At 03:14 UTC on a Tuesday, a tier-one CIB sees its primary RTGS connectivity drop. The trigger is not a fibre cut. It is a ransomware detonation inside an ICT third party that runs its market-infrastructure gateway. Within six minutes, the bank's payments control tower executes the triage protocol: sub-USD-500k commercial volume cascades onto FedNow, SEPA Instant and RTP; GBP retail flow holds at the Faster Payments ceiling; high-value wholesale flow queues for the secondary RTGS gateway — CHIPS for USD, the CHAPS contingency adapter for GBP, the T2 backup participant for EUR. The failover is not a perfect mirror. It is a brutal, algorithmic reprioritisation of liquidity that respects hard network value caps while keeping the bank open. Treasury confirms the cyber recovery vault is sealed, the day's pacs.008 batches replay cleanly into the fallback rail, and the board dashboard flips from green to amber — never to red. The framing comes straight from the 2026 contingency-rails playbook that wholesale banks now treat as a baseline rather than an aspiration.
The point is simple. Always-on CIB is no longer a marketing phrase. It is a regulated, measurable, cryptographically enforced operating model.
01. From DR to "always on" — DORA Article 5/6 framing #
Disaster recovery is over as the organising idea. DORA Article 5 puts ICT-risk governance on the management body as a non-delegable duty. DORA Article 6 then demands a documented ICT risk-management framework that covers detection, response, recovery and learning. Read together with Basel III operational-risk capital and the UK SM&CR regime, the message to CIB boards is direct. Recovery time objectives and recovery point objectives must be expressed in minutes, evidenced under live test, and tied to named senior managers.
The shift in language matters. "Restore the service" assumes the service stopped. Always-on assumes degradation is detected, contained and routed around without the client-facing flow stopping. That is the standard the UK PRA SS1/21 "Operational Resilience" expectations and DORA jointly enforce, and it is the only standard a 2026 CIB treasury can plausibly market to a Fortune 100 corporate client.
02. FHE, QKD and PQC as resilience primitives — not just confidentiality controls #
Cryptography is now part of the resilience stack, not a parallel security project. Three primitives matter.
FHE lets a bank compute on encrypted treasury positions inside a cyber recovery vault without exposing plaintext. When the production environment is suspect, analytics, reconciliation and pre-trade checks can continue on the encrypted copy. The BIS paper "Project Leap: quantum-proofing the financial system" makes the operational case directly — confidentiality controls and resilience controls are converging on the same primitives.
QKD provides information-theoretic key distribution between data centres carrying always-on workloads. It is not a replacement for PQC. It is a complementary layer for the few links where physical key-exchange assurance is worth the cost. The author's earlier piece — QKD in wholesale banking: where physics-grade keys actually pay off — sets the boundary.
PQC, specifically FIPS 203 and FIPS 204, now signs the fallback-rail manifests, the cyber recovery vault snapshots and the inter-domain trust chains between primary and contingency participants. A 2026 CIB that signs failover artefacts with classical RSA is reporting a finding to its regulator. The FHE in banking analytics piece argued the same in the analytics domain — the resilience argument extends it cleanly to recovery.
03. Fallback rail design patterns — ISO 20022 across RTGS, instant, tokenised and external networks #
A fallback rail is not a spreadsheet of contact numbers. It is a routed, tested, ISO 20022-native alternative path with its own liquidity, its own participants and its own dress-rehearsed cutover.
Four patterns now dominate CIB blueprints.
- Dual RTGS participation. USD flow that normally rides Fedwire holds a warm secondary connection — CHIPS for high-value commercial, or a correspondent bank with independent Fedwire connectivity. GBP holds CHAPS plus a Bank of England contingency-participant arrangement. EUR holds T2 plus a backup direct-participant agreement via a different ICT third party.
- Instant-rail substitution. Where corporate flow tolerates lower per-transaction ceilings, SEPA Instant, FedNow and RTP carry payments while the high-value rail is sealed. The treasury control tower applies dynamic value-band routing — anything inside the instant-rail ceiling rides instant; everything else queues for RTGS resumption. Crucially, the policy engine rejects the temptation to split high-value payments into smaller instant chunks to dodge value caps: structuring a USD 2 m wholesale transfer into ten USD 200 k instant payments trips every smurfing alarm in the receiving bank's AML pipeline and converts an operational incident into a financial-crime one. The right answer is to hold the high-value payment safely for RTGS resumption, not to deliver it through a route that will be flagged on arrival.
- Tokenised settlement networks. Wholesale CBDC pilots, regulated stablecoin networks and tokenised-deposit platforms are now in scope as a third-tier fallback for interbank obligations. They are not equivalent to RTGS settlement finality, but they buy hours, and hours are what cyber recovery needs.
- External-network bypass. When the bank's own ICT third party is the failure point, ISO 20022 pacs.008 and pacs.009 messages route via a pre-agreed correspondent that is independently connected. Concentration risk inside a single ICT vendor is the silent killer; this pattern removes it.
The silent cost of this architecture is liquidity fragmentation. Every pre-funded balance at a secondary RTGS participant, every warm correspondent backup account, and every pre-staged tokenised-settlement position is capital that is not generating yield. The engineering challenge for 2026 is not just writing the ISO 20022 routing logic; it is wiring the intraday liquidity sweeps that fund the fallback rail just-in-time — drawing on the central-bank intraday repo facility, the parent group's liquidity pool, or a contractually-committed contingent funding line — so the bank is not paying a nine-figure opportunity cost for a disaster that has not happened yet. Resilience without intraday-funding orchestration is trapped capital with a compliance label.
ISO 20022 is what makes this work as architecture rather than improvisation. The same pacs.008 payload, the same <RmtInf><Strd> block, the same EndToEndId, on a different rail. The treasury platform validates against a single schema and lets the routing layer choose the rail.
04. Treasury SLAs and board reporting — quantifiable resilience metrics #
Boards now ask five questions and expect numerical answers.
- What is the per-currency RTO? USD, GBP, EUR, JPY high-value: minutes, not hours. Instant rails: seconds.
- What is the per-currency RPO? Cyber recovery vault snapshot frequency, expressed in minutes of lost economic value at the worst-case detonation time.
- What is the fallback-rail liquidity headroom? Pre-funded balances at secondary participants, sized to absorb a 24-hour primary outage at peak day volume.
- What is the PQC signing coverage on recovery artefacts? Percentage of vault snapshots, manifests and inter-domain trust anchors signed under FIPS 203 / FIPS 204.
- What is the Cost of Contingency Capital (CoCC)? The daily opportunity cost of the idle intraday liquidity trapped in secondary clearing accounts, warm correspondent balances and pre-staged tokenised positions, measured against the overnight rate. The board must see the exact price of the bank's resilience insurance, and the operating committee must defend the trade-off between trapped capital and outage tolerance — refreshed at least quarterly.
These are the metrics that map cleanly to DORA Article 6 evidence, to SM&CR senior-manager statements of responsibility, and to SR 11-7 model-risk governance over the routing logic that decides which rail wins. The board does not need a narrative; it needs a quarterly chart with a hard floor.
Conclusion #
CIB resilience in 2026 is an operating system, not a recovery plan. Cyber recovery vaults seal the data. FHE, QKD and PQC enforce trust on the failover path. ISO 20022 fallback rails carry the flow across RTGS, instant, tokenised and external networks. Treasury SLAs report the result in minutes the board can defend to a regulator on a Monday morning.
The work is concrete. Inventory the ICT third parties on every payment rail. Stand up the cyber recovery vault with PQC-signed snapshots. Negotiate the secondary RTGS participations and the instant-rail substitutions. Wire the routing decisions through a single ISO 20022 schema. Test the cutover under live load, quarterly, with the board watching.
Always-on is not a slogan. It is a number on a dashboard, signed by a senior manager, validated by a regulator, and built on cryptography that survives the day a quantum-capable adversary shows up.
Last reviewed .
Syndicate this article
Format for Medium
# Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury > Originally published at [https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/](https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/) Always-on CIB in 2026: cyber recovery vaults, ISO 20022 fallback rails across RTGS, instant and tokenised networks, FHE, QKD and PQC primitives, and quantum-safe treasury SLAs under DORA. Read the full article on sebastienrousseau.com: https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/
Format for Mastodon
Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury Always-on CIB in 2026: cyber recovery vaults, ISO 20022 fallback rails across RTGS, instant and tokenised networks, FHE, QKD and PQC primitives, and quantum-safe treasury SLAs under DORA. https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/
Copy formatted for LinkedIn
Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury Always-on CIB in 2026: cyber recovery vaults, ISO 20022 fallback rails across RTGS, instant and tokenised networks, FHE, QKD and PQC primitives, and quantum-safe treasury SLAs under DORA. Here are the key strategic takeaways: - 01. From DR to "always on" — DORA Article 5/6 framing. Disaster recovery is over as the organising idea. - 02. FHE, QKD and PQC as resilience primitives — not just confidentiality controls. Cryptography is now part of the resilience stack, not a parallel security project. - 03. Fallback rail design patterns — ISO 20022 across RTGS, instant, tokenised and external networks. A fallback rail is not a spreadsheet of contact numbers. - 04. Treasury SLAs and board reporting — quantifiable resilience metrics. Boards now ask five questions and expect numerical answers. What is your organisation's approach to the challenges outlined in this piece? → https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/ #CyberRecovery #FallbackRails #OperationalResilience #Dora #QuantumSafeTreasury Sebastien Rousseau | CC-BY-4.0
Cite this article
Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury
Always-on CIB in 2026: cyber recovery vaults, ISO 20022 fallback rails across RTGS, instant and tokenised networks, FHE, QKD and PQC primitives, and quantum-safe treasury SLAs under DORA.
BibTeX
@online{rousseau2026always,
author = {Rousseau, Sebastien},
title = {{Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury}},
year = {2026},
url = {https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/index.html},
urldate = {2026}
}RIS
TY - GEN AU - Rousseau, Sebastien TI - Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury PY - 2026 UR - https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/index.html ER -
Vancouver
Rousseau S. Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury. sebastienrousseau.com. 2026 Jun 26. Available from: https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/index.html
Chicago
Rousseau, Sebastien. "Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury." sebastienrousseau.com. June 26, 2026. https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/index.html.
APA
Rousseau, S. (2026, June 26). Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury. sebastienrousseau.com. https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/index.html
Republish this article
Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury
Always-on CIB in 2026: cyber recovery vaults, ISO 20022 fallback rails across RTGS, instant and tokenised networks, FHE, QKD and PQC primitives, and quantum-safe treasury SLAs under DORA.
This article is licensed under Creative Commons Attribution 4.0 International. Republication requires attribution to the canonical URL.
Always-On CIB: Cyber Recovery, Fallback Rails and Quantum-Safe Treasury Always-on CIB in 2026: cyber recovery vaults, ISO 20022 fallback rails across RTGS, instant and tokenised networks, FHE, QKD and PQC primitives, and quantum-safe treasury SLAs under DORA. Originally published at https://sebastienrousseau.com/2026-06-26-always-on-cib-cyber-recovery-fallback-rails-quantum-safe-treasury-2026/ by Sebastien Rousseau. Licensed under CC-BY-4.0.