 trying to regulate technologies they couldn't even pronounce, let alone understand.</p><h2>Welcome to the Party, It's Only Half Over</h2><p>So here we are in 2025, with the FDIC finally admitting that maybe banks should be allowed to participate in the digital economy without filing Form 27-B in triplicate and waiting six months for approval. Better late than never, I suppose, though "late" doesn't quite capture the magnitude of this timing failure.</p><p>The new guidance is a step in the right direction, but let's not break out the champagne just yet. This is like finally getting indoor plumbing and acting like you invented the flush toilet. The rest of the world has been building crypto infrastructure while we've been debating whether blockchain is safe enough for our delicate financial system.</p><h2>The Trump Administration's Uphill Battle</h2><p>To be fair, the Trump administration is trying to course-correct this regulatory disaster. 
The Senate just passed the GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins) in a 68-30 vote, creating the first federal framework for stablecoins. Trump himself has said he wants stablecoin legislation on his desk before Congress breaks for its August recess, and there's genuine bipartisan momentum building.</p><p>But here's the kicker: this was supposed to be "the easiest crypto bill to pass," yet it took months to reach the Senate floor, failed once, and passed only after fierce negotiations. As Senator Cynthia Lummis admitted, "We thought it would be easiest to start with stablecoins. It has been extremely difficult. I had no idea how hard this was going to be."</p><p>The GENIUS Act is progress, but it's also a perfect example of how broken the system remains. We're celebrating the passage of basic regulatory clarity for stablecoins like it's the moon landing, when countries like Singapore established comprehensive crypto frameworks years ago. It's regulatory Stockholm syndrome&#8212;we've been trapped in bureaucratic paralysis for so long that any movement feels like victory.</p><p>And even this modest progress comes with controversy. Critics like Elizabeth Warren opposed the bill partly because of Trump's own crypto ventures, including his stablecoin USD1, arguing it creates conflicts of interest. The spectacle of senators debating whether the President should be allowed to profit from the very industry he's trying to regulate perfectly captures the absurdity of our situation.</p><h2>The Bottom Line</h2><p>Three years ago, I warned that American financial leadership was at risk because our regulators were more interested in protecting their bureaucratic fiefdoms than protecting America's competitive edge. The recent FDIC announcement and the GENIUS Act prove my point&#8212;we're finally doing what we should have done in 2021 (or earlier), except now we're playing catch-up in a race where everyone else got a head start. 
And Congress is moving at the pace we should expect (i.e., very slowly).</p><p>The FDIC's "green light" for crypto isn't innovation&#8212;it's an admission of failure. It's regulatory agencies finally acknowledging that maybe, just maybe, treating the future of finance like a contagious disease wasn't the brilliant strategy they thought it was.</p><p>But hey, at least they've stopped using fax machines&#8230; so has anything really changed that much?</p><p><em>tldr: no</em></p><div><hr></div><p><em>Sultan Meghji was the first Chief Innovation Officer at the FDIC, where he spent a year trying to drag financial regulation into the digital age before concluding that some missions are impossible. His resignation letter to Bloomberg became required reading for anyone interested in why American financial innovation moves at the speed of continental drift. He currently is CEO of Frontier Foundry, a privacy-focused AI firm.</em></p>]]></content:encoded></item><item><title><![CDATA[Comprehensive Banking Reform Act of 202X]]></title><description><![CDATA[An AI-generated banking reform bill &#8212; built using Auto-GPT from speeches, notes, and bank risk analysis &#8212; exploring what comprehensive U.S. 
banking system modernization could look like.]]></description><link>https://sultanmeghji.substack.com/p/comprehensive-banking-reform-act</link><guid isPermaLink="false">https://sultanmeghji.substack.com/p/comprehensive-banking-reform-act</guid><dc:creator><![CDATA[Sultan Meghji]]></dc:creator><pubDate>Thu, 01 Jun 2023 14:46:55 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YFRa!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9860613-dd29-41c6-848c-960b1493f014_1280x1280.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>So, the below was (97%) generated by Auto-GPT - I asked it to review a series of speeches, notes, emails and other pieces of digital content in my orbit over the last year. I then asked it to create a bill. So probably 50% of this is directly from me, things I&#8217;ve said or suggested, etc. etc. The other 50% come from a review of bank risk that I had a separate AI build last month (which at some point I should probably do something about).</p><ol><li><p>Can I just say how AMAZING the current AI + Open Source environments are? </p></li><li><p>I <strong>DO. NOT. ENDORSE.</strong> this as a formal recommendation. </p></li><li><p><strong>BUT WOW</strong> there are some great nuggets in there! </p></li><li><p>I&#8217;m very curious what you all think&#8230;</p></li></ol><p>&#8212;</p><p>BILL</p><p>To restructure and enhance the United States banking system, to create a more cohesive, proactive, and accountable banking industry, and for other purposes.</p><p>SECTION 1. SHORT TITLE</p><p>This Act may be cited as the "Comprehensive Banking Reform Act of 202X".</p><p>SECTION 2. DEFINITIONS</p><p>In this Act, the term "Bank" refers to any financial institution accepting deposits from the public.</p><p>SECTION 3. 
SEPARATION OF DIF FROM THE FDIC</p><p>(a) The Deposit Insurance Fund (DIF) shall be separated from the Federal Deposit Insurance Corporation (FDIC) and placed within the Federal Reserve System.</p><p>(b) Up to $1,000,000 in deposits shall be 100% covered. Deposits ranging from $1,000,000 to $5 million shall be covered pro-rata based on the balance sheet of the bank. Deposits exceeding $5 million shall not be covered. DIF passthrough insurance may be considered.</p><p>SECTION 4. EXAMINER UNIFICATION AND STANDARDIZATION</p><p>(a) All bank examiners shall be unified into a single organization, under the authority of a management board. The Board shall consist of the following members, who may only be seated upon Senate confirmation:</p><p>1.&#9;The Secretary of the Treasury (who shall serve as co-chair)</p><p>2.&#9;The Chair of the Federal Reserve Board (who shall serve as co-chair)</p><p>3.&#9;The Vice Chair for Examination of the Federal Reserve Board</p><p>4.&#9;Two State Banking Commissioners, voted on bi-annually by the aggregate of States&#8217; Banking Commissioners. If, by January 1 of a voting year, a slate is not presented to the Secretary of the Treasury or Chair of the Federal Reserve Board, the board co-chairs shall appoint 3 for that year. </p><p>5.&#9;The Comptroller of the Currency</p><p>6.&#9;The Director of the Consumer Financial Protection Bureau </p><p>7.&#9;Four senators from the Senate Banking Committee, no more than 2 of any one party at any time</p><p>8.&#9;Two Independent Board Directors, each serving staggered 2-year terms, no more than 1 of any one party at any time</p><p>(b) A standardized examination process for all banks shall be established, with tiers based on the percentage of U.S. deposits and loans. 
The top 20 banks in the United States shall be under daily enhanced examination and shall not increase their deposits or loan books by over 1% without pre-approval and a public hearing with the management board.</p><p>(c) Banks within the bottom 5% will be put under 'enhanced' examination and shall have two years to leave the bottom 5% tier or be required to sell until meeting the necessary requirements.</p><p>SECTION 5. DATA UPLOADS AND ANALYSIS</p><p>(a) All banks are required to facilitate automated daily data uploads, both standard and based on API requests from the relevant agency.</p><p>(b) Standard numerical analysis shall be performed daily, with both dashboards and automated reports of changes - internally and from external open source data, such as federal rates, put out in real-time.</p><p>(c) All banks with assets exceeding $20 billion are required to conduct automated quarterly balance sheet stress testing.</p><p>(d) Any change in balance sheet more than 1% shall be reported to the federal government within 3 hours of the discovery of that change. Failure to do so will result in significant penalties equal to or greater than the change in balance sheet.</p><p>SECTION 6. HUMAN CAPITAL MANAGEMENT</p><p>(a) Implement a comprehensive overhaul of policies regarding hiring, growth, and retention of human capital in banking institutions.</p><p>SECTION 7. CYBERSECURITY OPERATIONS</p><p>(a) Create a separate cyber operational program with regulatory and enforcement authority equal to other banking regulatory bodies, under the same board as defined in Section 4. 
This program will work in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Homeland Security (DHS) to provide a proactive cyber regulatory component.</p><p>(b) All banks shall be subject to an annual cybersecurity audit.</p><p>(c) A new rating system for organizations' cybersecurity measures and resilience will be created and implemented.</p><p>(d) Any incident that exposes any Personally Identifiable Information held by the bank, transactional data, balance sheet data, regulatory data or internal operating processes shall be reported within 24 hours of discovery. Failure to do so will result in significant penalties equal to or greater than 2% of the balance sheet of the bank.</p><p>SECTION 8. IMPLEMENTATION AND REGULATIONS</p><p>(a) The Federal Deposit Insurance Corporation (FDIC) is hereby dissolved. All authorities, duties, responsibilities, and functions of the FDIC, unless otherwise specified in this Act, shall be transferred to the Federal Reserve Board.</p><p>(b) The Federal Reserve Board is directed to promulgate necessary regulations to effectively assume the duties and functions transferred from the FDIC.</p><p>(c) The relevant regulatory authorities shall promulgate additional regulations to implement and enforce this Act.</p><p>(d) The Federal Reserve Board shall coordinate with other relevant agencies and bodies, as appropriate, to ensure the smooth transition of functions and duties from the FDIC. All FDIC staff shall be moved to the Federal Reserve Board or the Office of the Comptroller of the Currency, with no loss of role, benefits, compensation, or tenure.</p><p>SECTION 9. EFFECTIVE DATE</p><p>This Act shall take effect one year after the date of enactment.</p><p>SECTION 10. 
SEVERABILITY</p><p>If any provision of this Act or the application thereof to any person or circumstances is held invalid, the remainder of this Act or the application of such provision to other persons or circumstances shall not be affected thereby.</p>]]></content:encoded></item><item><title><![CDATA[Recent Acquisition Troubles Highlight Compliance and Risk Management Issues at SVB & Other Banks]]></title><description><![CDATA[Inside SVB's compliance failures: siloed data, missing KYC infrastructure, and a board culture that treated risk management as a cost center &#8212; and what it means for bank supervision reform.]]></description><link>https://sultanmeghji.substack.com/p/recent-acquisition-troubles-highlight</link><guid isPermaLink="false">https://sultanmeghji.substack.com/p/recent-acquisition-troubles-highlight</guid><dc:creator><![CDATA[Sultan Meghji]]></dc:creator><pubDate>Fri, 26 May 2023 19:48:56 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YFRa!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9860613-dd29-41c6-848c-960b1493f014_1280x1280.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Former Silicon Valley Bank (SVB) employees paint a bleak picture of the failed bank's operational difficulties, particularly in compliance and risk management areas.</p><p>In an interview conducted at the Association of Certified Anti-Money Laundering Specialists (ACAMS) meeting, it was revealed that the integration of SVB, a bank recently acquired by First Citizens Bank, has been a series of challenges. Many of these problems echo the troubles that traditional banks often encounter, including siloed data and outdated technology.</p><p>Despite SVB's reputation for innovation, the bank apparently grappled with the same issues as "old clunky banks." 
According to a senior source, it lacked a truly centralized Know Your Customer (KYC) data store, and struggled to overcome disjointed data systems. The Board of Directors reportedly did not prioritize compliance, which was seen as a "cost center," potentially exacerbating these issues.</p><p>The issues with SVB's Anti-Money Laundering (AML) risk management may indicate more systemic problems within the organization. The former coworker warned that "a bank with poor AML risk management is likely to have poor credit risk management too," hinting at deeper operational and structural issues.</p><p>The source further criticized the culture of noncompliance within the organization, stating, "If you can&#8217;t follow the procedure, you are likely ignoring company policy. When you ignore policy, that&#8217;s when you do things like breaking the law."</p><p>The repercussions of non-compliance are severe. The cost of remediation often dwarfs the initial penalty, a fact underscored by the source's claim that remediation costs can be "10X the cost of the fine itself."</p><p>The insider also alluded to some "skeletons" in the closet of MUFG/Union Bank, which has also been acquired by US Bank. These undisclosed issues are now inherited problems that the US Bank team will have to tackle, causing further consternation within the organization.</p><p>This unfolding situation underscores the importance of thorough risk assessments and well-planned, relevant operational procedures in the banking industry. As the issues with SVB and potentially MUFG/Union Bank continue to come to light, industry insiders will be watching closely to see how the acquiring banks manage these acquisitions and navigate the challenges ahead. 
Given the likelihood of more bank M&amp;A in the coming months, this does not bode well for either the acquiring banks or their customers.</p>]]></content:encoded></item><item><title><![CDATA[Emerging risks to the banking system]]></title><description><![CDATA[A formal response to the OCC's request for research: how crypto, AI, climate risk, and regulatory fragmentation are creating systemic vulnerabilities in U.S. banking &#8212; authored with Duke, GWU, and Joh]]></description><link>https://sultanmeghji.substack.com/p/emerging-risks-to-the-banking-system</link><guid isPermaLink="false">https://sultanmeghji.substack.com/p/emerging-risks-to-the-banking-system</guid><dc:creator><![CDATA[Sultan Meghji]]></dc:creator><pubDate>Fri, 03 Mar 2023 17:48:50 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!YFRa!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9860613-dd29-41c6-848c-960b1493f014_1280x1280.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1>OCC Solicits Research on Emerging Risks in the Banking System</h1><p><strong>Authors</strong>:</p><p><a href="https://www.linkedin.com/in/jimmie-lenz-5a80485/">Jimmie Lenz </a>- Duke University</p>
<p><a href="https://www.linkedin.com/in/sultanmeghji/">Sultan Meghji </a>- Duke University, Carnegie Endowment for International Peace, Bretton Woods Foundation (former Federal Deposit Insurance Corporation)</p><p><a href="https://www.linkedin.com/in/nick-s-reese/">Nick Reese </a>- George Washington University &amp; Department of Homeland Security</p><p><a href="https://www.linkedin.com/in/jack-speer-3908b710/">Jack Speer </a>- Johns Hopkins University, National Public Radio &amp; SAG-AFTRA</p><p><strong>Executive Summary:</strong></p><p>The 4 authors are excited to have seen the OCC call for papers as it relates to emerging risks in the banking system. These kinds of questions are key to the ongoing process of maintaining the most safe and sound banking system in the world, and maintaining the leadership of the United States in the global banking system. This is a massive question and we have tried to focus on a specific set of areas that we believe are both the most critical as well as the easiest to directly address inside of existing statutes and authorities for the OCC.&nbsp;</p><p><em><strong>Contents:</strong></em></p><ol><li><p>Executive Summary</p></li><li><p>Risk Context and Scalability</p></li><li><p>Changes in Risk Landscape</p></li><li><p>Changes in Banking Landscape</p></li><li><p>Communications</p></li><li><p>Cybersecurity</p></li><li><p>Quantum Computing</p></li><li><p>Artificial Intelligence&nbsp;</p></li><li><p>Conclusion</p></li></ol><p>1.
<em><strong>Executive summary</strong></em></p><p>We should first point out that there are a myriad of risks in the banking system already, and we specifically chose not to include them; in our opinion, they leave the system in a far more precarious place than most people realize. The strength of the full faith and credit of the United States of America has, until now, been more than enough to offset those risks. Today, it is the authors' view that we are beginning to see the limitation of that as an absolute and now more a function of an overall risk discussion that is not fully quantified or even understood in the sector.&nbsp;</p><p>Second, we feel that the overall banking and risk landscape are worth calling out in some degree of detail beyond purely the technical changes. From concentration risk, to geopolitical risk, to other macroeconomic trends, we see the landscape as being more in flux now than at any other point since the era of Bretton Woods at the end of the Second World War.</p><p>Third, we have specifically picked areas both of immediate need as well as those with timelines that require attention in the very near future. In terms of specific functional risks, we see the coming evolutions in Artificial Intelligence, Cybersecurity and Quantum Computing as most impactful in the medium and longer term.&nbsp;</p><p>Finally, we should highlight that we do not consider the current iteration of crypto as a strategic risk to the banking sector. Web3 will, without doubt, completely remake the technical landscape of the financial sector, but given the current White House programs (and we include the various regulatory bodies enforcement actions as an extension of that), we do feel it is worth including crypto in this document. Wholesale technology replacement will eventually happen, but broader shocks to the system as well as significant reallocation of resources will have to occur first.</p><p><em><strong>2.
Risk Context and Scalability</strong></em></p><p>Any call for papers on emerging risks to the financial sector will certainly contain references to technological risks, specifically issues such as quantum, cyber, and artificial intelligence (AI). Those three issues are in fact risks to the financial sector and are deserving of mention in any emerging risk conversation. To be certain, those three specific technologies are discussed here, but the distinguishing factor that makes this emerging risk discussion different from others is how convergence and context make those risks more specific and actionable. Further, the ability to model risk in a way that allows for a more accurate and timely view of how convergence and context impact emerging risks creates a novel approach reflective of the speed and complexity of the risk environment. Simply identifying cyber or quantum or AI as risks is too vague to be able to direct meaningful changes to OCC&#8217;s core mission functions. However, identifying specific risks on informed timelines creates space for planning, entrance into budget cycles, formation of partnerships, and research and development.</p><p>Great power competition (GPC) is a phrase often used but infrequently defined. It refers to the current geopolitical environment where emerging technology is the primary asset driving national policy decisions and expenditure of blood and treasure globally among nation-state powers. This era is defined by a constant state of cyber warfare, weaponization of information, exponential technology growth, and dynamic economic conditions. The combination of these four conditions drives an emerging risk environment that requires scalability to identify, analyze, and mitigate risk. The state of the geopolitical environment, including relationships between nation-states, is a dynamic issue with a direct correlation to, for example, the aggressiveness and volume of cyber risks.
This reality necessitates a risk approach that fully considers the context around current risks to aid in understanding emerging risks. That context includes the geopolitical environment but is incomplete without additional scalers covering the legal/regulatory environment and the state of the economy. Together, these three factors provide a broad context within which emerging risks can be identified and mitigation methods can be created and applied.&nbsp;</p><ol><li><p>Geopolitical Environment</p></li><li><p>Financial Legal/Regulatory Environment</p></li><li><p>Status of the Economy</p></li></ol><p>Putting risk in the proper context is a first step but is incomplete without the ability to apply adjustments that reflect real situations. The risk scalers can be thought of as defining the scale on which emerging risks can be plotted both in terms of level of risk of an activity and risk acceptance. How much risk a particular piece of technology may present to OCC is directly proportional to the geopolitical environment, financial legal/regulatory environment, and the status of the economy; all of which are dynamic factors. When deciding the level of risk presented by quantum computing, it is insufficient to base that assessment only on the status of the technology at that moment and a greater miscarriage to assume that initial risk assessment will continue to be valuable into the future. Instead, risk assessment must allow for changes to the context in which risk decisions are made. In this way, emerging risks can be evaluated over time with the understanding that how they evolve will change.&nbsp;</p><p>Emerging risk will mean something different a year from now than it does today, which is why risk should be evaluated on a scale that reflects the most important contextual factors and allows for adjustments as the context changes. To illustrate this thesis, the next two sections will review changes in the banking and risk landscapes. 
The three sections that follow will demonstrate how those landscapes combined with the scaler approach informs the perception of emerging risks. Finally, the last section will provide a proposal for OCC consideration to operationalize this approach.</p><p>While this section is mostly focused on the more emergent areas of Risk as it relates to the banking system, we also will, at various points, highlight more strategic macroeconomic risk. Key areas that will be highlighted include Global Reserve Currency, Financial Rails/Infrastructure, Strength of the US Dollar and Immigration.</p><p><em><strong>3. Change in the Banking Landscape</strong></em></p><p>The changes to the banking landscape over the last few years cannot be overstated. From the ongoing decrease in the number of banks, to the atrophied depository growth outside of the largest 50 banks, to the move to fintechs for consumer facing financial services, there is much in flight. Here we will focus on four specific areas of change that we think constitute the largest increases in risk:</p><ol><li><p>Workforce technical acumen and age. The aging workforces in the banking system (from the staff at the institutions, to the regulators to the legacy technology companies) are inexorably moving these institutions towards higher risk on a daily basis. The joke amongst the bankers was that 10 years ago the average age of a bank CEO was 65 and the bank chairman was 70, and today the bank CEO is 75 and the chairman is 80. While a hyperbolic joke, it is not too far from the truth. When workforce atrophies, it becomes a significant challenge to adjust to outside pressures, with technology being one specific area.&nbsp;</p></li><li><p>Legacy technology in the system and the dysfunctional nature of technology contracts. The vast majority of banking Cores in the system are &gt;10 years old. As such the cost to maintain, ability to maintain and integrate as well as broader cybersecurity risks are increasing on a daily basis. 
This, coupled with the prohibitive costs of the licensing contracts, their terms and a lack of investment in technology, leads to an ever-aging enterprise technology environment. Newer technologies are being used exclusively in fintech and crypto - the ability for &#8216;challenger cores&#8217; to launch is nearly non-existent. The significant concentration risk of 3 companies controlling over 85% of this market also cannot be overstated.&nbsp;</p></li><li><p>Investment outside of the banking system in banking services and technologies. Inside of the banking system, over 50% of the technology spend per year is on maintenance, not on new products, services or technologies. If you leave the banking system, banks are being significantly outspent by others in these same areas. For example, the Starbucks app holds a significant amount in deposits, but is not considered a bank or a fintech and is not regulated as one. Starbucks spends orders of magnitude more than most banks' entire IT budget on that app.&nbsp;</p></li><li><p>Massive growth in payment, credit and lending platforms outside of the banking system. The gray areas and cracks in the systems are being routinely exploited by non-bank players - from Buy Now Pay Later to a variety of payments platforms that are implied to be &#8216;compliant&#8217; but in most cases are only PCI compliant from one non-bank actor to another.&nbsp;</p></li></ol><p>4. <em><strong>Changes in Risk Landscape</strong></em></p><p>The concentration of commercial banks in the US, i.e.
the top 1% having the majority of deposits, poses significant risks to the financial system, which have been realized several times in just the past two decades.</p><p>Systemic Risk</p><p>A small number of large banks can pose systemic risks to the financial system if they experience distress.&nbsp; The failure of a single large bank can trigger a chain reaction and cause other banks to fail, leading to widespread economic crisis.</p><p>Too Big to Fail</p><p>The largest banks in the US are considered &#8220;too big to fail&#8221; because their failure would have significant negative impacts on the financial system and the broader economy.&nbsp; As a result, these banks may engage in risky behavior, knowing that the government is likely to bail them out in the event of crisis, i.e. TARP, PPP &#8220;loan&#8221; payments, etc.</p><p>Limited Competition</p><p>A concentration of banks limits competition in the industry, reducing true customer choice and potentially leading to higher prices and lower quality services.&nbsp; This has also led to increased market power for the largest banks, giving them the ability to set prices and influence market conditions, e.g. the current delta between 30 year mortgages and the 30 year Treasury.</p><p>Lack of Innovation</p><p>A lack of competition has stifled innovation in the banking industry.&nbsp; A few large banks dominate the market and are less inclined to invest in new technologies and services, since there is little or no customer choice. It should also be noted that the capabilities in local and regional economic development from smaller state banks far exceed those of the larger national banks and the overall lack of innovation is having a broader negative impact at the &#8216;main street&#8217; level.</p><p>Regulatory Capture</p><p>A concentration can lead to the risk of regulatory capture, where regulators are influenced by the largest banks and may be reluctant to enforce regulations.
This leads to lax oversight of the industry, misconduct, and fraud.</p><p>Overall, while a concentration of commercial banks in the US can provide certain benefits, such as economies of scale, this poses significant risks to the financial system and broader US economy.</p><p><em><strong>5. Role of Communications in Ameliorating Risk</strong></em></p><p>Systemic risk in global banking and financial markets is nothing new. In fact, risk caused by external shocks or unanticipated events is endemic within the system and has been around for decades. While emerging technologies may amplify risks, they are just one factor. For example, much is made of so-called &#8220;Black Swan&#8221; events popularized by author Nicholas Taleb. Taleb recounts the 1987 stock market crash as such an event. However, pressures had been building in the financial system for some time leading up to the market freefall, at the very least making such a crash more likely. And Taleb himself notes there are &#8220;narrated&#8221; Black Swan events&#8230; those already present in the current discourse. And the type &#8220;nobody talks about since they escape models.&#8221;</p><p>So,&nbsp; if we know such events are likely to occur at any given time, and in many cases, we have documented a high degree of likelihood, why is there still a lack of preparedness in place and what is the role of the communicative process in ameliorating risk?
This is an area where I believe OCC and other financial regulatory bodies need to be more intensely focused.</p><p>In their article for the Federal Reserve Bank of New York, &#8220;Cyber risk and the U.S. financial system: A pre-mortem analysis&#8221;, the authors note a cyber-attack could be &#8220;amplified&#8221; through the financial system, where &#8220;estimated spillovers of an attack on one of the five most active banks&#8230;impair 31% of the network on average&#8221; on any given day.&nbsp; The authors further state, &#8220;The top five most active banks in the payment system account for close to 50% of total payment.&#8221;</p><p>Hackers have stolen billions from banks, including the so-called &#8220;Bangladesh Bank Robbery&#8221;, where dozens of fraudulent instructions were carried out through the SWIFT network in 2016. While most were ultimately blocked by the Federal Reserve Bank of New York, more than $100mil of an estimated $1bil was illegally transferred to Sri Lanka and the Philippines, some of which remains unrecovered. Future heists with the advent of ever more powerful computing systems are virtually inevitable.</p><p>In his analysis &#8220;Threat and Risk: What is the Difference and Why Does it Matter?&#8221; David Strachan-Morris makes the argument that since 9/11 &#8220;the terms &#8216;threat&#8217; and &#8216;risk&#8217; have entered the daily lexicon to a greater extent than even before.&#8221;</p><p>So while a great deal has been written about financial risk and efforts to reduce such risk, much less time has been devoted to the reputational effects these types of incidents have on financial institutions. I would argue that communications and crisis preparedness play an important role in ameliorating some of the fallout from these events, in conjunction with continued hardening of existing systems and vigilance on the part of regulators including the OCC.&nbsp;</p><p><em><strong>6.
Cyber</strong></em></p><p>A cyberattack against an element of the financial sector is hardly an insightful analysis of risk, but being known makes it no less relevant. One defining characteristic of GPC is the constant state of cyber warfare between nation-state actors and their proxies. While it will come as no surprise that cyberattacks are, and will remain, significant risks of primary concern to OCC, the specificity and timing of cyberattacks are more important. Cyber actors may operate with the explicit material and policy support of nation-states, giving them access to sophisticated resources and safe harbor from which to launch attacks. Defenders are at more of a disadvantage than ever as they face threats from well-funded and resourced cyber actors, underscoring the importance of knowing when cyber threats are most likely and under what conditions.</p><p>An excellent example of applying this kind of risk scaling was the &#8220;Shields Up&#8221; campaign launched by the Cybersecurity and Infrastructure Security Agency (CISA) at the outset of Russia&#8217;s invasion of Ukraine. The messaging was that geopolitical events were such that cyberattacks against particularly valuable targets were increasingly likely. To be sure, the implication was not that normally organizations could exercise mediocre cybersecurity and at this particular moment needed to exercise world class cybersecurity. In a sense, the shields should always be up. However, this was a signal to cybersecurity professionals and leaders that the context changed and with it the risk.&nbsp;</p><p>Learning lessons from this campaign, OCC can designate specific and dynamic factors that define the context of its risk picture. Once the structure is built, an initial state of risk can be identified and serve as a baseline. When conditions change, the structure changes, providing a scalability to the risk picture that captures real conditions.
In the cyber context, the question is what forces are at play that might increase (such as Russia&#8217;s invasion of Ukraine) or decrease (such as the take down of LAPSUS$) the likelihood of a major coordinated cyberattack against the financial sector.&nbsp;</p><p>The second part of the picture is evaluating the convergence of other emerging technologies with cyber capabilities. Convergence is when two or more technologies combine to create a capability that is exponentially more powerful and impactful than any of them would alone. Cyber is particularly prone to significant swings in its risk perception due to geopolitical context and convergence.&nbsp;</p><p>Combining the risk scaler approach with a systematic evaluation of technology convergence makes the evaluation of emerging cyber risk actionable and operational. The strategic view of cyber as both an emerging and emerged risk is settled. The next frontier of emerging risk evaluation is how quickly risks can be recognized and actioned. This approach prioritizes action.</p><p><em><strong>7. Quantum</strong></em></p><p>Quantum information science (QIS) is a multidisciplinary scientific field that uses the properties of sub-atomic particles to represent and manipulate information. The specific field of quantum computing is an area of increasing innovation with the potential to create significant risk to the financial sector. A 2023 insight report published by the European Patent Office stated that the number of inventions in the field of quantum computing has multiplied over the last decade and that quantum computing inventions have outpaced all other fields of technology in terms of growth. A quantum computer of sufficient capacity, called a cryptanalytically relevant quantum computer (CRQC), will be able to break asymmetric encryption methods in common use for electronic communications and financial transactions.
While the risk to encryption is known, the context around the risk creates the true narrative of the nature of this emerging risk. A CRQC is a technology with state power implications that is emerging as a race between geopolitical competitors. A CRQC in the hands of an adversary would present one of the most significant cybersecurity challenges ever faced and following the pace of development for a CRQC is challenging and imperfect. China made quantum computing leadership a key point of its strategy as laid out in its 14th Five Year Plan. Specifically, China aims to be able to manipulate over a hundred coherent qubits by 2025. While that goal does not, by the most widely accepted estimates, get China a CRQC, there can be no doubt of its intent. A CRQC in the hands of an adversarial nation-state is rightly classified as an emerging risk, but understanding how and at what speed it is emerging takes a scalable approach.</p><p>China&#8217;s progress in creating a CRQC, and thus how it would impact the US financial system, is a product of the geopolitical environment and availability of accurate information. Chinese relationships with regional and global partners and its ability to acquire critical materials are key factors driven by the geopolitical environment. The quantum program in China is almost entirely state-run and includes a few select universities so what progress it self-reports will make an imperfect indicator of its true progress. Simply labeling quantum computing as a risk is vague and unhelpful to drive meaningful change in the financial system. Instead, quantum computing can be narrowed to the availability of a CRQC by an adversary nation before the transition to post-quantum algorithms is complete. That risk can be further defined by applying the relevant context and applying the relevant factors to understand more about the emergence of this risk. 
Consistent updating of the risk environment through adjustable scalers gives a more accurate, timely, and actionable risk picture. Over time, the risk scale and adjustments made can be plotted as a time series visualization providing a more accurate aggregate representation of quantum risk.</p><p><em><strong>8. Artificial Intelligence</strong></em></p><p>First a table-setting comment - there is no Artificial Intelligence in the banking system; in fact there is no artificial intelligence operational yet in our civilization. Artificial Intelligence is a category of a multitude of distinct technologies - from simple dynamic programming (which has been in the banking system since before the year 2000) to the most cutting-edge Natural Language Processing (like ChatGPT) and Machine Learning (such as is used in current state-of-the-art risk identification systems in the money laundering space). As another example, no artificial intelligence exists that is making significant quantifiable lending decisions. A far better descriptor would be advanced algorithms.</p><p>Second, over the coming years, we will see the largest expansion in the use of advanced algorithms in the banking sector. Those algorithms will mostly be consolidated into two categories of actors - first the fintechs scattered around the banking system, and second inside of the largest 100 banks in the United States. Those algorithms have a number of specific relevant uses:</p><ol><li><p>Automation of processes - in lieu of the legacy technology that no bank can afford to completely replace, and in a regulatory environment resistant to that kind of wholesale change, coupled with a significant human capital shortfall, we are seeing massive investment in these systems as automation tools. While the vast majority of these automations have highest value in the back office of banks, we are seeing them creep into the retail and front of the office side.
Automation of back office functions is fundamentally not risky, and in most cases actually decreases the risk by enforcing standardization of process (an example being more consistent math applied to SARs). On the retail or front of the office side, this is the inverse. Given that most of these technologies are coming from advertising and social media platforms, inherent bias is easy to diagnose. In the medium term, we expect to see significant differentials in customer identification, vetting and onboarding that bypass the existing regulatory guidance and standards and cause non-trivial impact to significant at-risk populations in the United States. In this case, AI is a &#8216;band aid&#8217; relative to the banks actually updating their Core systems to modern standards.</p></li><li><p>Customer interactions - the current massive expansion of natural language processing systems (like ChatGPT) has the opportunity to create another layer between customers and their institutions. Beyond the inherent technological capability bias that such a system implies, the lack of a thoughtful regulatory regime will leave most regulators in a position to simply not allow such systems - in essence throwing the baby out with the bathwater. Here we have a significant risk to ensuring equal, fair, equitable access to the banking system.</p></li><li><p>Identification of risk - the current manual risk management processes most banks employ in the United States are rife with issues - from simply missing things to the ability for the individuals responsible to knowingly allow activities in the banking system that should not be there. Utilizing AI to standardize the risk management processes and focus risk management staff on auditing of such activities ameliorates two significant issues. First, it appropriately improves the quality, consistency and efficiency of the risk management processes.
Second, it assists with the significant human capital shortfalls most banks are currently facing - and which will only get worse in the coming decades. Hostile actors are already making significant use of these technologies and, without them in use, the potential for hostile actors to have meaningful impact increases.</p></li><li><p>Deep fakes are currently being used in a variety of significant ways to gain access to the banking system - from impersonating customers (including one of the authors of this paper recently) to causing market volatility by inserting noise into social media platforms - an extension of the kinds of election interference we have seen over the last 15 years, but systematized, scaled and commoditized. It is now possible to deep fake someone with an investment in the hundreds of dollars. Imagine the scale of spam email, but applied across nefarious attempts to compromise bank accounts, and you get a sense of the potential medium term risk.</p></li></ol><p>Third, given the inability of a comprehensive policy set to come from the Executive and Legislative branches in the near term, the regulatory community will undoubtedly fall back on &#8216;regulation by enforcement&#8217; in the area of AI, making broad statements about the risks of using AI (similar to some of the guidance recently coming from the various regulatory bodies around crypto). However, unlike with crypto, with AI there are far broader positives that these technologies can apply. Above we highlighted 3 that we believe are the most relevant in terms of potentials for introducing risk - both if not done, but especially if done poorly. Regulating &#8220;AI&#8221; is both impossible and a waste of time. Our suggestion would be to work backwards from what success is considered&#8230; AI should not introduce any unmanaged new risk, and hopefully it should reduce risk. This lack of policy, and the potential for the federal government to misstep, is in and of itself a significant risk.
A set of smaller specific guidance actions, such as requiring any algorithm that makes a credit or lending decision to be both &#8216;deterministic&#8217; and &#8216;transparent&#8217;, would do far and away more good than a broad regulation on not using &#8220;AI&#8221; for credit or lending decisions.</p><p>As a bit of a tangent - we specifically used the words Algorithm, Deterministic and Transparent. Determinism says that all events in a system are ultimately determined by causes regarded as external to the will - which would limit the ability for bias to be included in such a system (we do not feel the need to define algorithm or transparent as they are broadly obvious; we do not know how many philosophy majors would read this document). Determinism is key - it creates in the builders of such technologies as we are discussing here a design requirement. A parallel would be in security by design - the type of encryption is (broadly) irrelevant as long as it is secured, complies with standards and is auditable. The same we think will be true here - standards around AI will eventually be built - in this window where they do not yet exist, outcomes-based rules are a useful starting point.</p><p><em><strong>9. Conclusion</strong></em></p><p>Here the authors have attempted to lay out what, to us, are the most meaningful areas of potential risks in the system and coming in the medium term. In an attempt at brevity we have limited this document to its current length, but offer the opportunity in any forum requested to continue the discussion - especially in the areas of AI, Cyber &amp; Quantum. In all three cases, we see significant risk, but also significant opportunity to ameliorate risk and extend the capabilities of the banking system.</p><p>At a global level, we believe the greatest threats to the American banking system are the myriad ways in which the global economy is moving away from the US Dollar.
From the PRC&#8217;s moves to create retail and other consumer payments activities in Africa, to new financial hubs growing with a multi-currency worldview instead of one focused on the US Dollar as the dominant global reserve currency, we encourage all to ensure that innovation is allowed to flourish so that the US Dollar continues to be the currency of choice globally for countries and companies.</p><p>We applaud this project by the OCC and hope to see it and others in similar veins be successful.</p>]]></content:encoded></item></channel></rss>