28 March 2022 | 13 min read

Fintech Wild West: Whose Duty to Act?

Predatory digital lending apps mushroom across the Indian financial landscape, poking holes in the gilded narrative of fintech innovation.

By Anuradha Ganapathy

Summary

A prolonged economic crisis, weak regulatory landscape, and smartphone revolution have enabled the rise of predatory digital lending apps (DLAs) in India. This essay, drawing from primary research, examines the ways in which dark design, targeted advertising, and trick consent procedures are deployed by apps to lure thin-file borrowers into debt traps through the promise of easy loans. Through these tactics, DLAs force users to cede access to personal data on phones such as contact lists, images, and location information, data points which are then leveraged to enact various forms of abuse and pressure. The essay sheds light both on the absence of data-based and financial regulations and the lack of platform oversight that enable the grey zones for such applications to operate. It also calls into question, the larger structures of fintech innovation, which have normalized opportunistic extraction and use of personal data as a pathway to financial inclusion.

For over two years now, digital lending apps (DLAs) have wreaked havoc amongst India’s thin-file borrowers (borrowers with little or no credit history), deploying innovative strategies to capture their social resources, and turning them into sites of financial extraction. In this article, we unpack the workings of such apps through a set of interviews with borrowers from DLAs, and point to the ways in which the nexus of a prolonged economic crisis, a weak regulatory landscape, and a smartphone revolution have come together as the perfect foils for fintech innovations.

In July 2021, when Kavita* urgently needed money to handle a financial emergency in Chennai, she installed an app called Star Loans from Google’s Play Store onto her smartphone. She then applied for a loan of Rs 3,500 (USD 45) by uploading her Aadhar card (individual ID number issued by the Government), address proof, taxpayer ID number, and a selfie as documentation. Within 24 hours, she received a credit of Rs 2,200 (USD 30), which she repaid within the stipulated seven-day period. In December 2021, nearly six months after she had repaid her loan, she received a call from the company officials reminding her of an outstanding amount to the tune of Rs 8,500 (USD 113). Realizing something was amiss, Kavita started blocking their calls. Soon enough, the company began sending messages to the 350 contacts in her phone book alleging that she was a fraudster who hadn’t repaid her loan. “While installing the app, I clicked on the ‘allow’ button several times. In the process, I didn’t realize that I had given them access to my address book,” she says. Over the next few days, Kavita recalls blocking over 300 numbers. Soon enough, the callers sent her messages on WhatsApp threatening to leak her nude pictures to her contact list and on social media. “They had my picture thanks to the selfie that I had sent them as part of my loan application,” says Kavita, who, by now was petrified. The threat became real when they sent a morphed nude image of her to two individuals from her network. Finally, Kavita decided to pay the amount, after which she filed a complaint with the police. Police officials could not do much by way of action. “They told me it’s a Jaipur-based company, but when they visited the address registered on the website, the company didn’t exist,” she says.

Like Kavita, Prabhu took out a loan of Rs 2,400 (USD 32) from an app named FreeCash in November 2021. Just six days after taking the loan, he started receiving threatening calls for repayment, even though he had seven days to repay the entire loan amount. The next day, after he repaid the full loan, he received another message stating that his account was credited for a similar amount, although the money was never deposited into his account. December onwards, a new set of calls started coming in for repayment. When he tried telling them that he never received any money and sent them screenshots of his bank account, they alleged that his screenshots were fake, showed him the serial number of the loan which had his name tagged to it as proof, and coerced him to pay. “They just don’t listen…They abused my family, threatened to send messages to my contacts, and they are unafraid of the law,” says Prabhu.

Despite mounting consumer complaints, police crackdowns, attempts to remove them from the Play Store, and widespread reports of suicides triggered by the debt traps they have created, DLAs such as Star Loans and FreeCash continue to thrive in India. A recent report released by the Working Group on Digital Lending, which was constituted by the Reserve Bank of India (RBI) to regulate the digital lending ecosystem, found that more than 50% of the 1,100 lending apps available for Indian Android users were operating illegally, i.e., they were promoted by entities not registered with the RBI as Banks or Non-Banking Financial Companies (NBFCs), or with other entities who are regulated by the state governments under statutory provisions.

The situation is certainly not unique to India. In 2016, Ezubao, a huge peer-to-peer (P2P) lending platform in China turned out to be an elaborate Ponzi scheme that had taken in and lost upwards of USD 7 billion obtained from 900,000 small investors. Soon after the incident came to light in 2020, China’s financial regulators abandoned their ‘light touch’ regulatory regime and radically restructured the fintech sector to minimize fraud and ensure more socially beneficial outcomes.

Despite mounting consumer complaints, police crackdowns, attempts to remove them from the Play Store, and widespread reports of suicides triggered by the debt traps they have created, DLAs such as Star Loans and FreeCash continue to thrive in India.

The criminogenic elements in fintech run parallel to its ‘extractivist’ style of operation with the pursuit of innovation in finance increasingly resting on the potential to transform human and non-human life into an asset, i.e., something that can be configured as property and capitalized as future earnings. Bateman and Teixeira refer to it as “a modern twist to colonial style capitalism”, with most fintech organizations clamouring for control over the vast amounts of data generated by the digital financial transactions of the poor, in order to deploy them for future profits. What does such a context mean for the emergence and spread of DLAs?

Find, Keep and Extract: Earning “Rent” Through Mobile Phone Data

As a mobile-first market with about 750 million smartphone users, for most Indians, the smartphone journey begins at Rs 5,000 (USD 66). It is their first camera, first TV, first video device, and perhaps, even their first gateway to a loan. Finance App downloads in India surpassed 1 billion in 2021, likely driven by multiple loan app downloads amongst a historically unbanked population looking for credit opportunities. The extractivist logic underpinning DLAs unfolds at this juncture with the control of the smartphone that contains the private details of one’s life. Reports suggest that many illegal DLAs do not have a website, and even when they do, access to the loan is contingent upon downloading and installing the app onto your mobile phone. What we understand as innovation, is therefore, nothing more than the deployment of trick consent procedures to gain access to personal data such as contact lists, images, etc., stored on the phone. These details do not just serve as collateral for recovery of the loan, but also assume “rent” like properties for perverse economic gains.

It usually starts with a message or a call to an individual confirming their eligibility for a loan, either in response to their Internet searches, or as a regular predatory marketing attempt. Prabhu’s Google search for “emergency loan” yielded him a loan offer of Rs 20,000 (USD 265) within three hours from a company named FreeCash. “When you need the money urgently and you are promised immediate cash, you tend to be in a hurry to get done with formalities, so you may end up overlooking some details. It is after all, an emergency situation,” says Prabhu, recounting how he clicked on the ‘yes’ button several times as part of the app installation process, unaware that these clicks were dangerous data traps. Prabhu was finally approved for a loan of Rs 3,000 (USD 40), although the actual credit that he received, deducting charges, was Rs 2,400 (USD 32). It was impossible for him to try and contact anyone to understand why the amounts shown to him decreased with every step in the application process. Like Prabhu, Ram (29), who works as an Operations and Marketing Manager in a firm in Bengaluru also discovered that the amount he received as credit was a mere 10% of what the marketing message promised him. “If I knew I was going to only get Rs 2,100 (USD 28), I would have never clicked on the link, because I was not in severe financial need,” says Ram.

Whether you are an active borrower like Prabhu, providing algorithmic clues of your desperation, or a passive one like Ram who is not in the market for loans, DLAs’ innovations hinge on the promise of immediacy afforded by the“3-1-0″ fintech-based credit model. This involves three minutes to make an online application, one second for lending assessment, and zero manual intervention in the whole process. There is, obviously, no room in such a framing to account for the gigabytes of personal data that are traded off in the three minutes, or the fact that the credit provided is not necessarily that which is most useful, or even commensurate with the extent of the trade-off.

The next set of innovations is deployed in finding ways to extract value from the data. Importantly, value here, may not always be economic or monetary, but can take the form of soft power. On the seventh day of receiving his loan, Ram received a WhatsApp message from the lending company that had details of his bike, with a threat that someone would be sent to fleece it if he didn’t repay the loan by the end of the day. Ram says that the company got the details of his bike because they had access to his photo gallery, which had a picture of his vehicle registration card. A December 2021 report by the RBI Working Group on Digital Lending found that 30% of DLAs ask for location and camera access, while 21% of them ask for access to phone contacts. The report also highlighted several instances of misuse of such data which are classified as “high-risk” data. Recently, borrowers signing up for home loans with Navi Finserv, a digital lender registered as an NBFC, found that Navi’s terms and conditions required them to email Navi for permission to uninstall and reinstall the app in case they were changing their smartphone during the tenure of the loan. Additionally, Navi does not allow its users to disable its permissions to access financial text messages, contacts, location data, a list of installed applications, etc., on their smartphones. Navi’s pitch that it’s entire home loan process from application to final sanctioning happens on its app, leaves out the extent of surveillance and control that it can wield over its borrower during the tenure of the loan, which can extend for as long as 30 years. Navi is certainly not the only lender to disallow revoking of consent. A 2019 study of the privacy policies of 48 fintech companies in India found that 20 of them did not provide the option for consumers to subsequently withdraw their consent from the use of the data or information collected by the service provider, despite this being mandated under the Information Technology Act, 2000.

DLAs’ innovations hinge on the promise of immediacy afforded by the“3-1-0″ fintech-based credit model. This involves three minutes to make an online application, one second for lending assessment, and zero manual intervention in the whole process. There is, obviously, no room in such a framing to account for the gigabytes of personal data that are traded off in the three minutes.

Designed to Shame

On the sixth day of Ram’s loan tenure, the lender formed a WhatsApp group comprising him and his immediate family, where they sent his picture, shaming him as a “fraudster”. Ram believes the only way the company could have identified these individuals as his family members was because he had stored their numbers on his contact list with relationship tags, a common practice. Kavita’s morphed nude was sent to two individuals whom she had selected as “references”, a mandatory step required in the loan application process. Kavita explained that the app was designed in a way that the references had to be selected from the phone book only, i.e, she could not manually add either names or contact details. Arguably, this could have been one of the ways the app was able to access her phone book, but equally important to note is the fact that the app wanted a phone number (and not an email ID) and that it had to be selected from her contact list (which meant it was someone in her close network).

These examples point to how control of personal data allows DLAs to practise specific patterns of localized humiliations through carefully crafted design features. Access to users’ contact book, photos, location data, ability to create targeted WhatsApp groups, knowledge of borrowers’ relationships through identifiers — all these factors allow abuse to take on a systematic character. The contact book works as a localized moral community within which persons are easily recognized, contested, and speculated upon. The recovery agents are afforded an anonymity that allows them to engage in extreme acts of violent speech without having to fear the consequences of such behavior. Prabhu was threatened that his contacts would receive a message calling him out as a rapist who has escaped a 15-year prison sentence. Such raking of the ‘private’ sphere through sexual accusations is a common intimidation tactic on online platforms that follows specific masculinist logics of shame and humiliation. Ram, who changed his phone number when he was unable to repay the loan, confirms that his family continues to receive abusive calls. On the other hand, Kavita, who was engulfed in a crippling fear of her nude photo being circulated in public, recognized that a change of phone number may not be adequate, and ended up paying for a loan that she never took. Clearly, even when the harassment is across genders, the patriarchal frameworks within which they operate produce gendered consequences with the result that the disciplining power of the platform and the tenor of its impact is disproportionately higher and qualitatively different for women as compared to men. The experiences of shaming also point to how DLAs are fast becoming platforms for hate mongering and other forms of violent and sexist speech, egged on by the data assets they capture and a near impunity from any legal backlash.

Access to users’ contact book, photos, location data, ability to create targeted WhatsApp groups, knowledge of borrowers’ relationships through identifiers — all these factors allow abuse to take on a systematic character. The contact book works as a localized moral community within which persons are easily recognized, contested, and speculated upon.

An App a Day Phenomenon

It is becoming evident that technology affords DLAs new, and perhaps, also easy ways to assetize data and extract financial value from it. Reports that every app from delivery to photo editing, now wants to be a lending app only lend credence to such a claim, giving rise to global fintech-as-a-service (FaaS) providers that make it relatively easy and simple for any digital business to embed a wide array of financial services into their offerings. By making available technology plugs such as SDKs (software development kits) and APIs (software interfaces that allow different programs to communicate with each other) for services such as ID verification, credit scoring, payments, and collection, they allow loan apps to be built by simply shopping online for these plugs.

Not only do FaaS companies host vast amounts of personal data, they are also often invisible to both the lender and the regulator, making it easy for them to use the data as they please. For example, Inditrade, a digital lender in India used SDKs and APIs of a Chinese FaaS company called Tongdun, which was accused of selling illegally obtained data to online loan sharks. Recently, several individuals in India were horrified to find their PAN card details in a personalised marketing message they received from digital lender Navi Finserv, even though they had never applied for a loan or submitted their data to Navi, raising unanswered questions on how the lender obtained access to that data.

For borrowers who are caught in this cat and mouse game of data played between DLAs and FaaS companies, parsing the real from the fake becomes increasingly difficult. As much as the regulator may want borrowers to verify the antecedents of the company offering digital loans before signing up for one, the real challenge lies in curtailing the exploitation of the grey zones in lending regulations. For example, even though the RBI stipulates that lending can only be facilitated through entities registered as NBFCs, reports suggest that it is not hard for digital lenders to find a willing NBFC partner (one from the 12,000-odd NBFCs listed in the country) to tie up with. The due diligence checks done by the payment gateways as part of the lender onboarding process cannot always determine a company’s antecedents and origins, or know if and when the ownership changes later, calling into question the dubious nature of such tie ups.

Platforms like Google Play Store which host these apps, provide additional scaffolding for them to operate without complying with even basic regulations. A review of 200 lending apps on Play Store in October 2021 found that 120 of them had no legal disclosures, nor a website, and only had an email address as part of the app store description, despite RBI guidelines on mandatory disclosures, including disclosing the bank and NBFC partners upfront to the customers. Many loan apps are known to violate Google’s own policy, which prohibits personal lending apps from listing if they issues loans with less than a 60-day repayment period. As borrowers shop for loans in a crisis, the flimsy guard rails of Play Store afford them little protection from predatory lenders and illegal apps, which continue to proliferate unchecked.

It is also important to note that technology adoption effects are particularly pronounced during periods of prolonged shocks, when innovative capabilities of providers — such as lower costs or faster processing times can take precedence over their perceived trustworthiness in driving fintech adoption, resulting in an uptick in the download of suspect apps. This was evidenced in India, where data shows that as the number of Covid-19 cases rose and lockdowns commenced, the suspect apps loan overtake and erode take−up from the legitimate loan apps, with a download of over 500,000 users a day at its peak. Therefore, tempting as it may be to laud DLAs for fulfilling an unmet credit demand during an economic crisis, there are serious normative considerations involved in deploying technology innovations that are designed to feed off the increased vulnerability that follows an economic crisis.

Many loan apps are known to violate Google’s own policy, which prohibits personal lending apps from listing if they issues loans with less than a 60-day repayment period. As borrowers shop for loans in a crisis, the flimsy guard rails of Play Store afford them little protection from predatory lenders and illegal apps, which continue to proliferate unchecked.

The Many Fixes That We Need

The 2020s are being credited with ushering in the era of innovations, which the pandemic has only accelerated. Globally, fintech raised close to USD 91.5 billion in the first three quarters of 2021, almost double the pace in 2020. While it may be true that easier, cheaper, and quicker access to a range of financial services can open up new opportunities to improve the lives of citizens and communities, there is also a growing body of work urging us to look beyond the over-valorization of financial entrepreneurs and venture capital funding, to examine more critically, the potentially longer-term downsides of fintech, particularly for lower-income groups. The prism of DLAs offers a glimpse into one such downside, which is the negative implications of privileging data extraction and mining as potential ‘fintech’ opportunities. As such, it may be possible to understand fintech innovations as organized and purposive practices of data rentiership that premise their services on the collection and use of various types of personal data.

Regulation of personal data collection and use, will therefore, be key to ensuring that fintech is able to contribute to socially beneficial outcomes, a legislation for which is pending implementation in India. China recently unveiled a new regulation on the “scope of necessary personal information for common types of mobile internet applications”, specifying what kinds of personal information various apps are allowed to collect from their users. Importantly, China’s move to break up Alibaba’s super-app Alipay and force the creation of a separate, partly state owned credit scoring joint venture that will have its own app is a recognition of the need to stem the power wielded by Big Tech’s monopoly and control of data.

The rapid mushrooming of DLAs through Play Store downloads also points to the failure of Big Tech to fulfill their duties of care as gatekeepers of the digital ecosystem, and, more broadly speaking, their tendency the push every available limit before applying ex-ante safeguards. While both Google Play Store and Apple App Store are now asking for enhanced disclosures from apps to protect the privacy and safety of their users, critical questions need to be asked about the accountability of Big Tech and the pre-emptive responsibilities they carry for the innovation ecosystem, particularly when their app stores become the de-facto infrastructure to access the services of the smaller new-to-market players. As much as RBI’s proposal to set up a nodal agency responsible for verifying digital lending apps is important, recommendations that mandate appropriate due diligence to be carried out by Big Tech for the apps that they host also need to be considered.

More broadly speaking, there are serious economic and social consequences of using digital disruption and financial inclusion as a cover while playing whack-a-mole with the law, not to mention contributing to the creation of a new set of online harms and formalizing existing forms of exploitation. Importantly, dismissing DLAs such as Star Loans, FreeCash etc., as aberrations is an innocence we can ill-afford. These arrangements in fact, obtain normative sanctions within the larger context of financialization of development, where businesses are incentivised to innovate in order to come up with new mechanisms, devices, or instruments designed to extract value through the ownership and control of personal data. The critical question at stake, therefore is – to what extent can fintech innovations support financial inclusion objectives, when they premise the provision of their services on the opportunistic collection of personal data?

*All names have been changed to protect identity.
The author would like to thank the NGO SaveThem for its assistance in connecting her to the borrowers featured in this post.

About the Author(s)

Anuradha Ganapathy

Anuradha Ganapathy is a mid career professional who recently transitioned from the corporate to the development sector. She has a Masters from SOAS University of London in Anthropology of Development and Sustainability. She also has a Postgraduate Diploma in Management from India, a Postgraduate Certification in Gender, Sexuality and Society from Birkbeck, University of London, and a Postgraduate Certification in Technology Policy. Her work interests lie in the areas of the digital gender divide, technology adoption at the margins, digital and economic justice and platforms for development.