Archives ||About Us || Advertise || Feedback || Subscribe-
Issue of March 2005 

[an error occurred while processing this directive]

 Home > Cover Story
 Print Friendly Page ||  Email this story

Regulations & Outsourcing

Regulations and compliance:

After BFSI, BPO has the greatest exposure to regulations. Anil Patrick R examines the role that IT plays in empowering outsourcing companies as they comply with regulations, mostly international ones

In business process outsourcing, service providers have to abide by the regulations that their clients follow. The BPO industry is driven by technology. The technology component of BPO will only increase as the industry moves from low-end services such as customer support and medical transcription. Right now, the shift towards premium, high end services--research & analytics, level 3 (and above) IT helpdesks, medical insurance processing, and media services--is happening. It is only natural that technology plays an important role in helping the average BPO outfit comply with the zillion regulations that each outsourcing deal involves. "Monitoring processes such as IT spending, change management, system security and SLAs is the order of the day. Technology has to put in place along with policies and procedures to ensure that there is compliance in all areas," said Rajiv Gerela, GM-Technology, Wipro Spectramind Services Ltd.

Although most BPOs are clear about compliance as far as certifications are concerned, awareness with regard to getting systems to comply with international regulations—Sarbanes Oxley Act, Gramm Leach Bliley act, EU Data Protection Act, etc.—spread only in 2004. Let us examine the Indian outsourcing industry's structure and the effect of regulations upon it.

The state of Indian BPO

The Indian outsourcing industry can be broadly categorised into two segments as per Nasscom—in-house or captive centres and third party providers.

In the case of in-house or captive centres, outsourcing is done by an arm of the parent organisation. Business processes are located at low-cost and high skill offshore locations (like India). In this approach, the central unit itself will take care of and enforce all the regulatory issues that the offshore centre is subject to, as this is just an extension of the business that happens to be located outside the country.

However, in the case of third-party outsourcing centres, the scenario is different. These organisations have to keep themselves compliant with the latest quality and technological regulations in order to stay competitive in the global marketplace.

A time for regulation

Data privacy and integrity concerns that relate to outsourcing are the biggest concerns for Indian BPO's clientèle. This is especially true in the case of businesses that have IPRs (Intellectual Property Rights) to protect or banks and others that must maintain the confidentiality of their customer records.

"Clients insist that regulations are adhered to as this can result in business being attracted or lost. If BPOs fail to implement the required level of information security, they lose out on business," said Himanshu Vaish, Chief Technology Officer, Epicenter Technologies.

Implementing ethical practices for client confidentiality etc. are almost mandatory. "Consumer banking uses data about account holders. In this case, if data is processed outside the country, there is a chance that the BPO company fails to follow the relevant privacy laws," said Sanjay Prasad, Head-Technology Services, e-Serve International Ltd.

Fraud is an ever-present problem. "Strong security policies have to be there in an ITES-BPO organisation. The issue of client confidentiality--addresses, phone numbers, credit card information etc.-must be addressed," said NT Arun Kumar, Senior Vice President, Global Operations, OfficeTiger.

This trend is assuming increased prominence as higher service quality levels become the norm. In such an environment certification and regulatory compliance can help a BPO company stand out.

Certified for global business

If data about account holders of a consumer bank gets processed outside the country of origin, there is a chance that a third-party BPO outfit may fail to follow relevant laws regarding privacy

Sanjay Prasad, Head-Technology Services, e-Serve International Ltd.

In terms of global certifications and standards, Indian BPOs are at par with the rest of world. Most Indian BPO companies are BS 7799 and ISO 17799 certified.

According to the Ernst & Young (E&Y) and The Indo-American Chamber of Commerce (IACC) Offshore Outsourcing Survey, BS 7799 and ISO 17799 security certifications are in place at 43 percent of surveyed BPO companies. An increasing number of BPO firms are getting themselves certified. See the graph on Information security compliance.

On the service management front, ITIL (IT Infrastructure Library) is used as a foundation by most BPO companies. This is helping Indian BPO outfits leap frog over other industry segments that haven't caught up on this front. The effective use of ITIL means that BPOs have a comparatively easier time in catching up with upcoming standards such as BS 15000 and the COBIT (Control Objectives for Information and related Technology) framework.

On the quality accreditation front, an E&Y-IACC survey found that ISO 9000 is the most popular quality standard followed by COPC and Six Sigma. The graph Global quality accreditations and best practices highlights these trends.

Indian BPOs: Information security compliance

What regulators want

Even after they get certified, Indian BPO companies still have to catch up on the regulations front. The principal regulations that affect Indian BPOs are the Sarbanes-Oxley Act, HIPAA (Healthcare Insurance Portability and Accountability Act), GLBA (Gramm Leach Bliley Act), UK Data Protection Act, FDCPA (Fair Debt Collection Practices Act) and the US-EU Safe Harbour Agreement. Most of these relate to Indian BPO's biggest clients, i.e. The US and the UK.Although the percentage of Indian BPO companies that are comply with these regulations is minuscule, the majority of them are partially compliant on the technology front. "Around 25 to 30 percent of Indian BPOs are comply with regulations. However, on the partial compliance front, most companies are more or less there," said Himanshu Vaish.

The home front

Indian regulatory authorities haven't really got around to framing regulations for the BPO industry.

The main law or regulation that affects BPO companies in India is the Indian IT Act 2000. Other legal regulations that affect this sector are the Indian Penal Code Act, Consumer Protection Act 1986, Indian Contract Act 1972, Specific Relief Act 1963, Indian Copyright Act 2000, and the Product Patent act 2005.

See Table: Indian BPO regulation vis a vis competition from Nasscom's Indian ITES-BPO fact sheet for more on areas covered by Indian regulations regarding BPOs.

The required technology compliance for BPO companies is limited to copyrights, patents and data security. These are easily fulfilled as most of these companies comply with BS 7799 and ISO 17799 that have the required mechanisms built in. The technological readiness of the Indian BPO industry is is at a higher level than what Indian regulations mandate.

This is poor consolation as this industry is concerned about competing globally. The likes of Nasscom are working with the Indian government to bring regulations like the Indian IT Act 2000 to par with regulations such as the EU Data Protection Directive.

Indian BPO regulation vis--vis competition


3 3
Patent Product    
  patents-2005 x x
Data Protection Laws Comprehensive    
  framework-2004 x x
Vertical Specific Laws x x x
Digital signatures 3 3 3
Blackhat Hacking 3 3 3
Privacy 3 3* 3
*Privacy laws exist in China, but they are not comprehensive      
Source: Nasscom Indian ITES-BPO fact sheet (Evalueserve Analysis)      

Getting their Act together

Each regulation requires a different strategy to handle it due to the differing levels of complexity and coverage areas. There is no single
all-encompassing strategy

Rajiv Gerela, GM-Technology, Wipro Spectramind Services Ltd.

"Each regulation requires a different strategy to handle it due to the differing levels of complexity and coverage areas. There is no single all encompassing strategy," said Rajiv Gerela.

However, the basic strategies followed by these companies are similar. The first strategy is to have clearly documented policies and procedures. This helps satisfy the client and the certifying or regulatory authority. It also helps the organisation approach new business opportunities with a greater degree of confidence and comfort.

Educating users through regular training programs comes next. The knowledge of compliance policies has to percolate right down from the top management to the operational management. Organisations can achieve this through regular training and other means like online training over the intranet, poster campaigns, awareness quizzes, etc.

BPO companies emphasise data security and integrity. Extensive security policies and proper configuration right from access level control for data to configuring firewalls and IDS systems is essential here. These are complemented by regular audit and review mechanisms. Audits are done at regular intervals by the internal IT team as well as by third party auditors. Reviews and modifications of the policies are also done if required. This systematic approach has made their life easier when it comes to conforming to regulations.

Other measures include proper incidence management, and clearly documented and tested escalation plans. When we go into the specifics, the compliance initiatives of most BPOs basically include the following as per Arun Kumar.

  • Assessing internal controls
  • Managing and optimising financial reporting processes
  • Consolidating information for managing business performance
  • Improving business intelligence
  • Providing financial models for high-risk operations and programs to manage risk
  • Improve records management and audit trail
  • Ensuring fraud detection and prevention
Certifying authorities

Some of the main certifying authorities or agencies used by Indian BPO organisations are:

  • BSI (British Standards Institute)
  • DNV (Det Norske Veritas)
  • STQC (Standardisation Testing Quality Certification), Government of India
  • KPMG
  • Ernst & Young


Where do we go from here?

In terms of technology regulations and certifications are largely built on ITIL which forms the basis of most BPO infrastructure. Therefore, compliance should not be too difficult for most of these organisations.

The first technology framework that will soon become mandatory is COBIT (Control Objectives for Information and related Technology). Based on ITIL, this is a framework for IT governance. It includes the best practices for IT governance, control and assurance. There will be increasing adoption of COBIT this year.

BS 15000 is yet another standard that shows signs of becoming mandatory soon. This is the first global standard for service management and it is basically an integrated set of management services for service provision. It will be required by BPOs that cater to European clients. Many of the Indian BPOs are already gearing up to achieve BS 15000.

CISP (Card holder Information Security Program) will soon be required for BPO firms that handle credit cards information. The industry is gearing up for this and CISP should be in place in a couple of months.

Anil Patrick R can be reached at:

- <Back to Top>-  
Untitled Document
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.