Outsourcing

Wednesday, May 14, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 4)

Prior posts discussed offshore outsourcing at TransUnion and TrueCredit. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion (and TrueCredit) outsource their operations and her credit information, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions. So far, I've learned that TransUnion and TrueCredit, its credit monitoring service, both offshore outsource.

To learn more about offshore outsourcing within the credit bureau industry, I reviewed the 10K document Equifax filed with the U.S. Securities and Exchange Commission. Equifax is publicly-traded while TransUnion is privately-held. The S.E.C. requires public companies to submit certain filing documents. Both collect consumers' credit information, sell credit reports to potential lenders, and operate credit monitoring services. A publicly-traded company's 10K filing usually tells more about its operations than its Annual Report document.

A view of Equifax's operations would provide a perspective about TransUnion, since both companies perform similar activities. To stay competitive, TransUnion would attempt to maintain a similar cost structure to its competitors -- Experian and Equifax.

From the Equifax 10K document:

"Upon our acquisition of TALX Corporation, or TALX, on May 15, 2007, we became a leading provider of payroll-related and human resources business process outsourcing services in the United States of America, or U.S. We currently operate in three global regions: North America (U.S., Canada and Costa Rica), Europe (the United Kingdom, or U.K., the Republic of Ireland, Spain and Portugal) and Latin America (Brazil, Argentina, Chile, El Salvador, Honduras, Peru and Uruguay). Of the countries in which we operate, 73% of our revenue was generated in the U.S. during 2007."

Some interesting information about the business risks Equifax sees and how that risk relates to outsourcing activities:

"Our ability to provide reliable service largely depends on the efficient and uninterrupted operation of our computer network systems and data centers. Some of these systems have been outsourced to third-party providers. Any significant interruptions could severely harm our business and reputation and result in a loss of customers."

If you read further into the 10K document, Equifax lists its contractual obligations which include outsourcing expenses:

Payments due by period ($ millions) for data processing, outsourcing agreements and other purchase obligations*:

  • Total: $305.5
  • Less than 1 year: $88.5
  • 1 to 3 years: $103.3
  • 3 to 5 years: $90.2
  • Thereafter: $23.5

* These agreements primarily represent our minimum contractual obligations for services that we outsource associated with our computer data processing operations and related functions, and certain administrative functions. These agreements expire between 2008 and 2014.

The document also states:

"Data Processing, Outsourcing Services and Other Agreements. We have separate agreements with International Business Machines Corporation, or IBM, Acxiom, GenPact, TCS and others to outsource portions of our computer data processing operations, applications development, maintenance and related functions and to provide certain other administrative and operational services. The agreements expire between 2008 and 2013. The estimated aggregate minimum contractual obligation remaining under these agreements is approximately $305.0 million as of December 31, 2007, with no future year expected to exceed approximately $90.0 million... In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay a significant penalty."

I wonder exactly what's in "related functions and to provide certain other administrative and operational services." That sounds like call centers. Equifax's outsource agreement with IBM:

"Our data processing outsourcing agreement with IBM was renegotiated in 2003 for a ten-year term. Under this agreement (which covers our operations in North America, Europe, Brazil and Chile), we have outsourced our mainframe and midrange operations, help desk service and desktop support functions, and the operation of our voice and data networks. The scope of such services varies by location. During 2007, 2006 and 2005, we paid $115.0 million, $112.1 million and $120.8 million, respectively, for these services. The estimated future minimum contractual obligation at December 31, 2007 under this agreement is approximately $255.0 million, with no year expected to exceed approximately $55.0 million. We may terminate certain portions of this agreement without penalty in the event that IBM is in material breach of the terms of the agreement."

If my friend, Laurie, decides to switch credit monitoring services... drop TrueCredit and sign up for another credit monitoring service by Experian or Equifax, she can reasonably expect that they outsource also. Like TransUnion, Equifax also operates several credit monitoring services, with varying features.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so if the company can't provide a high-quality call center operation?

I had to dig deep to find some information about the company's offshore outsourcing activities, since this data isn't readily available on the company's web site. Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise?

The three national credit bureaus assume that the lowest cost for credit information is best for consumers. Laurie's concerns suggest otherwise: that consumers want both protection and a reasonable price, not the absolute lowest price. A service with a low price and no data security isn't worth much. Consumers now realize that bad things happen: data breaches. There is always risk. And, one can reasonably expect bad things to happen with offshore outsourced credit information just like data breaches within the USA.

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers now know today that companies suffer data breaches. Some consumers know first-hand the expense, hassle, and grief involved with restoring their information and credit after a criminal has hacked their financial accounts.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. Laurie's concerns reflect this. It all goes to the level of risk people are willing to accept. Experts have identified the data security risks of offshore outsourcing. The fewer places credit and financial data are transmitted, the fewer chances for bad things to happen. More importantly, it is unclear exactly which country's laws govern the protection of consumer credit and financial data. It is unclear which country's laws govern the notification when the company (e.g., TransUnion, True Credit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

What do you think? Take our poll today or submit a comment below.

Thursday, May 08, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 3)

Prior posts discussed offshore outsourcing and TransUnion. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion and TrueCredit outsource portions of their operations, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions.

A wider search found information about TransUnion's participation in industry events for outsourcing professionals. The International Association of Outsourcing Professionals published information about a June 2007 event:

"Performance Monitoring Goals and Requirements for BPO Operations (Call Centers)
Brad Rubin, Director of Operations for TransUnion Interactive (formerly TrueCredit)

  • Overview of the business requirements for using tools to monitor the overall performance of BPO Call Center Operations
  • Discussion of the functionality needed and the types of tools that were examined to achieve TransUnion’s goals.
Brad Rubin is responsible for managing all BPO operations where he has transformed the service operations into a global multi-site operation. Prior to TransUnion, Brad was with Accenture in San Francisco."

So, it appears that TransUnion, the parent company, and TrueCredit both perform offshore outsourcing. This is the first time I have ever heard of a credit monitoring service that performs offshore outsourcing. According to a 2006 Janeeva, Inc. press release:

"Janeeva, Inc., the industry leader in ORM (Outsourcing Relationship Management) software, today announced that TrueCredit, a division of TransUnion and a provider of credit management services, has implemented Janeeva Assurance™ software to manage multiple outsourced vendor relationships. True Credit is experiencing rapid growth, and customer care via their call centers is critical to their success. With multiple offshore call center locations comes increased complexity that Janeeva helps manage."

So, TrueCredit has contracts with several outsourcing firms. According to a November 2006 entry at Outsourcing Magazine (OM):

"About Blogger Brad Rubin: Brad Rubin is currently the Director of Operations for TrueCredit, a wholly-owned subsidiary of TransUnion, LLC. While at TrueCredit, Mr. Rubin has been responsible for managing all business process outsourcing (BPO) operations. He has successfully transitioned the TrueCredit service delivery platform into a global, multi-site operation. In addition to his work at TrueCredit, Mr. Rubin is an active speaker within the outsourcing community. In 2006, he participated in the Outsourcing Relationship Management Forum at the University of Michigan and the Telecommunications Risk Management Association (TRMA), Summer Conference. In 2007, he will be presenting a case study entitled Managing Multi-Vendor Environments with Relationship Management Software at the International Association of Outsourcing Professionals (IAOP), World Summit."

The OM site provides Mr. Rubin's e-mail address and his blog address: www.sourcingprofessional.com. I scanned several posts in Mr. Rubin's blog. He mentioned TransUnion's offshore outsourcing activities with vendors in Manila (Philippines), Central America, and New Delhi (India). According to Mr. Rubin's blog, TransUnion is considering new offshore outsourcing arrangements in Cebu (Philippines) and Guatemala. While I haven't read all of the posts in Mr. Rubin's blog, so far I haven't seen any posts about data security or data breach notification.

Now, my friend Laurie knows that both TransUnion and TrueCredit perform offshore outsourcing. We now have an idea of some of the country locations. We don't know yet which outsourcing firms. Maybe Mr. Rubin can help Laurie resolve her problems with TrueCredit's customer service department. Maybe Mr. Rubin can explain the scope of TrueCredit's offshore outsourcing activities. Maybe Mr. Rubin can explain the data security processes TransUnion takes to ensure the protection of Laurie's and others' credit information. Maybe Mr. Rubin can provide a list of the specific offshore outsourcing locations and firms.

Last weekend, I wrote to Mr. Rubin asking for answers to the questions above. In my e-mail message to Mr. Rubin, I shared Laurie's message and concerns. So far, I haven't received a response from him, or from anyone at TransUnion. If he responds, I will post his reply in the I've Been Mugged blog.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. That's one reason why I titled these posts, "Is It Wise...?" and didn't title it "Is It Profitable...?" Of course, outsourcing and offshore outsourcing are profitable. That's why companies do it.

My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise? Is it wise to do so if the company can't provide a high-quality call center operation?

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. It all goes to risk. The fewer places credit and financial data are transmitted, the fewer chances for lost or stolen data. More importantly, it is unclear exactly which country's laws govern the protection of consumer credit and financial data. It is unclear which country's laws govern the notification when the company (e.g., TransUnion, True Credit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

More about this next week.

Wednesday, May 07, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 2)

Yesterday's post discussed the problems Laurie is having with her TransUnion credit monitoring service, and the related questions about legal protections when credit companies perform offshore outsourcing. I'd promised Laurie that I'd try to find some answers to her questions.

Meanwhile, Laurie contacted me again:

"I continue to call TransUnion (TrueCredit) and I leave messages for somebody in a managerial position to contact me but I never get a domestic employee. When I ask the phone associates where they are located they tell me they are prohibited from telling me. It's a vicious cycle because there's no mailing address and the potential for online help abuse is the same as telephone support. This is sensitive information I'm disclosing and all my alarms are going off like bells and buzzers."

Yesterday's post covered news reports from 2003 and 2004 about the credit bureaus' offshore outsourcing activities. In 2003, the bureaus promised more openness about their outsourcing plans, but the call center representatives' answer above does not show any openness.

So, I decided to look more closely at TransUnion, since that company was the source of Laurie's difficulties. Like most companies, TransUnion publishes its Corporate Privacy Policy on its main Web site. This seemed like a good starting point, since this document usually discloses what the company does with any sensitive consumer data collected within the site:

"Please carefully read our privacy policy to understand how we will treat the information you provide while visiting this web site or the web sites of most of our domestic subsidiaries and affiliates ("Web Site")... This privacy policy applies to TransUnion and its domestic subsidiaries and affiliates, except for TransUnion Consumer Solutions and TrueLink, Inc., who maintain their own privacy policies."

Note the emphasis on domestic subsidiaries. That refers to TransUnion divisions, companies, or business units within the USA. It implies that divisions, companies, or business units elsewhere are not subject to this Privacy Policy, but to a different Privacy Policy or none at all. That should be unsettling to consumers. Why? TransUnion's approach to privacy policies forces users to wade through several documents that aren't that easy to read or find. TransUnion has operations in 25 countries on 5 continents. So far, no explicit mentions about outsourcing in this TransUnion Privacy Policy.

Next, I checked the Privacy Policy at TrueCredit, TransUnion's credit monitoring service, since Laurie is a subscriber. The TrueCredit Privacy Policy is more detailed and more comprehensive. It contains details about several subjects: what data the company archives, what happens when users opt-in to e-mail updates, how its web site works with the user's Web browser, the company's approach to online advertising, in what situations TransUnion shares data with contractors, and so forth.

I'd like to give TransUnion and TrueCredit at least one "attaboy" for sharing this amount of detail in the TrueCredit Privacy Policy. However, this document didn't mention outsourcing either.

I also checked the Public Policies pages within the TransUnion site. No mentions of outsourcing there, either. Sadly, this site section was very thin regarding content. The little bit of copy on three pages could have easily been presented on a single page. Whatever promises TransUnion made in 2003 about more openness about its outsourcing activities weren't being fulfilled in 2008.

Next, I looked for TransUnion's Annual Report and 10K filings; documents by publicly owned companies within the USA. TransUnion is privately held, so it is not required to provide these filings which the U.S. Securities & Exchange Commission requires of publicly-traded companies. Hence, it is more difficult to obtain detailed information about a privately-owned company... and any offshore outsourcing activities it might be engaged in.

Difficult, but not impossible. More about this tomorrow.

Tuesday, May 06, 2008

Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)

A friend, Laurie, wrote to me recently about the difficulty she is having with her credit monitoring service:

"In my effort to reduce the likelihood of identity theft, I've ordered a credit check from TransUnion this year as I have for the past 3. This year I had a hard time logging on so I called the help line. It was answered instantly by somebody who asked for my Social Security number. Of course it seems like a natural question from a credit bureau but I had the feeling the operator was an outsourced worker from India. I gave her my data but I still couldn't log in. After further attempts to reach TransUnion in the USA I've discovered it is nearly impossible. I feel like I got sucked into a trap door set for the financially paranoid! Have you heard of this being a problem? Do institutions outsourcing labor in other countries have to comply with the same laws? Do you have any way around credit reporting when it's done overseas?"

Laurie's situation caught my attention first because a friend was having difficulty getting the help she needed. Her situation also caught my attention because of the increasing popularity of credit monitoring services. All consumers demand effective and high-quality customer service... perhaps more so when it involves sensitive personal data, like credit reports.

So, I promised Laurie that I'd try to find answers to her questions. Maybe Laurie had encountered a new or poorly trained call center representative; or a representative with a thick accent. This could happen with any business. Regardless, consumers have an expectation for efficient, quality customer service. And according to Laurie's message, TransUnion's customer service isn't helping and is difficult to contact.

Some background: TransUnion is one of three national credit bureaus (also called credit reporting agencies) in the USA. The national credit bureaus play three roles in the credit services industry:

  1. Collect and archive credit reports with consumers' sensitive personal and financial data
  2. Sell credit reports to potential lenders
  3. Sell credit monitoring services to consumers

The data collected in role #1 includes: Social Security Number, birth date, full legal name, current and past residential addresses, credit cards, loan accounts and information, credit score, employer information, e-mail address, and payment histories. But this data isn't always accurate. Even though credit bureaus make money by selling consumers' credit reports, it is the consumers' responsibility to check their credit files for accuracy at each of the three national credit bureaus.

Regarding role #3, TransUnion operates the TrueCredit credit monitoring service.

One could debate whether roles #2 and #3 present a conflict of interests, perhaps similar to the role a computer software company has when it sells operating system software and application software. But, that debate must wait until after I answer Laurie's questions.

Laurie's message raised the subject of outsourcing, but more specifically off-shore outsourcing. Like many Americans, Laurie probably has an impression that the three national credit bureaus support their credit monitoring service subscribers with systems entirely within the subscriber's home country. In other words, consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

If this local-same-country processing and archiving isn't the case, then consumers intuitively assume that their personal data is at greater risk. How much more risk? Consumers don't know and the companies rarely say. Laurie has gone the extra step and asked: if her credit service offshore outsources, does she have the same data protections? Does the outsource firm have the same rigorous data security processes and policies? Which country's laws apply, if any, regarding data security standards? If there's a data breach by the outsource vendor in another country, will she be notified? Will that notification be accurate and timely?

Consumers' impressions that the three national credit bureaus don't outsource work are inaccurate. A news literature search found this San Francisco Chronicle article from November 2003:

"Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas... The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer."

The article also reported this about TransUnion:

"A hundred percent of our mail regarding customer disputes is going to go to India at some point," said David Emery, executive vice president and chief financial officer of TransUnion in Chicago. "We are now testing the system and negotiating a contract with an outside vendor. We expect to sign that contract by the end of the year." Emery said in an interview that the decision to have an Indian firm handle thousands of written requests for changes to credit files each year was necessitated in part by the amended Fair Credit Reporting Act, which was approved by the U.S. Senate on Wednesday.

So, it would appear that (for a variety of reasons) at the end of 2003, TransUnion was planning to outsource work to firms in other countries. Since I am not a lawyer, I cannot provide a legal opinion on the laws which govern outsourcing and the credit industry. Nor can I provide an interpretation of the Fair Credit Reporting Act referenced by Emery above. For legal assistance regarding credit information, the Privacy Rights Clearinghouse recommends that consumers contact the National Association of Consumer Advocates, or the list of attorneys at My Fair Credit.

A Wired story from 2004 titled "Outsourcing: Danger to Privacy" reported:

"Democratic Sen. Dianne Feinstein warned the chief executives of banks and credit companies this week that she would crack down on them if they didn't take steps to protect their customers' private data, such as medical and financial information, which is increasingly being handled by clerks working abroad. In a letter to the CEOs of Citigroup, Bank of America, Equifax and TransUnion, Feinstein (D-California) said she might introduce federal legislation to protect the personal data of Americans if the companies don't establish safeguards... All of the recipients of Feinstein's letter already have outsourced clerical services, or have stated their intent to do so."

To my knowledge, that crack-down never happened. It would seem that the US Congress has basically said to credit bureaus: go ahead and outsource, but you'd better not have any consumers' credit or financial data lost or stolen. And, we consumers have elected those members of Congress.

The article didn't explain exactly how Congress would oversee the companies' outsourcing activities in other countries. The article didn't say how Congress would monitor or audit the companies' compliance with the safeguards, or collect timely and accurate data breach notices about any lost, stolen, or mishandled consumer data by firms operating outside the USA.

A lot has happened since that 2003 article. Maybe, the companies' outsourcing plans, activities, or scope have changed. The fact is identity theft and fraud have blossomed as a problem since 2003. Plus, the 2003 San Fran Chronicle article made it clear that the credit bureaus were no longer going to hide their off-shore outsourcing plans and activities.

More about all of this tomorrow.

Monday, October 22, 2007

The Data Security Risks with Offshore Outsourcing

We've all read news articles about how companies, in order to remain competitive, have moved jobs and work to other companies (outsourcing), and/or have moved jobs and work to companies in other countries (offshore outsourcing). Philip Alexander has written an excellent article in SearchCIO.com about the risks with offshore outsourcing... which can expose the sensitive personal data of customers, employees, and former employees.

Mr. Alexander gets right to the point:

"... there is more to consider than just the lower labor costs of employees in India versus their domestic counterparts... it's important to make sure that in addition to going after cheap labor, you're not buying yourself a slew of security exposures as well. The decision on whether or not to outsource should not rest solely with the CFO. The chief security and compliance officers should also be involved because of the many security- and regulatory-related issues involved with offshore outsourcing."

If you live in a state where consumer notification is required when the company has a data breach, it is important to remember that:

"With the rash of highly publicized data breaches, 36 states now have their own disclosure laws mandating that companies inform customers in the event of either an actual or suspected security breach. This applies to data breaches that occur overseas if you send sensitive customer data offshore."

I applaud Mr. Alexander for challenging CIOs (Chief Information Officers) and CSOs (Chief Security Officers) to consider the risk and not just the financial benefits. Mr. Alexander lists two major issues regarding offshore data security and risk:

The first is granting offshore engineers access to computer systems located within your company's network. Are you monitoring the activities of the overseas engineers? If the work that's being sent offshore is project-based, are you ensuring that access is removed when the project is completed? Do you have security professionals monitoring the activities of the offshore engineers?

The second issue, and the most important:

"... review what type of work is safe to send offshore. For instance, outsourcing production support overseas entails a high degree of risk...  You should consider projects that don't entail sending sensitive customer information offshore, or granting remote access to your internal network. Software development doesn't require providing sensitive customer data offshore. The development work can be performed offshore, then the code can be securely transmitted to your company."

The only issue I have with Mr. Alexander's article is his focus on CIOs and CSOs. I believe that general management, human resources, and customer service senior managers should be challenged also, to consider the risks of offshore-outsourcing decisions. All departments handle sensitive data and all departments need training in effective data security practices. All of this becomes even more critical as companies headquartered in other countries acquire or merge with US-based companies.

For some background, read this GAO report about Medicare and Medicaid, or this article about data breaches at outsourcing firms in India. I'd love to see a consultancy or accounting firm independently audit the major brokerages against the criteria Mr. Alexander stated in his article. What do you think?


  • George Jenkins, author of the I've Been Mugged Blog


  • © 2007 - 2008. George Jenkins. All Rights Reserved.