Dhani Loans: A Case Of Identity Theft Or Flawed Processes?
What went wrong at Dhani Loans & Services?
When actress Sunny Leone and journalist Aditya Kalra took to Twitter to complain about Dhani Loans and Services, their posts saw a flurry of responses. Leone and Kalra had both found that loans had been taken fraudulently in their names. The responses to their posts indicated there were others who had had similar experiences.
In Leone's case, someone had allegedly used her permanent account number to avail a Rs 2,000 loan without her knowledge. Kalra, a journalist with Reuters, had also claimed that his PAN had been used to avail a loan without his knowledge.
Both saw their credit scores impacted because of these loans and subsequent defaults on them. For no fault of theirs.
Shocking revelation in my credit report. A loan disbursed by IVL Finance (Indiabulls) @dhanicares with my PAN number & name, addresses in Uttar Pradesh and Bihar. I have no clue. How can a disbursal happen on my name and PAN. In default already @RBI @IncomeTaxIndia @nsitharaman pic.twitter.com/LMMrwKyeit— Aditya Kalra (@adityakalra) February 13, 2022
Behind The Fraudulent Loans
Dhani Loans and Services, formerly known as Indiabulls Consumer Finance Ltd., is a wholly-owned subsidiary of Dhani Services Ltd. While Dhani Services' mobile app primarily focuses on providing healthcare services, customers are also allowed to take unsecured loans for their needs.
"Dhani has given small transaction finance loans to over 35 lakh people in the last 12 months, and 99.9% have gone to genuine people who have benefited from this offering," a spokesperson from Dhani Services said in an emailed response to BloombergQuint's queries. "We will leave no stone unturned to mitigate any possibility of identity theft on our fintech platform."
According to information available on the company's website, on a standalone basis, Dhani Loans and Services reported loan assets worth Rs 3,302 crore as on Sept. 30, 2021, down 11% on a year-to-date basis. Gross non-performing asset ratio stood at 3.38% at the end of the second quarter.
While the company argues that the proportion of fraudulent loans is small, the modus operandi to avail these loans offers a peek into possible systemic issues at Dhani.
According to a person with direct knowledge of the matter, Dhani Loans allows customers to borrow money through two modes of verification. One is the commonly used Aadhaar route, which allows users to verify themselves through a one-time password sent to their mobile number linked to the UIDAI. This is a route commonly used by digital lenders.
However, if a customer claims that their Aadhaar number and phone number are not linked, the Dhani app also allows you to upload images of the documents to verify identity.
This seems to have become the source of recent troubles. Fraudsters appear to have uploaded morphed images of KYC documents to avail small value credit through the app. While these KYC documents should ideally go through independent checks at the lender's end, either this was not done in these cases or the use of documents of unrelated people escaped the checks.
According to the first person quoted above, Dhani's systems were not geared to thoroughly review applications with such morphed images. This led to fraudulent loan applications being approved.
A financial services consultant, who has worked with fintech lenders of various sizes, said that internal audits conducted by a company should reveal any such process lapses. If the internal audit revealed such issues and the management or the board did not act on it, it could point to more serious issues, the consultant said, speaking on the condition of anonymity.
Dhani, on its part, said it has now taken measures to deter incidents of fraudulent loan applications.
"We have integrated with G-defence, which is a global security platform to further verify each device against a specific customer and PAN through various data fields. This will stop these stray incidents of identity thefts," the company's spokesperson said.
Since Dhani's loan product extends only to a small portion of the credit line in the first transaction, the impact of such fraudulent transactions on the company's book has been limited. However, those facing the phantom loan entries on their credit report have been severely affected, the person said.
"Our risk management and tech teams therefore have been on overdrive, constantly building more robust systems to try and keep such fraudsters at a distance," the Dhani spokesperson said.
Was This Avoidable?
According to the head of a cybersecurity firm, who spoke on the condition of anonymity, the kind of problems Dhani has been facing could be discovered through regular internal audits of its systems and processes. However, many fintech lenders avoid regular audits to avoid taking action until a major fraud occurs. Owing to their size and the low value lending they do, many system deficiencies go under the radar, this person said.
The Reserve Bank of India, in its guidelines issued in June 2017, requires non-bank finance companies with asset size of over Rs 500 crore to regularly conduct audits of their IT systems.
For those under this ceiling, the RBI has made recommendations. These requires the board of the NBFC to implement a policy for regular audits, beef up information security and cybersecurity, ensure a strong maker-checker system to avoid error and misuse, among other things.
Since these norms exist in the form of recommendations for smaller lenders, they have not become the industry standard, allowing for problems to creep in, the cybersecurity expert said.
According to Asim Parashar, partner at PwC India, KYC verification for lending startups will always be a challenge in the digital world as we don’t have a single ID which is used across services, including credit bureaus.
"Companies are focused on increasing the number of loans disbursed conveniently to the customers with minimum documentation in the shortest possible time using artificial intelligence-based algorithms," Parashar said. "Now for these algorithms to mature in [a market with] very diverse customer profiles, it will take time and also additional cost."
Since the loan amounts are small in some of the product segments, default rates can be easily managed, Parashar said. As the ecosystem evolves and private financiers start seeking accountability against their funds, fintechs will need to adopt better quality customer checks, he said.
The Role Of Credit Bureaus
What makes an experience of this nature more painful for consumers is the difficulty in getting a credit bureau to correct your score.
Typically, a credit bureau receives borrower level data from a lender so as to arrive at a credit score. Depending on the customer's past loan behaviour, the score may go up or down. A high credit score can help a customer get loans at better (cheaper) terms and from a wider variety of lenders. However, any volatility in the credit score, even if it is corrected quickly, can lead to difficulty in availing credit.
According to Parijat Garg, a fintech advisor and a former credit bureau executive, bureaus tend to not verify all the data submitted to them.
"Most lenders have multiple layers of checks for the borrower data that they share with the bureaus. It is not the bureau's responsibility to maintain quality of the credit data," Garg said.
Credit bureau Experian explains on its website that a bureau cannot amend credit data, without express written consent from the lender concerned, since the lender owns the data.
As such, the process of rectifying an error on the credit report remains a prolonged one. Once a rectification request is raised by a customer, the bureau will mark the disputed credit entry as "under dispute". It will then take the issue up with the concerned bank or financial institution, after which the request is either accepted or rejected.
According to details available on TransUnion Cibil's website, the turnaround time for such dispute resolution could be up to 30 days.
Queries mailed to two of the largest credit bureaus, TransUnion Cibil and Experian were not answered.