Regulations and compliance: BPO Industries

By Sanjay Mishra, B.COM, ACS, LL.B., A.D.I.T.

After BFSI, BPO has the greatest exposure to regulations. R examines the role that IT plays in empowering outsourcing companies as they comply with regulations, mostly international ones.

In business process outsourcing, service providers have to abide by the regulations that their clients follow. The BPO industry is driven by technology, and the technology component of BPO will only increase as the industry moves away from low-end services such as customer support and medical transcription. Right now, the shift towards premium, high-end services (research & analytics, level 3 and above IT helpdesks, medical insurance processing, and media services) is happening. It is only natural that technology plays an important role in helping the average BPO outfit comply with the zillion regulations that each outsourcing deal involves.

"Monitoring processes such as IT spending, change management, system security and SLAs is the order of the day. Technology has to be put in place along with policies and procedures to ensure that there is compliance in all areas."

Although most BPOs are clear about compliance as far as certifications are concerned, awareness of getting systems to comply with international regulations (Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, EU Data Protection Act, etc.) spread only in 2004. Let us examine the Indian outsourcing industry's structure and the effect of regulations upon it.

The state of Indian BPO

The Indian outsourcing industry can be broadly categorised into two segments as per Nasscom: in-house or captive centres and third-party providers. In the case of in-house or captive centres, outsourcing is done by an arm of the parent organisation, and business processes are located at low-cost, high-skill offshore locations (like India).
In this approach, the central unit itself takes care of and enforces all the regulatory issues that the offshore centre is subject to, as the centre is just an extension of the business that happens to be located outside the country. In the case of third-party outsourcing centres, however, the scenario is different: these organisations have to keep themselves compliant with the latest quality and technological regulations in order to stay competitive in the global marketplace.

A time for regulation

Data privacy and integrity concerns that relate to outsourcing are the biggest concerns for Indian BPO's clientèle. This is especially true in the case of businesses that have IPRs (Intellectual Property Rights) to protect, or banks and others that must maintain the confidentiality of their customer records.

"Clients insist that regulations are adhered to, as this can result in business being attracted or lost. If BPOs fail to implement the required level of information security, they lose out on business. Implementing ethical practices for client confidentiality etc. is almost mandatory."

"Consumer banking uses data about account holders. In this case, if data is processed outside the country, there is a chance that the BPO company fails to follow the relevant privacy laws. Fraud is an ever-present problem."

"Strong security policies have to be there in an ITES-BPO organisation. The issue of client confidentiality (addresses, phone numbers, credit card information etc.) must be addressed."

This trend is assuming increased prominence as higher service quality levels become the norm. In such an environment, certification and regulatory compliance can help a BPO company stand out. In terms of global certifications and standards, Indian BPOs are on par with the rest of the world. Most Indian BPO companies are BS 7799 and ISO 17799 certified.
According to the Ernst & Young (E&Y) and Indo-American Chamber of Commerce (IACC) Offshore Outsourcing Survey, BS 7799 and ISO 17799 security certifications are in place at 43 percent of surveyed BPO companies, and an increasing number of BPO firms are getting themselves certified. See the graph on Information security compliance.

On the service management front, ITIL (IT Infrastructure Library) is used as a foundation by most BPO companies. This is helping Indian BPO outfits leapfrog other industry segments that haven't caught up on this front. The effective use of ITIL means that BPOs have a comparatively easier time catching up with upcoming standards such as BS 15000 and the COBIT (Control Objectives for Information and related Technology) framework.

On the quality accreditation front, the E&Y-IACC survey found that ISO 9000 is the most popular quality standard, followed by COPC and Six Sigma. The graph Global quality accreditations and best practices highlights these trends.

What regulators want

Even after they get certified, Indian BPO companies still have to catch up on the regulations front. The principal regulations that affect Indian BPOs are the Sarbanes-Oxley Act, HIPAA (Healthcare Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), the UK Data Protection Act, FDCPA (Fair Debt Collection Practices Act) and the US-EU Safe Harbour Agreement. Most of these relate to Indian BPO's biggest clients, i.e. the US and the UK. Although the percentage of Indian BPO companies that comply with these regulations is minuscule, the majority of them are partially compliant on the technology front.

"Around 25 to 30 percent of Indian BPOs comply with regulations. However, on the partial compliance front, most companies are more or less there."

The home front

Indian regulatory authorities haven't really got around to framing regulations for the BPO industry.
The main law or regulation that affects BPO companies in India is the Indian IT Act 2000. Other legal regulations that affect this sector are the Indian Penal Code, Consumer Protection Act 1986, Indian Contract Act 1972, Specific Relief Act 1963, Indian Copyright Act 2000, and the Product Patent Act 2005. See the table Indian BPO regulation vis-à-vis competition, from Nasscom's Indian ITES-BPO fact sheet, for more on the areas covered by Indian regulations regarding BPOs.

The required technology compliance for BPO companies is limited to copyrights, patents and data security. These are easily fulfilled, as most of these companies comply with BS 7799 and ISO 17799, which have the required mechanisms built in. The technological readiness of the Indian BPO industry is at a higher level than what Indian regulations mandate. This is poor consolation, as this industry is concerned about competing globally. The likes of Nasscom are working with the Indian government to bring regulations like the Indian IT Act 2000 on par with regulations such as the EU Data Protection Directive.

[Table: Indian BPO regulation vis-à-vis competition. Columns: Laws, India, China, Philippines. Row groups: IPR (Copyright; Patent, with product patents in India from 2005); Data protection (Data protection laws; Vertical-specific laws; Comprehensive framework 2004); Cyber (Digital signatures; Blackhat hacking; Privacy). Digital signature, blackhat hacking and privacy laws are marked as present in all three countries. *Privacy laws exist in China, but they are not comprehensive. Source: Nasscom Indian ITES-BPO fact sheet (Evalueserve Analysis)]

"Each regulation requires a different strategy to handle it due to the differing levels of complexity and coverage areas. There is no single all-encompassing strategy."

However, the basic strategies followed by these companies are similar. The first strategy is to have clearly documented policies and procedures. This helps satisfy the client and the certifying or regulatory authority.
It also helps the organisation approach new business opportunities with a greater degree of confidence and comfort.

Educating users through regular training programs comes next. Knowledge of compliance policies has to percolate right down from top management to operational management. Organisations can achieve this through regular training and other means like online training over the intranet, poster campaigns, awareness quizzes, etc.

BPO companies emphasize data security and integrity. Extensive security policies and proper configuration, right from access-level control for data to configuring firewalls and IDS systems, are essential here. These are complemented by regular audit and review mechanisms. Audits are done at regular intervals by the internal IT team as well as by third-party auditors, and the policies are reviewed and modified if required. This systematic approach has made their life easier when it comes to conforming to regulations. Other measures include proper incident management, and clearly documented and tested escalation plans.

When we go into the specifics, the compliance initiatives of most BPOs basically include the following:

- Assessing internal controls
- Managing and optimizing financial reporting processes
- Consolidating information for managing business performance
- Improving business intelligence
- Providing financial models for high-risk operations and programs to manage risk
- Improving records management and audit trails
- Ensuring fraud detection and prevention

Where do we go from here?

In terms of technology, regulations and certifications are largely built on ITIL, which forms the basis of most BPO infrastructure. Therefore, compliance should not be too difficult for most of these organisations. The first technology framework that will soon become mandatory is COBIT (Control Objectives for Information and related Technology). Based on ITIL, this is a framework for IT governance.
It includes the best practices for IT governance, control and assurance. There will be increasing adoption of COBIT this year.

BS 15000 is yet another standard that shows signs of becoming mandatory soon. This is the first global standard for service management, and it is basically an integrated set of management services for service provision. It will be required by BPOs that cater to European clients. Many Indian BPOs are already gearing up to achieve BS 15000.

CISP (Cardholder Information Security Program) will soon be required for BPO firms that handle credit card information. The industry is gearing up for this, and CISP should be in place in a couple of months.