Experts have warned businesses with offshored services that they need rigorous fraud- detection systems, after former call centre employees in India were arrested for allegedly attempting to steal around $350,000 from customer accounts.
The three ex-staff of Mphasis Business Process Outsourcing (BPO), who left the company last December, are accused of obtaining personal account information including PINs of US Citibank customers and then transferring stolen money to fake accounts.
This news shows how rigorous companies need to be about protecting their assets, according to John C McCarthy, BPO expert at analyst Forrester Research. "Companies can't rest on their laurels in matters of data protection and privacy," McCarthy said. "But customers must be diligent too - it wasn't all Citibank's fault."
McCarthy said customers should never have revealed their PINs to the call centre staff in the first place. But ultimately the fraud detection measures did their job, showing the importance of such technology, he added.
However, the incident may encourage fears that strict data protection rules imposed on UK organisations are not being observed so strictly by their overseas partners.
The Information Commissioner's Office (ICO), which oversees data protection, said under UK law it is up to companies as data controllers to ensure any information they transfer overseas has the same level of protection as if it were still in the UK.
A spokeswoman for the ICO said, "The responsibility lies with [each firm] and the ICO can enforce this by issuing notices to pull them into line if necessary."
Dale Vile of analyst firm Quocirca said firms considering offshoring should check that prospective partners follow good corporate governance practices. They should also investigate human resources policies and business processes. "It's fairly easy to know what to check," said Vile. "[But] the question is whether you can afford to fly someone out there for two weeks to do it."
Vile added that it is hard for UK firms to establish the reliability and honesty of companies with no previous history of providing outsourced services, and in such cases they should be "doubly diligent" to manage the risks.
