BPO and Privacy
How safe are you when banks resort to business process outsourcing (BPO)?
SEPTEMBER 16, 2002
International banks are noted for their advocacy of business process outsourcing (BPO). By farming out some customer-facing activities to outside vendors, banks are said to boost efficiency and trim headcount, thus maximising profits.
When a bank engages outsiders for BPO, it usually does so unilaterally, without prior disclosure to its customers. We hear complaints from customers who fear that their personal data and other critical information may be compromised once it is placed in the custody of outsiders with whom they have no contractual relationship. To dispel such concerns, a bank that practises BPO will normally issue some form of public proclamation guaranteeing data integrity and security.
Citibank, for example, publishes a global guarantee called “Citigroup Privacy Promise for Consumers” in its global websites, including Malaysia. Among others, the bank promises that, “whenever we hire other organisations to provide support services, we will require them to conform to our policy standards and to allow us to audit them for compliance”. Is that really so?
Recently, Citibank came under the spotlight of consumer-protection agencies in its home country. It engaged an outside company (Acxiom Corp.) to gather email addresses of its credit-card customers, and then hired another outside company (Touchwood Technologies) to send emails offering recipients online access to sensitive financial data, without verifying that each address actually belonged to the customer. What stood out most was that the subject line of each email carried the name of the cardholder whose account it referred to.
Wall Street Journal traced such emails to a Citibank web page which says recipients can obtain information including “time-sensitive communications, such as verifications or confirmations of transactions… past due bill reminders or usual account activity.” The Journal says such data could potentially be used for credit-card fraud or identity theft.
In response, Citibank insisted that it had put security measures in place to prevent sensitive information from reaching the wrong people. Nevertheless, it admitted that some of the email addresses used did not belong to the targeted cardholders and that it was reviewing the pilot programme. This raised further questions about whether U.S. federal regulation is needed to ensure that consumers' online privacy is protected.
On the surface, Citibank's emails may not violate U.S. privacy laws, but according to privacy experts the bank could still face inquiries from state attorneys general or the U.S. Federal Trade Commission (FTC) if it fails to provide the security measures it has promised its customers.
Banks and financial institutions in the U.S. are also required to comply with the Gramm-Leach-Bliley Act. The Act obliges financial companies to tell customers about their policies on the privacy of personal financial information. With some exceptions (notably for service providers that are contractually bound to keep the data confidential and to use it only for the service in question), the law limits the ability of financial companies to share customers' personal financial information with non-affiliated third parties; the bank remains answerable for what its outsourced vendors do with the data. Not surprisingly, banks in America are but lame cubs, tamed by the might of the FTC and U.S. legal conventions.
In relation to the widespread adoption of BPO in the banking sector, how then is the issue of data security being handled in Malaysia?
For example, credit card issuers are lately on an aggressive drive to recruit new customers, while credit-card debt is on a steady rise. It is an open secret that even foreign banks now engage outside debt collectors to track down cardholders who are delinquent in payment. How well are these outsourced debt collectors audited for compliance with the bank's service charter, so that a customer's privacy rights and data security are protected at all times? Should there be a breach of security measures, how would the victims obtain swift redress?
Sad to say, Malaysian consumers are vulnerable under the current legal framework. The Personal Data Protection Bill, originally scheduled for enactment in 2001, was delayed indefinitely after intense lobbying by influential parties, banks included. This anomaly in Malaysia did not go unnoticed: it was recorded in the 2002 edition of Privacy and Human Rights: An International Survey of Privacy Law and Practices, jointly released on September 3 by the Washington-based Electronic Privacy Information Center (EPIC) and the UK-based Privacy International. The general impression is that this has dented Malaysia's ambition to be a key pillar of the global k-economy.
Parting words: Do foreign banks, who obediently submit to mandatory compliance in their home countries, voluntarily practise the same customer privacy standards in the host countries? Frankly, I have lived through personal experiences that aren’t really pleasant.
This article was originally published in Jeff Ooi’s column in MALAYSIA BUSINESS (September 16, 2002)