Late spring 2005, the world learned that a crime ring that included call center employees of an Indian outsourcing company stole more than $300,000 from Citibank customers by tricking callers into giving up their PIN numbers.The news sent shockwaves through the industry, as India was the premier destination for business process outsourcing in the world.
Many predicted that the Indian outsourcing sector would suffer as a result.
A report from Boston-based Forrester Research, for example, predicted that security concerns, regulatory pressures and customer backlash would undermine Indian call center expansion by as much as 30%.
Financial firms would take a longer time to make outsourcing decisions, slow large projects, or cause firms to build their own call centers in India instead of going to outsourcers, according to the report's author John McCarthy.
To avoid this fate, the Indian outsourcing industry joined forces on a number of new security measures, including a voluntary registry for call center employees. The National Skill Registry went live in January, allowing employers to perform background checks on prospective employees.
SELF-REGULATION
In May 2006, these efforts led to the creation of an independent self-regulatory body under the auspices of the New Deli-based National Association of Software and Services Companies (Nasscom), India's IT trade association.
"Data security and privacy have been seen as few of the larger barriers to global trade," says Sunil Mehta, vice president of Nasscom. "(We have been working on these) to make sure that India emerges not only as the most competitive outsourcing location but the most security-conscious outsourcing location."
Last spring's security breach involved employees of the business process outsourcing operation of Banglore-based software and services company MphasiS BFL Group, who were charged with collecting and misusing account information from the Citibank customers they had dealt with as part of their work at the call center in Pune.
It was a significant event, says Cliff Justice, offshore practice leader at Houston-based EquiTerra Inc., which helps Fortune 500 companies develop offshoring strategies.
"It was very high profile," he says. "When it happened, there was enough internal discussion and controversy within companies that were looking at moving operations to India to create pause."
However, ultimately, the security concerns weren't sufficient to detail projects, he says. Instead, financial firms and their outsourcing vendors beefed up security processes.
Justice was personally involved with Nasscom, looking at ways that the industry group and individual companies could self-police and provide additional layers of security and assurance.
This effort has been underway for a number of years, he says, but the Citibank breach provided the necessary impetus and political clout to get everything moving.
ADDITIONAL BENEFITS
"The fact is, the security system in place now is robust. It's more robust than a lot of clients have in their own domestic operations," Justice says. "At the end of the day, everybody probably realizes that it made the service providers better. It's made the industry better."
According to Nasscom's Mehta, the new self-regulatory organization will not only help establish best practices for data privacy and security and help India be more competitive with alternate outsourcing destinations, it will also have a training component to help outsourcing companies become compliant.
The organization will also work to monitor member companies to ensure they adhere to the standards, Mehta says. Non-compliant companies would lose their memberships.
EquiTerra's Justice isn't the only industry expert who agrees that the security steps are paying off.
Rajat Mohanty, CEO of Mumbai-based Paladion Networks Pvt. Ltd., which provides security services to companies offshoring to India, says he hasn't seen U.S. financial customers reducing exposure to India out of security concerns.
"My perception on the security problem is: We are seeing a lot of focus in managing information security in outsourced entities in India," he says. "We have seen more requirements being put in RFPs [requests for proposals] for information security and more contractual terms discussing security like data protection and disclosure of security incidents. Also, some financial sector firms have started programs for ongoing security audits of their outsourced entity."
RAPID ADOPTION
According to Mohanty, in India there is more focus on having a well-rounded security program, and there is very rapid adoption of international security standards.
"Top management sees security not just as a differentiator but as a basic necessity for winning business," Nasscom's Mehta says.
For example, Mumbai-based Tata Consultancy Services Ltd. recently achieved the trifecta of security certification-ISO 9001:2000, BS 7799-2:2002 and BS 15000-1:2002.
"We have won major outsourcing deals last year, including leading insurers in the U.S. and the Pearl deal in the U.K.," says Kishore Padmanabhan, head of the firm's insurance practice.
In the Pearl deal, TCS subsidiary Diligenta will provide processing and administration services for an initial 12-year period for Pearl Group Ltd., a Peterborough, U.K.-based insurance firm. The $800 million deal was the biggest yet for the U.K.'s life assurance market.
Many insurance firms are reluctant to talk about their outsourcing decisions because of public relations concerns, but it's not only the biggest firms such as New York-based AIG that send work to India.
For example, Westport, Conn.-based Subrogation Partners LLC, now sends work to outsourcing vendor Sumpraxis LLC, based in Boca Raton, Fla., which has the bulk of its employees in India.
The personnel registry and other security steps taken by the Indian outsourcing industry have helped allay his concerns, says Subrogation Partners CFO Kevin Manion.
"The companies in India understand they have to eliminate any concerns about where the data might go," he says. "They're probably a step ahead of even us here in the States. The people who run the business over there understand customer needs. Their technology is newer and it's not wedded to old systems like here in the United States."
In addition to data security issues, control is also an import factor when it comes to outsourcing decisions, says Eva Weber, an analyst at Boston-based Aite Group LLC.
"When it comes to data security, the issues are always the same," she says. "Whether they're your employees or someone else's and whether they work at your site or overseas, there is always a chance that employees can make illicit use of your data. Data security issues are real and must be addressed, but outsourcing is not the real problem-it's employee behavior."
At MphasiS, for example, the employees didn't hack into Citibank's customer accounts; they tricked callers into giving the information up voluntarily.
"We engaged KPMG to conduct a forensic audit," says Jeroen Tas, vice chairman of MphasiS BFL Group. "Their analysis of the fraud did not indicate any major security or process breach. It appeared to be a case of social engineering and misuse for illegitimate gain."
According to Tas, as early as 2002, MphasiS had achieved the BS7799-2 standard across all its locations in India. BS7799 is the most wildly recognized security standard for information security management and is an assurance that the confidentiality, integrity and availability of vital corporate and customer information are maintained, the company says.
After the breach became public, MphasiS supported Nasscom's employee registry plan, and also rolled out a series of additional internal security measures.
For example, automated workflows and electronic note pads replaced notebooks, enabling a completely paperless office. And a series of devices were installed to keep employees from accessing client data.
The company also sped up the time it takes to remove access privileges for former employees, Tas says.
"It now takes three minutes, instead of three days, to disable systems and physical access for employees leaving the company," he says.
What's the bottom line? Outsourcing to India continues to grow. The Singapore-based research firm, Fusion Consulting, reports that India's IT and BPO industry exports have grown 33% to reach $23 billion, up from $18 billion last year. And, according to Nasscom, the Indian IT industry is on course to meet its target of $60 billion by 2010.
Maria Trombly is a freelance writer based in Shanghai, China. Wendy Yu contributed to report.
"Homesourcing" A Domestic Alternative
There are three main reasons why it's cheaper to outsource work to WillowCSN Inc. than to do it in-house-even though Willow doesn't ship the work off to India, but keeps it in the Unites States.
First: Willow's agents work from home as independent contractors, so there are no office costs or benefits expenses.
Second: The Miramar, Fla.-based company's agents are paid by the call, not by the hour, so a company doesn't need to pay for downtime.
Third: Willow's agents pay for their own training and equipment. This is a big departure from a traditional call center, where the insurance company pays for everything.
The result: Costs that average 30% to 40% below typical in-house call center costs.
On top of that, Willow's agents are a high-quality demographic-80% are college educated, 75% have sales experience, and 50% have management experience, according to the company's CEO Angie Selden.
That's a total of 3,000 agents in the U.S. today, 100 of them licensed property/casualty insurance agents. Turnover is less than a quarter of that at a typical call center, and 35,000 people are applying for 7,000 positions this year.
WILLOW'S POPULARITY
The primary reason these people go to Willow is they can pick their own hours and work locations, according to Selden. This is a good deal for military spouses, the disabled, people providing care to children or elderly parents, and those who live in small, remote towns with few employment options.
"We estimate there are 10 million people in the U.S. who would find working from home an attractive alternative to the job they have today-or to the fact that they don't have a job," Selden says.
The calls are monitored to make sure that crying babies, television or barking dogs don't spoil the customer experience, she adds.
"We have zero tolerance for an unprofessional work environment," says Selden.
NICE Systems, an Israel-based company that provides Internet telephony solutions to call centers, estimates 150,000 call center agents work from home, out of a total of 5 to 6 million call center employees in the United States.
"The trend is picking up," says Eyal Danon, NICE Systems' vice president of global marketing. "We see it all over the place."
According to International Data Corp., Framingham, Mass., other homesourcing-or homeshoring-vendors include Alpine Access, Aspect Communications, IntelliCare, West, and Working Solutions.
IDC estimates that the number of outsourced homeshoring jobs will reach 330,000 by 2010.
