The disturbing facts about India's know your customer data leaks

An RBI committee, in a report released in November last year, suggested reining in the digital lenders and an array of other measures to protect customers. (Photo: Mint)
Updated: 29 Mar 2022, 01:57 AM IST | Shayan Ghosh

MUMBAI : In November 2011, India’s Railway Board sent out a circular to the chief commercial managers of all zonal railways. Tatkal tickets—those booked for journeys at short notice—could henceforth be issued only when a prescribed proof of identity, such as a passport or permanent account number (PAN) card, was produced by the passenger. The details of this identity proof had to be captured by the reservation system and indicated on the reservation chart. In those days, such charts were pasted both on the coaches and at railway stations.

Once the system was implemented, there was a flood of complaints. The Railways wanted to curb irregularities in the tatkal scheme but, unwittingly, it also became one of the largest sources of customer data leaks.

(Chart: Growing unease)

Traders, for instance, could have used the publicly displayed PANs for benami transactions, in which a fictitious name is used to trade. Direct marketing companies, it is said, started employing people to photograph railway reservation charts.

The names, ages and identity proof numbers were then sorted by the clients they were sold to, mostly agents selling insurance, loans and other financial products. The price for one customer’s data could range from 50 paise to as much as ₹10, depending on whether the records had been sorted through specific filters or simply put together as a large data dump, says an industry executive aware of such sales.

Data privacy in India, the executive added, was a concept few knew about a decade ago. Frighteningly, little is known still. “Our mobile numbers, addresses and email ids are all available in the market for a price," he says.

Things appear to have taken a sharp turn for the worse now.

A decade ago, leaked data were, by and large, used by the outbound call centres of product and services companies for cold calling. Recent instances show that data breaches can cripple people’s finances or even their future prospects of obtaining financial products such as loans.

Not my loan

Earlier this year, hundreds took to social media platform Twitter. To their surprise, they found that their credit reports, from bureaus like Transunion Cibil, reflected loans they never took. The lender in these cases was Dhani Loans and Services Ltd, earlier known as Indiabulls Consumer Finance Ltd.

The loan records carried the complainants’ own PANs. The other details, however, such as addresses, dates of birth and mobile numbers, did not match.

32-year-old Ranjan Patel, a stock market trader from Gurugram, was one of those in for a shock. His credit score, a measure of one’s ability to repay a loan, had fallen from 850 in May 2021 to 682 in February 2022. The cause of his misery: a mysterious unpaid loan of ₹10,000 taken in his name from Dhani.

Patel got in touch with Moneylife Foundation, a non-governmental organization with journalists Sucheta Dalal and Debashis Basu as founding trustees. The organization promotes financial literacy and helped rectify the error.

“My score is gradually improving," says Patel.

Although the exact number of such loans is unknown, the whole episode forced Dhani to slow down onboarding of new customers and focus on tightening its processes instead. The company also decided to write off these loans after verifying claims. In a statement last month, the lender’s spokesperson said it is speaking to all the complainants, establishing if there has been a case of identity theft. The company was also rectifying their records with the credit bureaus.


What happened at Dhani is not an isolated incident and such know your customer (KYC) breaches have been common in the financial services sector for a few months now, industry watchers say. The KYC process verifies the identity of customers for a product or service.

The affiliate problem

In December last year, reports of KYC leaks at Navi Finserv Pvt Ltd, the financial services startup launched by Flipkart co-founder Sachin Bansal, started doing the rounds. The company was reportedly sending unsolicited text messages to people attaching their unmasked PAN numbers—a sign that it already had access to such sensitive KYC data.
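As an added illustration (not code from the article, nor from Navi or any lender it names), here is the kind of outbound-message gate that would have stopped an unmasked PAN from leaving in an SMS campaign. The PAN format rule (five letters, four digits, one letter, with the fourth letter encoding the holder type) is public; the masking policy of revealing only the last four characters, the sample message, the PAN in it and the function names are assumptions made for this example.

```python
import re

# Structural PAN rule: AAAAA9999A. The fourth letter encodes the holder type
# (P = individual, C = company, and so on); there is no public checksum digit.
PAN_RE = re.compile(r"\b[A-Z]{3}([A-Z])[A-Z]\d{4}[A-Z]\b")
# AOP, BOI, company, firm, government, HUF, juridical person, local authority,
# person, trust: the holder-type letters the format allows.
HOLDER_TYPES = set("ABCFGHJLPT")


def is_valid_pan(token: str) -> bool:
    """Format check only: right shape and a recognised holder-type letter."""
    m = PAN_RE.fullmatch(token)
    return m is not None and m.group(1) in HOLDER_TYPES


def mask_pan(pan: str) -> str:
    """Assumed masking policy for this example: reveal only the last four characters."""
    return "X" * (len(pan) - 4) + pan[-4:]


def redact_pans(text: str) -> tuple[str, int]:
    """Mask every genuine PAN in an outbound message; return (redacted text, count).

    Tokens that merely look like a PAN but carry an unknown type letter are left
    alone, so reference numbers in the same shape do not get mangled.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        token = m.group(0)
        if not is_valid_pan(token):
            return token
        count += 1
        return mask_pan(token)

    return PAN_RE.sub(_sub, text), count


def gate_outbound(text: str) -> dict:
    """What a campaign sender would call: the raw text is never emitted if it held a PAN."""
    redacted, n = redact_pans(text)
    return {"text": redacted, "pans_masked": n, "blocked_raw_send": n > 0}


# Constructed message, as an affiliate template might have looked (the PAN is made up).
SAMPLE_SMS = ("Hi, your pre-approved loan is ready. PAN on file: ABCPE1234F. "
              "Quote ref REFNO1234X to proceed.")

if __name__ == "__main__":
    print(gate_outbound(SAMPLE_SMS))
```

The gate is a last line of defence: a lender that never hands a raw PAN to an affiliate in the first place does not need it, but a check of this shape on every outbound template is cheap and catches the case where the data got there anyway.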

A Twitter user who goes by the handle @spuriousmallu tweeted on 3 December 2021: “So now Navi has my pan card details and phone number. Wonder how did they manage this stunt? Is this Navi the same startup that belongs to the poster boy of internet in India till some years ago?"

A person aware of the incident says that the text messaging campaign was conducted by a third-party marketing affiliate. Typically, fintech companies that engage affiliates are given a guarantee that the data of prospective customers will be collected through fair means and with due consent. In reality, affiliates may employ not-so-fair means.

“As soon as Navi became aware of this instance, it immediately stopped the campaign and the third-party affiliate was issued a warning. The fintech has also strengthened the processes and oversight of public campaigns to avoid any such incidents in the future," the person adds.

An email sent to Navi remained unanswered.

These incidents, nevertheless, underline the lack of scrutiny of digital lenders. They also show how easy it is to duplicate customer credentials such as PAN cards and proof of address. While there are systems in place to deal with such violations, they have not been foolproof, and people manage to get hold of important KYC documents to commit fraud.

The investment gap

So, what leads to the KYC leaks?

While some could be because of lax onboarding standards by the digital lenders, lack of investment in technology is also a key issue, experts say.

“All these leaks have happened despite following the RBI protocols on cyber security," says Srinath Sridharan, independent director at the Fintech Association for Consumer Empowerment (FACE), a non-profit organization that promotes dialogue with policy stakeholders.

The fintech industry body has realized that without a common data repository for all loans, preventing fraud in the digital lending space is a problem. FACE has therefore partnered with credit bureau Equifax to launch a unified fraud data repository, which would let fintechs mitigate fraud in real time using big data.

Other experts believe that only some of the big digital lenders and fintechs are investing in security, while the smaller companies are unable to match that scale. “It must be kept in mind that attempts to breach cyber security occur more in larger companies. In India, where the number of attacks are growing, it is certainly a challenge," says Rahul Sasi, founder of CloudSEK, a company that identifies and removes digital threats. He was also a member of the RBI working group on digital lending set up in January 2021.

It begins with a seemingly innocuous breach that companies say has been plugged, but many of these data leaks have staggered consequences for consumers: the same set of stolen KYC data can be used to seek fraudulent loans from different lenders in the months or years that follow.
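To make the last point concrete, here is an added example (constructed for this page, not code from FACE, Equifax, CloudSEK or any lender) of the two checks a shared fraud repository of the kind FACE describes would run on a new loan application: a PAN-keyed identity-consistency check, which would have caught the Dhani pattern of a matching PAN with non-matching date of birth, mobile and address, and a cross-lender velocity check for the stacking of loans on one stolen KYC set. The data model, the thresholds (two mismatched fields; three lenders in 30 days), the lender names, the PAN and all records are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Application:
    lender: str
    pan: str
    dob: date
    mobile: str      # as captured; normalised before comparison
    pincode: str
    applied_on: date


def normalise_mobile(raw: str) -> str:
    """Compare on the last ten digits so '+91-98765-43210' equals '9876543210'."""
    return re.sub(r"\D", "", raw)[-10:]


class FraudRepository:
    """Constructed in-memory stand-in for a shared, PAN-keyed application store."""

    def __init__(self) -> None:
        self._by_pan: dict[str, list[Application]] = defaultdict(list)

    def report(self, app: Application) -> None:
        self._by_pan[app.pan].append(app)

    def assess(self, app: Application, window_days: int = 30, max_lenders: int = 3) -> list[str]:
        """Return flags for a new application; an empty list means nothing was found."""
        flags: list[str] = []
        prior = self._by_pan.get(app.pan, [])

        # Check 1: the PAN is known, but the rest of the identity disagrees.
        # One differing field can be a genuine change (a new phone); two or more
        # on the same PAN is the signature of a PAN used with someone else's details.
        for p in prior:
            diffs = []
            if p.dob != app.dob:
                diffs.append("dob")
            if normalise_mobile(p.mobile) != normalise_mobile(app.mobile):
                diffs.append("mobile")
            if p.pincode != app.pincode:
                diffs.append("pincode")
            if len(diffs) >= 2:
                flags.append(f"identity_mismatch:{p.lender}:{'+'.join(diffs)}")

        # Check 2: loan stacking, i.e. the same PAN at several lenders in a short window.
        recent = {p.lender for p in prior
                  if 0 <= (app.applied_on - p.applied_on).days <= window_days}
        recent.add(app.lender)
        if len(recent) >= max_lenders:
            flags.append(f"velocity:{len(recent)}_lenders_in_{window_days}d")
        return sorted(set(flags))


# Constructed records; the PAN and the lender names are made up.
PAN = "ABCPE1234F"
GENUINE = Application("LenderA", PAN, date(1990, 3, 14), "+91 98765 43210", "122001", date(2021, 5, 10))
REPEAT = Application("LenderB", PAN, date(1990, 3, 14), "9876543210", "122001", date(2021, 11, 2))
# Same PAN, but date of birth, mobile and pincode belong to somebody else.
IMPOSTOR = Application("LenderC", PAN, date(1985, 7, 1), "9000011111", "400001", date(2022, 1, 20))


def build_repository() -> FraudRepository:
    repo = FraudRepository()
    repo.report(GENUINE)
    repo.report(REPEAT)
    return repo


def demo() -> dict[str, list[str]]:
    repo = build_repository()
    out = {"repeat_customer": repo.assess(REPEAT), "impostor": repo.assess(IMPOSTOR)}
    # Stacking: a consistent identity applying to a third lender within 30 days.
    for lender, day in (("LenderD", 1), ("LenderE", 5)):
        repo.report(Application(lender, PAN, GENUINE.dob, GENUINE.mobile,
                                GENUINE.pincode, date(2022, 3, day)))
    out["stacking"] = repo.assess(Application("LenderF", PAN, GENUINE.dob, GENUINE.mobile,
                                              GENUINE.pincode, date(2022, 3, 9)))
    return out


if __name__ == "__main__":
    for case, flags in demo().items():
        print(f"{case:16s} {flags or 'clean'}")
```

Neither check proves fraud on its own; the point is that a single lender cannot run them, because the evidence (the other lenders' records) only exists in a shared repository. An application that raises a flag should go to manual verification rather than be rejected outright.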

To be sure, many of the lending apps also have flaws. BeVigil, a security search engine by CloudSEK, points out in a report that it scanned widely used neobanking apps and found a wide array of security vulnerabilities, as well as trackers in the apps. Social engineering, malware and phishing are the three main cybersecurity dangers that neobanks and other forms of digital banks face, it stated. The endgame: hackers gain access to a user’s personal information and bank account.

A question of access

Many new-age digital lenders have harsh recovery practices. After a growing number of complaints, particularly during the pandemic, India’s banking regulator, the Reserve Bank of India (RBI), stepped in. An RBI committee, in a 150-page report released in November last year, suggested reining in the digital lenders and an array of other measures to protect customers. As per the findings of the committee, there were approximately 1,100 lending apps available for Indian Android users across 80 application stores between 1 January and 28 February 2021. Of these, 600 were illegal.

Digital lending apps, while allowing quick loans, require users to grant access to the contacts on their phone. Lenders treat such access as a safety net in case a borrower defaults. That said, some lenders crossed a line: their recovery agents incessantly called people on the borrowers’ contact lists. Such access also raises the prospect of data leakage and fraud.

While 30% of the digital lending apps sought permission to access location and camera, 21% sought access to contacts and 11% demanded permission to make phone calls and record audio, the RBI report found. Some of these permissions are needed for parts of the e-KYC process, but without proper safeguards they remain open to abuse.
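A practitioner checking an app against the permission groups the RBI report counted can do it from the app's manifest. The following is an added example (not from the RBI report, CloudSEK or any lending app): it parses a decoded AndroidManifest.xml, maps the declared permissions onto the report's groups, and lists the groups that need a written justification. The sample manifest, the package name com.example.quickloan, the permission-to-group mapping and the assumption that only the camera is routinely needed for photo or video KYC are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups as counted in the RBI report, mapped (assumption) onto the
# Android permissions that grant them.
WATCHLIST = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "phone_calls": {"android.permission.CALL_PHONE",
                    "android.permission.READ_CALL_LOG",
                    "android.permission.READ_PHONE_STATE"},
    "record_audio": {"android.permission.RECORD_AUDIO"},
}

# Assumption for a lending app: the camera is expected for photo/video KYC;
# every other group on the watchlist needs an explicit, documented reason.
EXPECTED_FOR_EKYC = {"camera"}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Every android:name on a <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def audit(manifest_xml: str) -> dict[str, list[str]]:
    """Map declared permissions onto the watchlist groups that are present."""
    perms = declared_permissions(manifest_xml)
    return {group: sorted(perms & names)
            for group, names in WATCHLIST.items() if perms & names}


def needs_justification(manifest_xml: str) -> list[str]:
    """Watchlist groups the app requests beyond what e-KYC plausibly needs."""
    return sorted(set(audit(manifest_xml)) - EXPECTED_FOR_EKYC)


# Constructed manifest for a hypothetical lending app; not taken from any real APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quickloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="QuickLoan"/>
</manifest>
"""

if __name__ == "__main__":
    for group, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{group:13s} {', '.join(perms)}")
    print("needs justification:", needs_justification(SAMPLE_MANIFEST))
```

The manifest inside a shipped APK is stored as binary XML, so decode it first (for example with apktool, which writes a plain-text AndroidManifest.xml) and feed that file to the script. A declared permission is only a request; whether the app actually uploads the contact list is a separate question that needs traffic or code analysis, which is where the trackers BeVigil found become relevant.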

According to RBI’s digital lending report, as more companies go cashless and paperless, the number of apps requesting critical permissions will continue to grow. A blanket ban on lending apps accessing many of these permissions would adversely impact growth. “Hence, the better approach would be to regulate and formulate better standards for cyber security, privacy and fraud, instead of heavy-handed prohibitions," the report states.

Localize the data

During the pandemic came a China scare. Several of India’s digital lenders were tied together by a Chinese connection, until the government, Google’s Play Store and law enforcement stepped in. Many such apps had Chinese nationals as directors.

A Bloomberg report claimed on 14 March that Vijay Shekhar Sharma’s Paytm Payments Bank was penalized by the RBI for allegedly allowing Chinese entities access to information from its servers. Sharma immediately appeared on various news platforms to deny the report. He clarified that Paytm always adhered to India’s data localization guidelines.

Over the past few years, the central bank has tightened data storage norms for institutions it oversees. In April 2018, it had directed that all payment system providers ensure that their data is stored in India. Three large corporations–Diners Club, American Express and Mastercard–were asked to stop issuing new cards in 2021 after they failed to store data in India. Although the RBI subsequently allowed Diners Club to resume issuing cards, the ban on American Express and Mastercard remains.

Self-regulation?

India has regulations to protect personal data. Yet, it has failed to keep up with the times. There is the Information Technology (IT) Act, 2000, which, in some sense, defines sensitive data and personal information that companies using information technology need to take notice of.

“The challenge with the Act is that it does not have a monitoring mechanism and lacks penal provisions if there is a misuse of information," says Parijat Garg, an independent fintech expert.

He points out that the consent architecture in India is quite vague. While one might say that users have consented to something and therefore, he/she is receiving messages from sellers, it cannot be verified or tracked. “The consent (form) might say that the company would share the data with a third-party partner. That could be 100, or 1,000 or even a lakh. There is no way for consumers to know," adds Garg.

India, therefore, needs a strong data protection bill. After it was tabled in 2019, the Personal Data Protection Bill was sent to a Joint Parliamentary Committee which submitted its recommendations last November. The Economic Times reported last month that the government is planning to draft a fresh bill to address data privacy issues.

“To say that India needs a robust data privacy law is an understatement," says Anupam Shukla, partner at law firm Pioneer Legal. Leaked data often ends up for bulk sale on dark web forums available to multiple bidders and finds its way to those who intend to use it to harm computer systems or for unsolicited advertisement or analytics, he adds. In addition to prescribing heavy penalties, India’s privacy law is also expected to set data security standards and mechanisms to be adopted by all organizations.

While we await the law, the fintech industry is working on self-regulation. Some are also trying to promote ethical lending practices. FACE, the fintech association cited earlier, has recently applied for the role of a self-regulatory organization (SRO) based on an RBI framework from October 2020. The RBI believes that SROs would serve as a two-way communication channel between its members and the regulator. Such efforts are small but significant steps towards stronger customer protection.
