I am Canadian. I’ve worked in the Financial industry for about 20 years (either directly or adjacent to it in roles like auditing). I am an IT guy.
Here’s some more examples / clarifications of it: pretty well all of Canada’s ATMs run on Windows. When questioned about why, companies that provide those systems state that its a requirement from Payments Canada.
Most Financial Institutions use USA-tied backend banking systems – there’s 1-2 “Canadian” providers, but they’re very niche (hence the note about BC’s situation, BC being the western most province in Canada). Companies like FISERV (USA) expanded into Canada a few decades ago – their initial entry to the market failed due to them not caring about differences between Canadian and US financial products. They didn’t bother porting anything, treating things like the US “401k” logic as basically the same as Canada’s RRSPs doesn’t work, and lead to massive problems for many FIs – problems that sank a couple. So they bought out a Canadian product that was called DNA (which ran on Oracle). FISERV is one of the dominant players in the Canadian market.
Canada’s Central1 Credit Union, the trade association / service provider for their Credit Unions, recently bailed on hosting in-country online banking services, after having screwed up their implementation of the ISO20022 really really badly. They ‘sold’ that whole segment of their business off to an Indian Headquartered company which hosts its products in Microsoft’s cloud, uses developers from the UAE, and has only like 1-2 security staff in Canada (so all your security events are definitely going elsewhere). Adding to this, at the start of Central1’s mismanagement of online banking, they had 2 geodistant datacenters on either side of the country – but they hired a US Banker to run their IT department, and he put all their internal stuff (beyond just the online banking) into the cloud, turfing their internal systems. Oh, and in terms of it continuing in this direction even with the turmoil – since 2025, Central has shifted their backend online cheque processing, one of the last items outstanding, into Microsoft’s cloud. So even if you’re using a small credit union in a tiny community, if you write a cheque, you’re reliant on USA cloud infrastructure.
BC’s provincial financial regulators, the BC FSA, put out an RFP about a decade ago noting some serious gaps in their IT framework – the RFP was amazing to read, as it noted things like software that had been EOL for almost a decade, which they admitted they couldn’t support properly, because they’d basically fired most of their IT staff. The RFP was a total “front”/box-checking exercise though, as they’d already chosen who they were going with – the RFP lasted only a brief time, and was tailored to ensure a specific vendor would win (issued June 17, 155 pages of specifications/environment description background, submission deadline July 31 – vendor work startingQ4. A turn around speed unheard of in govt, if they were doing any due diligence). The result was that the BC FSA moved all of its IT ecosystem stuff into Microsoft’s cloud. The industry submits member/customer personal information directly into a site that’s hosted on Microsoft’s cloud – even uses generic Microsoft cloud login infra. So a huge portion of FI customer data is exposed through the regulators of the industry.
Bless you for responding sincerely, I appreciate that so much. I apologize if most of it has gone over my head but is there a movement to detach yourselves from the US?
I have been so in my own head lately and focused on my field of study that I almost feel like an alien. What does this mean in practical terms, how much is my data available to entities I’ve never heard of, can you tell me in practical terms what that means for me/the average person?
Sure, I can try to clarify it a bit, though I may get a bit wordy at times. I can even use recent government docs to support comments, in case that helps a smidge.
So late last year, the government of Canada published a white paper that sort of summed up the exposure risk with regards to data sovereignty, something that, I think, most people in tech have known for decades at this point. The appendix of that document is fairly concise, and generally indicates that there’s no realistic way you can have a “Cloud Service Provider” from a foreign nation, where there’s no chance of interference / pressure / disclosures by that foreign nation.
So someone like Wealthsimple, who’s completely in US cloud technologies, and who’s persona ID (Peter Thiel/Palantir connected) system for doing their “Know your Member” due diligence, has no realistic / practical way to be sure that any/all of their information is being disclosed to the United States government. Similarly, if a cloud service provider is providing services from India, there’s no practical way to ensure that the information they handle isn’t being disclosed to the Indian government. In the states specifically, they have legislation in place that declares the government can make data requests, and that companies can’t disclose those requests to anyone – in the past, this was ‘overlooked’ by many because both Canada and the States had similar judicial systems and a general expectation of habeas corpus, and there was an expectation that international laws would apply on agreements. That’s sorta changed, hence the Fed gov publishing that paper and admitting the risks involved.
A bunch of that is rooted in the nuance of agreements / SLAs. Even as a consumer, you can see the language they use – phrases like “We comply with the laws and regulations of the jurisdictions in which we operate” (and we operate in Panama, so hide your taxes here! sorta thing). The phrasing means if the foreign government demands the data, under the laws/regulations of that foreign government, the company hands it over. Those sorts of agreements aren’t actually saying that the laws/regulations of that foreign jurisdiction, are the same as Canadas – your data can get moved to a foreign authoritarian dictatorship with no regard for your privacy, and it would be totally legal for them to … ignore the end users privacy expectations, which they thought would be in line with Canadas privacy legislation. It’s legal hocus pocus, and one reason lawyers get the bad rep that they do.
In terms of how much is exposed, it varies depending on your service provider/financial institution, and where they have different partnerships / supply chain exposure to these sorts of risks. For example, the BC FSA publicly shows that they require all regulated entities under their purview to submit quarterly Mortgage/Loan reports. They tend to show you what those submissions include even – the LDR for example, includes fields such as your employer, your job title, your income amounts, how much you pay for condo fees, and a ton of other information that realistically can personally identify you. There’s another extract they request for names and other items. All of that information, because it’s disclosed to a system that’s hosted in Microsoft’s cloud ecosystem, by that earlier federal government white paper’s own admission, is potentially exposed and accessible to the US Government through “legal” disclosures by Microsoft. It’s worth noting, I think, that these are all mandatory disclosures, meaning every single Financial Institution that’s regulated by the BC FSA is required to provide this information to the Regulator via Microsoft’s cloud – this is quite explicitly, the BC Government requiring industry to be exposed to Data Sovereignty risks… and to think, the BC FSA’s mandate is to reduce risk in the industry! Doin a bang up job!
What ultimately gets exposed/disclosed to foreign entities largely depends on where those disclosures occur, and what information is sent/transferred. So like, in the above example with the BC FSA, they’re exposing a ton of personal information to foreign actors – but because they don’t request something like your granular payment transactions, that information isn’t disclosed as part of that arrangement. I mention in the earlier post the risks/issue of losing the last BC credit union with a Canadian back end – what I refer to there, is commonly just called a banking system, which is just the sort of “combined” database that has all the data on your account with that specific financial institution. If that banking system is in a foreign company’s cloud ecosystem, all of your data is potentially exposed to those foreign interests, through ‘legal’ channels, even if it’s not in Canada’s general interests.
In terms of direct risks to you as an individual, there are generally two big categories I’d flag: first, is that we can clearly see the USA and other foreign powers increasingly using things like AI, and mass data-gathering, to target political or ideological “enemies” – and to use that targeting to take very real actions against those people. Barring them from entering the country, de-banking/de-platforming people outright, and so on. In the most extreme cases, you could picture some jurisdictions using it to explicitly target individuals – for example, prior to Carney whitewashing the situation, India had previously been allegedly connected to getting the BIshnoi gang to conduct political assassinations in Canada. One way they could theoretically target those actions, would be to get the data from a Canadian company that’d outsourced services to India – especially if that outsourcing included access to Addresses, Names, and Transactions (“You donated to the wrong charity man!!”). Having noted this, I should highlight that there’ll always be SOME risk of this sort of thing with regards to online services – even if the foreign powers don’t have “Direct” access via legal means, there’s no reason to think they wouldn’t then default to attempting hacks / illegal means to access that information. It’s just that the setup basically makes it super easy to do, and defaults the info to being accessible on demand.
The second bigger risk I’d flag is related to service availability and organisation resiliency, which is kind of referenced in my earlier post noting that the FI industry would go ‘pop’ if a data sovereignty law came in immediately. Whether those services get cut off due to Canada enacting legislation that said “You gotta be mindful of data sovereignty, so you CANT outsource this stuff to the people you’ve outsourced everything to”, OR, more importantly, If Donald Trump / the US Administration were to say “You tech companies can’t provide service to Canada, cause we want them to implode and be forced to become a US state”, then those outsourced international agreements go poof, as do all connected services. So, for example, Canada’s Credit Unions and some Banks generally outsource their online banking platforms to Indian multinationals, hosted in US cloud spaces. If either the USA, or India, were to put in those sorts of export restrictions, your online banking would disappear overnight. If your backend is sovereign to Canada, accounts and everything would remain available, but the clipping of all those third parties may result in you likely needing to go in to the branch to get cash – cause, as noted, even the ATMs run on Windows, and cheques / other forms of payment all route through US tech giants. If your backend is in a cloud ecosystem, there’s a good chance the org has a ‘backup’ somewhere – but they’ll need to find somewhere to host it that can comply with the backup structure (some ‘backups’ can only restore to Azure or AWS infrastructure, for example). The FI would still have all their regular reports, so they’d likely still be able to sort out all the big ticket items like deposits totals/ loans owing, but it’d all be delayed significantly due to the volume of the mess – in other words, people would be kept “whole” financially, but it would be chaos, and potentially a long time before the mess got sorted. Most digital payment options would disappear – the one exception potentially being Interac Konek, which I believe is a Canadian-centric option that cuts out a bunch of the US Tech stack – though I don’t know for sure how much exposure interac itself has to this issue.
Not sure if that helps clarify things, or if it muddles it more due to my hamfisted attempts to explain… but anyhoo, hopefully it made sense.
This is absolutely fascinating. Still a bit dense ngl lol. It will take me some time to work through, I feel bad I’m not giving your write-up the time it deserves. Wondering, what would be your ideal solution?
You basically wrote an entire essay for me and I’m half in love with you now. Talk my ear off about it anytime
I am Canadian. I’ve worked in the Financial industry for about 20 years (either directly or adjacent to it in roles like auditing). I am an IT guy.
Here’s some more examples / clarifications of it: pretty well all of Canada’s ATMs run on Windows. When questioned about why, companies that provide those systems state that its a requirement from Payments Canada.
Most Financial Institutions use USA-tied backend banking systems – there’s 1-2 “Canadian” providers, but they’re very niche (hence the note about BC’s situation, BC being the western most province in Canada). Companies like FISERV (USA) expanded into Canada a few decades ago – their initial entry to the market failed due to them not caring about differences between Canadian and US financial products. They didn’t bother porting anything, treating things like the US “401k” logic as basically the same as Canada’s RRSPs doesn’t work, and lead to massive problems for many FIs – problems that sank a couple. So they bought out a Canadian product that was called DNA (which ran on Oracle). FISERV is one of the dominant players in the Canadian market.
Canada’s Central1 Credit Union, the trade association / service provider for their Credit Unions, recently bailed on hosting in-country online banking services, after having screwed up their implementation of the ISO20022 really really badly. They ‘sold’ that whole segment of their business off to an Indian Headquartered company which hosts its products in Microsoft’s cloud, uses developers from the UAE, and has only like 1-2 security staff in Canada (so all your security events are definitely going elsewhere). Adding to this, at the start of Central1’s mismanagement of online banking, they had 2 geodistant datacenters on either side of the country – but they hired a US Banker to run their IT department, and he put all their internal stuff (beyond just the online banking) into the cloud, turfing their internal systems. Oh, and in terms of it continuing in this direction even with the turmoil – since 2025, Central has shifted their backend online cheque processing, one of the last items outstanding, into Microsoft’s cloud. So even if you’re using a small credit union in a tiny community, if you write a cheque, you’re reliant on USA cloud infrastructure.
BC’s provincial financial regulators, the BC FSA, put out an RFP about a decade ago noting some serious gaps in their IT framework – the RFP was amazing to read, as it noted things like software that had been EOL for almost a decade, which they admitted they couldn’t support properly, because they’d basically fired most of their IT staff. The RFP was a total “front”/box-checking exercise though, as they’d already chosen who they were going with – the RFP lasted only a brief time, and was tailored to ensure a specific vendor would win (issued June 17, 155 pages of specifications/environment description background, submission deadline July 31 – vendor work startingQ4. A turn around speed unheard of in govt, if they were doing any due diligence). The result was that the BC FSA moved all of its IT ecosystem stuff into Microsoft’s cloud. The industry submits member/customer personal information directly into a site that’s hosted on Microsoft’s cloud – even uses generic Microsoft cloud login infra. So a huge portion of FI customer data is exposed through the regulators of the industry.
Bless you for responding sincerely, I appreciate that so much. I apologize if most of it has gone over my head but is there a movement to detach yourselves from the US?
I have been so in my own head lately and focused on my field of study that I almost feel like an alien. What does this mean in practical terms, how much is my data available to entities I’ve never heard of, can you tell me in practical terms what that means for me/the average person?
Sure, I can try to clarify it a bit, though I may get a bit wordy at times. I can even use recent government docs to support comments, in case that helps a smidge.
So late last year, the government of Canada published a white paper that sort of summed up the exposure risk with regards to data sovereignty, something that, I think, most people in tech have known for decades at this point. The appendix of that document is fairly concise, and generally indicates that there’s no realistic way you can have a “Cloud Service Provider” from a foreign nation, where there’s no chance of interference / pressure / disclosures by that foreign nation.
So someone like Wealthsimple, who’s completely in US cloud technologies, and who’s persona ID (Peter Thiel/Palantir connected) system for doing their “Know your Member” due diligence, has no realistic / practical way to be sure that any/all of their information is being disclosed to the United States government. Similarly, if a cloud service provider is providing services from India, there’s no practical way to ensure that the information they handle isn’t being disclosed to the Indian government. In the states specifically, they have legislation in place that declares the government can make data requests, and that companies can’t disclose those requests to anyone – in the past, this was ‘overlooked’ by many because both Canada and the States had similar judicial systems and a general expectation of habeas corpus, and there was an expectation that international laws would apply on agreements. That’s sorta changed, hence the Fed gov publishing that paper and admitting the risks involved.
A bunch of that is rooted in the nuance of agreements / SLAs. Even as a consumer, you can see the language they use – phrases like “We comply with the laws and regulations of the jurisdictions in which we operate” (and we operate in Panama, so hide your taxes here! sorta thing). The phrasing means if the foreign government demands the data, under the laws/regulations of that foreign government, the company hands it over. Those sorts of agreements aren’t actually saying that the laws/regulations of that foreign jurisdiction, are the same as Canadas – your data can get moved to a foreign authoritarian dictatorship with no regard for your privacy, and it would be totally legal for them to … ignore the end users privacy expectations, which they thought would be in line with Canadas privacy legislation. It’s legal hocus pocus, and one reason lawyers get the bad rep that they do.
In terms of how much is exposed, it varies depending on your service provider/financial institution, and where they have different partnerships / supply chain exposure to these sorts of risks. For example, the BC FSA publicly shows that they require all regulated entities under their purview to submit quarterly Mortgage/Loan reports. They tend to show you what those submissions include even – the LDR for example, includes fields such as your employer, your job title, your income amounts, how much you pay for condo fees, and a ton of other information that realistically can personally identify you. There’s another extract they request for names and other items. All of that information, because it’s disclosed to a system that’s hosted in Microsoft’s cloud ecosystem, by that earlier federal government white paper’s own admission, is potentially exposed and accessible to the US Government through “legal” disclosures by Microsoft. It’s worth noting, I think, that these are all mandatory disclosures, meaning every single Financial Institution that’s regulated by the BC FSA is required to provide this information to the Regulator via Microsoft’s cloud – this is quite explicitly, the BC Government requiring industry to be exposed to Data Sovereignty risks… and to think, the BC FSA’s mandate is to reduce risk in the industry! Doin a bang up job!
What ultimately gets exposed/disclosed to foreign entities largely depends on where those disclosures occur, and what information is sent/transferred. So like, in the above example with the BC FSA, they’re exposing a ton of personal information to foreign actors – but because they don’t request something like your granular payment transactions, that information isn’t disclosed as part of that arrangement. I mention in the earlier post the risks/issue of losing the last BC credit union with a Canadian back end – what I refer to there, is commonly just called a banking system, which is just the sort of “combined” database that has all the data on your account with that specific financial institution. If that banking system is in a foreign company’s cloud ecosystem, all of your data is potentially exposed to those foreign interests, through ‘legal’ channels, even if it’s not in Canada’s general interests.
In terms of direct risks to you as an individual, there are generally two big categories I’d flag: first, is that we can clearly see the USA and other foreign powers increasingly using things like AI, and mass data-gathering, to target political or ideological “enemies” – and to use that targeting to take very real actions against those people. Barring them from entering the country, de-banking/de-platforming people outright, and so on. In the most extreme cases, you could picture some jurisdictions using it to explicitly target individuals – for example, prior to Carney whitewashing the situation, India had previously been allegedly connected to getting the BIshnoi gang to conduct political assassinations in Canada. One way they could theoretically target those actions, would be to get the data from a Canadian company that’d outsourced services to India – especially if that outsourcing included access to Addresses, Names, and Transactions (“You donated to the wrong charity man!!”). Having noted this, I should highlight that there’ll always be SOME risk of this sort of thing with regards to online services – even if the foreign powers don’t have “Direct” access via legal means, there’s no reason to think they wouldn’t then default to attempting hacks / illegal means to access that information. It’s just that the setup basically makes it super easy to do, and defaults the info to being accessible on demand.
The second bigger risk I’d flag is related to service availability and organisation resiliency, which is kind of referenced in my earlier post noting that the FI industry would go ‘pop’ if a data sovereignty law came in immediately. Whether those services get cut off due to Canada enacting legislation that said “You gotta be mindful of data sovereignty, so you CANT outsource this stuff to the people you’ve outsourced everything to”, OR, more importantly, If Donald Trump / the US Administration were to say “You tech companies can’t provide service to Canada, cause we want them to implode and be forced to become a US state”, then those outsourced international agreements go poof, as do all connected services. So, for example, Canada’s Credit Unions and some Banks generally outsource their online banking platforms to Indian multinationals, hosted in US cloud spaces. If either the USA, or India, were to put in those sorts of export restrictions, your online banking would disappear overnight. If your backend is sovereign to Canada, accounts and everything would remain available, but the clipping of all those third parties may result in you likely needing to go in to the branch to get cash – cause, as noted, even the ATMs run on Windows, and cheques / other forms of payment all route through US tech giants. If your backend is in a cloud ecosystem, there’s a good chance the org has a ‘backup’ somewhere – but they’ll need to find somewhere to host it that can comply with the backup structure (some ‘backups’ can only restore to Azure or AWS infrastructure, for example). The FI would still have all their regular reports, so they’d likely still be able to sort out all the big ticket items like deposits totals/ loans owing, but it’d all be delayed significantly due to the volume of the mess – in other words, people would be kept “whole” financially, but it would be chaos, and potentially a long time before the mess got sorted. Most digital payment options would disappear – the one exception potentially being Interac Konek, which I believe is a Canadian-centric option that cuts out a bunch of the US Tech stack – though I don’t know for sure how much exposure interac itself has to this issue.
Not sure if that helps clarify things, or if it muddles it more due to my hamfisted attempts to explain… but anyhoo, hopefully it made sense.
This is absolutely fascinating. Still a bit dense ngl lol. It will take me some time to work through, I feel bad I’m not giving your write-up the time it deserves. Wondering, what would be your ideal solution? You basically wrote an entire essay for me and I’m half in love with you now. Talk my ear off about it anytime