Friday, May 08, 2009

FSA (finally) determines offshore call centres a risk

I seem to hear the sound of a stable door being shut, and long after the horse has bolted.

The FSA seems finally to have realised that offshore call centres can constitute a risk in financial services. This is not to say all centres, but that offshore centres managed and compliant only to local standards may not protect consumer data that well. Indeed they may be in countries where the law does not recognise most cyber crime or where it is unenforceable.

This isn't news to anyone in the industry, but the FSA has been remarkably relaxed about this until now. It has amazed me that if the data was in the UK it had to be managed securely and comply with what the EU demands, but if the same institution took the data offshore, then the FSA took little interest.

It's perhaps best to quote the report in the Financial Times, as it sets out all the issues very well:

"The FSA found that all firms it visited had a high staff turnover rate and a need for constant recruitment, which was seen as a key financial crime risk given the continuing infiltration of financial services firms by organised criminals seeking to obtain sensitive customer data.

In a number of firms the FSA also found that staff vetting procedures were "inconsistent" and did not apply to all staff, which increased the risk that firms may inadvertently take on a person with a criminal background.
The FSA also found that some employees had provided the financial services call centres with false CVs.
The regulator said: "We were informed that fake CVs, inconsistent references and previous employers being reluctant to provide references were common in India."

On top of this, the FSA also said staff training was "generally poor" and urged firms to do more to ensure staff are equipped to identify and report potential financial crime risks.

An FSA spokeswoman said the review was aimed at helping firms understand how having an offshore centre affects firms' responsibilities. She added: "Whatever security processes or compliance measures you apply to your business in the UK, firms must make sure those standards are also being applied to the business elsewhere.""

The thing that amazes me is it has taken so long to get to this position. This blog has covered some of the failings in onshore contact centres (see "Call centre worker gaoled for data theft" or "Security, Call Centres and Fraud", for example) and the BBC has highlighted a number of examples in the offshore area (see "Indian Call Centre Fraud and the BBC News"). It's been an area of huge consumer concern and one of the focal points of the opposition to offshoring.

I still believe offshoring has a role to play but it has to be done in a way that complies with UK security standards and where the threat is no greater than onshore. It is no use getting customers to check a waiver box agreeing to their data being handled outside of the EU and thinking that is an end to the matter.

This also highlights one of the great fallacies in offshoring, that it is just a cheaper way of delivering a call centre with the value proposition of "your mess for less". I've long argued that offshoring for cost reasons only is a mistake (see "The comming death of Indian Outsourcing" or "Onshore, Offshore & Internet Resilliency" for examples) and that offshoring for cost has significant risks in areas outside of security such as brand perception and customer experience.

Longer term, I think offshoring still has great potential for businesses who want to provide 24-hour customer service through a follow-the-sun model, but this story is another nail in the coffin for those who see outsourcing as a cost saving.

1 comment:

Karlx said...

British Gas Uddingston doesn't do CRB checks on employees because they refuse them. I know of one who has been in the high court on drugs charges. That's one; what about the other fifteen hundred? These people deal with your bank and credit cards. Think carefully when handing these details over. You'll find most of them texting or on Facebook when at work, so what's actually leaving the building?