By Swati Pandey and Harichandan Arakali
MUMBAI/BANGALORE, May 15 (Reuters) - A breach of security attwo payment card processing companies in India that led toheists at cash machines around the world has reopened questionson the risks of outsourcing sensitive financial services to theAsian nation.
Global banks that ship work to be processed in India, eitherin-house or to big IT services vendors, were already underpressure to step up oversight of back-office functions after aseries of scandals last year.
Last week, U.S. prosecutors said a global criminal gangstole $45 million from two Middle Eastern banks by breaking intothe two card processing companies based in India and raising thebalances and withdrawal limits.
"India is exposed in two ways: The threat that the sametheft could happen in India and the fact that the outsourcingindustry will also get affected," said Arpinder Singh, partnerand national director for fraud investigation and disputeservices at consultancy Ernst & Young.
The episode is reopening debate on banks sending workrequiring a high degree of confidentiality to offshorelocations.
"It is the weakest link," said Shane Shook, an expert withU.S. cyber-security firm Cylance Inc who has helped financialfirms conduct investigations into some major cyber crimes.
"I think the lesson is they need to pull back on whatthey've outsourced. When you're giving a third party, theoutsourced entity, the ability to access credit limits or cashlimits of the consumers you're managing the finances for, you'regiving up control that is your fundamental responsibility."
India's $108 billion IT services industry is the world'sfavoured destination for outsourcing. Over 40 percent of exportsby the industry are support services for the global financialsector, ranging from investment bank back-office functions toresearch, risk-management and processing of insurance claims.
Lured by a tech-savvy English-speaking population and wagesthat can be one-fifth those in the West, more thanthree-quarters of global banks have a direct or third-partyoffshore presence in India.
Indian IT firms, led by outsourcers such as Tata ConsultancyServices and Infosys, argue that securitybreaches are rare.
"I think if you look at the nature of the work we do and howmuch we do, we've actually had very very few incidents," saidSom Mittal, president of the National Association of Softwareand Services Companies, the industry lobby.
UNDERCURRENT OF HOSTILITY
Still, any perception that data may be less safe in India isunwelcome for an industry that faces an undercurrent ofhostility for taking away jobs in the West, home to most of itsclients.
"The threat (to security) is for real, that's for sure,"said Parag Deodhar, chief risk officer at Bharti AXA GeneralInsurance, the local joint venture of France's AXA.
"When people don't take it seriously, it doesn't help.People still take information security quite lightly, and theydon't address the weakest link, which is the people aspect."
There has been no suggestion that anyone employed at the twocard processing firms, ElectraCard Services and EnStage, isinvolved.
EnStage, incorporated in California but with operationsbased in Bangalore, handled card payments for Bank of Muscat of Oman, sources have said. Bank of Muscat lost $40million in a coordinated heist on Feb. 19.
ElectraCard Services, based in Pune, processed prepaidtravel cards for National Bank of Ras Al Khaimah PSC (RAKBANK), according to sources. RAKBANK suffered a $5 millioncoordinated heist at ATMs around the world on Dec. 21 last year,the U.S. indictment said.
Several industry watchers have said payment card fraud is aglobal problem and is not unique to India.
Two previous cases of hacking into processors of pre-paiddebit cards occurred at RBS WorldPay and Fidelity NationalInformation Services Inc, both in the United States. Theamounts involved however were less than the losses suffered bythe Middle East banks.
The U.S. Federal Bureau of Investigation has said many casesof cyber-crime involving credit cards and bank fraud never getpublicised.
"The notion that this will affect outsourcing to India iswrong. There is no relation. There have been bigger frauds atBPOs in the United States," Ravi Sundaram, ElectraCard's head ofstrategy and corporate services, told Reuters on Monday.
Nevertheless the breach comes after a series of other eventsthat have tarnished the IT industry in India.
Last year, the New York state banking regulator accusedLondon-based Standard Chartered of hiding $250 billionin transactions with Iran and not giving proper oversight to itsback office operation in Chennai, India. Standard Chartered settled with the regulator.
That had followed a backlash in Britain after customers ofRoyal Bank of Scotland and its Natwest unit were leftlocked out of their accounts for a week due to an inexperiencedIT operator in Hyderabad, media reports said.
A U.S. Senate probe last year criticising anti-moneylaundering controls at HSBC identified deficiencies inwork done by its "offshore reviewers" in India, according tomedia reports.
While plenty of global companies are moving more functionsto India, either to outsourcers or wholly-owned "captive"operations, some are moving work back home.
Costs, however, remain an over-riding factor.
"Most banks in U.S. are trying to cut costs because ofrecession. So they will try to outsource, not just to India butto any other country or any other company," said NishanthChandran, co-founder and CEO of E-Billing Solutions, aChennai-based company that helps merchants process payments.
"For banks, it is completely a balance between security andcosts."