Third-party outsourcing can create mayhem in banking sector
It is often said that frauds with financial and personal details of customers in banking operations take higher dimensions when the service is outsourced to a third party. This new consumer hazard is becoming a way of fast money for call centre executives! It is especially gaining ground after the Standard Chartered and Citibank fraud revelations. Standard Chartered outsourced money laundering violations to third parties in US resulting in massive embarrassment for the company of having to deal with huge flow of cash entering Iran in violation of US laws. Although, it didn’t involve loss of personal funds of the consumers through their stolen information, but it did vindicate the vulnerability of the banking system and its pressing problem of outsourcing data. The disappointment was more direct to consumers in the Citibank case, which involved specifically to security issues. It was a classic case of credit card cloning that took place in April 2005 involving a sum of $350,000.
The expression of risk in banking/financial fraud is as grave, if not more, in India as in other developed countries like US and UK. It is because of loopholes in our regulations and greater propensity to outsource services by our banks. For instance, allotment of bank account, credit/debit cards, cheque books, ATM PIN And other such details are dispatched to the customers through outsourced sources increasing the risk of misuse. Further, while sharing the ATM network by the banks SPDI (Sensitive Personal Data or Information) is shared with outsourced executives. Also, the personal information is often shared with other banks or vendors in calculating reward points in credit cards. Last but not the least; SDPI is also pooled in case of Internet banking with the BPO employees.
The government of late has resorted to recovery work by enacting statutes that will protect customers’ interest. Some lukewarm regulations were enacted under Information Technology Act, 2000 to monitor over the online financial fraudulent, and later on Reserve Bank of India introduced guidelines in 2001 emphasizing the consumer data confidentiality could not alleviate their security related fears to a large extent. This corroborated the attempted introduction of “Personal Data Protection Bill 2006” in a proposal to enhance the privacy of the consumers. But the bill did not see the light of the day then and in 2008, certain acts of the bill were amended to safeguard personal information and SPDI. Even though the sharing of data is not prohibited altogether because that will jeopardize the progress of banking industry but certain procedures are laid down regarding data collection, data transfer and data disposal. Under the act in case of “wrongful loss or gain” for an individual because of breach of data protection, the victim can claim to the adjudicating officer a compensation sum up to Rs. 5 crores. Also, a formal note of consent must be derived from the consumers before sharing his information by the banks.
However, in retail banking (where the threat of legal entanglement is lower because of the lower capacity of a single retailer to successfully prosecute a bank) it’s a mix of captive banking and outsourcing. Still, banks and financial institutes resort to third party for their banking needs, thus giving the keys of one’s bank account to several persons. In this age of internet banking, its important for these banks to inform the consumers with the details of all those who have the keys of his/her accounts. This may not completely eradicate the problem but would also share some accountability with the end-consumer too!