This is absolutely fascinating. Still a bit dense ngl lol. It will take me some time to work through; I feel bad I’m not giving your write-up the time it deserves. Wondering, what would be your ideal solution?
You basically wrote an entire essay for me and I’m half in love with you now. Talk my ear off about it anytime
Oh, another tidbit that I’d throw in the mix, just as an afterthought – I’d totally smack the BC FSA upside the head on their data collections, and any other government regulator type agency that’s over collecting granular citizen data under similar silly pretenses. I’d also likely take a slightly different approach on AI regulations, though attempt to keep it generally in line with the EU counterparts, as the most likely ‘friendly’ block going forward.
Regulators are generally tasked with maintaining the viability and stability of critical industries, and the businesses therein. It’s important to have regulation of FIs, but regulators like the BC FSA have gone overkill, to the point that they’re basically cited as the #1 reason for FIs needing to merge… to get bigger to handle regulatory burdens and overreach. In BC, it’s sorta like they were put in charge of ensuring a thriving forest, but then they decided that to do that, they had to reduce it down to just 4-6 big trees, and then to map out each individual leaf on those trees. They really don’t need all the data they’re collecting to manage aggregate risks in the ecosystem – their collection just adds to this foreign exposure issue. It’s possible to do 90% of their risk analysis using aggregate, anonymous data collected from the FIs. If there are specific dimensions / concerns they want FIs focused on for ‘internal’ risk reasons, they can work WITH industry during reviews to make sure they’re tracking the ‘right’ variables and being transparent with stakeholders etc.
From a Risk Management perspective, it’s a semi easy thing to describe how the BC FSA has failed miserably at its job: If the Mitigations for a Risk outweigh the cost of that Risk occurring, you shouldn’t apply the mitigations. I.e. if it costs you $100k to prevent a potential ‘threat’ that could cost you $1k in fines/damages, you should just accept the $1k cost. Likewise, if your regulation has killed off roughly 75% of the province’s financial institutions, while there’ve been 0 cases of a BC financial institution “failing due to mismanagement” since like the 80s (and back then, it was an outlier case!), your regulations suck and you should feel bad. One of the biggest indicators of the health of a forest/ecosystem is its stability / ability to renew itself organically: i.e. lots of competition, a reasonable amount of turnover, which is filled in with new entrants. You can monitor the health of a populace / forest by looking at how many trees are there, and getting a rough report on whether they’re healthy or not, without needing to map out every leaf.
Regulatory hurdles are also often used to create moats around industries/businesses, so there’s this delicate balancing act needed to allow for innovation, while still protecting against industry-wide negative risks. The more regulation surrounding a setup, the more locked out new entrants are. You don’t want to allow OpenAI to dictate the terms for new competitors to start up and challenge OpenAI, sorta thing. Like the Tumbler Ridge tragedy was… tragic. But if new regulations come in placing onerous oversight / reporting obligations on all AI companies as a result, it’ll be that much harder for a ‘new’ Canadian company to get rolling. So with regards to tech-side regulation, I’d definitely try to align with the EU models, but I’d aim to have them be more unique to Canada – we still need a small moat between us and the EU platforms, but we need a much bigger moat between us and authoritarian regimes.
Lots to unpack here. This is the big thing at the moment and I’d like to know what I can. Would you be willing to talk on the phone at some point? I’ve been going through something hard and I don’t want to cry about it, but I think it would help a lot if someone smart and passionate in a subject I know little about ranted at me. Not like a formal interview, just a talk
Yeah, I’d ramble about this stuff at a pub like a freak, if it were stuff that people actually wanted to talk about haha… but ok, let’s see, ‘my’ ideal solution? This’ll be rambly for sure ;p
First off, for non-critical industry businesses, I’d avoid any heavy-handed data sovereignty type regulations / laws. That alone poses a bit of an issue that’d require some additional nuance to get built in to Canada’s privacy legislation. But I’d want to put that out there first and foremost, as Canada generally benefits from having international players / service providers and features from all over the world.
For critical industries, I’d be a good bit more strict, and require both data sovereignty and some sort of mechanism to try and prevent any specific vendor lock-ins where feasible. International IT standards have generally called for reviewing your tech stack / supply chain issues for a decade now, but it hasn’t really been as much of a focus until lately – and, realistically, it’d be difficult for Canada to fully stand up every component required to provide modern services overnight (we likely couldn’t do absolutely everything either, like chip fabs and whatnot – but a ‘chip’, as a commodity, is far less risky than an “always-online connection requirement that can be severed on a whim”). Steps can be taken to mitigate / minimize the impact of potential issues though, and those steps can be phased in rather aggressively depending on the scale of the organisations involved, and could even, potentially, be done using the existing regulatory frameworks in some areas.
For starters, the government would need to aggressively sort out its own shit – because them trying to push this sort of thing on to the industries they regulate, without “walking the walk”, would be problematic. On the bright side, at present there’s a glut of out-of-work IT people who can assist. There are tools that are generally “sufficient” for most targeted purposes that already exist, and use licenses that generally allow for more international community-driven involvement. If you look, for example, to how China’s handled their data sovereignty – they forked a version of Linux, Ubuntu, creating their own national OS called Kylin (I think I’ve got that name right). Their developers / government resources have in many ways been a boon to the Ubuntu project too, helping it stay very current with different tech trends – so it’s a win-win symbiotic relationship between government and open source community. Places like the EU are doing similar. There’s no practical reason I can see as to why Canada couldn’t do something along the same lines, especially given the talent that exists in the country.
Once the government’s taken a bit of a lead on that, they’d be in a better position to not only say to industry “data residency is so last era, we doin data sovereignty now”, but to help guide potential adoptions and migrations – especially for smaller organisations in those regulated spaces, which’d represent a lower risk ‘testing’ ground for making those changes. So like, helping them shift from using Microsoft’s Cloud ecosystem, and instead having them use something like Nextcloud on their own servers / backend hardware. The news we often see about “AI Data Centers” is a bit trendy, but realistically there’s nothing stopping/preventing organisations in Canada from having a T1 data center hosting their servers (i.e. the only thing the third party provides is space / electricity, which Canada can easily nationalise if there’s some US connection on the Datacenter front). Ignoring all the outsourcing for service providers etc, it’s entirely possible to set up a “sovereign” stack in Canada even today, with no additional hardware / long-timeline building required. The AI Data Centers we see in the news with Carney and them often seem like they’re specifically referencing a desire to have a hyperscaler public cloud type option – but a smaller managed cloud that’s data sovereign is also an option, it’s just often a bit more expensive, and involves more management on the part of the organisation pending their size. I think Carney’s push in this regard, for a “sovereign canadian cloud”, is an attempt to have one big provider, to which existing companies can sort out large-scale migrations towards – i.e. if you have something like OVH (a French cloud) but a “Canadian” hyperscaler, and sort out how to migrate clients from Microsoft’s cloud over in a streamlined fashion to that provider, it makes it easier to put out a broad-stroke data sovereignty legislation change.
But for immediacy / urgency sake, there are options for companies to start moving that way already – they may just need that extra regulatory push.
In terms of fitting some of these migration things into existing regulatory frameworks – many banks are regulated by the same organisation that effectively controls their insurance premiums for deposit insurance: CUDIC/CDIC. The BC FSA has in the past used this mechanism to essentially choke the BC industry into merging/consolidating, by declaring smaller financial institutions “high risk” and charging them hundreds of thousands of dollars more per year for their deposit insurance (which is an existential issue, given most had annual profits of less than $1m, they’re coops after all!). In fact, their push to consolidate / move people into the cloud is a big reason we have this risk / issues moving the industry in another direction! They could, for example, use their IT Security Guideline to declare orgs “more at risk” the more foreign outsourcing they rely on – that’d create a very clear financial imperative for orgs to move away from US providers in as aggressive a fashion as the penalties dictate. Tell someone like Vancity Credit Union they’ll be paying millions of dollars more per year for insurance if they stick with Microsoft, and they’ll put serious effort into adopting sovereign solutions, I’m sure. One of Carney’s big flaws, and you can see it historically even from his time at the BOC, is that he doesn’t actually “see” the Credit Union system / “regular Canadian” citizen financial situations – but by nudging that more agile industry in the right direction first, you could at least ensure that there’s an option for people in the financial services space to avoid those risks, and have that option available very quickly compared to the lead times likely required by the big banks to make similar moves.
One thought is also that the government would likely need to review the critical components that they’d need to bolster in order to get some of this to happen – so it’s not just a matter of forking a Linux distro in that stage. Like one area where Canada has a general weakness is on something like Firewall providers for protecting assets – there aren’t many ‘Canadian’ companies that offer that sort of asset, and you’re generally stuck relying on USA, Chinese/Asian, European or Israeli companies if you want a quality device. So that’d have to be built into the steps above, where the gov would likely need to fork/partner with an open source vendor for their primary OS needs. Oh, in terms of those, I’d prolly vote for them to go with SUSE as it’s Euro-centric, and it’d help to align us with them a bit more – though for some things like ATMs, *BSD should be the default. BSD is sorta a brick shithouse that has limited integration features, but can be purpose built to be super hardened/secure, and stay that way for long stretches – requiring little in the way of updates/tweaks. It’s practically designed for infrastructure devices. The security folks on some of the main BSD projects are also already tied to Canada, so win-win.
And I guess, as I went about re-tooling things to bring those critical industries more ‘in house’, I’d tweak the ISO20022 setup to add in some more “vendor lock-in prevention” controls – the goal there would be to welcome things like international Fintechs, but also to ensure Canadians are protected from undue foreign pressures. You want to allow enough flexibility for a general business to use ODOO or similar products, if they want, but you don’t want them to become ‘stuck’ there, nor would you want to have that be a huge slice of the Canadian marketplace for that feature. That may require some subsidies to local competitors, not sure how I’d structure that specifically though. Another risk I’d be preparing for as part of it, though it’s a bit of an outlier, is to have better fallbacks built in to the regulatory frameworks – as noted above, there’s almost always going to be some supply chain exposure/issues. One big ‘nightmare’ scenario would be China attacking/taking Taiwan, paired with US chip makers being blocked from providing chips to Canada. Not only would that situation screw over a bunch of the financial industry vendors, but it’d massively hit the customers/members of those organisations – if you’ve designed a system like Wealthsimple, you’re pre-supposing that your customers/members all have a ton of tech toys to do their online banking. In the nightmare scenario, you’d basically be going back to analogue setups – which, given some trends and climate change projections, is something that ought to at least be on the radar and considered given the critical industry nature of the financial system.
One last thought, to loop back to the subsidies bit, is that one challenge is trying to maintain a sufficient volume to keep whatever parts of the stack you keep ‘in-country’ as profitable as possible. Like Carney and them setting up these big data center projects and making noise about data sovereignty is interesting – but if they don’t somehow force Canadian businesses to use those sovereign solutions, there won’t be an edge for Canadian offerings due to the differences in scale between the Canadian and US / Foreign markets. I’ve reached the limit for posting length, so I’ll shut up now ;p