I am Canadian. I’ve worked in the Financial industry for about 20 years (either directly or adjacent to it in roles like auditing). I am an IT guy.
Here’s some more examples / clarifications of it: pretty well all of Canada’s ATMs run on Windows. When questioned about why, companies that provide those systems state that it’s a requirement from Payments Canada.
Most Financial Institutions use USA-tied backend banking systems – there’s 1-2 “Canadian” providers, but they’re very niche (hence the note about BC’s situation, BC being the westernmost province in Canada). Companies like FISERV (USA) expanded into Canada a few decades ago – their initial entry to the market failed due to them not caring about differences between Canadian and US financial products. They didn’t bother porting anything, treating things like the US “401k” logic as basically the same as Canada’s RRSPs doesn’t work, and led to massive problems for many FIs – problems that sank a couple. So they bought out a Canadian product that was called DNA (which ran on Oracle). FISERV is one of the dominant players in the Canadian market.
Canada’s Central1 Credit Union, the trade association / service provider for their Credit Unions, recently bailed on hosting in-country online banking services, after having screwed up their implementation of the ISO20022 really really badly. They ‘sold’ that whole segment of their business off to an Indian Headquartered company which hosts its products in Microsoft’s cloud, uses developers from the UAE, and has only like 1-2 security staff in Canada (so all your security events are definitely going elsewhere). Adding to this, at the start of Central1’s mismanagement of online banking, they had 2 geodistant datacenters on either side of the country – but they hired a US Banker to run their IT department, and he put all their internal stuff (beyond just the online banking) into the cloud, turfing their internal systems. Oh, and in terms of it continuing in this direction even with the turmoil – since 2025, Central has shifted their backend online cheque processing, one of the last items outstanding, into Microsoft’s cloud. So even if you’re using a small credit union in a tiny community, if you write a cheque, you’re reliant on USA cloud infrastructure.
BC’s provincial financial regulators, the BC FSA, put out an RFP about a decade ago noting some serious gaps in their IT framework – the RFP was amazing to read, as it noted things like software that had been EOL for almost a decade, which they admitted they couldn’t support properly, because they’d basically fired most of their IT staff. The RFP was a total “front”/box-checking exercise though, as they’d already chosen who they were going with – the RFP lasted only a brief time, and was tailored to ensure a specific vendor would win (issued June 17, 155 pages of specifications/environment description background, submission deadline July 31 – vendor work starting Q4. A turnaround speed unheard of in govt, if they were doing any due diligence). The result was that the BC FSA moved all of its IT ecosystem stuff into Microsoft’s cloud. The industry submits member/customer personal information directly into a site that’s hosted on Microsoft’s cloud – even uses generic Microsoft cloud login infra. So a huge portion of FI customer data is exposed through the regulators of the industry.
Bless you for responding sincerely, I appreciate that so much. I apologize if most of it has gone over my head but is there a movement to detach yourselves from the US?
I have been so in my own head lately and focused on my field of study that I almost feel like an alien. What does this mean in practical terms, how much is my data available to entities I’ve never heard of, can you tell me in practical terms what that means for me/the average person?
Sure, I can try to clarify it a bit, though I may get a bit wordy at times. I can even use recent government docs to support comments, in case that helps a smidge.
So late last year, the government of Canada published a white paper that sort of summed up the exposure risk with regards to data sovereignty, something that, I think, most people in tech have known for decades at this point. The appendix of that document is fairly concise, and generally indicates that there’s no realistic way you can have a “Cloud Service Provider” from a foreign nation, where there’s no chance of interference / pressure / disclosures by that foreign nation.
So someone like Wealthsimple, who’s completely in US cloud technologies, and whose persona ID (Peter Thiel/Palantir connected) system for doing their “Know your Member” due diligence, has no realistic / practical way to be sure that any/all of their information isn’t being disclosed to the United States government. Similarly, if a cloud service provider is providing services from India, there’s no practical way to ensure that the information they handle isn’t being disclosed to the Indian government. In the States specifically, they have legislation in place that declares the government can make data requests, and that companies can’t disclose those requests to anyone – in the past, this was ‘overlooked’ by many because both Canada and the States had similar judicial systems and a general expectation of habeas corpus, and there was an expectation that international laws would apply on agreements. That’s sorta changed, hence the Fed gov publishing that paper and admitting the risks involved.
A bunch of that is rooted in the nuance of agreements / SLAs. Even as a consumer, you can see the language they use – phrases like “We comply with the laws and regulations of the jurisdictions in which we operate” (and we operate in Panama, so hide your taxes here! sorta thing). The phrasing means if the foreign government demands the data, under the laws/regulations of that foreign government, the company hands it over. Those sorts of agreements aren’t actually saying that the laws/regulations of that foreign jurisdiction are the same as Canada’s – your data can get moved to a foreign authoritarian dictatorship with no regard for your privacy, and it would be totally legal for them to … ignore the end user’s privacy expectations, which they thought would be in line with Canada’s privacy legislation. It’s legal hocus pocus, and one reason lawyers get the bad rep that they do.
In terms of how much is exposed, it varies depending on your service provider/financial institution, and where they have different partnerships / supply chain exposure to these sorts of risks. For example, the BC FSA publicly shows that they require all regulated entities under their purview to submit quarterly Mortgage/Loan reports. They tend to show you what those submissions include even – the LDR for example, includes fields such as your employer, your job title, your income amounts, how much you pay for condo fees, and a ton of other information that realistically can personally identify you. There’s another extract they request for names and other items. All of that information, because it’s disclosed to a system that’s hosted in Microsoft’s cloud ecosystem, by that earlier federal government white paper’s own admission, is potentially exposed and accessible to the US Government through “legal” disclosures by Microsoft. It’s worth noting, I think, that these are all mandatory disclosures, meaning every single Financial Institution that’s regulated by the BC FSA is required to provide this information to the Regulator via Microsoft’s cloud – this is quite explicitly, the BC Government requiring industry to be exposed to Data Sovereignty risks… and to think, the BC FSA’s mandate is to reduce risk in the industry! Doin a bang up job!
What ultimately gets exposed/disclosed to foreign entities largely depends on where those disclosures occur, and what information is sent/transferred. So like, in the above example with the BC FSA, they’re exposing a ton of personal information to foreign actors – but because they don’t request something like your granular payment transactions, that information isn’t disclosed as part of that arrangement. I mention in the earlier post the risks/issue of losing the last BC credit union with a Canadian back end – what I refer to there, is commonly just called a banking system, which is just the sort of “combined” database that has all the data on your account with that specific financial institution. If that banking system is in a foreign company’s cloud ecosystem, all of your data is potentially exposed to those foreign interests, through ‘legal’ channels, even if it’s not in Canada’s general interests.
In terms of direct risks to you as an individual, there are generally two big categories I’d flag: first, is that we can clearly see the USA and other foreign powers increasingly using things like AI, and mass data-gathering, to target political or ideological “enemies” – and to use that targeting to take very real actions against those people. Barring them from entering the country, de-banking/de-platforming people outright, and so on. In the most extreme cases, you could picture some jurisdictions using it to explicitly target individuals – for example, prior to Carney whitewashing the situation, India had previously been allegedly connected to getting the Bishnoi gang to conduct political assassinations in Canada. One way they could theoretically target those actions, would be to get the data from a Canadian company that’d outsourced services to India – especially if that outsourcing included access to Addresses, Names, and Transactions (“You donated to the wrong charity man!!”). Having noted this, I should highlight that there’ll always be SOME risk of this sort of thing with regards to online services – even if the foreign powers don’t have “Direct” access via legal means, there’s no reason to think they wouldn’t then default to attempting hacks / illegal means to access that information. It’s just that the setup basically makes it super easy to do, and defaults the info to being accessible on demand.
The second bigger risk I’d flag is related to service availability and organisation resiliency, which is kind of referenced in my earlier post noting that the FI industry would go ‘pop’ if a data sovereignty law came in immediately. Whether those services get cut off due to Canada enacting legislation that said “You gotta be mindful of data sovereignty, so you CANT outsource this stuff to the people you’ve outsourced everything to”, OR, more importantly, if Donald Trump / the US Administration were to say “You tech companies can’t provide service to Canada, cause we want them to implode and be forced to become a US state”, then those outsourced international agreements go poof, as do all connected services. So, for example, Canada’s Credit Unions and some Banks generally outsource their online banking platforms to Indian multinationals, hosted in US cloud spaces. If either the USA, or India, were to put in those sorts of export restrictions, your online banking would disappear overnight. If your backend is sovereign to Canada, accounts and everything would remain available, but the clipping of all those third parties may result in you likely needing to go in to the branch to get cash – cause, as noted, even the ATMs run on Windows, and cheques / other forms of payment all route through US tech giants. If your backend is in a cloud ecosystem, there’s a good chance the org has a ‘backup’ somewhere – but they’ll need to find somewhere to host it that can comply with the backup structure (some ‘backups’ can only restore to Azure or AWS infrastructure, for example). The FI would still have all their regular reports, so they’d likely still be able to sort out all the big ticket items like deposits totals / loans owing, but it’d all be delayed significantly due to the volume of the mess – in other words, people would be kept “whole” financially, but it would be chaos, and potentially a long time before the mess got sorted.
Most digital payment options would disappear – the one exception potentially being Interac Konek, which I believe is a Canadian-centric option that cuts out a bunch of the US Tech stack – though I don’t know for sure how much exposure Interac itself has to this issue.
Not sure if that helps clarify things, or if it muddles it more due to my hamfisted attempts to explain… but anyhoo, hopefully it made sense.
This is absolutely fascinating. Still a bit dense ngl lol. It will take me some time to work through, I feel bad I’m not giving your write-up the time it deserves. Wondering, what would be your ideal solution?
You basically wrote an entire essay for me and I’m half in love with you now. Talk my ear off about it anytime
Yeah, I’d ramble about this stuff at a pub like a freak, if it were stuff that people actually wanted to talk about haha… but ok, let’s see, ‘my’ ideal solution? This’ll be rambly for sure ;p
First off, for non-critical industry businesses, I’d avoid any heavy handed data sovereignty type regulations / laws. That alone poses a bit of an issue that’d require some additional nuance get built in to Canada’s privacy legislation. But I’d want to put that out there first and foremost, as Canada generally benefits from having international players / service providers and features from all over the world.
For critical industries, I’d be a good bit more strict, and require both data sovereignty and some sort of mechanism to try and prevent any specific vendor lock-ins where feasible. International IT standards have generally called for reviewing your tech stack / supply chain issues for a decade now, but it hasn’t really been as much of a focus until lately – and, realistically, it’d be difficult for Canada to fully stand up every component required to provide modern services overnight (we likely couldn’t do absolutely everything either, like chip fabs and whatnot – but a ‘chip’, as a commodity, is far less risky than an “always-online connection requirement that can be severed on a whim”). Steps can be taken to mitigate / minimize the impact of potential issues though, and those steps can be phased in rather aggressively depending on the scale of the organisations involved, and could even, potentially, be done using the existing regulatory frameworks in some areas.
For starters, the government would need to aggressively sort out its own shit – because them trying to push this sort of thing on to the industries they regulate, without “walking the walk”, would be problematic. On the bright side, at present there’s a glut of out of work IT people who can assist. There are tools that are generally “sufficient” for most targeted purposes that already exist, and use licenses that generally allow for more international community-driven involvement. If you look, for example, to how China’s handled their data sovereignty – they forked a version of Linux, Ubuntu, creating their own national OS called Kylin (I think I’ve got that name right). Their developers / government resources have in many ways been a boon to the Ubuntu project too, helping it stay very current with different tech trends – so it’s a win-win symbiotic relationship between government and open source community. Places like the EU are doing similar. There’s no practical reason I can see as to why Canada couldn’t do something along the same lines, especially given the talent that exists in the country.
Once the government’s taken a bit of a lead on that, they’d be in a better position to not only say to industry “data residency is so last era, we doin data sovereignty now”, but to help guide potential adoptions and migrations – especially for smaller organisations in those regulated spaces, which’d represent a lower risk ‘testing’ ground for making those changes. So like, helping them shift from using Microsoft’s Cloud ecosystem, and instead having them use something like Nextcloud on their own servers / backend hardware. The news we often see about “AI Data Centers” are a bit trendy, but realistically there’s nothing stopping/preventing organisations in Canada from having a T1 data center hosting their servers (ie. the only thing the third party provides is space / electricity, which Canada can easily nationalise if there’s some US connection on the Datacenter front). Ignoring all the outsourcing for service providers etc, it’s entirely possible to set up a “sovereign” stack in Canada even today, with no additional hardware / long-time line building required. The AI Data Centers we see in the news with Carney and them, often seem like they’re specifically referencing a desire to have a hyperscaler public cloud type option – but a smaller managed cloud that’s data sovereign is also an option, it’s just often a bit more expensive, and involves more management on the part of the organisation pending their size. I think Carney’s push in this regard, for a “sovereign canadian cloud”, is an attempt to have one big provider, to which existing companies can sort out large-scale migrations towards – ie. if you have something like OVH (a French cloud) but a “Canadian” hyperscaler, and sort out how to migrate clients from Microsoft’s cloud over in a streamlined fashion to that provider, it makes it easier to put out a broad-stroke data sovereignty legislation change.
But for immediacy / urgency sake, there are options for companies to start moving that way already – they may just need that extra regulatory push.
In terms of fitting some of these migration things into existing regulatory frameworks – many banks are regulated by the same organisation that effectively controls their insurance premiums for deposit insurances: CUDIC/CDIC. The BC FSA has in the past used this mechanism to essentially choke the BC industry into merging/consolidating, by declaring smaller financial institutions “high risk” and charging them hundreds of thousands of dollars more per year for their deposit insurance (which is an existential issue, given most had annual profits of less than $1m, they’re coops after all!). In fact, their push to consolidate / move people into the cloud is a big reason we have this risk / issues moving the industry in another direction! They could, for example, use their IT Security Guideline to declare orgs “more at risk” the more foreign outsourcing they rely on – that’d create a very clear financial imperative for orgs to move away from US providers in as aggressive a fashion as the penalties dictate. Tell someone like Vancity Credit Union they’ll be paying millions of dollars more per year for insurance if they stick with Microsoft, and they’ll put serious effort into adopting sovereign solutions, I’m sure. One of Carney’s big flaws, and you can see it historically even from his time at the BOC, is that he doesn’t actually “see” the Credit Union system / “regular Canadian” citizen financial situations – but by nudging that more agile industry in the right direction first, you could at least ensure that there’s an option for people in the financial services space, to avoid those risks, and have that option available very quickly compared to the lead times likely required by the big banks to make similar moves.
One thought is also that the government would likely need to review the critical components that they’d need to bolster in order to get some of this to happen - so it’s not just a matter of forking a Linux distro in that stage. Like one area where Canada has a general weakness, is on something like Firewall providers for protecting assets – there aren’t many ‘canadian’ companies that offer that sort of asset, and you’re generally stuck relying on USA, Chinese/Asian, European or Israeli companies if you want a quality device. So that’d have to be built into the steps above, where the gov would likely need to fork/partner with an open source vendor for their primary OS needs. Oh, in terms of those, I’d prolly vote for them to go with SUSE as its Euro-centric, and it’d help to align us with them a bit more – though for some things like ATMs, *BSD should be the default. BSD is sorta a brick shithouse that has limited integration features, but can be purpose built to be super hardened/secure, and stay that way for long stretches – requiring little updates/tweaks. It’s practically designed for infrastructure devices. The security folks on some of the main BSD projects, are also already tied to Canada, so win win.
And I guess, as I went about re-tooling things to bring those critical industries more ‘in house’, I’d tweak the ISO20022 setup to add in some more “vendor lock-in prevention” controls – goal there would be to welcome things like international Fintechs, but also to ensure Canadians are protected from undue foreign pressures. You want to allow enough flexibility for a general business to use ODOO or similar products, if they want, but you don’t want them to become ‘stuck’ there, nor would you want to have that be a huge slice of the Canadian market place for that feature. That may require some subsidies to local competitors, not sure how I’d structure that specifically though. Another risk I’d be preparing for as part of it, though it’s a bit of an outlier, is to have better fallbacks get built in to the regulatory frameworks – as noted above, there’s almost always going to be some supply chain exposure/issues. One big ‘nightmare’ scenario, would be China attacking/taking Taiwan, paired with US chip makers being blocked from providing chips to Canada. Not only would that situation screw over a bunch of the financial industry vendors, but it’d massively hit the customers/members of those organisations – if you’ve designed a system like Wealthsimple, you’re pre-supposing that your customers/members all have a ton of tech toys to do their online banking. In the nightmare scenario, you’d basically be going back to analogue setups – which, given some trends and climate change projections, is something that ought to at least be on the radar and considered given the critical industry nature of the financial system.
One last thought to loop back to the subsidies bit, is that one challenge, is trying to maintain a sufficient volume to keep whatever parts of the stack you ‘in-country’ profitable as possible. Like Carney and them setting up these big data center projects and making noise about data sovereignty is interesting – but if they don’t somehow force Canadian businesses to use those sovereign solutions, there won’t be an edge for Canadian offerings due to the differences in scale between the Canadian and US / Foreign markets. I’ve reached the limit for posting length, so I’ll shut up now ;p
Oh, another tidbit that I’d throw in the mix, just as an afterthought – I’d totally smack the BC FSA upside the head on their data collections, and any other government regulator type agency that’s over collecting granular citizen data under similar silly pretenses. I’d also likely take a slightly different approach on AI regulations, though attempt to keep it generally in line with the EU counterparts, as the most likely ‘friendly’ block going forward.
Regulators are generally tasked with maintaining the viability and stability of critical industries, and the businesses therein. It’s important to have regulation of FIs, but regulators like the BC FSA have gone overkill, to the point that they’re basically cited as the #1 reason for FIs needing to merge… to get bigger to handle regulatory burdens and overreach. In BC, it’s sorta like they were put in charge of ensuring a thriving forest, but then they decided that to do that, they had to reduce it down to just 4-6 big trees, and then to map out each individual leaf on those trees. They really don’t need all the data they’re collecting, to manage aggregate risks in the ecosystem – their collection just adds to this foreign exposure issue. It’s possible to do 90% of their risk analysis using aggregate, anonymous data collected from the FIs. If there are specific dimensions / concerns they want FIs focused on for ‘internal’ risk reasons, they can work WITH industry during reviews to make sure they’re tracking the ‘right’ variables and being transparent with stakeholders etc.
From a Risk Management perspective, it’s a semi easy thing to describe how the BC FSA has failed miserably at its job: If the Mitigations for a Risk outweigh the cost of that Risk occurring, you shouldn’t apply the mitigations. Ie. If it costs you $100k to prevent a potential ‘threat’ that could cost you $1k in fines/damages, you should just accept the $1k cost. Likewise, if your regulation has killed off roughly 75% of the province’s financial institutions, while there’ve been 0 cases of a BC financial institution “failing due to mismanagement” since like the 80s (and back then, it was an outlier case!), your regulations suck and you should feel bad. One of the biggest indicators of the health of a forest/ecosystem, is its stability / ability to renew itself organically: ie. lots of competition, a reasonable amount of turn over, which is filled in with new entrants. You can monitor the health of a populace / forest by looking at how many trees are there, and getting a rough report on whether they’re healthy or not, without needing to map out every leaf.
Regulatory hurdles are also often used to create moats around industries/businesses, so there’s this delicate balancing act needed to allow for innovation, while still protecting against industry-wide negative risks. The more regulation surrounding a setup, the more locked out new entrants are. You don’t want to allow OpenAI to dictate the terms for new competitors to start up and challenge OpenAI, sorta thing. Like the Tumbler Ridge tragedy was… tragic. But if new regulations come in placing onerous oversight / reporting obligations on all AI companies as a result, it’ll be that much harder for a ‘new’ Canadian company to get rolling. So with regards to tech-side regulation, I’d definitely try to align with the EU models, but I’d aim to have them be more unique to Canada – we still need a small moat between us and the EU platforms, but we need a much bigger moat between us and authoritarian regimes.
Lots to unpack here. This is the big thing at the moment and I’d like to know what I can. Would you be willing to talk on the phone at some point? I’ve been going through something hard and I don’t want to cry about it, but I think it would help a lot if someone smart and passionate in a subject I know little about ranted at me. Not like a formal interview, just a talk
If I’m being honest, for some reason I have this aversion to voice chats with strangers from social media sites, heh. It’s totally nonsensical in some ways, as I’m fine chatting with people in games, and/or meeting people in real life, but for some reason ¯\_(ツ)_/¯.
If you do have questions about these sorts of things though, and are in Canada, I’d suggest reaching out to your financial institution a bit and peppering them with some questions. At the very least, you’d get a sense of how they’re looking at the situation, and whether you felt like they were putting in appropriate due diligence to safeguard your interests. If the note about going through something hard was more in relation to wanting a distraction to take your mind off other things, I can empathize, but I’m also so terribly awkward on phone calls that it’d prolly end up doing more harm than good. I’d also likely pester you to try and find out what the ‘something hard’ was that you’re going through, in a very tactless fashion, as I’m really not all that good with that sorta thing.
Not a problem. I was just thinking you’re an interesting person with a fount of information. Nothing wrong with not wanting to chat with a stranger. I’ll be around if you change your mind but no pressure ofc.
I’m in the US but I’ve been looking into educating myself more about financial institutions and that’s why I was so curious. Plus you sounded really well-informed and I’m very close to Canada geographically and thinking about moving there so I need to learn all I can before I make that decision.
I am Canadian. I’ve worked in the Financial industry for about 20 years (either directly or adjacent to it in roles like auditing). I am an IT guy.
Here’s some more examples / clarifications of it: pretty well all of Canada’s ATMs run on Windows. When questioned about why, companies that provide those systems state that its a requirement from Payments Canada.
Most Financial Institutions use USA-tied backend banking systems – there’s 1-2 “Canadian” providers, but they’re very niche (hence the note about BC’s situation, BC being the western most province in Canada). Companies like FISERV (USA) expanded into Canada a few decades ago – their initial entry to the market failed due to them not caring about differences between Canadian and US financial products. They didn’t bother porting anything, treating things like the US “401k” logic as basically the same as Canada’s RRSPs doesn’t work, and lead to massive problems for many FIs – problems that sank a couple. So they bought out a Canadian product that was called DNA (which ran on Oracle). FISERV is one of the dominant players in the Canadian market.
Canada’s Central1 Credit Union, the trade association / service provider for their Credit Unions, recently bailed on hosting in-country online banking services, after having screwed up their implementation of the ISO20022 really really badly. They ‘sold’ that whole segment of their business off to an Indian Headquartered company which hosts its products in Microsoft’s cloud, uses developers from the UAE, and has only like 1-2 security staff in Canada (so all your security events are definitely going elsewhere). Adding to this, at the start of Central1’s mismanagement of online banking, they had 2 geodistant datacenters on either side of the country – but they hired a US Banker to run their IT department, and he put all their internal stuff (beyond just the online banking) into the cloud, turfing their internal systems. Oh, and in terms of it continuing in this direction even with the turmoil – since 2025, Central has shifted their backend online cheque processing, one of the last items outstanding, into Microsoft’s cloud. So even if you’re using a small credit union in a tiny community, if you write a cheque, you’re reliant on USA cloud infrastructure.
BC’s provincial financial regulators, the BC FSA, put out an RFP about a decade ago noting some serious gaps in their IT framework – the RFP was amazing to read, as it noted things like software that had been EOL for almost a decade, which they admitted they couldn’t support properly, because they’d basically fired most of their IT staff. The RFP was a total “front”/box-checking exercise though, as they’d already chosen who they were going with – the RFP lasted only a brief time, and was tailored to ensure a specific vendor would win (issued June 17, 155 pages of specifications/environment description background, submission deadline July 31 – vendor work startingQ4. A turn around speed unheard of in govt, if they were doing any due diligence). The result was that the BC FSA moved all of its IT ecosystem stuff into Microsoft’s cloud. The industry submits member/customer personal information directly into a site that’s hosted on Microsoft’s cloud – even uses generic Microsoft cloud login infra. So a huge portion of FI customer data is exposed through the regulators of the industry.
Bless you for responding sincerely, I appreciate that so much. I apologize if most of it has gone over my head but is there a movement to detach yourselves from the US?
I have been so in my own head lately and focused on my field of study that I almost feel like an alien. What does this mean in practical terms, how much is my data available to entities I’ve never heard of, can you tell me in practical terms what that means for me/the average person?
Sure, I can try to clarify it a bit, though I may get a bit wordy at times. I can even use recent government docs to support comments, in case that helps a smidge.
So late last year, the government of Canada published a white paper that sort of summed up the exposure risk with regards to data sovereignty, something that, I think, most people in tech have known for decades at this point. The appendix of that document is fairly concise, and generally indicates that there’s no realistic way you can have a “Cloud Service Provider” from a foreign nation, where there’s no chance of interference / pressure / disclosures by that foreign nation.
So someone like Wealthsimple, who’s completely in US cloud technologies, and whose persona ID (Peter Thiel/Palantir connected) system for doing their “Know your Member” due diligence, has no realistic / practical way to be sure that any/all of their information isn’t being disclosed to the United States government. Similarly, if a cloud service provider is providing services from India, there’s no practical way to ensure that the information they handle isn’t being disclosed to the Indian government. In the states specifically, they have legislation in place that declares the government can make data requests, and that companies can’t disclose those requests to anyone – in the past, this was ‘overlooked’ by many because both Canada and the States had similar judicial systems and a general expectation of habeas corpus, and there was an expectation that international laws would apply on agreements. That’s sorta changed, hence the Fed gov publishing that paper and admitting the risks involved.
A bunch of that is rooted in the nuance of agreements / SLAs. Even as a consumer, you can see the language they use – phrases like “We comply with the laws and regulations of the jurisdictions in which we operate” (and we operate in Panama, so hide your taxes here! sorta thing). The phrasing means if the foreign government demands the data, under the laws/regulations of that foreign government, the company hands it over. Those sorts of agreements aren’t actually saying that the laws/regulations of that foreign jurisdiction, are the same as Canada’s – your data can get moved to a foreign authoritarian dictatorship with no regard for your privacy, and it would be totally legal for them to … ignore the end user’s privacy expectations, which they thought would be in line with Canada’s privacy legislation. It’s legal hocus pocus, and one reason lawyers get the bad rep that they do.
In terms of how much is exposed, it varies depending on your service provider/financial institution, and where they have different partnerships / supply chain exposure to these sorts of risks. For example, the BC FSA publicly shows that they require all regulated entities under their purview to submit quarterly Mortgage/Loan reports. They tend to show you what those submissions include even – the LDR for example, includes fields such as your employer, your job title, your income amounts, how much you pay for condo fees, and a ton of other information that realistically can personally identify you. There’s another extract they request for names and other items. All of that information, because it’s disclosed to a system that’s hosted in Microsoft’s cloud ecosystem, by that earlier federal government white paper’s own admission, is potentially exposed and accessible to the US Government through “legal” disclosures by Microsoft. It’s worth noting, I think, that these are all mandatory disclosures, meaning every single Financial Institution that’s regulated by the BC FSA is required to provide this information to the Regulator via Microsoft’s cloud – this is quite explicitly, the BC Government requiring industry to be exposed to Data Sovereignty risks… and to think, the BC FSA’s mandate is to reduce risk in the industry! Doin a bang up job!
What ultimately gets exposed/disclosed to foreign entities largely depends on where those disclosures occur, and what information is sent/transferred. So like, in the above example with the BC FSA, they’re exposing a ton of personal information to foreign actors – but because they don’t request something like your granular payment transactions, that information isn’t disclosed as part of that arrangement. I mention in the earlier post the risks/issue of losing the last BC credit union with a Canadian back end – what I refer to there, is commonly just called a banking system, which is just the sort of “combined” database that has all the data on your account with that specific financial institution. If that banking system is in a foreign company’s cloud ecosystem, all of your data is potentially exposed to those foreign interests, through ‘legal’ channels, even if it’s not in Canada’s general interests.
In terms of direct risks to you as an individual, there are generally two big categories I’d flag: first, is that we can clearly see the USA and other foreign powers increasingly using things like AI, and mass data-gathering, to target political or ideological “enemies” – and to use that targeting to take very real actions against those people. Barring them from entering the country, de-banking/de-platforming people outright, and so on. In the most extreme cases, you could picture some jurisdictions using it to explicitly target individuals – for example, prior to Carney whitewashing the situation, India had previously been allegedly connected to getting the Bishnoi gang to conduct political assassinations in Canada. One way they could theoretically target those actions, would be to get the data from a Canadian company that’d outsourced services to India – especially if that outsourcing included access to Addresses, Names, and Transactions (“You donated to the wrong charity man!!”). Having noted this, I should highlight that there’ll always be SOME risk of this sort of thing with regards to online services – even if the foreign powers don’t have “Direct” access via legal means, there’s no reason to think they wouldn’t then default to attempting hacks / illegal means to access that information. It’s just that the setup basically makes it super easy to do, and defaults the info to being accessible on demand.
The second bigger risk I’d flag is related to service availability and organisation resiliency, which is kind of referenced in my earlier post noting that the FI industry would go ‘pop’ if a data sovereignty law came in immediately. Whether those services get cut off due to Canada enacting legislation that said “You gotta be mindful of data sovereignty, so you CANT outsource this stuff to the people you’ve outsourced everything to”, OR, more importantly, if Donald Trump / the US Administration were to say “You tech companies can’t provide service to Canada, cause we want them to implode and be forced to become a US state”, then those outsourced international agreements go poof, as do all connected services. So, for example, Canada’s Credit Unions and some Banks generally outsource their online banking platforms to Indian multinationals, hosted in US cloud spaces. If either the USA, or India, were to put in those sorts of export restrictions, your online banking would disappear overnight. If your backend is sovereign to Canada, accounts and everything would remain available, but the clipping of all those third parties may result in you likely needing to go in to the branch to get cash – cause, as noted, even the ATMs run on Windows, and cheques / other forms of payment all route through US tech giants. If your backend is in a cloud ecosystem, there’s a good chance the org has a ‘backup’ somewhere – but they’ll need to find somewhere to host it that can comply with the backup structure (some ‘backups’ can only restore to Azure or AWS infrastructure, for example). The FI would still have all their regular reports, so they’d likely still be able to sort out all the big ticket items like deposits totals/ loans owing, but it’d all be delayed significantly due to the volume of the mess – in other words, people would be kept “whole” financially, but it would be chaos, and potentially a long time before the mess got sorted.
Most digital payment options would disappear – the one exception potentially being Interac Konek, which I believe is a Canadian-centric option that cuts out a bunch of the US Tech stack – though I don’t know for sure how much exposure Interac itself has to this issue.
Not sure if that helps clarify things, or if it muddles it more due to my hamfisted attempts to explain… but anyhoo, hopefully it made sense.
This is absolutely fascinating. Still a bit dense ngl lol. It will take me some time to work through, I feel bad I’m not giving your write-up the time it deserves. Wondering, what would be your ideal solution? You basically wrote an entire essay for me and I’m half in love with you now. Talk my ear off about it anytime
Yeah, I’d ramble about this stuff at a pub like a freak, if it were stuff that people actually wanted to talk about haha… but ok, let’s see, ‘my’ ideal solution? This’ll be rambly for sure ;p
First off, for non-critical industry businesses, I’d avoid any heavy handed data sovereignty type regulations / laws. That alone poses a bit of an issue that’d require some additional nuance get built in to Canada’s privacy legislation. But I’d want to put that out there first and foremost, as Canada generally benefits from having international players / service providers and features from all over the world.
For critical industries, I’d be a good bit more strict, and require both data sovereignty and some sort of mechanism to try and prevent any specific vendor lock-ins where feasible. International IT standards have generally called for reviewing your tech stack / supply chain issues for a decade now, but it hasn’t really been as much of a focus until lately – and, realistically, it’d be difficult for Canada to fully stand up every component required to provide modern services overnight (we likely couldn’t do absolutely everything either, like chip fabs and whatnot – but a ‘chip’, as a commodity, is far less risky than an “always-online connection requirement that can be severed on a whim”). Steps can be taken to mitigate / minimize the impact of potential issues though, and those steps can be phased in rather aggressively depending on the scale of the organisations involved, and could even, potentially, be done using the existing regulatory frameworks in some areas.
For starters, the government would need to aggressively sort out its own shit – because them trying to push this sort of thing on to the industries they regulate, without “walking the walk”, would be problematic. On the bright side, at present there’s a glut of out of work IT people who can assist. There are tools that are generally “sufficient” for most targeted purposes that already exist, and use licenses that generally allow for more international community-driven involvement. If you look, for example, to how China’s handled their data sovereignty – they forked a version of Linux, Ubuntu, creating their own national OS called Kylin (I think I’ve got that name right). Their developers / government resources have in many ways been a boon to the Ubuntu project too, helping it stay very current with different tech trends – so it’s a win win symbiotic relationship between government and open source community. Places like the EU are doing similar. There’s no practical reason I can see as to why Canada couldn’t do something along the same lines, especially given the talent that exists in the country.
Once the government’s taken a bit of a lead on that, they’d be in a better position to not only say to industry “data residency is so last era, we doin data sovereignty now”, but to help guide potential adoptions and migrations – especially for smaller organisations in those regulated spaces, which’d represent a lower risk ‘testing’ ground for making those changes. So like, helping them shift from using Microsoft’s Cloud ecosystem, and instead having them use something like Nextcloud on their own servers / backend hardware. The news we often see about “AI Data Centers” are a bit trendy, but realistically there’s nothing stopping/preventing organisations in Canada from having a T1 data center hosting their servers (ie. the only thing the third party provides is space / electricity, which Canada can easily nationalise if there’s some US connection on the Datacenter front). Ignoring all the outsourcing for service providers etc, it’s entirely possible to setup a “sovereign” stack in Canada even today, with no additional hardware / long-time line building required. The AI Data Centers we see in the news with Carney and them, often seem like they’re specifically referencing a desire to have a hyperscaler public cloud type option – but a smaller managed cloud that’s data sovereign is also an option, it’s just often a bit more expensive, and involves more management on the part of the organisation pending their size. I think Carney’s push in this regard, for a “sovereign canadian cloud”, is an attempt to have one big provider, to which existing companies can sort out large-scale migrations towards – ie. if you have something like OVH (a French cloud) but a “Canadian” hyperscaler, and sort out how to migrate clients from Microsoft’s cloud over in a streamlined fashion to that provider, it makes it easier to put out a broad-stroke data sovereignty legislation change.
But for immediacy / urgency sake, there are options for companies to start moving that way already – they may just need that extra regulatory push.
In terms of fitting some of these migration things into existing regulatory frameworks – many banks are regulated by the same organisation that effectively controls their insurance premiums for deposit insurances: CUDIC/CDIC. The BC FSA has in the past used this mechanism to essentially choke the BC industry into merging/consolidating, by declaring smaller financial institutions “high risk” and charging them hundreds of thousands of dollars more per year for their deposit insurance (which is an existential issue, given most had annual profits of less than $1m, they’re coops after all!). In fact, their push to consolidate / move people into the cloud is a big reason we have this risk / issues moving the industry in another direction! They could, for example, use their IT Security Guideline to declare orgs “more at risk” the more foreign outsourcing they rely on – that’d create a very clear financial imperative for orgs to move away from US providers in as aggressive a fashion as the penalties dictate. Tell someone like Vancity Credit Union they’ll be paying millions of dollars more per year for insurance if they stick with Microsoft, and they’ll put serious effort into adopting sovereign solutions, I’m sure. One of Carney’s big flaws, and you can see it historically even from his time at the BOC, is that he doesn’t actually “see” the Credit Union system / “regular Canadian” citizen financial situations – but by nudging that more agile industry in the right direction first, you could at least ensure that there’s an option for people in the financial services space, to avoid those risks, and have that option available very quickly compared to the lead times likely required by the big banks to make similar moves.
One thought is also that the government would likely need to review the critical components that they’d need to bolster in order to get some of this to happen - so it’s not just a matter of forking a Linux distro in that stage. Like one area where Canada has a general weakness, is on something like Firewall providers for protecting assets – there aren’t many ‘Canadian’ companies that offer that sort of asset, and you’re generally stuck relying on USA, Chinese/Asian, European or Israeli companies if you want a quality device. So that’d have to be built into the steps above, where the gov would likely need to fork/partner with an open source vendor for their primary OS needs. Oh, in terms of those, I’d prolly vote for them to go with SUSE as it’s Euro-centric, and it’d help to align us with them a bit more – though for some things like ATMs, *BSD should be the default. BSD is sorta a brick shithouse that has limited integration features, but can be purpose built to be super hardened/secure, and stay that way for long stretches – requiring little updates/tweaks. It’s practically designed for infrastructure devices. The security folks on some of the main BSD projects, are also already tied to Canada, so win win.
And I guess, as I went about re-tooling things to bring those critical industries more ‘in house’, I’d tweak the ISO20022 setup to add in some more “vendor lock-in prevention” controls – goal there would be to welcome things like international Fintechs, but also to ensure Canadians are protected from undue foreign pressures. You want to allow enough flexibility for a general business to use ODOO or similar products, if they want, but you don’t want them to become ‘stuck’ there, nor would you want to have that be a huge slice of the Canadian market place for that feature. That may require some subsidies to local competitors, not sure how I’d structure that specifically though. Another risk I’d be preparing for as part of it, though it’s a bit of an outlier, is to have better fallbacks get built in to the regulatory frameworks – as noted above, there’s almost always going to be some supply chain exposure/issues. One big ‘nightmare’ scenario, would be China attacking/taking Taiwan, paired with US chip makers being blocked from providing chips to Canada. Not only would that situation screw over a bunch of the financial industry vendors, but it’d massively hit the customers/members of those organisations – if you’ve designed a system like Wealthsimple, you’re pre-supposing that your customers/members all have a ton of tech toys to do their online banking. In the nightmare scenario, you’d basically be going back to analogue setups – which, given some trends and climate change projections, is something that ought to at least be on the radar and considered given the critical industry nature of the financial system.
One last thought to loop back to the subsidies bit, is that one challenge, is trying to maintain a sufficient volume to keep whatever parts of the stack you ‘in-country’ profitable as possible. Like Carney and them setting up these big data center projects and making noise about data sovereignty is interesting – but if they don’t somehow force Canadian businesses to use those sovereign solutions, there won’t be an edge for Canadian offerings due to the differences in scale between the Canadian and US / Foreign markets. I’ve reached the limit for posting length, so I’ll shut up now ;p
Oh, another tidbit that I’d throw in the mix, just as an afterthought – I’d totally smack the BC FSA upside the head on their data collections, and any other government regulator type agency that’s over collecting granular citizen data under similar silly pretenses. I’d also likely take a slightly different approach on AI regulations, though attempt to keep it generally in line with the EU counterparts, as the most likely ‘friendly’ block going forward.
Regulators are generally tasked with maintaining the viability and stability of critical industries, and the businesses therein. It’s important to have regulation of FIs, but regulators like the BC FSA have gone overkill, to the point that they’re basically cited as the #1 reason for FIs needing to merge… to get bigger to handle regulatory burdens and overreach. In BC, it’s sorta like they were put in charge of ensuring a thriving forest, but then they decided that to do that, they had to reduce it down to just 4-6 big trees, and then to map out each individual leaf on those trees. They really don’t need all the data they’re collecting, to manage aggregate risks in the ecosystem – their collection just adds to this foreign exposure issue. It’s possible to do 90% of their risk analysis using aggregate, anonymous data collected from the FIs. If there are specific dimensions / concerns they want FIs focused on for ‘internal’ risk reasons, they can work WITH industry during reviews to make sure they’re tracking the ‘right’ variables and being transparent with stakeholders etc.
From a Risk Management perspective, it’s a semi easy thing to describe how the BC FSA has failed miserably at its job: If the Mitigations for a Risk outweigh the cost of that Risk occurring, you shouldn’t apply the mitigations. Ie. If it costs you $100k to prevent a potential ‘threat’ that could cost you $1k in fines/damages, you should just accept the $1k cost. Likewise, if your regulation has killed off roughly 75% of the province’s financial institutions, while there’ve been 0 cases of a BC financial institution “failing due to mismanagement” since like the 80s (and back then, it was an outlier case!), your regulations suck and you should feel bad. One of the biggest indicators of the health of a forest/ecosystem, is its stability / ability to renew itself organically: ie. lots of competition, a reasonable amount of turn over, which is filled in with new entrants. You can monitor the health of a populace / forest by looking at how many trees are there, and getting a rough report on whether they’re healthy or not, without needing to map out every leaf.
Regulatory hurdles are also often used to create moats around industries/businesses, so there’s this delicate balancing act needed to allow for innovation, while still protecting against industry-wide negative risks. The more regulation surrounding a setup, the more locked out new entrants are. You don’t want to allow OpenAI to dictate the terms for new competitors to startup and challenge OpenAI, sorta thing. Like the Tumbler Ridge tragedy was… tragic. But if new regulations come in placing onerous oversight / reporting obligations on all AI companies as a result, it’ll be that much harder for a ‘new’ Canadian company to get rolling. So with regards to tech-side regulation, I’d definitely try to align with the EU models, but I’d aim to have them be more unique to Canada – we still need a small moat between us and the EU platforms, but we need a much bigger moat between us and authoritarian regimes.
Lots to unpack here. This is the big thing at the moment and I’d like to know what I can. Would you be willing to talk on the phone at some point? I’ve been going through something hard and I don’t want to cry about it, but I think it would help a lot if someone smart and passionate in a subject I know little about ranted at me. Not like a formal interview, just a talk
If I’m being honest, for some reason I have this aversion to voice chats with strangers from social media sites, heh. It’s totally nonsensical in some ways, as I’m fine chatting with people in games, and/or meeting people in real life, but for some reason ¯\_(ツ)_/¯.
If you do have questions about these sorts of things though, and are in Canada, I’d suggest reaching out to your financial institution a bit and peppering them with some questions. At the very least, you’d get a sense of how they’re looking at the situation, and whether you felt like they were putting in appropriate due diligence to safeguard your interests. If the note about going through something hard was more in relation to wanting a distraction to take your mind off other things, I can empathize, but I’m also so terribly awkward on phone calls that it’d prolly end up doing more harm than good. I’d also likely pester you to try and find out what the ‘something hard’ was that you’re going through, in a very tactless fashion, as I’m really not all that good with that sorta thing.
Not a problem. I was just thinking you’re an interesting person with a fount of information. Nothing wrong with not wanting to chat with a stranger. I’ll be around if you change your mind but no pressure ofc.
I’m in the US but I’ve been looking into educating myself more about financial institutions and that’s why I was so curious. Plus you sounded really well-informed and I’m very close to Canada geographically and thinking about moving there so I need to learn all I can before I make that decision.