Application Security , Cybercrime , Fraud Management & Cybercrime

More Than Half of Indian Loan Apps Illegal, RBI Panel Finds

Working Group Highlights Malpractice, Suggests Minimum Standards for Better Security
More Than Half of Indian Loan Apps Illegal, RBI Panel Finds
The RBI plans to regulate the digital lending space. (Image: ISMG)

Critical issues in India's digital payments space have been identified by a Reserve Bank of India working group that has recommended new regulatory frameworks, technological upgrades and guidelines to prevent fraud and address other issues.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The working group comprised stakeholders from financial institutions, government bodies, law enforcement agencies, academics and financial technology firms, according to India's lead financial regulator. It sought to maintain neutrality toward technological differentials, adopt a principle-backed regulation instead of a rule-based system and ensure a level playing field and market integrity, the RBI report says.

Illegal Apps

The working group report found that of the 1,100 digital lending apps on 81 Indian app stores, 600 were illegal. Of that 600, 350 were unique apps, while the rest were emulating legitimate lending apps, it says.

Several illegal and fake apps have now been taken down, says Rahul Sasi, a member of the RBI working group and CTO of Indian cybersecurity firm CloudSEK, who did not specify the number removed.

In March, the RBI identified and blocked 27 fraudulent lending apps, according to a Financial Express report.

To weed out fake apps, the working group says software publishers must use digital signatures to enable end users to verify authenticity. The National Security Council Secretariat's new privacy and security project I-CAMPS will also help in weeding out fake and illegal lending apps, Sasi says.

Loan Recovery

Sasi tells Information Security Media Group that many digital lending apps - and not just the fake ones - used "illegal and unscrupulous" methods to recover loaned money.

Consumers could borrow small amounts of money - 4,000 rupees to 10,000 rupees, or $54 to $134 - from any of the thousands of lending apps available, he says. "When they were unable to repay the borrowed money, some lending firms would use the access they had to the customers' contacts and media, create WhatsApp groups with the borrowers' family members, and shame the customers and accuse them of fraud," Sasi says.

The harassment has even led to some customers committing suicide, he adds. As of January, there were at least six such deaths reported.

Amala Halder, a legal consultant and former advocate at the High Court of Calcutta calls the practice "shocking" and tells ISMG that as a practicing lawyer, she often came across harassment cases in which lending apps used "inhuman means of recovery for even meager sums of money."

The RBI is bringing a new law to regulate the digital lending space, which is likely to entail compliance guidelines as well, she says. "The best bet for borrowers is to stay alert and use only nonbanking financial companies registered with the RBI for lending. The list is on the RBI website."

The working group also recommended that balance sheet lending through digital lending apps be restricted to entities regulated and authorized by the RBI. Loan servicing and repayments must be executed directly in a bank account of the balance sheet lender and disbursements should always be made into the bank account of the borrower, it adds.

Use of CIBIL Scores

Banks in India determine a borrower's ability to repay loans based on CIBIL scores, which are calculated on the basis of credit history.

Several digital lending firms did not use Credit Information Bureau of India Limited, or CIBIL, as the mechanism for underwriting as the loan amounts were small. Instead, they relied on customers granting full access to their mobile devices, Sasi says.

"One of the recommendations the working group has put forth is that all digital lenders will mandatorily have to approve or turn down loans based on CIBIL scores only."

Some digital lending platforms exploit users' lack of financial awareness and charge them exorbitant interest rates, Rahul Pratap Yadav, chief business officer and strategy at digital payments firm iMoneyPay and former senior vice president at Yes Bank, tells ISMG. He adds that digital lenders ensnare other customers through multilevel marketing and by offering them referral bonuses.

The lack of awareness on privacy and absence of regulatory mandates protecting user identity has also contributed to the list of challenges in the digital lending space, Yadav notes.

He recommends that digital lenders "have the right checks and balances in the app, and educate borrowers on financial fraud and getting into bad debt because of financial irresponsibility."

The Indian digital lending space is also home to several China-based actors, according to the working group. "Anyone that had access to money and can build an app is capable of becoming a digital lender," Sasi says.

Many of these unregulated digital lending apps charge 10% to 15% monthly interest, making the lending market a lucrative business for companies trying to make a quick buck, he says.

Other Recommendations

The RBI working group recommends setting up a secretariat that will verify the technological credentials of lenders in the digital lending ecosystem and a self-regulatory organization to oversee the lending platforms.

It also recommends baseline technology standards for digital lending apps of regulated entities. The standards are to include secure application logic and secure application code, keeping event logs of user activity along with their geolocation, IP address and device information.

And digital lending firms must implement a multistep approval process for critical activities and monitor transactions processed on the app in an auditable manner, according to the RBI report.

The working group also recommends measures to ensure protection of sensitive data and protection from SQL intrusions, along with adopting appropriate data encryption technologies.

Also, when people are discriminated against by legitimate lenders, they may be forced to borrow from questionable sources that may open them up to fraud risks. Consequently, the group says it is important to consider the possibility of bias creeping into AI algorithms that digital lenders use for underwriting, Yadav says.

"Biases have been noticed in AI algorithms in the U.S. and Europe as well. It was observed that certain demographics were not given loans. So gaining visibility in the algorithm is an important recommendation."

The RBI working group recommends that algorithm auditing should point at minimum underwriting standards and potential factors that may lead to discrimination.

About the Author

Soumik Ghosh

Soumik Ghosh

Former Assistant Editor, Asia

Prior to his stint at ISMG, Ghosh worked with IDG and wrote for CIO, CSO Online and Computerworld, in addition to anchoring CSO Alert, a security news bulletin. He was also a language and process trainer at [24] Ghosh has a degree in broadcast journalism from the Indian Institute of Journalism & New Media.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.