Money Mules To Clone Apps, Study Of India’s Digital Lenders Throws Up Large Challenges
The Reserve Bank of India’s task to weed out fly-by-night digital lending apps will be a regulatory whack-a-mole. Swat one, another pops up elsewhere.
Inputs that a central bank internal working group is getting underscore how difficult it will be to tame the problem—because the RBI will be hunting for everything from money mules to clones, in the virtual world.
“The problem of unauthorised digital lending is like a tree that never stops growing. You cut one branch and there grows another,” said Vivek Ramji Iyer, leader - financial services risk at Grant Thornton Bharat LLP.
The only way to completely eradicate the issue is to cut it off from the root, which then poses the big issue of over-regulating a sector that’s still in a nascent stage. “The idea is to curb illegal lending but not throw the baby (read innovation) with the bathwater (read regulation),” he said.
Iyer isn’t directly involved with the RBI committee’s work but even those who are have come away with a similar conclusion.
When researchers providing inputs to the internal working group commenced work, they had to sift through nearly 11,400 apps that matched the keywords “loan” and “quick loan” across 40 app stores, according to an initial presentation made to the working group, reviewed by BloombergQuint.
Of these, over 1,200 apps were found to be carrying out digital lending activities in India, a person directly aware of the matter told BloombergQuint on condition of anonymity.
But the problem isn’t resolved by merely removing the illegal apps.
The researchers have found that developers, who could be a set of individuals or a company in any part of the world, create not one but multiple apps with minor tweaks in their codebase to evade regulatory action.
So, if one app developed by an individual or firm is blocked on an app store, it remains active on other app store platforms. Even if the regulator blocks it from all such platforms, there are others with similar codes that continue to operate, the person told BloombergQuint.
While there are solutions such as using clustering algorithms to weed out apps with similar code bases, this has to be done manually till enough data points are available. But the problem, the person said, is that these illegal apps are being created in real-time, and the second one such app is removed, ten others can be created.
Another thing researchers found is the cloning of genuine apps. There were multiple mobile apps emulating a genuine digital lender. These apps are cloned by fraudsters with unnoticeable changes to confuse the end-user.
“These are well-laid traps,” said Madhusudan Ekambaram, chief executive of online lending platform KreditBee and co-founder of not-for-profit industry body FACE (Fintech Association for Consumer Empowerment).
The problem, he said, is amplified by the fact that many genuine online lenders aren’t household names such as large banks and popular non-bank lenders. “So, a consumer would search by the name of an app and find multiple clone apps listed with the same-sounding brand name or similar user interface, leading them to believe that they are genuine.”
Even if one were to solve the issue around cloning and removing multiple versions of the same app, there are illegal online lenders who use money mules, or persons who knowingly or unknowingly allow use of their bank accounts or addresses, to channel loans, the person cited earlier said.
Another challenging task has been to identify the source or country of origin of these apps. That, according to the person, is the most complicated part in curbing nefarious digital lending activities as many of these apps are registered with false addresses. Where money mules are found and investigated, they often lead to dead ends. The source is often so well-hidden that it is almost untraceable, the person said.
The only way one can possibly trace the origin of these apps is through bank accounts but if they belong to mules, there is absolutely no way of tracking it back to the source country or developers, the person explained.
In January, Google Inc. removed over 400 suspicious lending apps from its app store based on red flags submitted by users and government agencies. This, the company said in a blogpost dated Jan. 14, was done by asking developers of identified apps to demonstrate their compliance with applicable local laws and regulations.
“Apps that fail to do so will be removed without further notice,” it said. “In addition, we will continue to assist the law enforcement agencies in their investigation of this issue.”
When contacted, a Google spokesperson declined to share the latest number of apps removed or reinstated by its app store. RBI did not reply to BloombergQuint’s email queries sent on Thursday.
Setting Up Guard Rails
Even as the problem of unscrupulous digital lending is not an easy one to tackle, the RBI will have to set up some guard rails to weed out apps when it finally releases its recommendations to regulate the segment.
The regulator has set certain basic parameters that must be checked, shows the presentation cited above. These parameters include identifying:
- Websites of loan apps circulated in India.
- Source country of the lending apps.
- Geo-location of the administration of the loan apps.
- The extent of critical permissions taken by these apps from customers.
- Statistics on how lending apps use mobile phone permissions.
- Personal loan apps that violate safety policies.
In its internal presentation, the regulator further outlined the methodology to gather information on the sector. This, it said, would be done through interviews with loan app founders and team members, interacting with cyber-crime cells and gathering data regarding existing complaints, approaching informed individuals who could provide feedback and by collating publicly available data and insights.
But RBI alone may not be able to do the job.
“The proliferation of unregulated lending apps, several of them potentially malicious, has emerged as one of the rare unfavourable outcomes of a rapid shift towards adoption of digital financial services,” said Fali Hodiwalla, partner - financial services, consulting at advisory firm EY. “An unprecedented disruption such as this can only be controlled through very well-coordinated, near real-time monitoring by multiple stakeholders, and not just the RBI.”
These stakeholders, he said, would include the banking system which can monitor transactions and mobile network operators that can help with tracing the origins of these apps. “These stakeholders would necessarily need to supplement RBI’s current and envisaged regulations covering digital lending operations.”
While there are no industry-wide estimates available on how large India’s digital lending segment has grown, Boston Consulting Group estimated in a 2018 report that it could be a $100-billion market for India by 2023 across all segments.
The issue can also be tackled better if RBI authorises an independent supervisory body for digital lending, like the National Payments Corporation of India, which regulates digital payments in India, according to Ekambaram.
“An independent regulator for digital lenders can take care of customer grievances and follow a standard code of procedures for licensing and supervising the companies in the space on a real-time basis,” he said. “It will also make it easier for genuine companies to raise red-flags on clone apps and get them blocked from app stores.”