Standard Chartered Bank recently agreed to pay $340 million and take measures including hiring an anti-money laundering auditor to settle a New York State Department of Financial Services claim stemming from an investigation that found the bank concealed billions of dollars of financial transactions with Iran through its BPO subsidiary in India’s bottom town of Chennai.
In response to the StanChart incident, BPO firms across India have tightened their already strict security measures. Visitors to BPO centers are frisked at the entrance and monitored by secret cameras. Security agents collect personal belongings from employees, including mobile phones, PDAs, pens and notebooks, as they enter the premises.
While at work, employees are banned from accessing social networking sites or their personal email accounts. As they leave the office, they are once again examined to ensure they are not carrying any sensitive data.
“I don’t think this is something new. We have been practicing this sort of security norms for more than a decade now,” said Shirley Fatima iyaz, head of BPO division at SPI, an outsourcing service provider in Mysore, a town 150 miles south of Bangalore.
Standard Chartered’s back-office work in Chennai is processed at a captive facility, one of about 750 such captive units located throughout the country that employ over 200,000 people.
Industry insiders in India do not buy the argument that U.S. officials could have prevented Standard Chartered Bank from hiding the transaction with Iran if the bank’s back-office work had been processed inside the United States.
According to Nasscom, India’s IT industry association, BPO providers that store, process or transmit customer payment card data adhere to information security controls and processes. A majority of BPO companies, Nasscom says, have adopted global security standards (ISO 27000) to protect data, and their clients check everything in detail before contracting out the job.
Safety in Numbers
“Foreign banks know it well that ultimately they will have to pay the price if their client’s sensitive data is disclosed and misused. So they take all security precaution” said BS Murthy, CEO of Leadership Capital, a headhunter that supplies skilled labor to Bangalore’s BPO industry.
Still, the StanChart incident isn’t the first time Indian companies have dealt with security concerns. In 2006 a British TV channel carried out a “sting” operation to show that criminal networks in India traded British consumers’ account details and other commercial information for profit. A few months later, police in Bangalore arrested a worker at HSBC’s captive unit on charges of stealing money from British bank customers.
“It is not for the first time India’s back-office operation has come under cloud. Many people around the world are trying to say that outsourcing is a dangerous thing to do,” said BS Murthy. “But they will not be successful so long as outsourcing is economically profitable.”
Almost every BPO firm in Bangalore has in-house training facilities and they check employees’ backgrounds before hiring them. Many of them have started developing internal fraud management and forensic capabilities.
The Data Security Council of India (DSCI), a subsidiary of Nasscom, is doing everything it can to help BPO firms handle data with care. And the federal government has recently set up cyber forensic labs in India’s major cities, including Mumbai, Bangalore and Pune. Over the past two years, DSCI has held 112 camps and trained nearly 4,000 police officers in cyber crime investigation.