I think I heard that exchange at the end of their session. They said they relied on the contractual arrangements with the outsourcing party that they could insist on, and that they would then take full responsibility for making good to individual consumers. I'm not questioning the ability of the banking companies to fulfill that in narrow and specific cases, but if there's a major problem, what are they going to do when their data is outside the country? Are they going to be able to sue the outsourcer? They're going to have to go to another jurisdiction. I don't think contractual arrangements are adequate. As they mentioned or alluded to, these arrangements don't deal with the laws of the country that the data is in. Those laws apply, and any outsourcer is going to have to comply with them, even if it means breaking their contract—or they're going to be in a dilemma there.
I was much less reassured by their confidence that they could just outsource to other countries and rely on the contracts. I think they'd be much better off if they could bring that service within Canadian jurisdiction and Canadian territory. I don't see any major reason why they can't, at least in the long term, hit that goal—have their cake and eat it too, so to speak.