MAS and Partners Unveil QKD Sandbox Technical Report: Quantum Security in Financial Services

29 Sep 2025 – The Monetary Authority of Singapore (MAS), together with four major banks (DBS, HSBC, OCBC, UOB) and tech partners SPTel and SpeQtral, has released a technical report detailing the results of a pioneering Quantum Key Distribution (QKD) sandbox in the financial sector.

This proof-of-concept (PoC) sandbox was initiated under an August 2024 Memorandum of Understanding (MoU) to evaluate QKD’s viability for securing financial communications. The sandbox builds on MAS’s broader quantum-safe agenda – earlier, MAS had advised banks on quantum cyber risks (February 2024) and even ran a cross-border post-quantum cryptography trial with Banque de France in 2024. Now, with this QKD experiment completed, MAS and its partners are sharing key findings and recommendations, marking a significant step in practical quantum-safe cybersecurity.

Scope and Objectives of the Sandbox

The QKD sandbox was designed to answer a fundamental question: Can quantum cryptography techniques like QKD be integrated into real-world banking IT systems to enhance security? The project had several objectives agreed upon by MAS and the participants: technical viability, security properties, integration and applicability, and skill development.

Key Participants

This effort was truly a multi-stakeholder collaboration. MAS provided regulatory oversight and convening power, while the four banks (DBS, HSBC, OCBC, UOB) contributed use cases and infrastructure at their data centers.

Technology was supplied by SpeQtral, a Singapore-based QKD tech company, and SPTel, a telco providing fiber network services (including access to Singapore’s National Quantum-Safe Network Plus, or NQSN+). Together, these players formed a working group to deploy and test QKD in a controlled, yet operationally realistic, environment.

Layered QKD Architecture

The sandbox architecture was built in layers, ensuring that QKD could be slotted into a familiar security stack. At the lowest level lay the QKD layer, consisting of specialized QKD devices and optical fiber links (dark fiber) for transmitting quantum signals (photons). On top of that was the Key Management System (KMS) layer, which receives raw keys generated by QKD hardware and handles their storage, relay, and delivery via standard APIs. Finally, the Secure Application Entity (SAE) layer sat at the top – this is where applications (e.g. file encryption tools, VPN software) request keys from the KMS and perform cryptographic functions like encryption/decryption.

In practical terms, each participating bank and MAS set up a QKD rack in a secure on-premise data center, containing the QKD hardware and a local KMS server. The QKD link from MAS to a bank ran via SPTel’s fiber network, which included trusted node sites (physically hardened telecom substations) to regenerate keys for longer distances. This trusted node model is necessary because of fiber loss – the QKD signals (photons) can only travel so far before needing a secure relay.

In the sandbox, MAS and two banks would be connected at any given time through one or more trusted nodes on the NQSN+ network. The KMS appliances at each end used an industry-standard API (ETSI GS QKD 014 REST API) for the SAE applications to fetch keys. For example, one test application was a custom file encryption program: it would call the KMS API to get a fresh QKD key, use that key to encrypt a file, then securely transfer the file to the other party who would fetch the same key from their KMS to decrypt it.

Testing Scenarios and Use Cases

Over several months (split into two phases from late 2024 to early 2025), the sandbox participants ran a comprehensive battery of tests. These covered operational performance, security, resilience, and even hybrid QKD+PQC scenarios.

Key Findings

The published report highlights several insights and recommendations based on the sandbox experience:

QKD Can Enhance Network Security: The trials confirmed that QKD is effective in strengthening the security of communication links for financial institutions. For example, QKD-generated keys can secure connections between data centers and bank systems, adding an extra layer of protection beyond conventional encryption. In all tests, QKD worked as intended – sensitive data was successfully transferred using keys delivered over quantum channels, with the assurance that any eavesdropping would be noticed.

Integration Challenges – Need for Standards and Interoperability: While promising, QKD is not a plug-and-play solution yet. MAS and the banks found that integrating QKD into existing IT environments is complex. The report calls out the need for greater interoperability between different QKD vendors – today, one provider’s QKD system may not talk easily to another’s. For QKD to see wider adoption in finance, common standards and interfaces must be established so that banks aren’t locked into a single vendor. Additionally, integrating QKD with existing network and security infrastructure required custom work; smoother integration layers (APIs, middleware) will be important going forward.

Trusted Node Security is Paramount: The use of trusted nodes (intermediate relay stations) was identified as both enabling and challenging. On one hand, trusted nodes make long-distance QKD feasible, allowing the network to link multiple sites across the country. On the other hand, these nodes become high-value targets that must be physically and digitally secured. The report urges QKD providers and telcos to implement tamper-resistant, auditable trusted nodes with multi-layer security measures (e.g. hardened facilities, access control, monitoring). Essentially, the group stressed that the “trust” in trusted nodes should be justified by rigorous safeguards and potentially independent certification. Developing standards for trusted node security assurance is a priority before production deployment.

Performance and Resilience Considerations: The sandbox revealed that current QKD technology has limits in terms of distance, key rate, and redundancy. For instance, fiber attenuation limits how far keys can be distributed without a node; high availability might require redundant QKD links or switching to backup (classical) encryption if the quantum channel fails. The cost and complexity of deploying dedicated QKD equipment and fibers are non-trivial. Thus, institutions must weigh where QKD makes sense (perhaps for the most sensitive data corridors) and ensure robust fallback mechanisms. Encouragingly, the hybrid tests showed that combining QKD with PQC can provide resilience – if one technology falters, the other can cover, which might be a model for future quantum-safe architectures.

Organizational Readiness: A less technical but crucial finding was the importance of internal support and expertise. MAS and the banks noted that strong senior management backing is needed to pursue quantum security projects, which can span multiple years and require budget for specialized equipment. Building an in-house knowledge base (or partnering with academics/experts) is vital so that teams can evaluate and implement quantum technologies effectively. The report recommends that financial institutions start capacity-building now – training staff in quantum cryptography, participating in community trials, and earmarking R&D funds – to be prepared for the post-quantum future.

In summary, MAS’s QKD sandbox demonstrated that quantum key distribution can be integrated into financial networks and offers genuine security benefits (notably, extremely high confidentiality when used in one-time-pad fashion, and the ability to detect interception).

However, it also highlighted that the technology is nascent: interoperability, standards, and cost-efficiency need to improve before widescale adoption is practical. The findings serve as a roadmap for both industry and regulators – pointing to areas where further innovation and policy support are needed (e.g., defining security standards for QKD hardware and trusted nodes, fostering multi-vendor compatibility, and encouraging hybrid QKD+PQC approaches).

Next Steps and Resources

Off the back of this successful sandbox, MAS indicated that it will continue to collaborate with the industry on quantum-safe cybersecurity. We can expect more trials and even funding support: MAS’s Financial Sector Technology and Innovation (FSTI) scheme now includes a “quantum track” to encourage projects in this space. The regulator’s message is clear – while large-scale quantum attacks may still be on the horizon, now is the time to prepare defenses.

In the press release announcing the report, MAS’s Chief Technology Officer Vincent Loy called the QKD sandbox “a significant step” that enhanced understanding of how such technologies can bolster the cyber resilience of Singapore’s financial sector.

Opinion – Singapore’s Quantum Leap vs. Western Caution

Singapore’s bold experimentation with QKD in banking stands in stark contrast to the more cautious stance we’ve seen from U.S. and U.K. security authorities. Having worked closely with MAS in the past, I’m not surprised – this is classic MAS: deeply technical, forward-leaning, and unafraid to run live trials of emerging tech.

In a country known for meticulous planning, MAS has a tradition of learning-by-doing when it comes to new financial technologies (from fintech sandboxes to digital currencies, and now quantum security). This QKD sandbox is a prime example of that ethos. It wasn’t merely a lab simulation; it was a multi-month collaboration with real banks, real networks, and real data (albeit test data) to flush out practical realities. That proactive approach is rare among regulators, especially for something as avant-garde as quantum cryptography.

By contrast, the official guidance from the likes of the U.S. National Security Agency (NSA) and the U.K.’s National Cyber Security Centre (NCSC) has been notably skeptical of QKD. The NSA bluntly states that it “does not recommend the usage of QKD… for securing the transmission of data in National Security Systems” and has no plans to approve QKD for high-security use cases absent major breakthroughs. They cite well-known limitations – QKD’s need for special hardware and fiber, distance constraints requiring trusted nodes (which they note add cost and insider risk), and the lack of built-in authentication means you still need classical cryptography anyway.

Similarly, the NCSC has recommended that organizations focus on post-quantum cryptography as the primary defense, deeming QKD “unsuitable for government or military applications” due to implementation vulnerabilities and complexity in securing it at scale. In other words, the prevailing view in both Washington and London has been: “Interesting science, but not ready (or necessary) for prime time.”

So why is Singapore forging a different path? Part of the answer lies in Singapore’s strategic calculus – this is a nation that aspires to be a global financial hub and a technology innovation center. Embracing new security tech early is a way to build expertise and influence standards. MAS likely recognizes that quantum threats are a long-term game, and they want to explore every tool in the toolbox. They’re not alone in Asia; we see interest in quantum communications in countries like China and South Korea too. China arguably leads the world in QKD and quantum communication implementation. Indian army has deployed it too.

But MAS has uniquely pulled in the end-users (banks) into the experimentation process. That’s significant: it ensures that feasibility is assessed not in isolation by physicists, but with bankers and CIOs in the loop, evaluating integration with core banking systems and real-world operational constraints.

From my perspective, the MAS sandbox sends a powerful signal that QKD is maturing from theory to practice. A few years ago, QKD was often dismissed as a niche lab demo or something only for ultra-secret government links. But here we have mainstream commercial banks co-testing it with a regulator – that suggests a level of confidence that the technology is at least robust enough to trial in semi-live conditions. The findings of the report actually reinforce many of NSA/NCSC’s cautions (for example, the challenges around trusted node security and the importance of authentication). However, instead of using those as reasons to avoid QKD, MAS is using them as a to-do list to improve QKD. The report doesn’t claim QKD is a silver bullet; it provides a balanced view of pros and cons, and then crucially, it provides a path forward: develop standards, improve interoperability, combine QKD with PQC for robustness, etc.

One could argue that MAS’s approach and the NSA/NCSC stance are not actually at odds on the facts – they differ mainly in strategy and timing. The U.S. and U.K. are effectively saying “for now, rely on PQC, QKD isn’t worth the hassle yet,” whereas Singapore is saying “let’s experiment with both PQC and QKD now, so we’re not caught off-guard later.” In fact, MAS is not rejecting post-quantum cryptography at all; in the contrary, they are actively working on it (recall MAS’s PQC trial with Banque de France, and their ongoing engagement with NIST standards). What Singapore is doing differently is hedging bets and layering defenses. The hybrid QKD+PQC VPN test in the sandbox exemplifies this mindset: rather than debating PQC versus QKD, they tried using them together. The advantage of such a hybrid approach is clear – if someday a flaw is found in a PQC algorithm (which is entirely possible; these algorithms are new and still being vetted), a QKD layer could provide a safety net, and vice versa. It’s the classic defense-in-depth principle applied to the quantum era.

Now, is QKD right for everyone? Probably not. Even MAS would agree that QKD is not going to replace public-key encryption universally. It has niche applicability – perhaps securing the most sensitive data links (think inter-bank networks, payment systems, maybe connections to critical market infrastructure) where the extra security is worth the cost and complexity. Not every financial transaction needs QKD-level encryption, just as not every facility needs an army guarding it. But what this report demonstrates is that in those niche but vital areas, QKD can be made to work. And importantly, banks were able to integrate it without breaking their existing systems – emails were sent, files were transferred, and VPNs were run with quantum keys in the mix, all while core operations continued. That’s a big deal to a CISO or a network architect: it hints that you can deploy QKD as an add-on security layer rather than a rip-and-replace overhaul.

Another point that strikes me is the role of regulators as enablers of innovation here. MAS didn’t mandate QKD; it facilitated a safe sandbox for it. Contrast that with a hypothetical scenario where a regulator might outright ban or discourage a tech until it’s “proven.” By taking a collaborative sandbox approach, MAS accelerated learning for everyone involved – the banks, the tech vendors, and even other regulators who might be watching. In a space as new as quantum security, empirical data from real trials is gold. The MAS report will likely inform standards bodies (like ETSI, ITU) and international discussions on quantum networks. It’s a form of regulatory leadership that we might start seeing more of – where regulators don’t just write rules, but also convene pilots.

Why does this MAS QKD report matter? In my opinion, it marks a shift from debating theory to testing reality. It suggests that QKD technology has evolved enough that serious industry players are willing to get their hands dirty with it. Financial services, known for being conservative on tech due to security and compliance demands, are now actively shaping quantum-safe practices rather than passively waiting. The involvement of multiple banks means the results aren’t just one-off vendor claims; they represent aggregated insights that could benefit the whole sector. For instance, if interoperability was a pain point, banks as customers can now push vendors for more open solutions – a unified ask that arose from this collective sandbox.

The report also underscores that trusted-node QKD networks and hybrid cryptographic stacks may offer viable roadmaps for critical sectors. Yes, the NSA is right that trusted nodes introduce risk, but the sandbox showed that with proper physical security and network design, those risks can be managed (the trusted nodes were in high-security facilities with biometric access control, etc., as noted in the report). And importantly, the sandbox didn’t treat QKD as a standalone cure-all – it was combined with other controls (PQC, conventional encryption for classical channels, etc.). This layered approach is something other critical infrastructure operators (power grids, telecommunications, defense networks) should take note of. We might well see a future where, for example, an energy pipeline’s control system uses QKD links between major nodes in addition to PQC, to protect against both immediate threats and future quantum ones simultaneously.

In closing, Singapore’s QKD sandbox should serve as a call to action for other regulators and industries. Rather than taking sides in the “QKD vs PQC” debate, MAS chose to explore and inform. Other financial regulators, national research programs, or industry consortia could emulate this by setting up their own “quantum-safe testbeds.” The threats posed by quantum computers are still mostly on the horizon, but the defenses need to be tested and understood now – under sunlight, not just in theory. Whether QKD ultimately becomes commonplace or remains niche, the knowledge gained from these experiments is invaluable.