Explainer: Bharat Financial Inclusion Limited Loan 'glitch'

tl;dr

Bharat Financial Inclusion Limited (BFIL), a subsidiary of IndusInd Bank, recently admitted to disbursing 84,000 loans without customers' consent being recorded, owing to a ‘technical glitch’. Though the bank took corrective steps upon receipt of the complaints, there is very little regulatory oversight of, or even acknowledgement of, such instances in general.

Why should you care?

With the uptake in digital lending, consent scams of this nature are also on the rise. For instance, something as widespread as the One-Time Password (OTP), if misused, can have serious privacy and financial implications. Such scams do not only lead to loss of personal data; they also have financial ramifications such as drops in credit scores.

Introduction

India has gone through rapid digital transformation in the past decade, led by technological advancements in financial services. Digital penetration in India has been facilitated by mobiles, digital identity and internet connectivity. The JanDhan-Aadhaar-Mobile (JAM) trinity is often said to be a key enabler for financial inclusion, giving millions of Indians access to banking services. While these advancements might seemingly lower the cost for market players (payments banks, small finance banks, microfinance institutions, fintech companies etc.) of delivering financial services, particularly digital credit, the consumer harms arising out of digitised financial services get overshadowed or underreported unless they are too large to miss.

One such instance was reported in February, wherein a private company named Dhani Loans and Services Limited, the lending arm of the Indiabulls Group, disbursed loans to several people who had availed them using someone else’s name and PAN details, without the latter's knowledge or consent. The impact of such ghost scams is not limited to loss of personal data and mental harassment; it also has financial ramifications such as drops in credit scores. Such instances raise questions about digital lending practices, in particular the design of consent mechanisms.

India has been witnessing consent scams by various digital financial service providers, all of which involved transactions being performed by bypassing consent in letter or spirit. Consent scams are those where consumers of digital financial services get defrauded due to a lack of proper consent collection by financial service providers, either wilfully or due to ‘technical glitches’. Examples include opening payments bank accounts and diverting state subsidies without the person's knowledge, and dumping a consent-less loan on students even before they enrol for coaching. The fact that ed-tech firm Byju's aggressive marketing practice of dumping loans without taking consent or providing any recourse was highlighted in parliament only 2 years after it was first reported goes to show how often such matters are brushed aside, no matter the scale.

The latest to have joined the list of consent scams is Bharat Financial Inclusion Limited (BFIL), a subsidiary of IndusInd Bank. In May 2021, BFIL admitted to having disbursed 84,000 loans without the customer consent being recorded. As per their statement, this was due to a ‘technical glitch’ at the time of loan disbursement and not due to evergreening (the practice of banks reviving a loan on the verge of default by granting further loans to the same borrower). Bharat Financial incidentally also happened to be the first microfinance market player to have completely digitised its operations through Aadhaar-based authentication, as early as 2017.

Despite the increasing trend of consent scams by financial service providers, there has been very little regulatory action around the issue, as even acknowledgement of the issue is seldom official. Even in the current instance, media reports (see here, here and here) suggest that the Reserve Bank of India (RBI), which regulates the microfinance industry, was made aware of certain issues pertaining to loans given in May 2021 as early as September 15th, 2021, but there has been no official statement from the banking regulator on the matter to date.

Whistleblowers complain

On November 5, 2021, the Economic Times reported that several people, including senior employees of BFIL, reported the issue to the RBI and the board of IndusInd Bank, highlighting lapses in governance and accounting norms allegedly leading to 'evergreening' of loans running into thousands of crores since the outbreak of the COVID-19 pandemic.

| S.No | Date | Sender | Letter | Sent to |
| --- | --- | --- | --- | --- |
| 1 | September 15th, 2021 | Non-executive chairman of BFIL, M. R. Rao | Resignation letter citing: “RBI has raised issues with respect to BFIL particularly the 80,000 loans given in May 2021”. | Board of IndusInd Bank |
| 2 | October 14th, 2021 | ‘Outside’ whistleblower | Suggestions to set up risk management and audit committees for BFIL were ignored; "process lapses" in extension of loan contracts, cash disbursement and accounting practices. | RBI |
| 3 | October 17th, 2021 and October 24th, 2021 | ‘Internal’ whistleblowers | "Adjusting new loan money with overdues from earlier loans"; alleged transactions to dress up the books. | Some independent directors of IndusInd Bank and RBI officials |

In a subsequent interaction with analyst Hemandra Hazari, IndusInd Bank clarified that:

“the loan disbursal systems are end-to-end digital in BFIL, without any manual intervention. In April, BFIL implemented a technology upgrade to its system. The biometric verification is sought for customers’ approval for the loan, and when it fails, a One Time Password (OTP) is sent to the customer’s mobile, which is then inputted in the system for customer approval. However, sometime in May 2021, on account of a bug in the system, the OTP stage got bypassed for those customers who could not record their biometrics, and the loans were disbursed.”

The same analyst also noted that the ‘technical glitch’ was identified within 2 days and rectified, though no timeline was given. However, there was no mention of whether the 84,000 affected people were notified about the ‘glitch’ or whether any redressal mechanisms were provided to them. On December 3rd, 2021, the Economic Times reported that IndusInd Bank had appointed Deloitte to review the whistleblower allegations.

Upon the publication of the whistleblower report, the media coverage around the issue was limited to the financial consequences being faced by the bank, without much focus on the root of the issue or the way forward for the victims. This, coupled with the resignation of M.R. Rao in September and RBI’s knowledge of the matter before that, does indicate corporate politics at play, overshadowing the actual issue at hand.

Description of evidence

The ‘Citizens’ Report on Bharat Financial Technical Glitch / Consent Scam’, released by the Digital Lending WatchTower and Cashless Consumer in February 2022, elaborates on an investigation conducted by them to gather publicly available information and analyse the glitch. The investigation revealed that ‘BFIL Sampark’ was the name of the application that provided the services to borrowers. The report added that searching for “bfil sampark app” and “bfil sampark app 1.” on the Google Play Store returned a list of auto-suggest options, some with specific version numbers, which would have been populated by repeated searches from other users. The BFIL Sampark application, however, seems to have been removed from Google Play since the incident and is no longer publicly available.

The Android binaries (APK files) of the BFIL Sampark application, listed in Table 3 of the citizens’ report, were sourced from Koodous. The report states that except for Version 1, which is signed with Google’s certificate, all other versions are signed with BFIL’s certificate, and thus the .apk files can reasonably be ascertained to be authentic. The report concluded that though the publicly available evidence was insufficient to arrive at a conclusion, the entire episode brought to light an important oversight issue with respect to consumer consent in digital lending.

Sahayata Loan is a special type of loan offered by BFIL to help people get additional credit after offsetting their past dues with the new loan. If there was a consent bypass, agents could evergreen unserviceable accounts without the knowledge of the customer. In the versions analysed during the investigation, it was found that consent for Sahayata loans was only OTP based, and biometric consent was needed only if there was a disbursement. Unlike an Aadhaar-authenticated biometric consent, where a transaction is recorded on the UIDAI side, the OTP consent is verified against an OTP server run by BFIL that sends a 4-digit OTP. The client-side app in the analysed versions has no bug that allows skipping OTP entry, so in all likelihood an OTP was entered for all 84,000 loans and the glitch lay in server-side validation. This leaves room for the malpractice theory, but we cannot ascertain it from the available data.
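To make the failure mode concrete, here is an added illustration (not BFIL's code, nor the report's) of the biometric-then-OTP consent flow described above, written fail-closed: disbursal requires a positively verified consent record, a skipped or unvalidated OTP stage can never pass, and a reconciliation check flags disbursed loans that lack such a record, which is exactly what an audit of the 84,000 loans would need to produce. All function names, the OTP derivation and the sample borrowers are constructed for the example.

```python
# Added example, not BFIL's or the report's code: a fail-closed consent gate for the
# biometric-then-OTP flow, plus a reconciliation check. All names and data are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

OTP_SECRET = b"constructed-demo-secret"   # constructed; in practice held only by the OTP server


def issue_otp(loan_id: str, mobile: str) -> str:
    """Server-side 4-digit OTP for this loan (deterministic demo derivation, not BFIL's)."""
    mac = hmac.new(OTP_SECRET, f"{loan_id}:{mobile}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10000:04d}"


@dataclass(frozen=True)
class Consent:
    loan_id: str
    method: str       # "biometric" or "otp"
    verified: bool    # True only after a positive check, never by default


def record_consent(loan_id: str, mobile: str, biometric_matched: bool,
                   otp_entered: Optional[str]) -> Consent:
    """Fail-closed gate: consent is verified only by a biometric match or a correct OTP.
    A skipped OTP stage (otp_entered is None) yields verified=False instead of falling through."""
    if biometric_matched:
        return Consent(loan_id, "biometric", True)
    ok = (otp_entered is not None and otp_entered.isascii()
          and hmac.compare_digest(otp_entered, issue_otp(loan_id, mobile)))
    return Consent(loan_id, "otp", ok)


def may_disburse(consent: Optional[Consent], loan_id: str) -> bool:
    """Disbursal requires a consent record for this exact loan with verified=True."""
    return consent is not None and consent.loan_id == loan_id and consent.verified


def unconsented_disbursals(disbursed: list[str], consents: list[Consent]) -> list[str]:
    """Reconciliation: loan IDs in the disbursal ledger with no verified consent record."""
    verified = {c.loan_id for c in consents if c.verified}
    return sorted(loan for loan in disbursed if loan not in verified)


# Constructed sample: L1 passed biometrics, L2's biometrics failed and the OTP stage was
# skipped (yet the ledger shows it disbursed), L3 fell back to OTP and entered it correctly.
SAMPLE = [("L1", "9000000001", True, None),
          ("L2", "9000000002", False, None),
          ("L3", "9000000003", False, issue_otp("L3", "9000000003"))]
CONSENTS = [record_consent(*row) for row in SAMPLE]
DISBURSED = ["L1", "L2", "L3"]   # what the disbursal ledger says went out
```

Running the reconciliation over the constructed ledger flags only L2, the borrower whose OTP stage was skipped.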

Up until now, OTP scams have been limited to hackers reaching out to people and asking for their OTP to gain access to their accounts (see here, here and here). Not much is known or written about OTP scams of a nature as seen in the case of BFIL. Thus, while OTP abuse is a fairly novel phenomenon, it has severe privacy and regulatory consequences.

Recommendations

  1. Robust regulatory paradigm: Though RBI set up a working group in January 2021 to regulate digital lending through mobile apps, digital lending apps remain unregulated as yet. Thus, there is an urgent need for regulatory oversight over these applications to prevent such consumer harms. Standard operating procedures for banking regulators must also be published, with provisions for due notice and redressal mechanisms for affected consumers.
  2. Need for study and research: There is a need for extensive study, analysis and public documentation of consent violations and OTP abuse, with emphasis on the root causes in system design instead of covering them up as a ‘Technical Glitch’. Moreover, the role and relevance of OTP as a consent mechanism must be revisited across sectors (Government, Industry, Regulators, Consumers).
  3. Enhanced user rights: In order to maintain user privacy and further financial inclusion, data rights of users must be strengthened, fair and transparent decision-making processes which do not have a disparate impact on marginalised groups must be mandated, and strong regulations to oversee the digital lending market must be enacted.
  4. Increased transparency: Lastly, the external audit report must be published publicly, detailing forensic evidence as well as the methodology to verify the assertions made in the report.

We acknowledge and thank Mr. Srikanth Lakshman for his assistance. He can be reached at: @logic on Twitter.

Important documents

  1. Citizens’ Report on Bharat Financial Technical Glitch / Consent Scam (Link)

Note: This post was drafted by Tejasi Panjiar, Capstone Fellow hosted at IFF, and reviewed by IFF staff.