(ATF) Cyber security researcher Anurag Sen was rudely jolted in August when he found his contact details among the 389 million phonebook records of the China-based online lending app Moneed’s unprotected database, which had been leaked a few days earlier.
Sen was alarmed not only because the security breach had exposed him, and millions of other Moneed borrowers, to the risk of identity theft and illegal extortion. But also because Moneed, with offices in Hangzhou, New Delhi and Hong Kong, had two Android-based lending apps – called Moneed and Momo and with more than a million downloads – on the Play Store operating in violation of Google’s app store policy.
Sen was also concerned that over the past few months, several reports had alleged that Moneed and many other Chinese microloan apps have been harassing borrowers in India for repayment. A spate of reports about borrowers allegedly ending their lives following humiliation by app-based financiers, had also exposed the risks of instant digital lending in India.
Read More on ATF
While Moneed was quick in issuing a statement stating that it follows all laws and regulations of the country and denied the data breach, both Moneed and Momo are still available for download on the Google’s Play Store along with hundreds of other digital lending apps unauthorized by any financial regulator.
According to a Reuters report last week, at least 10 Indian lending apps on the Play Store, which have been downloaded millions of times, breached Google rules on loan repayment lengths aimed at protecting vulnerable borrowers.
“Over the past year, Cashless Consumers has spotted at least a thousand apps primarily on Play store, but also featuring on other platforms, that steal information and indulge in money extraction in the garb of digital lending,” Srikanth Laxman, a fintech researcher at Cashless Consumer, a consumer collective on digital payments, told Asia Times Financial.
“These apps offer cash-strapped borrowers loans at very high interest rates and then, in many instances, abuse and harass them and follow other coercive practices for recovery,” he added.
Some of these apps apply steep processing fees, as high as 2,000 rupees ($27) on loans of less than 10,000 rupees with tenures of 30 days or fewer, according to a Reuters investigation.
Together with other charges including one-off registration costs, borrowers can pay, in real terms, interest rates as high as 60% per week, some loan details show.
By comparison, Indian banks typically offer personal loans with annual interest rates of 10-20%, and they usually do not have to be repaid in full for at least a year.
A huge population of 350 million smartphone users, second only to China, and cheap mobile data, make India a lucrative target for digital lending platforms. But the pandemic had also been a windfall for these lenders.
According to Cashless Consumers, the unauthorized apps flourished during the lockdown when pandemic-hit borrowers in desperate need for cash turned to these easy sources that lent money at the click of a mouse without any question.
But the apps also ask for permission to access phone contacts when installed, and apart from using that information as a safety net against defaults, the apps use the information to assess the credit-worthiness of the borrowers, many of whom, do not have a formal credit history.
A Reuters review of 50 popular lending apps available on Google Play found that nearly all of them require borrowers to give them permission to access their phone contacts.
“The shadow lending apps are compromising borrowers’ data, using the information for illegal activities like blackmailing and even selling them on the dark web, as well as extracting money,” Pravin Kalaiselvan, a cybercrime investigator and founder of the digital rights group, Save Them India Foundation told ATF.
“Over 95% of the lending apps lend money for as few as 15 days. They are also using the apps to plant bots in borrowers’ phones to snoop on private messages,” he added.
Consequently, the predatory loan apps with high processing fees, short tenures and steep penalty charges on default, are leading many borrowers into a debt trap, and some, to even committing suicide, says Kalaiselvan.
According to Google’s own global policy for its platform “to protect users from harmful or deceitful practices, fintech apps cannot be on the Play Store which have repayments under 30 days, even though no law relating to the same has been passed that would require such action on Google’s part,” the search engine says.
Google, which dominates India’s app market with more than 98% of smartphones using its Android platform, also says its policies are “continuously updated in response to new and emerging threats and bad actors”.
“We take action on apps that are flagged to us by users and regulatory bodies,” it says, adding that many lending apps found violating its policies have also been taken down from the Play Store in India over the past months.
According to fintech industry sources, the modus operandi of these lenders is simple; they register an entity under the Companies Act, develop an app and start commercial lending. Besides, sources have also found most are Chinese white-labelled apps.
“We have traced the origins of hundreds of the shadow lending apps to China, Indonesia, Vietnam, Hong Kong and even Singapore. In fact, Singapore is the hub from where the lending apps reach out to all over Asia,” Sandeep Sahoo, the data security consultant at Save Them India Foundation, told ATF.
They don’t have long-term outlooks, are focused on making a quick buck, and do not even care to register with a regulator, add sources.
And that leads to the other problem.
“In India for instance, the (banking regulator) Reserve Bank of India (RBI) is aware of the scam and is trying to reign in shady lending but its hands are tied,” says Srikanth of Cashless Consumers. “The RBI has no power to regulate lending agencies that are outside the banking system and operate independently. And most online lenders operate in isolation, outside the legal jurisdiction of the regulator and also the states.”
But according to Madhusudan E, co-founder of Fintech Association for Consumer Empowerment however, while a regulator can only do so much, other genuine stakeholders need to be roped in.
“In short, there is law (in India), now it needs to be enforced and monitored appropriately to ensure order,” Madhusudan told ATF.
Cleaning-up in the works
Meanwhile, shadow lending apps have attracted the scrutiny of the police, who have started cracking the whip on dozens of apps following the spate of suicides in the past months after they and their families were allegedly harassed by debt-recovery agents.
On December 27, forces from the Central Crime Station in the Indian city of Hyderabad arrested three persons including a Chinese woman in connection with an instant loan fraud.
A week earlier, 11 shadow lenders were arrested by the Hyderabad City Police after raids in connection on instant loan fraud cases registered in the city. The raids were conducted simultaneously in Gurgaon and Hyderabad that also led to a seizure of 700 laptops.
“With fintech lending as a sector enhancing its presence among all lenders, RBI is now looking at it with a microscopic lens like never before, and this will lead to a clean-up of the fintech lending space for everyone's benefit,” Madhusudan told ATF.
And, the RBI said on January 14 it was setting up a six-member working group to evaluate digital lending activities and identify risks posed by unregulated digital lending to financial stability, regulated entities and consumers.
- With reporting by Reuters