Indian Call Center Agent Arrested for HSBC Thefts

Police in Bangalore, India, reported the arrest Tuesday night of the chief suspect in the theft of funds from a score of customers of HSBC bank in the UK. Nadeem Kashmiri is being charged in India with stealing customer data that was sent to Nadeem’s accomplices in the UK. Nadeem’s accomplices assisted him in withdrawing funds from customers’ HSBC bank accounts between March and May of this year.

Approximately twenty customers of HSBC reported that funds had disappeared from their accounts. This prompted an investigation by bank officials, who found that US$424,689 had been diverted by Nadeem and his associates. It is possible that additional HSBC customers may come forward in the future and report losses that will raise that figure. HSBC has announced that it will reimburse its customers whose accounts were subjected to theft by Nadeem and his associates.

Once customers came forward and reported losses from their accounts, HSBC found that Nadeem had been violating HSBC’s security and customer-account access policies as soon as he began working on the call center floor. This indicates that gaps exist in HSBC’s monitoring of its offshore operations. Nadeem was hired on December 12, 2005 and moved out onto the floor on February 6, 2006. HSBC did not file a police complaint against Nadeem until June 22.

No Background Check

Nadeem worked for the HSBC Electronic Data Processing India in Bangalore. In contravention of standard industry practices for commercial call centers, HSBC had not conducted a proper background check before allowing Nadeem to access customer data.

During HSBC’s investigation, it was discovered that Nadeem had provided an invalid cell phone number and address in his employment application. He also did not disclose his previous employment with Accenture. Once he was identified as a suspect, he could not be traced to his residence because HSBC did not know where he lived.

London-based HSBC saved $215 by not having a standard background check conducted on Nadeem. Background checks are now being insisted upon by many international clients of commercial outsourcing facilities in India, but their application at captive facilities has been uneven.

Security Improvements Prompted by Citibank Thefts

Widespread improvements in security and employee screening have been implemented at Indian call centers in the wake of the theft of funds from U.S. customers of Citibank. Improvements have been pursued most energetically by operators of commercial call centers and business process outsourcing (BPO) facilities. Citibank’s Indian contractor, for example, brought in the U.S. security firm Vontu to help prevent future data leaks.

Improvements at captive (non-outsourced) operations offshore have not seen the same level of improvements as those implemented at merchant facilities. This stems in part from the mixed support that offshoring receives within originating organizations. There is often widespread covert resistance to offshoring and outsourcing activities, leading to decisions that ultimately sabotage those activities. Individuals who lead outsourcing and offshoring initiatives often find themselves unsupported and unwelcome within their own organizations.

Managers and staff at Western firms involved in outsourcing and offshoring may be unsatisfied or indifferent to the cost savings achieved by going overseas and may restrict their own staff or Western contractors from spending time offshore for training and monitoring activities. Cost cutting exercises, such as HSBC’s saving $215 on a background check for Nadeem, become more of a priority than the integrity of the business operation as a whole.

Resistance to Support for Offshore Operations

In recent discussions with a major U.S. bank, headquartered in the Pacific Northwest, about moving voice and non-voice work to Asia, the bank has decided to restrict the access and monitoring capabilities that their own staff will have to the bank’s offshore operations. Without proactive client representation, outsourced or offshore operations in South Asia invite disaster. Not only are client representatives needed to monitor security and operational integrity, but sizeable contingents of Western trainers are needed to inculcate Western principles of customer service, management methods, and overall professionalism.

The ingredients for successful data protection are often the same ingredients needed for overall operational integrity. These ingredients are often ignored by latecomers to offshoring, who attempt to do too much, too fast. Latecomers often ignore the lessons learned by early movers, as outlined in an article about Touchstone Communications, a Texas-based financial services firm that operates a call center and BPO facility in Islamabad, Pakistan.

Touchstone’s epiphany came when they realized that they were not going overseas to adapt Westerners to non-U.S. ideas of customer service and reliability, but rather to export American ideals and standards. To do this, they needed to:

1. Keep a team of American trainers on the ground at all times
2. Develop local managers — particularly women managers
3. Achieve quality first, on a small scale, before scaling up and emphasizing quantity

Western firms that experience security problems offshore have most likely been sending out warning signals that were ignored, signals that involve problems with recruiting, training, operations, and quality assurance. In HSBC’s case, to have an Indian call center agent immediately begin violating security rules — as soon as he came out onto the call center floor — indicates a failure by HSBC management to properly monitor employee activities at the most crucial period of their employment.

The lesson from the recent release of personal data on over 26 million U.S. veterans and service members is that security is not the responsibility of just one individual or department within a company. It is the responsibility of every single person within an organization. It is not a responsibility that can be delegated via e-mails and long distance teleconferences.