Open in app

Sign in

Write

Sign in

What Happened in the Indiabulls Fake Loans Scam?

Padmini Das
5 min readSep 30, 2022
Loan fraud

Another day, another fraud. Well, technically, quite many other frauds!

This time it’s a popular fintech company which somehow failed to beef up its due-diligence borders and ended up underwriting scores and scores of fake loans for fraudsters in the name of other people.

Indiabulls has found itself in the middle of a fake loan scam that came to light recently. Users on social media shared screenshots and other evidence showing how loans have been availed in their names in Indiabulls’ Dhani app, without them knowing how. As it turns out, fraudsters used the permanent account number (PAN) details of customers enlisted on the app to avail loans from the company.

How did such a glaring loophole come to be? And more importantly, what’s being done to mitigate the damages?

What Happened, Exactly?

Indiabulls Consumer Finance is the non-deposit taking NBFC (Non-Banking Financial Company) division of the Indiabulls Group conglomerate. It owns a software company called Dhani which is an app-based lending platform in the personal loans and microfinance domain. It offers a coterie of fintech services like recharge, loan payments, insurance payments, stock investments, buy-now-pay-later schemes etc.

However, around the middle of February 2022, there was a flurry of customer complaints on social media about various malfunctions on the app.

FIRST thing that was reported was stealing and misappropriation of loans. And the victim list includes even celebrities! For instance, Sunny Leone says that her account shows she availed for a loan amounting to ₹2,000 ($26.2) and then defaulted on payments. But she has no knowledge of applying for such a loan ever. The reason she found out about it is because of the SECOND thing that happened…

Credit scores went for a dive. Beside Leone, Reuters journalist Aditya Kalra and many others also reported that their credit scores went for a toss soon after the fake loan was evidently disbursed in their names.

This hints at the THIRD thing, which is, identity theft. And this was done by stealing the personal information of customers (e.g. PAN) which was shared on the app. Which reminds us…

Whatever Happened to KYC Rules?

The reason why know-your-customer rules were enforced by RBI in 2004 was to essentially stand as the first line of defence against the commission of financial frauds. Identity verification remains crucial to lending operations not only from the viewpoint of secured finance but also to ease lending in a country like India which is plagued with low credit penetration.

But when it comes to NBFCs and new-age fintech players, digitisation remains key to their customer onboarding and loan facilitation process. People approach NBFCs due to the regulatory leeway afforded to them compared to traditional financial institutions like banks which mandate long-drawn and cumbersome KYC procedures.

As it turns out, long it may be drawn but a robust KYC is what fool proofs a system that is vulnerable to innumerable hacks and bypasses by frauds every day.

This is not to say that NBFCs are completely lax in their KYC verification processes. But there are layers within layers that drive this process and fool proofing means safeguarding against all those layers.

First of all, the types of KYCs out there are as varied as Vogue issues. There’s paper-based KYC (in-person verification), Aadhaar-based eKYC (OTP- or Biometric-based verification), offline KYC (XML/PDF/QR code-based verification) and digital KYC (live photo-based authentication or PAN/Aadhaar/Driving Licence-based geo-tagged verification).

NBFCs usually rely on the last mode. Online or digital KYC verification works to their advantage in a number of ways because it reduces a) massive onboarding costs b) long turnaround times c) errors arising from manual verification d) hassles and guarantees remote verification.

Nevertheless, online KYC relies to a great extent on third-party verification services like banks or the UIDAI (the organisation issuing Aadhaar cards). It is also limited in exercise on account of being a secondary verification process because it involves verifying the information in the officially valid documents (like Aadhaar etc.) but not verifying the document’s authenticity per se.

As you can see, loopholes abound.

Is the System Really That Weak?

Well, not exactly. Digital and tech ecosystems are evolving every day and with it, the number of fraudulent activities is increasing too. There are meticulous risk management systems in place to guard against loopholes and redundancies in the system. The two-factor authentication, for example, is the single-biggest bulwark of digital financial security and hence it is justifiably employed by entities to fortify their networks against fraudsters.

What happened with the Dhani app, however, sounds like a gross operational oversight. There are two theories to consider here. First, that it was an external racket which ended up duping people out of their pockets through fraudulent means. If this was the case, then Dhani’s authentication process and the basis on which it sanctions loans are now questionable and it merits reform at once.

But then again, a heist of this nature requires immense capital and manpower to pull off and even then, there are chances of some details not being checked out before the actual disbursement of loans happen. If it did check out, however, it suggests extremely lax safeguards in the system which can be manipulated easily without trace.

The second possibility, on the other hand, is an inside job. If the application API of Dhani had been working seamlessly so far then there would be reason to believe that human intervention was at the core of the ongoing scam. Without personnel from inside the company greenlighting the loans (despite witnessing such glaring irregularities), such mishaps would have been impossible. In that case, the fraud happened at the company’s end which is inexplicable to say the least and unconscionable at the worst.

To that effect, two heads rolled back-to-back at Indiabulls recently with Sameer Gehlaut (founder promoter) and Gagan Banga (non-executive Director of Dhani) resigning in quick succession. What’s peculiar is also the fact that this isn’t the first time Indiabulls has been accused of misappropriating public money.

Allegations of close to ₹98,000cr ($12.8bn) being syphoned off through loan transfers to shell firms floated in June 2019 with multiple petitions calling for the resignation of the top executives. In fact, the Group was accused of being party to illegal transactions in the amount of thousands of crores involving real estate firms who were associated with the 2G scam and Dawood Ibrahim.

In any case, the story has revived the debate on the digital lending framework surrounding fintechs and NBFCs in the country. If all it takes is half-baked identity details and photoshopped PAN cards to defraud a legion of digital banking infrastructure, then are the lending platforms reliable enough to service credit facilities. It’s also concerning from a data security perspective with more and more firms reporting data breaches and sales on the dark web lately.

So, trust your lending app, but tie up your… no, actually, don’t trust your lending app… until it checks out every single box on data security parameters before you use its service.

(Originally published March 17th 2022 in the TRANSFIN E-O-D Newsletter)

Loans
Debt
Loan Scam
Fraud
Banking

--

--

Padmini Das

Written by Padmini Das

16 Followers

Lawyer and policy professional. Passionate about international law and governance.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams