
How IT ACT 2000 and its 2008 amendments have brought changes in BANKING SECTOR

ABSTRACT

Information Technology (IT) is changing our way of doing things, and so it is changing the banking industry. This study looks into the impact of IT, before its existence and after its implementation, on the banking industry in India, and in particular the extent to which customers are satisfied with IT-enabled services and contribute to this industry's growth.

INTRODUCTION

Technology has played an essential and important part in the development of mankind. During the last two hundred years, technological changes have often been related to economic growth in the form of new types of goods and services. Information Technology (IT) can be defined as the modern handling of information by electronic means, which involves its access, storage, processing, transportation or transfer and delivery.

In financial institutions, IT has been playing an enabling role in improving services, introducing new products, easing enquiries, and saving time. In the modern world IT has been picked to provide solutions to almost every sector, including education, health, libraries, communication and many more.

People in India are becoming aware of their right to quality and value-added services for their money. The banking industry in India realized what customers need and what they expect of banking services. Therefore, the new-generation private commercial banks are furnished with the necessary IT infrastructure. Most people go to an old-fashioned bank for banking services only when they have no other alternative. People mostly prefer IT-equipped banks for prompt and efficient services and easy access to account information. People are no longer willing to spend hours in the bank. They want quick services, which can only be ensured through proper application of relevant IT. Besides offering customer satisfaction, IT can extensively reduce operating costs, increase market share and generate extra revenue.
Banks have adopted IT throughout the world for three basic reasons (Horseman, Michael J., 1997):

- To protect and increase market share
- To reduce operating costs
- To generate new revenue

Ultimately, one of the prime motives of implementing IT is to gain extra productivity and attain more growth.

Information technology plays two important roles in banking: a supportive role and a strategic role. The supportive role helps banks to prepare the platform for business process reengineering and IT-based financial products, i.e. electronic banking, whereas the strategic role helps banks to develop new products to sharpen the competitive edge of the business. The emergence of e-banking and payment systems plays a vital role as infrastructure for e-commerce (Raihan et al. 2001).

Technology implementation in the banking industry has had a chequered history and is the result of many initiatives which were driven by the Reserve Bank in its developmental role. Today, with the coming of age of the banking industry, the Reserve Bank has decided to move away from the prescriptive role (a move which commenced when the liberalization process was initiated in the early nineties) to that of a guide. Accordingly, the vision of the RBI in respect of the financial sector, it is hoped, will enable banks to carve out their path towards implementation of IT-based systems at their end, which would synchronise with the plans of the Reserve Bank for the medium term of three to five years.

The Indian banking industry has witnessed remarkable development in Information Technology (IT) in the last few years. Banking transactions have become easier and more customer friendly due to technological improvements. To play a supportive and key role, banks are providing many services which combine electronics and information technology, such as Automatic Teller Machines (ATMs), plastic money (i.e. credit cards, debit cards and smart cards), phone banking, and e-banking, also called net banking. ATMs have emerged as the most favoured channel for offering banking services to customers in the world. RBI has also adopted IT in endorsing the payment system's functionality and modernization on an ongoing basis to improve the efficiency of the banking sector. There is a noticeable improvement in the performance of financial institutions and the service sector from incorporating IT into their functionality. It shows an increasing share and enhanced competitiveness at the global level because of adopting an IT culture. The advancements in information and telecommunication technologies (IT) over the past 25 years clearly indicate a positive impact on banking and financial institutions.
Before the use of IT:

Before technological innovation, the functioning of all banks was manual for all services, including data handling, maintaining and processing accounts, receiving customers and fulfilling their needs. Customers had to spend time and patience in banks to complete their transactions. They had to face multiple occurrences of unnecessary requirements within a limited time period and suffered from the lack of proper information to complete their financial desires. Attendants were few compared to the customers and hence were not capable of attending to them efficiently and effectively within the given time frame. As a result of this growing dissatisfaction amongst customers, there was an imperative need to automate this sector so as to remove all these problems.

In the 1980s, developments in IT, with the advancement of the personal computer (PC) and emerging networking, made transactions automatic through computerization in the banks. Now customers could use error-free services due to the development of information and communication technology (ICT). With this automation the customer retention ratio went up, as customers were very satisfied with the modernization of the set-up. With ICT, structural and functional changes were introduced in the mode of banking transactions, moving to electronic channels not only in urban areas but also in rural areas and the NCR. This changed their strategic behavior and enhanced their scale of operations.

Introduction of IT in Banking Sector:


The Indian banking sector witnessed new opportunities and challenges as there was a major drift in the present paradigm. IT improvements are significantly useful in reducing the cost and improving the efficiency of banks. Technological efficiency can result in lower transaction costs and increased revenues for banks. Transactions through technology channels cost banks much less than customers reaching the bank and doing the transaction there. The relative costs of banking transactions using various IT channels are shown in Table 1.

Table 1: Relative cost of banking transaction through different modes


| Channel | Cost per transaction (Rs.) |
|---|---|
| Physical Branch | 100 |
| Postal | 40 |
| Telephone | 18 |
| ATMs | 18 |
| Internet | 12 |

*Source: Bank of International Settlements

It is evident that information technology has brought key changes in banking operations. Foreign and private foreign sector banks were the leaders in adopting the new technology to align their business processes and were successful in creating synergies between the two. Public sector banks already had massive physical infrastructure, and making these banks IT-enabled required Business Process Re-engineering (BPR). Technology deployment is slow in these banks for this reason. The main focus of banks until now has been on deploying the technology. The main challenge from now onwards for all banks will be to get customers to use the technology and to reduce transaction costs and data theft related to cyber-crime.

With this focus on IT, there is a requirement to analyze the impact of IT and other technological changes on the efficiency of Indian commercial banks. Therefore, in recent times, the Indian banking industry has been consistently working towards the development of technological changes and their usage in banking operations to improve efficiency. To get the benefits of enhanced technologies, Indian banks are continuously encouraging investment in information technology (IT), i.e. ATMs, e-banking or net banking, mobile and telebanking, CRM, computerization in the banks, increasing use of plastic money, establishment of call centers, etc. RBI has also adopted IT in endorsing the payment system's functionality and modernization on an ongoing basis through the development of Electronic Clearing Services (ECS), Electronic Funds Transfer (EFT), Indian Financial Network (INFINET), a Real-Time Gross Settlement (RTGS) System, Centralized Funds Management System (CFMS), Negotiated Dealing System (NDS), Electronic Payment Systems with the Vision Document, the Structured Financial Messaging System (SFMS) and India Card, a domestic card initiative, implemented recently (2011).
Therefore, the Indian banking environment has become more compatible with the standards of the international financial system through the positive impact of all these efforts. Today's banking business cannot exist without dependence on IT, mainly because of the need to service customers in a better way and increase profitability. Realizing the need for banks to adopt technology and use IT to a large extent, the Reserve Bank brought out the Financial Sector Vision Document, "FST Vision", in the Annual Policy Statement 2005-06, aimed at providing banks with inputs on the approach being taken by the Reserve Bank in the implementation of IT for the financial sector. The corporate objective was: "Enabling banks to leverage on IT for better customer service, improved housekeeping and overall systemic efficiency."

To date, banks have come up with various services for their customers. Following are some initiatives taken by banks to help customers get easy access to banking services.

Net banking: Net banking is conducting one's banking or bank account online. The system is updated automatically and immediately after every transaction; in other words, it is updated "on-line, real time". It removes geographical disparities and hence provides customers with an efficient way to perform banking activities from anywhere.

Mobile banking: Mobile banking (also known as M-Banking, SMS Banking etc.) is a term used for performing balance checks, account transactions, payments etc. via a mobile device such as a mobile phone.

Insta alerts: Insta-alert service means that whenever a transaction is performed by a bank customer, the details of the transaction are sent immediately to the customer's mobile. This service is available free of cost.

Credit cards: A credit card is a plastic card used as a system of payment on credit. It allows its holder to buy goods and services from his/her premises. It provides ease and power of purchase. It can also be used in case of emergencies. But it does involve a high interest rate and online frauds.

ATM cum Debit cards: An ATM cum debit card enables the customer to draw money at any ATM centre or use it as a substitute for money. Debit cards cannot be used for deferring bill purchases and have preset spending limits.

Charge cards: Charge cards allow the customer to pay on credit, but any outstanding balance must be paid off in full every month.

Smart cards: A smart card is a multipurpose card that can be loaded with data used for telephone calling, electronic cash payments and other applications.

Stored cards: Stored-value cards hold monetary value on the card itself, not in an externally recorded account, which provides a way to make financial transactions.

Core banking: It is a comprehensive and integrated business where the services are provided by a group of networked bank branches. Bank customers can access their funds from any branch.

Shopping: The debit or credit cards provided by the banks can be used for online purchases. This helps the customer to purchase any good or service from any convenient place.

Ticket booking: Online ticket booking is also made possible by the use of credit or debit cards.

E-cheques: It is an electronic fund transfer that withdraws money directly from the bank account. It is like writing an electronic cheque.

All the above technology-aided facilities have proven to be a boon to bank customers. With the help of these facilities they have been able to perform transactions faster and better.

IMPLICATIONS OF THE IT ACT 2000 AND ITS OBJECTIVES IN BANKING SECTOR:

This is an Act to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government agencies and further to amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891 and the Reserve Bank of India Act, 1934 and for matters connected therewith or incidental thereto.

Objectives of the Act related to the banking sector:

- To grant legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", in place of paper-based methods of communication;
- To give legal recognition to digital signatures for authentication of any information or matter which requires authentication under any law;
- To facilitate electronic filing of documents with Government departments;
- To facilitate electronic storage of data;
- To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions;
- To give legal recognition for keeping of books of accounts by bankers in electronic form;
- To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934.

Thus the new Section 43-A, dealing with compensation for failure to protect data, was introduced in the ITAA-2008. This is another watershed in the area of data protection, especially at the corporate level. As per this Section, where a body corporate is negligent in implementing reasonable security practices and thereby causes wrongful loss or gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. The Section further explains the phrase "body corporate" and, quite significantly, the phrases "reasonable security practices and procedures" and "sensitive personal data or information".

Thus the corporate responsibility for data protection is greatly emphasized by inserting Section 43A, whereby corporates are under an obligation to ensure adoption of reasonable security practices. Further, what is sensitive personal data has since been clarified by the central government vide its Notification dated 11 April 2011, giving the list of all such data, which includes passwords, details of bank accounts or card details, medical records etc. After this notification, the IT industry in the nation, including tech-savvy and widely technology-based banking and other sectors, became suddenly aware of the responsibility of data protection, and a general awareness increased on what data privacy is and what the role of top management and the Information Security Department in organisations is in ensuring data protection, especially while handling customers' and other third-party data.

Security practices a bank can follow are as below:

- Site certification
- Security initiatives
- Awareness training
- Conformance to standards, certification
- Policies and adherence to policies
- Policies like password policy, access control, email policy etc.
- Periodic monitoring and review

Adjudication: The first adjudication obtained under this provision was in Chennai, Tamil Nadu, in a case involving ICICI Bank in which the bank was told to compensate the applicant with the amount wrongfully debited in Internet Banking, along with cost and damages, in April 2010.

The next Act that was amended by the ITA is the Reserve Bank of India Act, 1934. In Section 58 of the Act, sub-section (2), after clause (p), a clause relating to the regulation of funds transfer through electronic means between banks (i.e. transactions like RTGS and NEFT and other funds transfers) was inserted, to facilitate such electronic funds transfer and ensure legal admissibility of documents and records therein.

e-Records Maintenance Policy of Banks:

Computerization started in most of the banks in India from the end of the 80s in a small way, in the form of standalone systems called Advanced Ledger Posting Machines (a separate PC for every counter/activity), which then led to the era of Total Branch Automation or Computerization in the early or mid 90s. TBA or TBC, as it was popularly called, marked the beginning of a networked environment on a Local Area Network under a client-server architecture, when records used to be maintained electronically on hard disks and on external media like tapes for backup purposes.

Ever since the passing of the ITA and the according of recognition to electronic records, it has become mandatory on the part of banks to maintain a proper computerized system for electronic records. Conventionally, all legacy systems in the banks have a record maintenance policy, often with RBI's and their individual Board's approval, stipulating the period of preservation for all sorts of records, ledgers, vouchers, registers, letters, documents etc.
Thanks to computerization and the introduction of computerized data maintenance, and often computer-generated vouchers also, most of the banks became responsive to the computerized environment and quite a few have started the process of formulating their own Electronic Records Maintenance Policy. The Indian Banks' Association took the initiative in bringing out a book on Banks' e-Records Maintenance Policy to serve as a model for use and adoption in banks, suiting the individual bank's technological set-up. Hence banks should ensure that an e-records maintenance policy with details of e-records, their nature, their upkeep, the technological requirements, off-site backup, retrieval systems, access control and access privileges initiatives is in place, if not done already.

On the legal compliance side, especially after the Rules were passed in April 2011 on the Reasonable Security Practices and Procedures as part of ITAA 2008 Section 43A, banks should strive to prove that they have all the security policies in place, like compliance with ISO 27001 standards etc., and that e-records are maintained. Besides, the certificate to be given as an annexure to e-evidences, as stipulated in the BBE Act, also emphasizes this point of maintenance of e-records in a proper manner, ensuring proper backup, ensuring against tamperability, and always ensuring confidentiality, integrity, availability and non-repudiation.

This policy should not be confused with the Information Technology Business Continuity and Disaster Recovery Plan or Policy, nor with the Data Warehousing initiatives. The focus of each of these three policies (BCDRP, DWH and E-records Maintenance Policy) is different, each serving different purposes, using different technologies and maybe coming under different administrative controls at the managerial level.

IT Governance and Management Systems in Banking:

With the increasing importance of financial systems in the global and domestic economies and the ever-increasing regulatory compliance requirements, banks are also automating risk assessment and management systems. IT governance and management is increasingly acquiring importance, with board-approved governance policies, alignment of business and IT teams and realignment of organization structures for the smoother implementation of IT projects. Organization structure has been defined, ensuring all the requirements of business with respect to IT projects, enhancements to applications and infrastructure, backup, finance and budgets and IT governance. The Responsibility Accountability Consulted Informed (RACI) Matrix has also been defined to better clarify the roles and responsibilities and segregation of duties.

Business and IT teams have to increasingly work together on new IT initiatives to meet business goals. The IT Strategy Committee has representation from IT as well as from business and operations. Involvement and interaction is facilitated across the board based on the constitution of the project teams and the steering committee. The IT project management process defines the documents/templates required for all IT projects, with clear roles and responsibilities for the completion of these templates. The IT Steering Committee plays a vital role in ensuring that the IT strategy is implemented as envisaged by the senior management.

Here are some of the tools being used to enforce and improve IT governance:

- The IT Governance Portal contains all the IT policies, workflows, procedures and templates. Links to important and interesting websites such as itgi.org, itil.org and isaca.org are available. There is a schedule for IT training programs. A link is also available for feedback and queries on IT processes.
- The Universal Service Desk (USD) tool is for users to log calls for various service requests, incidents and change requests, to name a few.
- The Control and Compliance Suite (CCS) tool has the capabilities of mapping various standards/compliances to IT policies.
- The COMET (COmpliance and MEasurement Techniques) process, a self-assessment exercise using tools persuading process owners to confirm adherence to established processes, has been implemented. The periodic scorecards of processes based on self-assessment have been published.

Nowadays, banks have their own IT risk management policy to assess the risk involved through IT. The objective of the IT risk management policy is to ensure that IT risks are identified, assessed and managed for infrastructure and applications within the operating environment of the bank. Banks have an IT risk management policy approved by the board, which is regularly reviewed and updated, considering the changing technology landscape within and outside the bank.

The policy is applicable to all personnel and/or processes related to IT applications, IT infrastructure, IT services, vendors and documents for the applicable bank locations in scope. The risk management policy document encompasses all aspects such as physical/logical security, encryption, remote access, intranet/internet, password and network security. The risk management framework includes risk assessment, risk reporting, risk treatment and residual risk monitoring.

People risks to IT in terms of Security, Awareness and Availability (in Banking):

Banks should focus on the development of a comprehensive awareness strategy to augment technology and process controls. This is with a view to bringing about a behavioral change, rather than just educating employees about what the desired behavior should be. Focused efforts from senior management help in changing attitudes and encouraging a security-minded culture. This endeavor motivates the bank's employees to keep themselves informed of information security risks and remediate them in a timely manner for their respective units. Here is a list of our key awareness initiatives:

- There is a theme-based approach to spread awareness of the importance of security. The security policy can be broken into simple and understandable points.
- Posters are a means of passive reiteration at various touch points in a bank. Simple themed posters can carry IT security messages illustrated in the form of interesting images.
- Videos and films can emphasize good and bad security behavior and convey the bank's stand in a dos and don'ts format using animated characters.
- A mandatory online e-learning course can cover the key elements of the information security policy of the bank and can be attached to an online certification for the completion of the course.
- There are online quizzes to spread awareness.
- Employees who do not comply with the bank's policy should be given warning memos and should be asked to leave through the HR process in case of serious issues.

A full-time awareness manager may be appointed to raise awareness levels and provide appropriate training so that employees can protect their confidential electronic information; understand risks when using and storing electronic information; reduce risks to the confidentiality, integrity and availability of confidential electronic information; and understand the roles and responsibilities for the protection of information and systems.

Through training, reward programs and global awareness, banks can take a constructive and proactive approach to security, which is making a positive difference for their business. Security-positive behavior should be encouraged by making attendance at the security awareness training mandatory, publicizing security successes and failures throughout the organization, and linking security to personal performance objectives/appraisals.

ICICI Bank Held Liable for Phishing (CASE)

Phishing is a very common type of cyber crime occurring in India. On April 12th 2010, the adjudicator of Tamil Nadu, Sri PWC Davidar, pronounced a landmark judgment in respect of a complaint lodged with him under ITA 2000 by a customer of ICICI Bank who had lost Rs 6.46 lakhs through phishing. The award directed the Bank to pay the customer the amount fraudulently transferred in the phishing transaction along with expenses and interest, amounting to a total of Rs 12.85 lakhs.

It was interesting to note that the Adjudicator, amongst other things, pointed out that ICICI Bank did not use Digital Signatures for its normal e-mail communications with customers as required under ITA 2000 and RBI guidelines.

The Adjudicator also pointed out that the amount was transferred from the victim's account to the fraudster's account, which was also kept in the same Bank, and that the Bank later found that the fraudster had provided a false address at the time of opening the account and had become untraceable, indicating further negligence in following the KYC guidelines under the Anti-Money Laundering Act.

The Adjudicator found the Bank liable under Section 85 of ITA 2000 for lack of due diligence. This was the first such award given by any Adjudicator in India and could be a forerunner to an overhauling of the information security policies and procedures in banks. The judgment also highlights the need for banks and other organizations to assess Section 85 risks through an appropriate ITA 2008 compliance audit and initiate the necessary risk mitigation steps.

Section 66C - Mphasis-Citibank (CASE)

IDG News Service - BANGALORE, India -- Former employees of a call center in Pune, India, were arrested this week on charges of defrauding four Citibank account holders in New York, to the tune of $300,000, a police official said.

The three former employees of Mphasis BPO, the business process outsourcing operation of Bangalore software and services company Mphasis BFL Group, are charged with collecting and misusing account information from customers they dealt with as part of their work at the call center, according to Sanjay Jadhav, chief of the cybercrime cell of the Pune police.

"Either in goodwill or on false pretenses, they also obtained the [personal identification numbers] from these account holders in the course of their work," Jadhav said. The three former employees and their accomplices then used the services of SWIFT (Society for Worldwide Interbank Financial Telecommunication) to transfer funds from these accounts to their own accounts and fake accounts that were created for this purpose in Pune, he added.

Mphasis officials declined to comment on the matter. The Pune operation of the company runs a call center for New York-based Citibank N.A., a subsidiary of Citigroup Inc. The police acted on a complaint from Citibank, which was alerted when account holders noticed suspicious transactions in their accounts, Jadhav said. Citibank officials weren't immediately available for comment.

Police arrested 12 people, three of whom were employees of Mphasis BPO in Pune until December last year. When they quit their jobs, the three employees carried with them the details of the four accounts and used a number of subterfuges, including false e-mail accounts and account details, to transfer funds into accounts in Pune, Jadhav said.

"We caught one of them on Monday when he came to a bank in Pune to inquire about one of the accounts," Jadhav said. "After that, we were able to arrest the others."
The outsourcing of call center and other business processes from the U.S. and the U.K. to Indian companies has been criticized by many organizations, including U.S. and U.K. workers' unions, which complain that members are losing jobs as a result of offshore outsourcing. One of the key issues that has been raised is the danger of data theft and misuse.

The threat of data theft and misuse is no higher in India than in other countries, including the U.S., according to the National Association of Software and Service Companies in Delhi. The organization maintains that Indian outsourcing companies have adequate security systems in place.

7. After section 72 of the principal Act, the following section shall be inserted, namely:

72A. Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.

According to Gartner, the market research firm, the size of the global Business Process Outsourcing market by 2007 will be $173bn, of which $24.23bn will be outsourced to offshore suppliers. India is currently the leading offshore destination for business process outsourcing (BPO). However, in the wake of some well publicized data protection and security lapses in recent times, foreign companies had begun to doubt whether India is a safe place for their customers data. In order to resolve these concerns the Indian Government, working in collaboration with industry representative body the National Association of Software and Service Companies (NASSCOM), is now in the process of amending the current Indian Data Protection law, as well as setting up a self-regulatory body to establish security guidelines and monitor any data protection breaches. Recent Data Protection Leaks in India1 In April 2005 three employees of Mphasis, a Bangalore-based outsourcing company, were arrested for allegedly stealing $350,000 from Citibank account holders in New York, by acquiring passwords to the holders bank accounts. In June 2005 an IT employee in Delhi was reported by a UK newspaper, The Sun, to be prepared to sell confidential information on 1,000 banking customers to one of its reporters. In August 2005 the Australian current affairs program, "Four Corners," reported that one of its journalists had been offered personal data about 1,000 Australians. Changing the Law2 When the European Union Data Protection Directive came into force in 1998, doubts were raised as to whether India met the requirements regarding the Article 25 prohibition on the transfer of personal data from the EU to a country outside the EU with a less stringent data protection than the EU. The U.S. met this prohibition by negotiating the Safe Harbor agreement. The Indian government, despite being lobbied by NASSCOM to update its data protections laws, did not act, in the hope that the problem would go away. 
However, the Indian government reversed this policy with the announcement by Prime Minister Manmohan Singh that he had directed the Department of Information Technology to revise the current data protection laws. In late August 2005, the Ministry's Expert Committee issued its recommendations. Rather than enact a new law, the Expert Committee has proposed amending the existing Indian Information Technology Act 2000. The amended Act will require BPO firms to implement and maintain reasonable security practices and appropriate procedures to protect sensitive personal data. Any BPO contractor who negligently fails to comply with the above will be liable to pay compensation of up to 10 million rupees (approximately 100,000 at current rates) to any person who suffers harm as a result. The amended Act will also render employees who dishonestly remove data from a database without permission liable to imprisonment for up to one year and/or a fine of up to 200,000 rupees (approximately 2,000). Existing provisions of the Act provide that persons who remove data from databases without permission are liable to pay compensation of up to ten million rupees to those persons harmed by such removal.

Self-Regulation by the Indian BPO Industry [3]

In June 2004, NASSCOM officials launched a Trusted Sourcing Initiative. Further to this initiative, NASSCOM released a survey benchmarking Indian corporate security practices against those of their counterparts in the UK and U.S. The survey showed that levels of data security in Indian companies compare favorably with their foreign counterparts. In July 2004, the industry reported a 40% increase in network and employee security spending from 2003. In August 2004, NASSCOM announced that it had engaged Ernst & Young and PricewaterhouseCoopers to perform an industry-wide security audit of its 860 member companies, especially those processing banking, credit card, insurance and health information. Furthermore, companies are working together to compile a national database of employees in the outsourcing industry to help them monitor their BPO workforce. In addition, NASSCOM has provided training for Indian police officers in cyber-crime fighting tactics.

More Recently

NASSCOM is initiating an employee registry program, the National Skills Registry, to compile a national database of employees in the outsourcing industry.
It is administered by a third party through a professional reference checking company that conducts background checks on workers, rendering referral checks more stringent and assisting major BPO companies to monitor their workforce [4]. NASSCOM states that this registry currently contains 70% of the IT workforce. Furthermore, NASSCOM has announced its intention to set up a code of conduct and an independent regulatory body, modeled on the Irish Institute of Chartered Accountants, to establish security guidelines and monitor any breaches. This independent body will receive initial funding of $300,000; thereafter, membership dues will cover its ongoing operating costs and ensure its independence. It will be run by a CEO, whom NASSCOM hopes to hire within the next 6 months, and a board of members from across the industry. Sunil Mehta, vice-president of NASSCOM, said that the independent body would have the unique mandate to audit its members as well as to punish those not compliant with regulations. Such punishments will include expelling members, or law enforcement [5]. Currently, some 1,050 companies (representing 98% of the Indian IT industry) have agreed to become members of the new independent body [6].

Conclusion

In the light of the current discrepancies between the EU Data Protection Directive and the India Information Technology Act, and India's recent data protection leaks and breaches, the news that India is making efforts to put its data privacy "house" in order will interest those organizations that have offshored or may now be contemplating offshoring. India is coming under increasing competition from up-and-coming locations, such as China, Eastern Europe and the Philippines. As the offshoring landscape changes, India can ill afford to rest on its laurels and give ammunition to its critics. The steps India is now taking to become "data secure" will help it remain at the forefront of offshoring locations for some time to come.
