By Swati Pandey and Harichandan Arakali
MUMBAI/BANGALORE (Reuters) - A breach of security at two payment card processing companies in India that led to heists at cash machines around the world has reopened questions on the risks of outsourcing sensitive financial services to the Asian nation.
Global banks that ship work to be processed in India, either in-house or to big IT services vendors, were already under pressure to step up oversight of back-office functions after a series of scandals last year.
Last week, U.S. prosecutors said a global criminal gang stole $45 million from two Middle Eastern banks by breaking into the two card processing companies based in India and raising the balances and withdrawal limits.
"India is exposed in two ways: The threat that the same theft could happen in India and the fact that the outsourcing industry will also get affected," said Arpinder Singh, partner and national director for fraud investigation and dispute services at consultancy Ernst & Young.
The episode is reopening debate on banks sending work requiring a high degree of confidentiality to offshore locations.
"It is the weakest link," said Shane Shook, an expert with U.S. cyber-security firm Cylance Inc who has helped financial firms conduct investigations into some major cyber crimes.
"I think the lesson is they need to pull back on what they've outsourced. When you're giving a third party, the outsourced entity, the ability to access credit limits or cash limits of the consumers you're managing the finances for, you're giving up control that is your fundamental responsibility."
India's $108 billion IT services industry is the world's favored destination for outsourcing. Over 40 percent of exports by the industry are support services for the global financial sector, ranging from investment bank back-office functions to research, risk-management and processing of insurance claims.
Lured by a tech-savvy English-speaking population and wages that can be one-fifth those in the West, more than three-quarters of global banks have a direct or third-party offshore presence in India.
Indian IT firms, led by outsourcers such as Tata Consultancy Services and Infosys, argue that security breaches are rare.
"I think if you look at the nature of the work we do and how much we do, we've actually had very very few incidents," said Som Mittal, president of the National Association of Software and Services Companies, the industry lobby.
UNDERCURRENT OF HOSTILITY
Still, any perception that data may be less safe in India is unwelcome for an industry that faces an undercurrent of hostility for taking away jobs in the West, home to most of its clients.
"The threat (to security) is for real, that's for sure," said Parag Deodhar, chief risk officer at Bharti AXA General Insurance, the local joint venture of France's AXA.
"When people don't take it seriously, it doesn't help. People still take information security quite lightly, and they don't address the weakest link, which is the people aspect."
There has been no suggestion that anyone employed at the two card processing firms, ElectraCard Services and EnStage, is involved.
EnStage, incorporated in California but with operations based in Bangalore, handled card payments for Bank of Muscat of Oman, sources have said. Bank of Muscat lost $40 million in a coordinated heist on February 19.
ElectraCard Services, based in Pune, processed prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK), according to sources. RAKBANK suffered a $5 million coordinated heist at ATMs around the world on December 21 last year, the U.S. indictment said.
Several industry watchers have said payment card fraud is a global problem and is not unique to India.
Two previous cases of hacking into processors of pre-paid debit cards occurred at RBS WorldPay and Fidelity National Information Services Inc, both in the United States. The amounts involved however were less than the losses suffered by the Middle East banks.
The U.S. Federal Bureau of Investigation has said many cases of cyber-crime involving credit cards and bank fraud never get publicized.
"The notion that this will affect outsourcing to India is wrong. There is no relation. There have been bigger frauds at BPOs in the United States," Ravi Sundaram, ElectraCard's head of strategy and corporate services, told Reuters on Monday.
Nevertheless the breach comes after a series of other events that have tarnished the IT industry in India.
Last year, the New York state banking regulator accused London-based Standard Chartered of hiding $250 billion in transactions with Iran and not giving proper oversight to its back office operation in Chennai, India. Standard Chartered settled with the regulator.
That had followed a backlash in Britain after customers of Royal Bank of Scotland and its Natwest unit were left locked out of their accounts for a week due to an inexperienced IT operator in Hyderabad, media reports said.
A U.S. Senate probe last year criticizing anti-money laundering controls at HSBC identified deficiencies in work done by its "offshore reviewers" in India, according to media reports.
While plenty of global companies are moving more functions to India, either to outsourcers or wholly-owned "captive" operations, some are moving work back home.
Costs, however, remain an over-riding factor.
"Most banks in U.S. are trying to cut costs because of recession. So they will try to outsource, not just to India but to any other country or any other company," said Nishanth Chandran, co-founder and CEO of E-Billing Solutions, a Chennai-based company that helps merchants process payments.
"For banks, it is completely a balance between security and costs."
(Additional reporting by Aradhana Aravindan in Bangalore, Kaustubh Kulkarni in Pune and Jim Finkle in Boston; Writing by Tony Munroe; Editing by Raju Gopalakrishnan)