Fintech Swindling and RBI Regulation | By Drishti Yadav

Digital Payments, loans and fintech space have a growing emergence in India. However, it can prove to be a double-edged sword by keeping in mind the present scenario of data security.

Data privacy has invariably been a major concern in the nation and when money comes into play, data security and scams are recurrent. The above statement can be testified by visiting app stores wherein Indian loan apps consist of keywords ranging between loans, instant loans, and quick loans. In order to control the jeopardy of illegal loan apps, Nirmala Sitharaman, the Union Finance Minister of India, has directed the Reserve Bank of India (RBI) to prepare a whitelist of legal loan apps, while the Ministry of Electronics and Information Technology (MeitY) has been tasked with ensuring only such whitelisted applications to be available on app stores. During Covid-19 digital payments have seen growth, it has contributed to easing the financial system but at the same time invited scammers and fraudsters. The issue needs to be addressed since such apps offer loans or micro-credit to low income groups at a very high-interest rate, resorting to blackmail and criminal menace.

In accordance with this, the Google play store has directed the disbursal apps and credit aggregators to display a link to partner banks or non-banking finance corporations. The applications which fail to comply with these rules will be deleted from the play store. In order to obtain public confidence in the digital lending ecosystem, RBI has encouraged innovation in the financial institution, commodity and credit delivery methods while ensuring financial stability and protection of depositors and customers interest.

The primary concerns (as mentioned on RBI website) in such loan applications were unbridled engagement of third parties, misselling, breach of data privacy, unfair business conduct, charging of exorbitant interest rates and unethical recovery practices. The above conclusions were drawn by the Working Group on Digital Lending (WGDL) which was a group working on digital lending through online platforms and mobile apps constituted in the year 2021.

As per RBI, 3 groups of digital lenders have been identified:

• Regulated by RBI and permitted to carry out business

• Entity authorized to carry out a lending as per statutory/regulatory provision but isn’t regulated by RBI

• Entities regulating outside statutory/regulatory provisions

In order to ensure consumer protection , considerable initiatives has been taken by the RBI in respect to loan applications. The loan disbursals and repayments are required to be executed only between bank accounts of the borrower and regulated entities without any pass through/pool account of the lending service provider or any other third party. In addition to this, any fee/charge payable to legal service providers in the credit intimidation process shall be paid directly by the regulated entity and not by the borrower. A standardized key fact statement must be provided to the borrower executing the loan contract. The borrower needs to be informed about the all-inclusive cost of digital loan. The loan applications cannot increase the bank loan interest themselves, without any prior information. The important disclosure to be mentioned in the loan contract is cooling off/look up period i.e., the principal amount and proportionate Annual Percentage Rate. If in case a complaint isn’t resolved by the lending service provider within the limit of 30 days, a complaint can be lodged under RBI.

As far as the technological requirements for such applications are concerned, an option for the borrower must be provided to accept or deny consent for use of specific data since lending apps need credit information. Inadequate transparency about what information is collected, why it is collected and how it will be used needs to be informed to the user to ensure consumer confidence. Moreover, steps should be taken to increase cyber awareness among customers, bank employees, law enforcement agencies and other stakeholders.

It has been remarked by the Finance Ministry that a new data privacy bill, which would be a product of consultations, will also be released. Hence, data privacy, not only in the fintech space but all key areas including economy, politics and commerce is a prominent issue. It is a known fact that the 2018 massive data breach of the Aadhaar database is a major lesson for India to focus on data safety.

Further, it’s important to discuss the banking frauds which have been stated as per a booklet issued by the Reserve Bank of India which draws attention towards the modus operandi of scamsters. It also states the relevant precautions to be taken while making a digital transaction. Being an informed citizen it is necessary to know about such scams and not fall in fraudulent traps. The most common scam is phishing wherein a legitimate website is created, the link for which is shared through SMS, emails or social media, as soon as a person clicks on the link, they are required to enter the OTP or PIN which is later misused for illegal purposes. The most popular scam which takes place frequently is Vishing, an imposter acts as a banker, insurance agent or government official and reaches the consumer through calls or SMS, they tick the person by sharing a few common details such as name, date of birth to act legit, further they pressurize the person to share OTP, PIN and even Card Verification Values (CVV) by citing an emergency. Customers are then defrauded using these credentials. Moreover, some fraudsters use UPI apps “request money” option and demand that the seller authorize the request by entering UPI PIN and then money gets transferred to the fraudster’s account.

A user must ensure to never click on any unknown link since certain links get directed to downloading a particular fraudulent application which if once downloaded, lets the scamster gain access to all the confidential information of a user. These may even be screen-sharing applications which later becomes a problematic situation for consumers since their important data including CVV and PIN gets easily tracked. Even while using ATM cards one must be cautious because fraudsters install a dummy keypad or a camera to create a duplicate card and withdraw money from the customer's account.

Subscriber Identity Module (SIM) cards can also be cloned to perform unauthorized transactions. Customers have the tendency to visit search engines to know about their bank application/website, these websites must be carefully checked before entering any password or banking detail because scamsters also list their websites and people often fall prey to scams.

It is predominant for society to be aware of such activities and also to report about any scams since it helps the authorities to regulate the illegal practices which hinder the development of each income group. Moreover, it is necessary for the government to be even more careful with the data of its citizens since the Swachh city platform suffered from a data breach leaking 16 million user records in September. Hence, with the collective efforts of the stakeholders and the people, a prominent structure against scams and fraudulent activities can be built and the same would be successful after an extensive policy formation which gets implemented practically for the overall benefit of each and every person.

As stated by Jeh Jhonson, “Cybersecurity is a shared security which boils down to this: In cybersecurity the more systems we secure, the more secure we all are.”