I seem to hear the sound of a stable door being shut, long after the horse has bolted.
The FSA seems finally to have realised that offshore call centres can constitute a risk in financial services. This is not to say all centres, but offshore centres managed and compliant only to local standards may not protect consumer data that well. Indeed, they may be in countries where the law does not recognise most cyber crime, or where it is unenforceable.
This isn't news to anyone in the industry, but the FSA has been remarkably relaxed about this until now. It has amazed me that if the data was in the UK it had to be managed securely and comply with what the EU demands, but if the same institution took the data offshore, the FSA took little interest.
It is perhaps best to quote the report in the Financial Times, as it sets out all the issues very well:
"The FSA found that all firms it visited had a high staff turnover rate and a need for constant recruitment, which was seen as a key financial crime risk given the continuing infiltration of financial services firms by organised criminals seeking to obtain sensitive customer data.
In a number of firms the FSA also found that staff vetting procedures were "inconsistent" and did not apply to all staff, which increased the risk that firms may inadvertently take on a person with a criminal background.
The FSA also found that some employees had provided the financial services call centres with false CVs.
The regulator said: "We were informed that fake CVs, inconsistent references and previous employers being reluctant to provide references were common in India."
On top of this, the FSA also said staff training was "generally poor" and urged firms to do more to ensure staff are equipped to identify and report potential financial crime risks.
An FSA spokeswoman said the review was aimed at helping firms understand how having an offshore centre affects firms' responsibilities. She added: "Whatever security processes or compliance measures you apply to your business in the UK, the firm must make sure those standards are also being applied to the business elsewhere.""
The thing that amazes me is that it has taken so long to get to this position. This blog has covered some of the failings in onshore contact centres (see "Call centre worker gaoled for data theft" or "Security, Call Centres and Fraud", for example), and the BBC has highlighted a number of examples in the offshore area (see "Indian Call Centre Fraud and the BBC News"). It has been an area of huge consumer concern and one of the focal points of the opposition to offshoring.
I still believe offshoring has a role to play, but it has to be done in a way that complies with UK security standards and where the threat is no greater than onshore. It is no use getting customers to tick a waiver box agreeing to their data being handled outside the EU and thinking that is the end of the matter.
This also highlights one of the great fallacies of offshoring: that it is just a cheaper way of delivering a call centre, with the value proposition of "your mess for less". I've long argued that offshoring for cost reasons only is a mistake (see "The coming death of Indian Outsourcing" or "Onshore, Offshore & Internet Resiliency" for examples), and that offshoring for cost carries significant risks in areas outside security, such as brand perception and customer experience.
Longer term, I think offshoring still has great potential for businesses that want to provide 24-hour customer service through a follow-the-sun model, but this story is another nail in the coffin for those who see outsourcing purely as a cost saving.