Digital lending: The two-way trust deficit and how lenders can crack data security

Aparna Chandrashekar   /    Content Specialist    /    2022-01-07


The Covid-19 crisis has brought the lending industry to an inflection point - digital adoption and finance consumption in India grew significantly. The fintech adoption rate in India is 87% as opposed to the global average of 64%, driven largely by the working population (aged 18-33), where credit penetration is 8%. This meant people in dire need of money turned to doom-scrolling on their smartphones to get instant credit - something that evolved into fraud, hounding and social shaming.

Approximately half of the digital borrower pool was exposed to fraud of some kind in the past two years, as per PwC’s Global Economic Crime and Fraud Survey 2020. That doesn’t even begin to cover the notoriety of nefarious digital lending apps - which were essentially digital fronts for traditional lenders. Last year, there were several reports about harassment by unregulated digital lending apps that abetted suicides for a few, while threatening many with fake legal notices and even images morphed onto pornographic content.

Such practices have dented borrower trust and confidence in digital lenders and started a wider conversation about data ethics, safety and security. 

Trust Deficit 

For as long as lending institutions have existed, they’ve been privy to personally identifiable financial information about their customers. Trust was a one-way street back then - with lenders ‘assessing’ borrowers as trustworthy to lend to, or creditworthy. And with limited availability of lending institutions, desperate borrowers hardly cared about the consequences of what lenders did with their data.

However, now there’s a deluge of lenders sitting one Google search away and the scales have tilted. Besides, borrowers expect hyper-personalised products. Here’s the catch - for hyper-personalisation, lenders need access to more than just a borrower’s financial history; they also need to account for the borrower’s intent and willingness to pay.

It’s not just personally identifiable information anymore, it’s the nitty-gritty details of someone’s lifestyle. 

For context, here are the broad categories of data digital lenders have access to -

Personally Identifiable Data

Any data that can be used to identify a particular person: PAN card, Aadhaar card, bank account details, email address.

Device data

For unsecured lenders, this is one of the main sources of personal data. It covers any data generated by a person’s computer, mobile phone, web browser or other device which could personally identify them. For instance, online identifiers such as IP addresses, cookies, pixel & ad tags, JavaScript, radio frequency identification (RFID) tags, apps on your smartphone, SMSes etc. are all analysed by modern lenders in addition to bureau scores to arrive at a more contextual lending decision.

Bank statement

Most companies process bank statements to extract financials from account statements and organise & structure the data in a way that makes cash flow easier to understand. The processing is done to verify proof of employment and income, and to assess creditworthiness, before approving loans/mortgages.

Credit bureau data

In India, four agencies – CIBIL, Equifax, Experian, and CRIF Highmark – provide their proprietary detailed credit reports and scores for every individual. These organisations predict customer behaviour and lending patterns and aid faster credit decisions.

Platform Transaction data

Information captured at the point of sale on any online platform. It records the time, place, price point of the transaction; payment method, discounts etc. For instance, Amazon can look through a customer’s transactions with the platform in the past and arrive at a decent approximation of their eligibility for a buy-now-pay-later programme. 

Security and privacy challenges faced by lenders

It’s no surprise then that potential customers hesitate to a degree before making the decision to borrow. Data released by the Reserve Bank of India (RBI) for 2020-21 reveals that banks and other financial institutions reported cyber frauds worth Rs. 1.38 trillion. In a survey conducted by ACI Worldwide & YouGov in May 2021, 71% of the respondents were concerned about frauds and scams as a result of Covid-19, up from 47% at the onset of the pandemic.

Some more food for thought from the survey - 42% were concerned about digital transactions (UPI/Wallets) resulting in fraud and 36% were worried about data privacy.

Digital payment volumes are reaching dizzying heights every day, and that should be telling of two sides of the same coin - the trust customers are bestowing on lenders & the urgency with which lenders need to address security challenges.

Some of the most common security challenges faced by lenders - 

Cloning of digital identities

Involves manipulating existing photos, audio and videos into fakes that look real, raising ethical and legal concerns.

Malware contagion

Software purposely designed to cause damage to a network, computer, or server without the owner’s knowledge.

Advanced persistent threats

Where an infiltrator or unauthorised user enters a lender’s systems or network undetected and remains there for an extended period with the intention of stealing financial and personal data, laundering money, or committing ATM and credit card fraud.

Distributed Denial of Service (DDoS)

A DDoS attack involves overloading a network with traffic to make it inaccessible to its intended audience. It usually happens via a botnet composed of traffic from IoT devices, computers, and websites.

Social engineering

Includes phishing and other malicious actions accomplished through interactions and psychological manipulation that trick users into making security mistakes or giving away information.

Risk Mitigation 

A data breach is perhaps the single biggest risk that lenders face today. A report from IBM reveals that the cost per data breach in the financial industry for 2020 averaged about $5.85 million. The direct costs of breaches, like lost funds, penalties, fines and increased insurance expense, can be quantified, but the loss of reputation and borrower trust is not easy to quantify; what is guaranteed, however, is that the price of those factors is also very high.

Ensuring data security in the lending industry isn’t just the job of the CTO or the CSO. Every single role in the company, from the directors to the customer service representatives, needs to be integrated into a tight security plan.

Data security has many nuances, and managing it falls broadly into two categories -

Data in transit

Data that moves from one location to another, whether it’s travelling across the internet to the borrower and back, or through internal networks and company cloud storage platforms. For instance, borrowers uploading financial information and personally identifiable information to their lender’s server. In the lending ecosystem, most of the data in transit comes from the borrowers, who more often than not use public, unsecured networks. This leaves data in transit at a greater risk of damage.

Data at rest

Data that is static and remains in one location - a database, off-site storage, a warehouse, or another repository. The longer this data sits in one location, the longer it has to be secured against bad actors. All personally identifiable data that’s stored with your lender and their technology partners, for instance, is also at a big risk of leakage, since it’s not constantly monitored like data in transit.

A sound cyber security policy is then a multi-pronged approach that involves - 

Data classification

Classifying data governs how information is stored and who has access to it. There are two classifications: identity information and financial information. The former is unique to every borrower, is classified as highly sensitive data, and is encrypted with limited access even within an organisation’s hierarchy.

Encryption

Think of encryption as a puzzle with a key for every piece. Broadly, the pieces are sensitive information, the network connection for data in transit, and the internal database. If lenders are missing a key to even one of these pieces, there’s a chance of a leak. Hiding sensitive portions of data, encrypting the transit connection and encrypting the database are the keys to ensuring data integrity.
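As an added illustration of the data classification and "hiding sensitive portions" points above (example code, not from the article or from FinBox): a small Python sketch that classifies borrower fields as identity or financial, masks identity fields for human display, and replaces them with keyed HMAC tokens before a record reaches an analytics pipeline. The field names, the sample record and the demo key are constructed for the example; encrypting the vault that holds the raw values and the key is assumed to happen separately.

```python
import hashlib
import hmac

# Field-level classes following the article's split: identity data is highly
# sensitive and tightly access-controlled; financial data is what the risk
# engine actually needs. Field names are constructed for this example.
IDENTITY_FIELDS = {"pan", "aadhaar", "account_number", "email"}
FINANCIAL_FIELDS = {"monthly_income", "bureau_score", "avg_balance"}

def classify(field: str) -> str:
    """Return 'identity', 'financial' or 'other' for a record field."""
    if field in IDENTITY_FIELDS:
        return "identity"
    if field in FINANCIAL_FIELDS:
        return "financial"
    return "other"

def mask(value, keep_last: int = 4) -> str:
    """Hide all but the trailing characters, e.g. for support-desk screens."""
    text = str(value)
    if len(text) <= keep_last:
        return "X" * len(text)
    return "X" * (len(text) - keep_last) + text[-keep_last:]

def tokenize(value, key: bytes) -> str:
    """Keyed, deterministic pseudonym via HMAC-SHA256: the same PAN always
    maps to the same token (so records still join), but the token cannot be
    reversed without the key, which lives only with the raw-data vault."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:32]

def for_analytics(record: dict, key: bytes) -> dict:
    """Copy of `record` in which every identity field is tokenized, so the
    analytics/risk pipeline never receives raw identifiers."""
    return {f: tokenize(v, key) if classify(f) == "identity" else v
            for f, v in record.items()}

def for_display(record: dict) -> dict:
    """Copy of `record` with identity fields masked for human viewing."""
    return {f: mask(v) if classify(f) == "identity" else v
            for f, v in record.items()}

# Constructed sample borrower record and demo key (not real values).
SAMPLE = {"pan": "ABCDE1234F", "aadhaar": "123412341234",
          "monthly_income": 55000, "bureau_score": 742}
DEMO_KEY = b"constructed-demo-key-replace-with-vault-managed-secret"
```

Because the tokens are deterministic under one key, rotating the key re-tokenizes every record, which is the trade-off to plan for when the vault key is rotated.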

Application security

Tools to secure the application after deployment: penetration testing, enhanced with a web application firewall, secret-key-based authentication, and a threat detection service that monitors for malicious activity and automatically reports through email or a Slack channel if suspicious activity is detected. This could prevent a potential account takeover attempt or even detect fraudulent loan applications, for instance.

Cloud security 

Procedures to secure cloud computing against external & internal threats. Virtual Private Clouds (VPCs), for instance, allow enterprises to have their own private cloud space within a shared public cloud infrastructure. Imagine a cloud provider’s infrastructure as an apartment building. Being a public cloud tenant is like sharing an apartment with a few roommates, whereas a VPC is like having your own private condo - no one else has the key and nobody can enter the space without your permission.

End-user education

Explicit consent communication that is easy to understand is the cornerstone of a solid security and compliance framework. Lenders must ensure that borrowers are informed of their choices - how data will be collected, stored and used, and what the process is to revoke such consent.

Conclusion 

Most cyber attacks can be prevented by making sure borrowers and lenders follow basic rules for password security and two-factor authentication, along with the measures their lending automation platform has in place.

For instance, at Finbox, all of the above is addressed with Finbox’s Risk Management and Analytics engine that preempts any suspicious activity and has automated workflows to detect, block and repair access before data moves out. 

We also follow a few basic guidelines to ensure a secure, compliant partnership environment - 

  • Compliant with ISO 27001 or similar certifications

  • Servers hosting customer data are located in India

  • Encryption of data at rest and in motion

  • Tokenization of sensitive data and anonymization of all personally identifiable information

  • Working only with RBI-regulated entities for lending

  • Defined incident management and business continuity plans

  • A data backup and recovery process

  • Annual internal and external security audits

  • Frequent, automated penetration testing and vulnerability scanning

Apart from the hygiene factors for third-party partnerships mentioned above, we also have an explicit consent communication framework.

FinBox is an ISO-27001 technology product company working with banks & NBFCs to help them launch modern lending products such as BNPL, Credit Lines and instant personal loans through its embedded finance infrastructure.