A breach of security at two payment card processing companies in India that led to heists at cash machines around the world has reopened questions on the risks of outsourcing sensitive financial services to the country.
Global banks that ship work to be processed in India, either in-house or to big IT services vendors, were already under pressure to step up oversight of back-office functions after a series of scandals last year.
Last week, U.S. prosecutors said a global criminal gang stole $45 million from two Middle Eastern banks by breaking into the two card processing companies based in India and raising the balances and withdrawal limits.
“India is exposed in two ways: The threat that the same theft could happen in India and the fact that the outsourcing industry will also get affected,” said Arpinder Singh, partner and national director for fraud investigation and dispute services at consultancy Ernst & Young. The episode is reopening debate on banks sending work requiring a high degree of confidentiality to offshore locations.
“It is the weakest link,” said Shane Shook, an expert with U.S. cyber-security firm Cylance Inc who has helped financial firms conduct investigations into some major cyber crimes. “I think the lesson is they need to pull back on what they've outsourced. When you're giving a third party, the outsourced entity, the ability to access credit limits or cash limits of the consumers you're managing the finances for, you're giving up control that is your fundamental responsibility,” he said.
India's $108 billion IT services industry is the world's favoured destination for outsourcing. Over 40 percent of exports by the industry are support services for the global financial sector, ranging from investment bank back-office functions to research, risk-management and processing of insurance claims.
ATMs across the nation are now subject to unwanted scrutiny. (photo credit: Reuters)
Lured by a tech-savvy English-speaking population and wages that can be one-fifth those in the West, more than three-quarters of global banks have a direct or third-party offshore presence in India.
Indian IT firms, led by outsourcers such as Tata Consultancy Services
Still, any perception that data may be less safe in India is unwelcome for an industry that faces an undercurrent of hostility for taking away jobs in the West, home to most of its clients. “The threat (to security) is for real, that's for sure,” said Parag Deodhar, chief risk officer at Bharti AXA General Insurance, the local joint venture of France's AXA
There has been no suggestion that anyone employed at the two card processing firms, ElectraCard Services and EnStage, is involved. EnStage, incorporated in California but with operations based in Bangalore, handled card payments for Bank of Muscat
ElectraCard Services, based in Pune, processed prepaid travel cards for National Bank of Ras Al Khaimah PSC
Two previous cases of hacking into processors of pre-paid debit cards occurred at RBS WorldPay and Fidelity National Information Services Inc
“The notion that this will affect outsourcing to India is wrong. There is no relation. There have been bigger frauds at BPOs in the United States,” Ravi Sundaram, ElectraCard's head of strategy and corporate services, told Reuters on Monday. Nevertheless the breach comes after a series of other events that have tarnished the IT industry in India.
Last year, the New York state banking regulator accused London-based Standard Chartered
A U.S. Senate probe last year criticising anti-money laundering controls at HSBC
While plenty of global companies are moving more functions to India, either to outsourcers or wholly-owned “captive” operations, some are moving work back home.
Costs, however, remain an over-riding factor. “Most banks in U.S. are trying to cut costs because of recession. So they will try to outsource, not just to India but to any other country or any other company,” said Nishanth Chandran, co-founder and CEO of E-Billing Solutions, a Chennai-based company that helps merchants process payments. “For banks, it is completely a balance between security and costs,” he said.