Multi-country payroll outsourcing (MCPO) in the Americas has been steadily growing in popularity over the last five to ten years, but one big issue is still holding it back: security.
As nearshore vendors encourage the technological transformation of MCPO with automation, big data, business analytics, mobility, and cloud solutions, the question of whether sensitive HR and employee data can be 100% secure becomes much more difficult to answer.
“In terms of human resources (HR) information, security has been a major issue in the region,” said Raimundo Diaz, Head of Americas at TMF Group, a provider of MCPO services. “Around half of the client companies we speak to don’t have secure systems for their HR and payroll processes. The most extensive piece of HR software is still Microsoft Excel, which says it all.”
Typical Security Concerns
The main security concern with MCPO is the unauthorized access and use of sensitive payroll information. “This is a problem that can arise in a whole lot of outsourcing constructs, but it is more complex in the case of MCPO,” said Anil Vijayan, Practice Director at Everest Group. “You have a lot of geographies in such a construct, meaning there are multiple people in multiple countries handling the data. Furthermore, although MCPO for a buyer would be attached to one particular vendor, there is typically a partner network that the vendor uses in an aggregated model.”
This additional network of partners is harder for buyers to control than the single chosen vendor, creating a “buyer beware” situation in which extensive due diligence should be performed to ensure the data doesn’t fall into the wrong hands. In this case, it pays to go with larger vendors who are already trusted and well-established, as their partner network is more likely to be highly reliable.
“Data security tends to be easier to manage when you have a lower number of moving parts,” said Vijayan. “In that sense, the pure platform model, in which a single vendor uses its own platform to process the data, would lend itself best to MCPO for better security and control.”
Latin America has commonly been known as a region that needed to mature in the MCPO space, but Luis Volpon, Head of HR & Payroll Solutions for Americas at TMF Group, has seen it climb out of that reputation in recent years. “There is clearly an identified need, especially from multinationals, who realize that payroll is a ‘know-how’, and outsourcing it to professionals who know it well is an advantage for them. We often see that when multinationals enter a country fresh, they instantly look at outsourcing as a first option. The situation is not the same when you look at local companies, as they still have reservations about outsourcing to third parties.”
As well as being a concern for clients, Diaz believes that security will be one of the biggest issues for governments too, as they begin to further enforce privacy when it comes to employee data. “It’s a risky thing, because if you have access to the payroll of a large organization, the information that you have is just staggering,” said Diaz.
Furthermore, with offshore and nearshore outsourcing, the value of payroll data can be much higher than the wages that companies are paying, so there is a greater incentive to acquire data maliciously.
Framework of an MCPO System
There are generally two dimensions to a pure platform MCPO system: the repository of information (usually spread out across multiple databases) and the exchange of that information. It is critical that both are 100% secure, because information has to be exchanged internally with very little risk of leaks or data breaches.
The most complex and challenging part of developing an MCPO system is the lack of customer knowledge in certain jurisdictions where payroll is simple, according to Diaz. “Sometimes it takes us time to educate clients about the more complex payroll systems in other countries,” he said. “They have to realize that there are legal implications, tax implications, and labor law implications. Once that hurdle has been overcome, we find that customers quickly warm to the system.”
Mitigating Risk & Sharing Responsibility
Much of the risk with MCPO lies in people gaining access to information, not so much by hacking the system as through “social hacking,” in which people convince a co-worker to give them access, and through malicious insiders. The only way to limit this threat is to make sure clients are educated and realize how much security depends on them too. “They need to understand the implications of weak passwords, not renewing passwords, and not applying classic security protocols,” said Diaz. “Access to MCPO information is segmented, so it’s the company who decides who has access to what. Employees will only have access to their own information, but no more.”
In that sense, it’s vital that the responsibility for security is shared between the client and the MCPO provider. This means a lot of communication and transparency, so providers can be aware of new employees entering the company and old ones leaving, to make sure there are no eventual leaks from staff departures. “Only the supervisors have full visibility of the information,” said Diaz. “Even as head of the region I don’t have full access to everything, so if I asked for access I wouldn’t get it due to the ISO rules that we follow.”
Furthermore, security can be increased by blocking access to USB ports, so no files can be copied onto external flash drives and removed from the building. You can also create dummy data sets that use fake information that is linked to the original information in another location.
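Added example, not part of the original article: one way to build such a dummy data set is keyed tokenization, where the working copy holds only fake values and a separately hosted vault links each token back to the real record. The field names, the in-memory vault and the "supervisor" role string (echoing the supervisor-only visibility described above) are assumptions for illustration.

```python
import hashlib
import hmac

# Fields treated as sensitive here are an assumption; the article names none.
SENSITIVE = ("name", "national_id", "bank_account", "gross_salary")

# Constructed sample record, not real data.
SAMPLE = {"employee_id": "E-1001", "country": "MX", "name": "Ana Example",
          "national_id": "ID-000-CONSTRUCTED", "bank_account": "ACCT-0000-0000",
          "gross_salary": 42000}


class TokenVault:
    """Stand-in for the separately hosted store linking dummy rows to real data."""

    def __init__(self, key: bytes):
        self._key = key      # kept only in the vault's location
        self._real = {}      # token -> original sensitive fields

    def token_for(self, country: str, employee_id: str) -> str:
        # Keyed HMAC: stable per employee, not derivable without the key.
        msg = f"{country}:{employee_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def pseudonymize(self, record: dict) -> dict:
        """Store the real values in the vault and return the dummy row."""
        token = self.token_for(record["country"], record["employee_id"])
        self._real[token] = {f: record[f] for f in SENSITIVE}
        dummy = {"token": token, "country": record["country"]}
        for field in SENSITIVE:
            dummy[field] = f"DUMMY-{field}-{token[:6]}"
        return dummy

    def resolve(self, token: str, role: str) -> dict:
        """Return the real values; only the supervisor role may re-link."""
        if role != "supervisor":
            raise PermissionError(f"role {role!r} may not resolve payroll tokens")
        return dict(self._real[token])


def demo() -> tuple:
    vault = TokenVault(key=b"constructed-demo-key")  # use a managed secret in practice
    dummy = vault.pseudonymize(SAMPLE)
    return vault, dummy
```

A copy of the dummy rows that leaves the building exposes no real payroll values; re-linking requires both the vault and a role allowed to query it.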
Ultimately, due to the nature of risk in MCPO, there is no way to completely eliminate it, but through the use of technology, the vetting of partner networks, strict vetting of employees, and other process checks, there are plenty of ways to mitigate it.