In December 2004, four call centre employees, working at a renowned BPO facility in India, obtained PIN codes from four US customers of one of their most prestigious clients. These individuals were not authorized to obtain these PINs.
Working in collusion with others, these call centre employees opened new accounts at Indian banks using false identities. Within two months, they used the PINs and account information garnered during their employment at the BPO to transfer money from the bank accounts of those customers to the new accounts at Indian banks.
By April 2005, the Indian police had been tipped off to the scam by a US bank, and rapidly identified the entities involved in the scam. Arrests were made when the miscreants attempted to withdraw cash from the falsified accounts. $426,000 was stolen, and the amount recovered was $230,000.
With the rising number of personal data thefts reported from call centres, data privacy and information security relating to outsourcing are the biggest concerns for Indian BPOs today. This is especially true in the case of businesses that have IPRs (Intellectual Property Rights) to protect or banks and other organizations that must maintain the confidentiality of their customer records.
Fraud is an omnipresent problem. Consequently, implementing ethical practices for client confidentiality – addresses, phone numbers, credit card information etc. – is mandatory. This trend is assuming enhanced prominence as higher service quality levels become the norm. In such an environment, robust certification and regulatory compliance can help a BPO company stand out.
It is essential that strong security policies be in place in an ITES-BPO organization. Extensive security policies and proper configuration, from access-level control for data to firewalls and IDS, are imperative. These need to be complemented by regular audit and review mechanisms run by the internal IT team as well as by third-party auditors. Alternative measures include proper incident management and clearly documented and tested escalation plans.
Delving into the specifics, the compliance initiatives of most BPOs essentially include the following:
Broadly speaking, there are typically three identifiable types of illicit activities concerning fraud emanating from call centers and BPOs:
While items 1 and 2 are chiefly subject to police action, BPOs can utilize internal procedures to minimize risk. Prevalent mitigation measures include:
Draconian and intrusive as these measures may appear, they reflect the determination of Indian BPO companies to prevent data security and privacy breaches.
Employee safety is another major concern for BPOs, especially in light of the heinous criminal activity directed at female employees, which has been rising to alarming levels of late. The growing use of drugs and alcohol in the BPO industry poses another major challenge, affecting the health as well as the safety of employees.
Some popular measures taken to ensure employee security include:
"The reputational risk is enormous," says Anand, manager of corporate intelligence and investigation at United e-Services. "Having employees attacked or robbed at gunpoint isn't good; people worry that if you can't protect yourselves, how can you protect others—and their data?"

With call centers already the focus of security concerns around keeping data safe, the escalating crime rate around BPO employees is a salutary reminder that it's also important to keep safe the people who work with that data.