Meeting the Citibank Fraud Challenge
Now that the Citibank fraud has happened and has damaged the reputation of the Indian BPO industry, it is time to consider how the industry has to respond.
Before going ahead with the call for a "Data Protection Law" and setting up a committee for further reviewing ITA-2000, which the authorities will focus on, it is necessary for the BPO industry to get together and chart out an industry-wide "Due Diligence Programme".
In all probability, some BPOs might have already started an exercise in developing a plan of action for mitigating the risks of the kind MphasiS and Citibank had to face.
Drafting a Due Diligence Programme for a BPO is an exercise specific to the unit. However, like any other security planning, it has to go through the following steps:
a) Planning
b) Implementation
c) Monitoring
d) Review
e) Training
Planning itself has to start with an "Assessment of the Financial Implications of the Risk". This is essential for getting top management support for any "Compliance Programmes aimed at mitigation of the Risk".
It is here that I would like to reiterate: "Fraud loss is like an iceberg. More is hidden than what is revealed."
It is widely discussed that the loss in the case of Citibank is Rs 1.5 crore or so, which may actually represent the amount transferred fraudulently from the accounts of several customers of the Bank. The quantum of this loss should not mislead us into thinking that this is the loss which we should ascribe to the fraud. Perhaps Citibank is big enough to bear this loss as an operational loss without a whimper.
However, let us not forget that the "Loss of the Reputation of the Bank", which could hurt further business, and also the possible legal claims from customers for the consequential loss arising out of the dishonouring of cheques etc., could be several times more than the actual loss.
If therefore we look at planning a "Cyber Law Compliance Programme to mitigate the fraud loss", we need to take much more than Rs 1.5 crore as the potential loss and proceed to evaluate the cost-benefit of any measures planned. The same argument holds good for the calculation of ROI on such compliance programmes.
When we assess the losses in terms of the BPO, the possibility of the BPO going out of business, unable to bear the loss, should also be factored in. Maybe MphasiS is big enough to absorb the loss and even shed MSourcE and still continue in business.
The fall from grace of MphasiS also raises a question mark over the wisdom of those who declared it the "Number 1 BPO".
The incident also exposes the weaknesses of the SEI CMM, ISO, BS7799 and Six Sigma systems of certifying the quality of an organization, as the undersigned has been stressing for a long time.
The cumulative loss to MphasiS is therefore much larger than what it is to Citibank. We can also reasonably assume that the ability of MphasiS to bear the loss is much less than that of Citibank, and hence the long-term effect of the fraud on MphasiS is much more than what is apparent.
The next question in assessing the loss is whether Citibank and MphasiS would be protected by any "Insurance" against employee fraud loss.
I would be extremely surprised if MphasiS/Citibank have not covered themselves with insurance against fraud by "Outsource partners" or "Employees". However, it would be necessary to study such an arrangement in detail to assess whether such insurance holds.
The difficulty in enforcing the insurance may arise from the fact that the fraud was committed by ex-employees of the outsource partner and not the current employees of Citibank or MphasiS.
Further, there would be doubts about whether MphasiS and Citibank had adequate security systems in place to prevent "Social Engineering" and also to monitor "Abnormal Lifestyles of Employees". Whether the employees had been trained properly and supplied with suitable manuals of instruction will also be considered as evidence of systems in place for security.
It would not be proper to comment on the adequacy or otherwise of such systems without knowledge of the actual practices. The issue is brought up here only for the record, as this would be one of the points on which further discussion takes place before a final value on the loss is put down.
Obviously, the cost of a revamp of the security systems, training of the staff for "Cyber Law Compliance" etc. would be additional expenses that would now fall on the organization, which have to be incurred and amortized from the personnel development cost.
Once the cost of compliance and the benefits in the long run are evaluated, the organization can proceed to develop a "CyLawCom audit process".
It is clear that the CyLawCom audit process cannot be undertaken by Six Sigma Black Belts or CMM specialists. It has to be undertaken by those who understand technology in the legal perspective, the "Techno Legal Cyber Security Specialists".
Let us hope that the growing BPO industry finds enough such techno legal cyber security specialists in time to avoid another embarrassment.
(Visit www.cylawcom.org and www.cyberlawcollege.com for more information on Techno Legal Cyber Security)
Naavi
April 17, 2005
Related Articles:
From Naavi.org:
Collective Negligence
Cyber Law Related Risk Management
Screening of Staff... A Wrong Prescription for a Right Cause
The Strength of Indian Cyber Laws
Changing Profile of Cyber Crimes
Other Articles on CyLawCom
Are You Cyber Law Compliant?
From other Sources:
Critical Review of the Incident in technewsworld.com
India Acts on Call center Fraud.. Personnel Today
http://www.technewsworld.com/story/42112.html
http://economictimes.indiatimes.com/articleshow/1077097.cms
http://www.theregister.co.uk/2005/04/13/india_call_staff/
http://economictimes.indiatimes.com/articleshow/1077047.cms
Call centre fraud on Citibank mars Indian BPO image
16 arrested in US money transfer fraud