Keeping borrower data in Canada: PIPEDA, OCAP, and AI underwriting

A practical guide for Community Futures Executive Directors weighing AI tools — what the rules actually require, and the questions to ask any vendor before a single file changes hands.

By Mezzura · 9 min read

If you run a Community Futures Development Corporation, you already hold some of the most sensitive data in your region — borrower financials, personal guarantees, tax filings, sometimes a family's entire net worth in one folder. The moment an AI tool enters that workflow, a fair question lands on your desk: where does this data go, and who can see it?

This guide walks through the four frameworks that actually apply to community lenders in Canada, what changes when AI is involved, and a short checklist you can take into any vendor conversation. It is written for the person who has to answer to a board.

Why data residency became a board-level question

"Data residency" simply means the physical location where data is stored and processed. For decades this was straightforward: your files sat on a server in your office or with a Canadian IT provider. Cloud services blurred that line, and AI blurred it further — many AI tools send whatever you type to servers in the United States or elsewhere, where different laws apply and foreign governments may compel access.

For a community lender, the risk isn't abstract. A borrower's data crossing a border without their understanding can breach their trust, your privacy obligations, and — for Indigenous communities — principles of data sovereignty that predate any statute.

The four frameworks community lenders should know

1. PIPEDA — the federal baseline

The Personal Information Protection and Electronic Documents Act governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. It requires meaningful consent, limits use to the purpose collected, and obliges you to protect the information with safeguards appropriate to its sensitivity. PIPEDA doesn't ban sending data abroad, but it makes you accountable for it wherever it goes — including under a third party's control.

2. OCAP® — First Nations data sovereignty

If you serve First Nations communities or borrowers, the First Nations principles of OCAP® — Ownership, Control, Access, and Possession — set a standard that goes beyond PIPEDA. They assert that First Nations have the right to control how data about their communities is collected, stored, and used. OCAP® is a registered trademark of the First Nations Information Governance Centre, and treating it as a checkbox misses the point: it's about who holds authority over the data, not just where it sits.

3. Quebec's Law 25 — the stricter cousin

If you have borrowers in Quebec, Law 25 (the modernization of Quebec's private-sector privacy law) raises the bar again: mandatory privacy-impact assessments before transferring personal information outside Quebec, explicit consent rules, and real penalties for getting it wrong. Even lenders outside Quebec increasingly treat Law 25 as the benchmark to design toward.

4. OSFI Guideline E-23 — a useful benchmark for model risk

CFDCs aren't federally regulated financial institutions, so OSFI's Guideline E-23 on model risk management doesn't bind you directly. But it's a well-built standard for one thing AI underwriting raises sharply: how do you govern a model that influences credit decisions? E-23's expectations — documentation, validation, ongoing monitoring, human accountability — are a sensible bar to hold any AI underwriting vendor against.

The short version

PIPEDA makes you accountable for borrower data wherever it travels. OCAP® asks who holds authority over it. Law 25 adds assessments and consent before it leaves the province. E-23 is the benchmark for governing the model itself. AI doesn't exempt you from any of these — it makes all four more urgent.

What changes when AI enters the file

Most general-purpose AI tools are built to send your input to a large model hosted by a third party, often outside Canada. For casual use that's fine. For a credit file, it means borrower-identifying information may leave your control the instant it's pasted in — and you may have no record of where it went or how long it's retained.

There are two ways a serious underwriting tool can address this. The first is data residency: running the AI models on Canadian infrastructure so the data never leaves the country. The second is sanitisation: stripping personally identifying details before any external service is ever called, so what leaves your control can't be traced back to a borrower. The strongest approach uses both.
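The sanitisation approach described above, sketched as an added example (this is not Mezzura's code or any vendor's). The `Sanitiser` class, `egress_check` function, the four patterns, and the sample note are all assumptions constructed for illustration:

```python
import re

# Illustrative patterns only; street addresses and account numbers need their own rules.
PATTERNS = {
    "SIN": re.compile(r"\b\d{3}[- ]?\d{3}[- ]?\d{3}\b"),
    "PHONE": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "POSTAL": re.compile(r"\b[A-Za-z]\d[A-Za-z][ -]?\d[A-Za-z]\d\b"),
}

class Sanitiser:
    """Swaps identifiers for tokens; the token map stays on local storage."""
    def __init__(self, known_names=()):
        # Names come from the structured borrower record; regexes cannot find them.
        self.known_names = sorted(known_names, key=len, reverse=True)
        self.vault = {}    # token -> original value, never sent out
        self._seen = {}    # (kind, normalised value) -> token

    def _token(self, kind, value):
        norm = value.lower() if kind == "EMAIL" else re.sub(r"\W", "", value).lower()
        key = (kind, norm)
        if key not in self._seen:
            n = sum(1 for k in self._seen if k[0] == kind) + 1
            self._seen[key] = f"[{kind}_{n}]"
            self.vault[self._seen[key]] = value
        return self._seen[key]

    def sanitise(self, text):
        for name in self.known_names:
            text = re.sub(re.escape(name), lambda m: self._token("NAME", m.group()),
                          text, flags=re.IGNORECASE)
        for kind, pat in PATTERNS.items():
            text = pat.sub(lambda m, k=kind: self._token(k, m.group()), text)
        return text

    def restore(self, text):
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text

def egress_check(text, known_names=()):
    """Fail-closed gate: list identifier kinds still present in outbound text."""
    found = [kind for kind, pat in PATTERNS.items() if pat.search(text)]
    if any(name.lower() in text.lower() for name in known_names):
        found.append("NAME")
    return found

# Constructed sample note; every value in it is made up.
SAMPLE = ("Marie Tremblay (SIN 046 454 286), Cornwall ON K6J 3P2, requests $85,000. "
          "Contact: marie.t@example.ca or 613-555-0142. Marie Tremblay guarantees personally.")
```

Only the output of `sanitise` should reach an external service, and only when `egress_check` returns an empty list; `restore` runs locally on the reply, so the token map never crosses the boundary.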

Questions to ask any AI underwriting vendor

Take this list into the conversation. Vague answers are an answer.

  • Where, physically, are your AI models hosted — and is borrower data ever processed outside Canada?
  • Does personally identifiable borrower information ever leave your infrastructure? If so, when and to whom?
  • Do you sanitise identifying details before any external service is called?
  • Are you built for PIPEDA, OCAP®, and — where relevant — Quebec's Law 25?
  • How is the model governed, validated, and monitored, and who is accountable for an incorrect output?
  • What is your data retention policy, and can we get our data deleted on request?
  • Do you hold, or are you pursuing, an independent audit such as SOC 2?

How Mezzura is built for this

Mezzura runs on its own GPU infrastructure in Cornwall, Ontario — not on commercial cloud AI services. Personally identifiable borrower information never leaves that infrastructure. A sanitisation layer strips identifying details before any external service is called, and our reasoning models run locally on Canadian hardware. We're built for OCAP®, PIPEDA, Quebec's Law 25, and OSFI E-23 as a benchmark; data residency is Canadian, and a SOC 2 Type 2 audit is planned.

The point isn't that AI is safe by default — it isn't. The point is that data residency and sanitisation are design choices a vendor either made or didn't. You're entitled to ask which.

This guide is general information for community lenders, not legal advice. Privacy obligations depend on your specific circumstances — confirm them with your own counsel and privacy officer. OCAP® is a registered trademark of the First Nations Information Governance Centre.
