Employee fraud at HSBC BPO in Bangalore

Sufia Tippu
Wednesday, 28 June 2006 06:22

IT Industry - Market

After employee fraud last year at MSource, an Indian BPO centre in Pune in the western part of India another one has come to light and this time it is in Bangalore. An HSBC employee has been charged with stealing confidential data of the bank’s customers in UK to illegally transfer their money without their knowledge.

The complaint was lodged by the HSBC shared services centre -- HSBC Electronic Data Processing India (HDPI), against its employee Nadeem Kashmiri with the Cyber Crime Police Station in Bangalore on June 22.

The company has alleged that Nadeem has “accessed personal information; security information and debit card information” of some of its customers in the UK and has passed it to “co-fraudsters”, for conducting “fraudulent transactions through ATM, debit cards and telephone banking services at the behest of Nadeem.”

The loss is estimated at 233,000 pounds.

The fraud came to light after 20-plus UK customers of HSBC realized that money was suddenly missing from their accounts and subsequently lodged a complaint with the bank stating that funds were “transferred without their knowledge,” between March and May this year and that they “did not know, who transferred the monies.”

In the first information report (FIR), HDPI has stated that the bank conducted an internal investigation and found Nadeem to be the main culprit. “He has accessed the customers’ account without any business requirement and changed the personal information, security information and debit card information. He did not log his access on the front end of the business application, as is the mandatory procedure,” the FIR stated.

The backend system logs indicated that Nadeem accessed the information. Later, his accomplices called and cleared the procedural security requirement and “requested him for the balance information and conducted the fraudulent transaction. Nadeem facilitated his accomplices to impersonate the actual customers to enable them to cheat the HDPI and HSBC customers,” the FIR stated.

In the process of investigation, the HSBC also found that Nadeem joined HDPI on December 12, 2005 using “false records and misrepresentation."

He omitted to mention his employment with Accenture and provided false references for conducting reference checks.

The bank has alleged that Nadeem joined HSBC “with the intention to deceive and cheat the bank and its customers. He accessed customers accounts without authorisation from the day he was deputed on the processing floor, on February 6.”

The company spokesperson has said that the internal security team discovered that one of HSBC’s staff in Bangalore had caused customer data to be leaked, “which has resulted in a small number of accounts in the UK being compromised. The employee has been suspended and the crime reported with the Bangalore police.”

Last year in April five employees of MsourcE, the BPO arm of MphasiS BFL (now acquired by EDS) were arrested for allegedly pulling off a fraud worth nearly $425,000 from the Citibank accounts of four New York based account holders. The case is under investigation.

A couple of months later, the Sun tabloid in a sting operation purchased the bank account details of 1,000 Britons for about $5.50 each from one Karan Bahree, an employee of Gurgaon-based BPO company Infinity E-Search, who allegedly sold the information to an undercover reporter. The case was registered in London.

The reason for such lacunae in the system is the fact that BPO firms are feverishly recruiting and there is not enough time for inadequate employee verification.

According to a verification company, an interview for a candidate lasts an average of about 5 minutes. “How well can you verify that candidate in that time frame? It is critical to get a proper verification of candidate's education, employment and other details done but most companies are willing to let that pass – because it costs about $ 200 per employee and they are not willing to foot that” says a CEO of a verification firm.

In the HSBC case, the employee had furnished false information about himself. As per the police complaint, he had not mentioned his previous employment with Accenture and had provided false references for conducting reference checks. But HSBC appears to have overlooked all of this.

“After the MSource fraud, employee verification has become a serious issue and companies have put in place stringent rules for security and employees providing false information have been fired in some BPOs,” said Nasscom president Kiran Karnik.

Experts add that employee verification and risk mitigation should be placed under an information security department, and not under the HR department as is typically done. “HR does not understand security issues – they are more interested in hiring and placing a candidate quickly but the information security should play a stronger role in recruitment,” they say.