From digital lending startups to payment companies, cyber criminals are targeting almost every facet of the fintech industry to gain access to critical customer data.
Non-banking finance companies – account aggregators (NBFC-AAs), a segment that has only just started to take off, have become the latest target of fraudsters.
Two people in the know said the Indian Cyber Crime Coordination Centre (I4C) recently met top executives of some of the major NBFC-AAs to address issues of cyber fraud attacks and ways to tackle them.
Consequently, the AA participants decided to shut off certain features, such as balance enquiry and customer profile, that they had previously offered on their consumer-facing applications, in a bid to protect customer data.
NBFC-AAs are a newly regulated sector directly under the purview of the Reserve Bank of India. They are tasked with managing a consent-based architecture for the free flow of financial data between multiple financial services entities.
Consumers seeking credit from a particular bank can give consent for fetching their financial statements from a second bank, which can help in better underwriting. With the help of the AA ecosystem, consumers do not need to depend solely on their banks to get the best services and can use any financial services provider.
The RBI has licensed 16 companies to offer account aggregation as a service. Perfios Account Aggregation Services, Finvu, Cams Finserv and NeSL Asset Data Ltd are some of the major AA licence holders. PhonePe, DigiO and Setu are other prominent fintechs which recently received AA licences.
Modus operandi of fraudsters
Fraudsters who manage to compromise a consumer’s mobile number could easily generate an OTP and access this data, one of the persons said. In some cases, they also use a customer’s compromised mobile number to generate a duplicate debit card, the person added.
Henceforth, AA applications will only show the consents a customer has given and the entities accessing that data through them. All other features have been shut down, the people said.
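As an added illustration, not code from any account aggregator, from ReBIT's framework or from the original article, the following Python models the weakness the persons describe: an OTP delivered to a phone number proves only control of that number, so whoever has hijacked the number passes the check. The device-bound variant is included for contrast as an assumed hardening, not as a description of what the AAs actually deployed; the server class, customer record, device secret, 6-digit OTP format and 120-second lifetime are all constructed for this example.

```python
"""Why a phone-number-bound OTP alone is defeated by a compromised mobile number.

Added illustration only. The server, the enrolled device secret and the OTP
format below are assumptions constructed for this example; they do not describe
any real AA application or ReBIT's technical framework.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120  # assumed OTP lifetime


def device_sign(secret: bytes, phone: str, otp: str) -> str:
    """What an enrolled app would compute over the OTP it just received.

    The secret never leaves the device, so an attacker who only controls the
    phone number cannot produce this value.
    """
    msg = f"{phone}|{otp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class OtpServer:
    """Minimal OTP issuer. OTPs are single-use and time-limited."""

    def __init__(self):
        # phone -> (otp, expiry). The phone number is the only identity the OTP binds to.
        self._pending = {}
        # phone -> device secret enrolled at onboarding (assumed to be kept on the device).
        self._device_secrets = {}

    def enrol_device(self, phone: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._device_secrets[phone] = secret
        return secret  # handed to the enrolled device, never sent by SMS

    def issue_otp(self, phone: str, now=None) -> str:
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (otp, now + OTP_TTL_SECONDS)
        # In reality this goes out by SMS; whoever controls the number receives it,
        # which is exactly the attacker's position after a number compromise.
        return otp

    def _consume_otp(self, phone: str, otp: str, now: float) -> bool:
        record = self._pending.get(phone)
        if record is None:
            return False
        expected, expiry = record
        if now > expiry:
            del self._pending[phone]
            return False
        if not hmac.compare_digest(expected, otp):
            return False
        del self._pending[phone]  # single use: a replayed OTP is rejected
        return True

    def login_otp_only(self, phone: str, otp: str, now=None) -> bool:
        """The weak flow: possession of the phone number is the whole check."""
        now = time.time() if now is None else now
        return self._consume_otp(phone, otp, now)

    def login_device_bound(self, phone: str, otp: str, device_proof: str, now=None) -> bool:
        """Assumed hardening: the OTP must be countersigned by the enrolled device secret."""
        now = time.time() if now is None else now
        secret = self._device_secrets.get(phone)
        if secret is None:
            return False
        expected = device_sign(secret, phone, otp)
        # Check the device proof before consuming the OTP, so a guesser without the
        # device cannot burn the customer's pending OTP.
        if not hmac.compare_digest(expected, device_proof):
            return False
        return self._consume_otp(phone, otp, now)


if __name__ == "__main__":
    server = OtpServer()
    phone = "+91-9800000000"  # constructed sample number
    device_secret = server.enrol_device(phone)
    otp = server.issue_otp(phone)  # the hijacked number receives this
    print("OTP-only, attacker with number:", server.login_otp_only(phone, otp))
    otp = server.issue_otp(phone)
    print("Device-bound, attacker without device:",
          server.login_device_bound(phone, otp, device_sign(b"guess", phone, otp)))
    print("Device-bound, genuine device:",
          server.login_device_bound(phone, otp, device_sign(device_secret, phone, otp)))
```

The ordering inside login_device_bound is the practitioner's point: the device proof is verified before the OTP is consumed, so an attacker who holds only the number can neither log in nor exhaust the customer's pending OTP by guessing proofs, and the single-use rule means an intercepted OTP cannot be replayed after the customer has used it.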
Setting up guardrails
“The Account Aggregators have been taking additional steps on a continuous basis to strengthen their security measures. You would agree that strengthening any ecosystem is an evolving and continuous process and all the participants in the ecosystem are looking at it very seriously,” said BG Mahesh, chief executive officer, Digisahamati Foundation (Sahamati), a not-for-profit alliance of account aggregators.
Sahamati had also constituted an AA anti-fraud prevention group comprising financial firms and NBFC-AAs to track and recommend additional steps for combating cyber frauds, said Mahesh.
“We are stepping up our vigil to ensure fraudsters cannot enter into formal financial services through our systems,” said another industry executive, who attended the meeting.
The evolution of the AA ecosystem
The actions follow the Reserve Bank of India alerting the AA industry of misuse by fraudsters in closed-door industry meetings.
Data from Sahamati shows there are around 77.2 million accounts linked to the AA ecosystem. Around Rs 42,000 crore worth of loans had been disbursed to 4.2 million consumers and enterprises as of June-end. The current monthly run rate of loans processed through the NBFC-AA ecosystem is around Rs 4,000 crore.
Commenting on the technical strength of the network, Mahesh said data via NBFC-AAs has delivered great results in reducing fraud in lending and other financial services.
“ReBIT (RBI’s information technology subsidiary) has put in a strong technical framework for Account Aggregator for it to be able to offer a secure and consented manner,” he said.
ET wrote on June 26 that the Centre, through I4C and the RBI, is conducting regular workshops and sessions to arrest cases of mule accounts, which are used for illicit money transfers.
RBI data shows the number of fraud incidents jumped almost 300% in two years through 2024. Around 36,000 fraud attacks were reported in FY24.