Regulations & Outsourcing
Regulations and compliance: BPO.co.in
After BFSI, BPO has the greatest exposure to regulations.
Anil Patrick R examines the role that IT plays in empowering outsourcing
companies as they comply with regulations, mostly international ones
In business process outsourcing, service providers have to
abide by the regulations that their clients follow. The BPO industry is driven
by technology. The technology component of BPO will only increase as the industry
moves from low-end services such as customer support and medical transcription.
Right now, the shift towards premium, high end services--research & analytics,
level 3 (and above) IT helpdesks, medical insurance processing, and media services--is
happening. It is only natural that technology plays an important role in helping
the average BPO outfit comply with the zillion regulations that each outsourcing
deal involves. "Monitoring processes such as IT spending, change management,
system security and SLAs is the order of the day. Technology has to put in place
along with policies and procedures to ensure that there is compliance in all
areas," said Rajiv Gerela, GM-Technology, Wipro Spectramind Services Ltd.
Although most BPOs are clear about compliance as far as certifications are concerned,
awareness with regard to getting systems to comply with international regulationsSarbanes
Oxley Act, Gramm Leach Bliley act, EU Data Protection Act, etc.spread
only in 2004. Let us examine the Indian outsourcing industry's structure and
the effect of regulations upon it.
The state of Indian BPO
The Indian outsourcing industry can be broadly categorised into two segments
as per Nasscomin-house or captive centres and third party providers.
In the case of in-house or captive centres, outsourcing is done by an arm of
the parent organisation. Business processes are located at low-cost and high
skill offshore locations (like India). In this approach, the central unit itself
will take care of and enforce all the regulatory issues that the offshore centre
is subject to, as this is just an extension of the business that happens to
be located outside the country.
However, in the case of third-party outsourcing centres, the scenario is different.
These organisations have to keep themselves compliant with the latest quality
and technological regulations in order to stay competitive in the global marketplace.
A time for regulation
Data privacy and integrity concerns that relate to outsourcing are the biggest
concerns for Indian BPO's clientèle. This is especially true in the case
of businesses that have IPRs (Intellectual Property Rights) to protect or banks
and others that must maintain the confidentiality of their customer records.
"Clients insist that regulations are adhered to as this can result in business
being attracted or lost. If BPOs fail to implement the required level of information
security, they lose out on business," said Himanshu Vaish, Chief Technology
Officer, Epicenter Technologies.
Implementing ethical practices for client confidentiality etc. are almost mandatory.
"Consumer banking uses data about account holders. In this case, if data
is processed outside the country, there is a chance that the BPO company fails
to follow the relevant privacy laws," said Sanjay Prasad, Head-Technology
Services, e-Serve International Ltd.
Fraud is an ever-present problem. "Strong security policies have to be
there in an ITES-BPO organisation. The issue of client confidentiality--addresses,
phone numbers, credit card information etc.-must be addressed," said NT
Arun Kumar, Senior Vice President, Global Operations, OfficeTiger.
This trend is assuming increased prominence as higher service quality levels
become the norm. In such an environment certification and regulatory compliance
can help a BPO company stand out.
Certified for global business
If data about account holders of a consumer bank gets
processed outside the country of origin, there is a chance that a third-party
BPO outfit may fail to follow relevant laws regarding privacy
Sanjay Prasad, Head-Technology Services, e-Serve International Ltd.
In terms of global certifications and standards, Indian BPOs
are at par with the rest of world. Most Indian BPO companies are BS 7799 and
ISO 17799 certified.
According to the Ernst & Young (E&Y) and The Indo-American Chamber of
Commerce (IACC) Offshore Outsourcing Survey, BS 7799 and ISO 17799 security
certifications are in place at 43 percent of surveyed BPO companies. An increasing
number of BPO firms are getting themselves certified. See the graph on Information
On the service management front, ITIL (IT Infrastructure Library) is used as
a foundation by most BPO companies. This is helping Indian BPO outfits leap
frog over other industry segments that haven't caught up on this front. The
effective use of ITIL means that BPOs have a comparatively easier time in catching
up with upcoming standards such as BS 15000 and the COBIT (Control Objectives
for Information and related Technology) framework.
On the quality accreditation front, an E&Y-IACC survey found that ISO 9000
is the most popular quality standard followed by COPC and Six Sigma. The graph
Global quality accreditations and best practices highlights these trends.
What regulators want
Even after they get certified, Indian BPO companies still
have to catch up on the regulations front. The principal regulations that affect
Indian BPOs are the Sarbanes-Oxley Act, HIPAA (Healthcare Insurance Portability
and Accountability Act), GLBA (Gramm Leach Bliley Act), UK Data Protection Act,
FDCPA (Fair Debt Collection Practices Act) and the US-EU Safe Harbour Agreement.
Most of these relate to Indian BPO's biggest clients, i.e. The US and the UK.Although
the percentage of Indian BPO companies that are comply with these regulations
is minuscule, the majority of them are partially compliant on the technology
front. "Around 25 to 30 percent of Indian BPOs are comply with regulations.
However, on the partial compliance front, most companies are more or less there,"
said Himanshu Vaish.
The home front
regulatory authorities haven't really got around to framing regulations for
the BPO industry.
The main law or regulation that affects BPO companies in India is the Indian
IT Act 2000. Other legal regulations that affect this sector are the Indian
Penal Code Act, Consumer Protection Act 1986, Indian Contract Act 1972, Specific
Relief Act 1963, Indian Copyright Act 2000, and the Product Patent act 2005.
See Table: Indian BPO regulation vis a vis competition from Nasscom's Indian
ITES-BPO fact sheet for more on areas covered by Indian regulations regarding
The required technology compliance for BPO companies is limited to copyrights,
patents and data security. These are easily fulfilled as most of these companies
comply with BS 7799 and ISO 17799 that have the required mechanisms built in.
The technological readiness of the Indian BPO industry is is at a higher level
than what Indian regulations mandate.
This is poor consolation as this industry is concerned about competing globally.
The likes of Nasscom are working with the Indian government to bring regulations
like the Indian IT Act 2000 to par with regulations such as the EU Data Protection
|Data Protection Laws
|Vertical Specific Laws
|*Privacy laws exist in China, but they are not comprehensive
|Source: Nasscom Indian ITES-BPO fact sheet (Evalueserve Analysis)
Getting their Act together
Each regulation requires a different strategy to handle
it due to the differing levels of complexity and coverage areas. There
is no single
Rajiv Gerela, GM-Technology, Wipro Spectramind Services Ltd.
"Each regulation requires a different strategy to handle
it due to the differing levels of complexity and coverage areas. There is no
single all encompassing strategy," said Rajiv Gerela.
However, the basic strategies followed by these companies are similar. The first
strategy is to have clearly documented policies and procedures. This helps satisfy
the client and the certifying or regulatory authority. It also helps the organisation
approach new business opportunities with a greater degree of confidence and
Educating users through regular training programs comes next. The knowledge
of compliance policies has to percolate right down from the top management to
the operational management. Organisations can achieve this through regular training
and other means like online training over the intranet, poster campaigns, awareness
BPO companies emphasise data security and integrity. Extensive security policies
and proper configuration right from access level control for data to configuring
firewalls and IDS systems is essential here. These are complemented by regular
audit and review mechanisms. Audits are done at regular intervals by the internal
IT team as well as by third party auditors. Reviews and modifications of the
policies are also done if required. This systematic approach has made their
life easier when it comes to conforming to regulations.
Other measures include proper incidence management, and clearly documented and
tested escalation plans. When we go into the specifics, the compliance initiatives
of most BPOs basically include the following as per Arun Kumar.
- Assessing internal controls
- Managing and optimising financial reporting processes
- Consolidating information for managing business
- Improving business intelligence
- Providing financial models for high-risk operations
and programs to manage risk
- Improve records management and audit trail
- Ensuring fraud detection and prevention
Where do we go from here?
In terms of technology regulations and certifications are largely built on ITIL
which forms the basis of most BPO infrastructure. Therefore, compliance should
not be too difficult for most of these organisations.
The first technology framework that will soon become mandatory is COBIT (Control
Objectives for Information and related Technology). Based on ITIL, this is a
framework for IT governance. It includes the best practices for IT governance,
control and assurance. There will be increasing adoption of COBIT this year.
BS 15000 is yet another standard that shows signs of becoming mandatory soon.
This is the first global standard for service management and it is basically
an integrated set of management services for service provision. It will be required
by BPOs that cater to European clients. Many of the Indian BPOs are already
gearing up to achieve BS 15000.
CISP (Card holder Information Security Program) will soon be required for BPO
firms that handle credit cards information. The industry is gearing up for this
and CISP should be in place in a couple of months.
Anil Patrick R can be reached at: firstname.lastname@example.org