Business week
APRIL 25, 2005

A high-tech scam on Citibank accounts is a nightmare for India's call centers On the steamy morning of Apr. 4 two smartly dressed men walked into a branch of Rupee Co-operative Bank Ltd. in Pune, 150 km from Bombay. The two were among the city's software and back-office workers -- a growing, prosperous group coveted by banks and merchants.

But Rupee Bank officials didn't greet them warmly as valued clients. Police had asked the branch managers to keep an eye out for suspicious transactions in the duo's bank accounts, and the pair were soon arrested for stealing money from four U.S. customers of Citibank (C). Both had worked at Citibank call-center contractor MphasiS BFL Ltd., where, police allege, they had persuaded Citi customers to give them passwords and other account details. After quitting MphasiS, according to police, the pair logged on to Citi's online system and transferred at least $426,000 to their own accounts. So far, 14 people have been arrested in the crime, and about $230,000 has been recovered. Formal charges are pending, but a lawyer for the two men says they and others implicated in the case will plead not guilty. A high-tech scam targeting a top U.S. customer is a nightmare for India's call-center industry. The nation has been riding high on demand from multinationals seeking to cut costs by shipping jobs offshore, and industry revenues are expected to double next year, to $12 billion. Yet many had lived in fear of the day when some sort of scam was uncovered. Even though there has been relatively little identity theft in India -- just two other, small-bore cases are known, compared with hundreds of thousands in the U.S. -- industry officials are afraid of a backlash from U.S. opponents of offshoring. "This is a real body blow to our image," admits MphasiS Chairman Jerry Rao. "It doesn't help saying: 'If a customer gives out passcodes, there is little we can do."' 


What the industry can do is beef up its security. Already most companies have strict measures in place to guard customer data. Employees' bags are searched when they enter and leave call centers. They must swipe security cards to gain access to their offices. They are forbidden to take cell phones, PDAs -- even pens and paper -- to their workstations. And premises are monitored by video cameras, while many calls are recorded. Now outsourcing companies are auditing their procedures to see whether there are any gaps. MphasiS is subjecting itself to an intense investigation by outsiders. And Nasscom, the industry trade organization, plans to launch a group that will set security standards for call-center and info-tech companies.

Some worry, though, that the computer systems of the industry's U.S. clients let workers in India see too much sensitive information. For instance, an agent handling loan applications may also have access to a customer's savings account number -- something that wouldn't be addressed by Nasscom's proposed standards. "Companies need to strictly restrict access to information among employees on a requirement basis," says Ravindra Datar, an analyst at research house Gartner India. "And when employees leave, the firm should map the information they had access to and take precautions to ensure it cannot be misused." The problem is that too many workers are leaving too soon. Attrition in India's back-office industry is about 60%, and at some companies reaches 80%. That's the consequence of the explosive growth of a young industry, where companies hire 1,800 newbies every week to do everything from telemarketing to engineering design. In the rush to get fresh recruits to their workstations, rigorous interviewing and quality training are often overlooked, consultants say. "When you cut corners under pressure, you pay the price for it," says Raman Roy, managing director of Indian tech powerhouse Wipro's business outsourcing unit. Both multinational corporations and Indian companies report that as many as 20% of the résumés they get are inflated. And the average training period has shrunk to just two weeks from as long as six weeks three years ago. "The companies don't even put new hires through basic psychometric tests that can unravel a potentially crooked mind," says Chiranjit Banerjee, a Bangalore management consultant. Keeping tabs on ex-employees is no small feat in an industry that employs 350,000. Some Bangalore companies have agreed to cooperate on background checks, and Nasscom is hoping to implement a registry of employees soon. "Attrition is a productivity issue, a training issue, a security issue, a cost issue," says John C. McCarthy, an analyst at Forrester Research (FORR). "It affects everything you're doing." Despite the widespread concern, the MphasiS incident won't likely derail the industry. Some potential clients will reassess their options, but Citibank, for one, says it's not changing its relationship with MphasiS and has no plans to curtail outsourcing to India. If the industry can keep improving security, it has little to fear in the long term. "This could have happened anywhere," says McCarthy. "The Indians are doing a pretty good job, and this shouldn't be viewed as a systematic indictment of their practices." But if the industry can't curb its attrition problem and more such scams turn up, customers could start heading for the exits. That would be a nightmare come true.