A large percentage of instant loan apps have the same software backend – but different frontend branding. Chinese investors then bring these apps to India with proxy directors.
Bhumana Prasad, a resident of Hyderabad, took a loan of Rs 3,500 from ‘My Bank’ – a digital lending app – in November 2019. Within a week, he repaid the amount along with interest, and soon, took another micro-loan, of Rs 4,400, from the same app. Within a few days, however, Bhumana noticed something strange. There was Rs 26,000 deposited in his SBI bank account from various sources – namely, 14 different lending apps that he had never downloaded – and very soon, all of them started harassing him, demanding a repayment totalling Rs 44,000.
How did these apps ‘lend’ money to Bhumana? And why? Police believe that ‘My Bank’ shared his details with other apps run by the same company – Jhia Liang Technology in Pune. As for the why, investigators and experts say that this is part of the modus operandi adopted by fraudulent instant loan apps. They collect your personal data, use that personal data as collateral to manipulate and harass you, and use other predatory methods to collect high interest rates – sometimes going up to even 200 or 500%.
And just like many other things – like phones, plastic toys, and clothes – this product, a FinTech scam, was Made in China.
How the fraud works
The COVID-19 pandemic led to job losses and pay cuts, starting in March 2020, and the need for credit among people increased significantly. It also became an opportune time for instant loan apps to set up shop and garner customers in India.
These companies give out a huge number of loans in smaller amounts at a very high interest rate to everyone. This way, even if there is a default, it doesn’t cause much of a loss to the company.
These apps also became so popular because they give loans to everyone, irrespective of their creditworthiness and without KYC documents, a definite loan agreement, etc.
“For example, at Moneytap we reject 95% of people. These apps approve 95% of people. In lending you are supposed to reject more than approve because you are not supposed to give money to those who don’t have the means, ability or intent to pay back,” says Anuj Kacker, the Secretary and Chair of the Digital Lenders Association of India and COO of MoneyTap.
But once people like Bhumana are trapped, recovery agents adopt coercive means for loan recovery, accessing phone contacts, images, location and much more. Data from the phones of these loan defaulters was used to make threatening calls from call centres operated by the loan apps. Instances emerged where pictures of women defaulters were taken from the phone gallery, morphed with pornographic material and shared with the contacts of the defaulter and through WhatsApp groups.
Several of these tactics were used in China by instant loan apps from as early as 2012 until a government clampdown in 2016 over predatory recovery tactics. The instant loan apps in China had issued loans worth 100 billion dollars. The move nearly killed the sector.
As China set up an Internet Financial Risk Special Rectification Work Leadership Team Office and gave instant loan apps, also referred to as Peer-2-Peer (P2P), two years’ time to clear outstanding loans and exit the industry, many of these lenders seem to have turned their attention to India.
The police crackdown on the China-owned apps has, so far, resulted in the arrest of 7 Chinese nationals and over 35 Indians by three police forces in south India. Police say they are still investigating the web of companies, and the Enforcement Directorate too has started a probe.
Balaji Vijayaraghavan, a student of criminology based in Chennai, had installed the app Snapit (later taken down by Google) in October 2020 but soon observed his bank account being used for transactions that were not linked to him. “There was a death in the family and I needed a little more money so I identified a few places where to get a loan. I didn’t even log into the app but they were still able to gain access to my bank account. I had Rs 90,000 in my bank account but noticed transactions worth Rs 8.49 lakh being carried out in my account,” says Balaji, who is now assisting the Telangana and Maharashtra police with their investigation into the apps.
Balaji is a member of SaveIndia Foundation, a team of cybersecurity professionals investigating instant loan apps operating in India. The researcher says instant loan apps gained entry to India through Fintech expos held annually in Indonesia, Malaysia and Singapore.
“While the event is held in a positive spirit, a few exhibitors from China demonstrate their instant loan apps there and a few Indian businessmen get attracted to the business model. The Software Development Kits (SDKs) are then either sold at a nominal rate or with equity for the Chinese that invest in the Indian firm,” says Balaji.
“About 85% of these apps were deployed using the same Software Development Kits, so it’s one company that makes a white label app – and then individual companies put their brand name on it. The technology backend remains the same. We saw three to four white label companies that these apps are based on,” says Srikanth L of Cashless Consumer, a consumer collective working on increasing awareness around digital payments. The collective has looked into 1,050 instant loan apps and found a range of irregularities in their functioning. About 750 of those apps are still available on Google Play Store; of them, just 300 have websites – with very little information; and only 90 have a physical address.
Chinese nationals looking to set up these instant loan app companies are said to be using proxies as directors and then taking the help of chartered accountants to set up the company.
A data war?
In 2020, a large uptake in the registration of instant loan apps was observed in India, says Cashless Consumer. All the apps were found to be storing user information, such as Facial Recognition data and personal data, on Chinese servers. The exact number of instant loan apps is yet to be fully known.
In one model that was observed, individuals came and set up a company with the help of a few Indians. “It would be set up as a micro-financing company with loan amounts as low as Rs 2,000 and the transactions are done through digital payment gateways such as Google Pay, Paytm and others,” says Srikanth L of Cashless Consumer.
Srikanth, speaking at a webinar titled ‘KillerApps – Detecting Predatory FinTech apps’, said that about 600 of the 1,050 apps analysed were found using some form of ‘liveness detection’ – to authenticate the user in the form of a selfie.
Cashless Consumer found that the selfie taken over these apps is run through Artificial Intelligence (AI) software with servers in China. “It may seem non-trivial, but has a national security concern,” the researcher says.
“It collects Facial Recognition (FR) worthy images along with personal details of the individual, so practically it has the potential to mirror the Aadhaar database if the person also provided Aadhaar while applying for the loan. These entities then collect other ID proofs. They can build a parallel Aadhaar system. This needs to be studied in-depth as to what kind of data they are storing and processing,” he adds.
Anuj Kacker says that payday lending is an extremely profitable business, and hence has attracted many as a way of making a quick buck. While it has been shown over the years and across the globe to be profitable, it has led to all kinds of debt traps and has therefore been banned in most countries. This has happened in the UK, in many African countries, China, and Indonesia.
India, say experts, was ripe for this business because we’re not new to unorganised lending at high interest rates – it has been rampant among local unorganised moneylenders. What has happened now, according to Anuj, is that instead of doing it in a physical marketplace, people have created apps for it.
He adds that despite India’s regulators being stricter compared to most countries, for those looking to make a quick buck, it’s a risk worth taking.
“They are very opportunistic and are not here for the long term. They are here as long as they can make some money and then move on,” Anuj adds.
The Reserve Bank of India (RBI), in December, took notice of the practices of these instant loan companies and put out a warning, asking the public to stay away from unauthorised digital lending applications.
It also urged people never to share KYC documents with unidentified persons, unverified/unauthorised apps and asked people to report such fraudulent activities to law enforcement agencies or RBI’s Sachet portal.
RBI has also mandated digital lending platforms used on behalf of banks and NBFCs to disclose the name of the Bank(s) or NBFC(s) upfront to the customers.
While there are also reports that RBI is looking into the source of funds of these lending apps, no further action has been taken by the banking regulator.
The Digital Lenders Association of India (DLAI) suggests that there should be a law in place not allowing short-term loans with a tenure of below 60 days, and that interest rates should be shown upfront before processing the loan.
“When you start doing minimum 60, 90 or 120 days, it’s not easy to rotate money and companies will need to raise a lot of capital, do proper collections etc. You can’t ask for very high interest rates either, which also makes the business less profitable and margins are reduced,” Anuj says.
Chinese owners, Indian proxies
Wading through the maze of shell companies throws up names of benamis – people who, in another context, could just as well have been the victims of these lending apps’ predation.
The gate of Selvaraj Singi’s house in the Kothagudem town of Khammam district in Andhra Pradesh is firmly shut. Though one can see faint movements inside the house, no one comes to open the gate. Curious neighbours confirm that Selvaraj is a teacher employed at a private school nearby. But according to the Registrar of Companies, Selvaraj is a director in four technology companies including Nabloom Technologies Private Limited. All four are being investigated by the Hyderabad police for running dubious loan apps in connivance with Chinese individuals, and are accused of harassing four borrowers, driving them to die by suicide.
Cut to Bengaluru where the busy Residency Road in the heart of the city is home to several businesses. One of them is ‘Business Hut’, a co-working space that seats around 50 people every day. When TNM reached their property to find one of their ‘clients’ Nabloom Technologies Private Limited, they told us that there’s no cubicle reserved for Nabloom at Business Hut, nor have they met its founders/directors. In 2019, a chartered accountant from Delhi representing Selvaraj Singi paid money to book a space and use the address for the company registration. The chartered accountant in turn told TNM that he does not know Selvaraj directly, but a ‘contact’ had asked for help.
Law enforcement agencies took notice of instant loan apps only in December 2020 when Telangana reported a series of suicides by those who had defaulted on loans they took from these apps. The users had taken micro loans – amounts as low as Rs 1,000 – but found themselves paying high interest rates and processing fees. Those who defaulted faced inhuman harassment by recovery agents – if some were humiliated in front of friends and acquaintances, others had their pictures morphed and shared on social media as blackmail.
Suicides and cases of harassment were also reported from Andhra Pradesh and Tamil Nadu. As of today, Hyderabad, Cyberabad, Chennai, and Bengaluru police teams are investigating hundreds of dubious loan apps, lakhs of bank transactions and a maze of proxy directors.
And every new detail they unearth is leading them to suspect a strong involvement of Chinese nationals and companies.
Who runs and owns these apps?
Selvaraj Singi is a director in four companies according to his DIN (Director Identification Number) – Nabloom, Liufang, Hotful, and Mashangfa. Liufang’s registered address is in a building in Bengaluru’s Ejipura. The office is closed, even the sticker with the name of the company has been ripped off.
“They all left one night and never came back. The police came here to ask about them,” informs the watchman.
But Selvaraj Singi is just a rubber stamp. His name was used by his son Madhu Kumar Singi.
Two Chinese nationals and an Indian national approached Madhu with a lucrative offer sometime in 2019 – a big jump in his career from being a telecaller calling people to recover loans, to heading call centres.
Madhu Singi has told the Hyderabad police that he had responded to a job advertisement in a leading jobs portal and was introduced to Nagaraj Prem Kumar. Nagaraj was already running three call centres in Gurgaon for Aglow fintech – another company.
Nagaraj along with two Chinese women – Qui Yaan Yaan or Jennifer as she was called, and Angela – set up Aglow in 2019, and four more companies in 2020. In January 2020, the women flew back to China, taking Madhu along for training purposes. “While the women did not return to India, Madhu did after a month and started the three call centres in Hyderabad, employing around 600 people. Nagaraj and another Chinese national called Zhu Wei (Lambo) were in charge of the entire operation of running 37 odd apps,” says KVM Prasad, Assistant Commissioner, Hyderabad Cyber Crime.
A look at the directors of these companies – and others that run digital lending apps – throws up a curious ‘coincidence’. Several of the people are listed as directors of multiple companies in the sector. Two of them – Palle Jeevana Jyothi and Selvaraj Singi – turn up as directors in four companies, while another person, Manjunatha Nutham Ram, is a director in 15 companies.
The lockdown in March posed a small hurdle, but operations started full swing again in July. By then, a maze of shell companies was created – and most of the directors are benamis, stand-in benefactors earning small sums of money, while the actual owners of these companies remain unknown. Selvaraj, Jeevana, and Manjunatha are people who, in another context, could just as well have been the victims of these lending apps’ predatory policies.
Madhu Raj Singi and Lambo’s operation is just one example. Currently, the Hyderabad police is investigating six companies, and the Cyberabad police one company; the Chennai Crime Branch is probing a company based out of Pune. The Bengaluru Crime Branch has filed three FIRs, and is investigating four companies.
The investigations are all moving along simultaneously, but one thing that all investigators KhabarLive spoke to said is that they’ve just scratched the surface of the issue. “There are many financial transactions and we are waiting for clarity from the RBI and from various banks. We suspect that these companies have also got money from hawala transactions, Non-Banking Financial Companies (NBFC), and even from online gambling,” says Avinash Mohanty, Joint Commissioner, Central Crime Station of Hyderabad.
The call centres were mainly based in Bengaluru, Pune, Hyderabad and Gurugram. If the call centre was in one city, the company was most likely registered in another city. But the bank accounts in all these cases were being operated by the handlers in China.
The police crackdown on the Chinese-owned apps has, so far, resulted in the arrest of seven Chinese nationals and over 35 Indians by four police forces in south India. Police say they are still investigating the web of companies, and the Enforcement Directorate too has started a probe.
But the big mystery remains: which are the Chinese companies behind these fraudulent operations in India? Who were Jennifer, Angela and Lambo reporting to?
How do lending apps work?
Traditionally, banks and NBFCs that provide loans have several rules in place – and require many documents from their clients in order to approve loans. Typically, loans are for specific uses – like a home loan, vehicle loan etc. And while personal loans are also available, there is a threshold below which the institutions will not lend to customers.
Digital lending apps, on the other hand, have no such floors. They provide micro-loans – as little as Rs 1,000. They also have a shorter repayment period, and a much higher interest rate. They typically also charge 14% to 15% of the loan amount as processing fee, and a standard interest rate of 1% a day on average. The interest rates also compound on a weekly or fortnightly basis.
When one downloads one of these apps from the Google Play Store or iOS App Store, the app demands some permissions that are, logistically, simple to provide: access to your phone contacts, access to your messages, and other permissions that we are used to routinely providing for apps we download. Although, logically, there is no need for a lender to know who’s in your phonebook, these apps cannot be downloaded without these permissions. Where traditional lenders would ask for a guarantor or proof of property, your personal data – all of it – is the collateral that these apps collect.
They also demand other information that is par for the course in our daily lives: Aadhaar, PAN number, ID proof, bank account details.
And while any of this information in isolation can be considered ‘harmless’ by the lay person, all of it combined is a vulnerability ready for exploitation by the lenders.
Dhiraj Sarkar, 25, from Assam was arrested from Haryana in August 2020 by the Hyderabad police for his role as one of the Directors at Dokypay, a gambling app operated by Linkyun Technologies Private Limited, a subsidiary of a foreign-owned company. The Hyderabad police arrested one Chinese national and three Indians, accusing them of cheating online gamers of over Rs 1,100 crore through this gaming app.
His lawyer Pankaj Singh, however, claims that Dhiraj merely worked in branding and marketing; he was never the Director of the gambling app.
“My client wasn’t aware that he was the director of the company until his arrest. He admits that he signed a few documents without question but the company was completely operated by the Chinese and my client was merely an employee,” says the lawyer.
Dhiraj is presently at Cherlapally jail and the cases against him are being investigated by the Telangana police and the Enforcement Directorate.
“We have many reasons to suspect a China connection,” says Avinash Mohanty. “We have unearthed at least 350 bank accounts from which transactions were made for instant loans. But many of these accounts are being operated by users who live abroad, even usernames and passwords are in Mandarin.”
“Most of the websites for these companies were started by their Chinese owners,” he adds.
The modus operandi
Balaji Vijayaraghavan is a student of criminology based in Chennai, and a victim of an instant loan app fraud. He is also a member of SaveIndia Foundation, a team of cybersecurity professionals investigating instant loan apps operating in India.
The researcher says instant loan apps gained entry to India through Fintech expos held annually in Indonesia, Malaysia and Singapore.
“While the events are held in a positive spirit, a few exhibitors from China demonstrate their instant loan apps there and a few Indian businessmen get attracted to the business model. The Software Development Kits (SDKs) are then either sold at a nominal rate or with equity for the Chinese that invest in the Indian firm,” says Balaji.
Chinese nationals looking to set up instant loan app companies in India, he says, have been using proxies as directors and then taking the help of chartered accountants to set up companies. Balaji alleges that one such CA helped Chinese investors float 40 companies; 12 of those companies were instant loan apps against which police have now booked cases. “We have shared details of these CAs with the Hyderabad cyber crime police,” he adds.
These instant loan companies declare themselves to be IT consultants or service providers in their documentation with the Registrar of Companies (RoC) under the Ministry of Corporate Affairs.
While disbursing loans and collecting them back, these apps carry out transactions that are many in number but small in value. Srikanth L of Cashless Consumer, a consumer collective working on increasing awareness around digital payments, says that some of them use digital payment apps such as Google Pay and Paytm, among others; as per the police, the digital payment gateway Razorpay was also used by many for transactions.
In June 2020, the RBI had come out with a notification bringing in guidelines for digital lenders linked to NBFCs. However, the guidelines don’t apply to the ones that are not registered as such, and barely affected these apps. Under Section 45-IA of the RBI Act 1934, any non-banking financial company requires proper registration to operate.
A company is allowed to lend by partnering with a bank or a non-banking financial company. According to DLAI, there are several defunct, yet valid NBFC licences. Several companies are partnering with such firms to be able to lend.
Anuj says that since these loan apps don’t really do KYC or check a person’s credit score, they technically don’t even need an NBFC at the back-end.
Further, these companies manage to get away because they are set up and operate as shell companies. There is no real physical address, directors are proxies, names are changed frequently, holding structures and board members constantly change, making it easy for them to stay under the radar.