In Bangalore last week, local police arrested Nadeem Kashmiri, bringing data privacy and potential security breaches in back-office transactions back to the fore. An employee of HSBC Electronic Data Processing Private Ltd, a Bangalore-based captive business process outsourcing outfit of Europe's biggest bank, HSBC, Kashmiri allegedly siphoned off nearly Rs 2 crore from the accounts of 20 bank customers in the UK. The heist comes less than 15 months after five call centre agents at MphasiS-BFL's facility in Pune almost made off with nearly half a million dollars.
The HSBC Bangalore bust made the headlines not just in India but also in British and US papers, playing on the fears associated with outsourcing customer transactions halfway across the world. But the splash was toned down this time, as there is an increasing realisation that such frauds are few and far between in India compared to the hundreds reported, for instance, in the US.
"Cases of breach of security in India are minimal compared to that abroad," says Sivarama Krishnan, executive director, Price Waterhouse. "Most global companies leave 2%-3% margin for fraudulent transactions. BPO outsourcing cases must be not more than a fraction of that. Earlier cases of fraud were limited to a country, now it is cross-country." Adds Raman Roy, chairman and managing director of Quatrro, a BPO that was earlier Raman Roy Associates: "In India, least people get caught, overseas they never get caught."
BPO companies, wary of potential thefts, have left no stone unturned to make their operations as secure "as Fort Knox", a stated aim of Nasscom president Kiran Karnik. "We have a multi-layered security policy and 137 security control points. Each desktop has an 8-digit alphanumeric password with special keywords. We have firewalls for data protection. The access card (to the building) allows entry only to limited floors. No cellphones are allowed in the workplace," says N Ranjit, CEO, HCL BPO. "Closed-circuit cameras monitor the workforce 24/7. Workers handling sensitive data have checks done on them by an outside security agency."
Most companies have similar processes vetted by the British Standards Institute, London, and Customer Operations Performance Centre Inc of Amherst, NY. Says Charan Bhalla, chief risk officer, Wipro: "We adhere to stringent security measures like checks on a person's background, BS 7799 certification, floor-specific access to workers, etc. When we transact with multinationals, they bring their team here and do due diligence such as firewalls, audit of PCs, removal of unnecessary software, etc. Security checks by Fortune 500 companies are very rigorous. Data on our closed-circuit TVs are stored for 30 days. We have had a few breaches. Every time, we have reported the cases and have had those people arrested."
Other measures in the $3.6 billion BPO industry include a database of BPO workers that the National Association of Software and Service Companies (Nasscom) is trying to put in place. Says Nasscom vice president Sunil Mehta: "Nasscom has launched the national skills registry (NSR), a certification for employees. We have also been working on a self-regulatory organisation that will be the certification authority for companies. This has been conceptualised following an analysis of Indian law and various international standards in US and Europe."
In an industry that employs over 400,000 and churns nearly 4,000 agents every week, maintaining and updating a database like the NSR is a punishing task. Kashmiri, the accused in the HSBC heist, was not registered on the just-launched NSR, an opt-in list. Companies may make it mandatory for new recruits to be registered on the NSR in the months ahead.
The task gets even tougher with the increasing number of such frauds in recent years. "In a recent PricewaterhouseCoopers survey, 54% of respondents had become the victims of economic crime in the two years to 2005 as compared with 24% in the previous survey," says Srikiran Raghavan, Chennai-based regional sales head of RSA Security. "Online fraud is growing internationally as well as in India."
Industry insiders admit that there is little BPO companies can do if an employee with a criminal bent of mind comes in contact with an unsuspecting (read: unwise) customer. Says MphasiS president Anant Koppar, "In most cases, the executives on call get friendly with the customer who divulges confidential data such as personal identification numbers (PIN), etc." The April 2005 MphasiS Pune case is one such example.
Further, loopholes in the law do not help. According to Sanjay Veer Singh, deputy inspector general, economic offences and cyber crime, the Information Technology Act, 2000 does not have direct provisions for data theft. "Section 65 of IT Act deals with tampering of data, Section 66 with hacking of data and Section 67 with obscenity and pornography. Data and identity theft are becoming serious issues and the IT Act is not conclusive enough," he says. "A separate Data Protection Act could be introduced or be incorporated in the provisions of the IT Act. The HSBC employee has been charged under Sections 420 and 408 of the Indian Penal Code for breach of trust and also under sections 66 and 72 of the IT Act dealing with confidentiality and privacy."
Referring to proposed amendments to the IT Act, expected to be tabled in Parliament in the monsoon session, Pavan Duggal, president, cyberlaws.net, says, "Currently, the punishment under the Act if caught is 3 years' imprisonment and fine starting from Rs 2 lakh to Rs 1 crore. Usually, the fraudsters in these crimes manage to siphon off several crores." The HSBC fraud has brought back into focus the shortcomings in the law and the pressing need to fix them.