New Delhi: Even as the Indian BPO industry grapples with the pitfalls of a sting operation by British TV channel Channel 4, a Forensic Accounting Services agency claims the industry has been facing "repeated security failures” and “shocking data protection breaches” thanks to three inherent problems.
The main reason behind such incidents is not lack of information security norms, but lack of whistle-blowing policies, Indiaforensic Consultancy Services (ICS) says, adding that the BPO industry has become vulnerable to such practices due to the lack of fraud response plans and ethics training to the employees.
On Thursday night, Channel 4 aired a sting operation showing two Indian middlemen selling personal and confidential financial information of UK citizens they allegedly obtained from Indian call centres.
A study conducted by ICS's founding promoters Mayur Joshi and Pradeep Akkunoor, says there is an urgent need for whistle-blowing policies in the industry.
In a spot-poll conducted by ICS among call centre employees in Pune, over 90 per cent of the respondents said they were not aware of any whistle-blowing policy.
"The focus of information security standards remain at the process and infrastructure levels, and rarely do they deal with the 'people' aspect of security," the ICS study suggests. "The real expertise in drafting whistle-blowing policies, fraud response plan etc rests with anti-fraud professionals like fraud examiners," they say.
With such a massive growth in the industry, incidents of fraud were bound to occur and the industry has been hit by some serious fraud charges in recent years, because of which it has been under the scanner for sometime now.
BPO employees have been accused of selling personal and confidential financial information of UK citizens to those willing to pay a price. There have been instances of employees selling bank account and credit card details of customers and even sharing of personal details like phone numbers etc.
Yet the industry doesn't even have a defition as to what constitutes a fraud. As per the ICS survey, "most call centre employees would treat frauds just like any other complaint."
"Fraud means that social security numbers should not be noted but I have seen many employees noting it; even our boss notes them down sometimes, so to whom we are supposed to report the fraud,” a BPO employee was quoted as saying in the survey.
ICS also advocates for whistle-blowing policies and training on ethics to the employees in the call centre industry. It says absence of anonymous emails and an ethics hotline are a big handicap and this discourages internal policing and development of certain ethical standards within an organisation.
For instance, ICS cites an instance where a BPO employee had smelt foul-play by one of his colleagues but could not do anything about it. "I have observed a colleague constantly talking on phone in a South Indian Language in a suspicious manner, but I was unable to understand the language and hence did not report it. My bosses would have asked me for explanations,” the ICS study quotes the employee as saying.
In another instance, another BPO employee knew about his colleague's fraudulent designs, but never spoke up. "I have seen a person, who was leaving the job, noting down a list of some credit card numbers and their expiry dates. I knew it was wrong but why create problems for the person who was quitting," he told the ICS surveyors.
As for ethical training, ICS says this is one area the BPO industry should attach some importance to. "Call centres concentrate on training individuals in English language, Voice Modulation and soft-skills. They do not consider training on dealing with complaints on fraudincident important enough - despite the fact that most of the employees are barely out of their teens and ill-equipped to cope with such complaints," the Forensic Accounting Services agency observes.
INCIDENTS OF FRAUD
In April 2005, five employees of MsourcE in Pune were arrested for allegedly pulling off a fraud worth nearly Rs 2.5 crore from Citibank accounts of four New York-based account holders.
|In June 2005, the British tabloid Sun conducted a sting operation by purchasing the bank account details of 1,000 Britons for about $5.50 each from Karan Bahree, an employee of Gurgaon-based BPO company Infinity E-Search.|
|In June 2006, Nadeem Kashmiri, an employee at HSBC's call center in Bangalore, sold the customer credit card information to a group of scamsters who used the information to siphon off nearly Rs 1.8 crore from bank accounts of UK-based customers.|
Three months later, the Channel 4 data theft scandal has hit the headlines, and coincidentally, it is also UK-based.