Hot Deal

Bollywood actor Sunny Leone is not a loan defaulter, but her credit report says otherwise.

The ghost loans haunting Indian fintechs like Dhani

From actor Sunny Leone to police constables in Jaipur, victims of ghost loans are legion. At fault are growth-hungry lenders, willing to take shortcuts and ignore safeguards in their quest to build out their loan books.

* Dhani’s loose KYC processes created the perfect ground for fraudsters to commit ID theft

* Dozens of people are waking up to loans they never took on their credit reports

* The true scale of this problem can be discovered only when people check their credit reports

* The KYC process is also riddled with cracks that let fraudsters slip past.

<blockquote> Ironically, Leone found this out while applying for a loan. “We bought a home last year, and as bank [home loan] rates had dropped, we were exploring a new bank,” recounts Daniel Weber, Leone’s husband and manager. Among the documents required for the loan was Leone’s credit report, which revealed that Leone had outstanding dues from a Rs 2,000 ($27) loan disbursed by Dhani, the lending arm of the Indiabulls Group. The loan had been availed some four to five months prior.</blockquote>

This blemish on her credit report saw Leone’s credit score dip by as much as 20%, Weber told The Ken, despite always having had “amazing credit”.

<blockquote>The only thing that linked Leone to the loan was her name and PAN number. Other details needed to take a loan—such as her address, phone number, email ID, date of birth, and bank account details—were incorrect.</blockquote>

Leone is one of the more high-profile instances of Dhani’s ghost loans but she’s hardly the only one. Data science professional Zubin Mehta came to know of a ghost loan taken in his name when collection agents showed up on his doorstep, demanding he repay Rs 1.3 lakh ($1,740) he supposedly borrowed from Dhani. And while both have since had their credit reports rectified, a growing chorus of users have raised similar complaints against Dhani.

These issues are something of a rude awakening for four-year-old Dhani Services which claims to have lent to 3.5 million borrowers over the past year. Primarily focused on borrowers who are new to credit, it has disbursed close to Rs 3,470 crore ($464.5 million) in credit. These complaints, however, raise question marks about the company’s lending practices—particularly, its Know Your Customer (KYC) processes. (We’ve written about Dhani’s questionable business model in the past). .

Sloppy and broken KYC processes have the potential to lead lenders down a rabbit hole of bad loans. And, as we’re starting to see with Dhani, plenty of legitimate credit seekers can also get caught in the crossfire. These people could see their credit scores impacted, resulting in higher interest rates or even becoming ineligible for credit, all because of a ghost loan haunting their credit report.

Dhani, for its part, maintains these are all cases of identity theft. However, while that may be the case, it’s the company’s lax KYC processes that enabled these alleged bad actors to take loans with falsified IDs. Even though the majority of Dhani’s users choose to do their KYC validation using Aadhaar, the company’s blindspot stems from between 25-40% of borrowers using other documents as proof of identity and address, according to a Dhani executive who spoke on condition of anonymity. The executive claims that about a quarter of these cases turn fraudulent. In response to questions sent by The Ken, Dhani maintained that its KYC processes were in line with industry standards but admitted that frauds were perpetrated by forging KYC documents.

<blockquote>Dhani isn’t the only lender. Srikanth Lakshmanan, part of CashlessConsumer, a consumer collective working on digital payments, noticed similar complaints from another company, Arth Digital, which serves as payments giant Paytm’s* lending partner. A three-year-old micro loan-focussed non-banking financial company (NBFC), Arth has issued 500,000 loans, mostly to borrowers who are new to credit. 35% of its loans originated via Paytm, according to a company spokesperson. The Ken presented 16 alleged ghost loan cases to the company. A company executive claimed that these borrowers were all genuine as per their KYC records.</blockquote>

These instances may only be the tip of the ghost loan iceberg.

“3-4% of digital onboardings will end up in ID theft if proper KYC norms are not followed,” says Ashok Hariharan, co-founder of IDfy, an ID authentication solution provider.

<blockquote>It is easy to find people’s PAN numbers, Aadhaar numbers, etc. One such way is through data leaks and hacks of central databases like CSDL. In October 2021, an attack on CSDL’s KYC arm exposed personal and financial information of 40 million Indians.</blockquote>

Modus operandi

Every lender needs to know three things before approving a loan. Is the borrower who they claim to be? Are they able to repay the loan? And if so, how much should the lender disburse?

To prove the first part, also known as KYC, lenders ask for proof of identity and address. The Reserve Bank of India, the country’s central bank, has mandated that potential borrowers provide photo proof, a PAN card for proof of identity, and one original verified document—either a driver’s licence, voter ID, NREGA Card or Aadhaar card—for proof of address.

It also allows fintechs to use one of three methods to carry out KYC:

a) In-person verification

b) Electronic KYC, or eKYC. Usually, this simply involves inputting one’s Aadhaar number, which can be used to verify that a borrower’s details, phone number, etc, are all genuine. However, a Supreme Court mandate in 2018 allows users to also use other documents for verification, which can then be vetted against the government’s own KYC repository

c) Video-based verification, where borrowers hold up their ID and address proof and speak their name, which is verified in real-time by a company representative.

The first and last methods are both more expensive, leading fintechs to rely largely on the eKYC route.

In truth, Dhani’s KYC process isn’t vastly different from most other fintechs.

Dhani, like many other fintechs, including Slice, Kreditbee, MoneyTap, and Early Salary, allowed users to upload documents to complete the KYC process. This allows fraudsters to bypass these safeguards using tampered documents to obtain loans.

In the case of Aditya Yogi Kalra, a senior journalist with international news agency Reuters, fraudsters used two tampered ID documents—a PAN card and an Aadhaar card—to take out a loan in his name. The former, issued by the Department of Income Tax, is used by credit bureaus to monitor all financial transactions. It’s also easily forged, with a number of Android apps allowing fraudsters to generate fake PAN cards.

“When you upload a PAN card image, it is hard to know if it has been tampered with,” says Anand Venkatanarayanan, strategic cyber-security advisor at Deep Strat, a New Delhi-based Think Tank. With the PAN card submitted in Kalra’s case, only his name and PAN number were accurate. All other details—Kalra’s photo, signature, and his father’s name—were incorrect. On the Aadhaar card, every detail barring Kalra’s name was incorrect.

The bank account to which the loan was issued was a Paytm Payments Bank account—a bank that has had its fair share of KYC issues, as we’ve noted in the past. The Ken discovered that the bank account bore a name similar to Kalra’s—Adity Yogi. While Dhani’s system should ideally have caught this discrepancy, it just goes to show how fallible the KYC system is. Dhani told The Ken that it has stopped onboarding via document uploads while it shores up it security measures.

The KYC mismatch

<blockquote>The issue ultimately comes down to verifying the KYC data submitted by borrowers. To do this, lenders need a set of APIs—software interfaces that allow different programmes to communicate with each other. In this case, lenders require a PAN card API, which pings government-owned National Securities Depository Limited to verify if such a PAN card exists. Similarly, a UIDAI API verifies the authenticity of an Aadhaar account and a bank account check returns information on whether the bank account exists along with the name of the holder.</blockquote>

However, none of these databases are linked to each other, says Venkatanarayanan. So, all that lenders doing digital KYC are checking for is whether these individual pieces of data are authentic rather than verifying who controls them. “Companies have to do a match between all these different proofs by themselves, make a determination, and then arrive at a risk score they are comfortable lending at,” adds Venkatanarayanan.

And that’s when all hell breaks loose.

Arriving at a risk score based on these thresholds is a fine balance. Increase the threshold too much, and even genuine customers won’t be eligible for credit. Lower it, and the fraud floodgates open.

What makes this particularly complex are the India-specific complexities on the ground. This begins with something as simple as names. It isn’t uncommon for Indians to have different names listed on their various IDs. Many women, for instance, change their names after marriage, leading to different names on different documents. Requiring names to match exactly across documents would result in even genuine candidates being flagged. “In those cases, we’ll need proof of the name change,” said the founder of a buy-now-pay-later (BNPL) company. Dhani told The Ken that it follows a stringent name-matching protocol for approving loans.

Birth dates are another issue. Pinging the NSDL site to verify the authenticity of a PAN card only confirms the holder’s name and PAN number. It does not confirm the date of birth. So, companies need to scrape this information from the uploaded documents and verify that it matches.

Matching addresses is also difficult since addresses on different IDs also rarely match. While some fintechs refuse to disburse loans unless all these matches others are wary of losing genuine customers due to this.

If we look for very high accuracy on names and address, my customer acquisition funnel drops by a fifth. The company spends Rs 700 ($9) to acquire a single customer

Beyond all this, companies also need to ensure that the photo proof provided by borrowers is accurate. Most companies mandate taking a selfie, as RBI mandates that lenders collect a photo. But the BNPL founder quoted earlier admits that their facial recognition algorithms can barely match the face across the PAN, Aadhaar, and selfie since the image quality varies across these documents. He said they don’t even try matching faces across IDs. Instead, they make sure the selfie captured is that of the borrower.

The final step is to verify that the bank account the loan is disbursed to belongs to the applicant. Companies check this by initiating a transfer to ensure the bank account details are correct. “We only disburse a loan if all the names across all the ID proofs and the bank account are a match,” said the founder quoted above. Dhani appears to have not done this in Kalra’s case.

The real cost of fraud

This whole process becomes even shakier since companies are adapting their systems to accommodate new-to-credit customers, some of whom aren’t tax payers and hence don’t even have a PAN card. Many of these people engage in ID fraud just to take a loan, and even diligently make repayments. This seems to be the case in many of the fake loans found on Arth Digital. Some of the victims’ credit reports showed that there was an overdue amount of between Rs 1-1,000 ($0.02-$13.4).

For Hansraj Choudhary, a 32-year-old police constable from Jaipur, he realised that something was amiss when an application to upgrade his SBI credit card was rejected. The reason, he was told, was that his credit score wasn’t good enough. That’s when he checked his report and saw that there was a loan for Rs 9,900 ($132.5) against his name in August 2021 from Arth Impact-Paytm. The outstanding amount was just Rs 999 ($13), which Choudhary simply offered to pay off to fix his credit score. The Ken reached out to two others with ghost loans from Arth-Paytm—both were contemplating the same solution to get their credit scores back to normal.

This was something Leone contemplated, too. “We thought of just paying back the Rs 2,000 and getting this off the credit report. But we decided to instead call it out. Imagine how much the companies would earn if people decided to just pay it,” says Weber. Dhani told The Ken that its customer care teams are working to help the impacted individuals, even as its tech and risk management team work to build more robust security solutions for the platform.

Arth’s spokesperson claims that the company closes loans when they see that outstanding dues are minimal. The company also said a reason behind the ghost loan issue, is also a case of users not understanding how to parse their credit scores. “With the rise in digital loans, customers are running [credit] bureau report checks for the first time. We also need to educate them on how to consume it,” says the company representative, adding that while working with a large brand as a partner, it is possible borrowers do not recall the financing partner.

For genuine victims of these loans, however, the damage goes beyond the monetary. Their identity is irreversibly compromised, and they are at risk of being targeted by similar scams across other financial institutions. For instance, using the fraudulently acquired loan, a fraudster could hit any of the digital gold lenders and buy an asset like digital gold. They could then pledge that as collateral and take a gold-backed loan, explains the Dhani executive quoted earlier. A default on this could further dent the victim’s credit score.

The damage to victims’ credit scores can have a significant impact on their access to credit going forward. “If someone’s credit score got whipsawed by 50 points at least, that is a 200 basis point impact. So, if they now apply for a home loan of Rs 1 crore ($13,387), they will be charged an interest rate of 12% rather than 10%. On a yearly basis, they just lost Rs 2 lakh ($2,678),” says Venkatanarayanan. Lenders like Dhani, on the other hand, will only lose the principal amount.

“Dhani may have lost a few crore as bad loans but that is nothing for them. Cost to scammed borrowers may be a few hundred crores and they will only know when they apply for a loan. The normal process for resolution is for the borrower to either pay off Dhani for a speedy resolution or do a dispute resolution with the credit bureaus, which is a lengthy process,” says Venkatanarayanan, highlighting how, at the end of the day, it is the victims rather than the lenders who are left counting the cost.


12 Dimers
  • Sort By
Deal Cadet Deal Cadet
Link Copied

We are giving PAN, Aadhar for ekyc purposes. Xerox centers can collect as many as they want. Privacy is a myth. Unrestrained growth results in incidents these.

Benevolent Benevolent
Link Copied

Who will wake up RBI?

Deal Captain Deal Captain
Link Copied

Nirmala sitharaman with suprabhatam

View 7 more replies
Generous Generous
Link Copied

As everything is linked with mobile no. there should be otp authentication for PAN, when someone punch it anywhere or atleast sms/mail intimation of use

Helpful Helpful
Link Copied

This is good idea everytime someone’s id is used than a sms/mail should be sent to them

Deal Cadet Deal Cadet
Link Copied


Deal Cadet Deal Cadet
Link Copied

Saw Twitter thread very Person’s PAN and Aadhar was also faked (except name, all other details are fake) for Dhani Loan. Scary. I will stay away from Dhani and suggest others too. Have heard too many such stories regarding this company.

Benevolent Benevolent
Link Copied

Deal Cadet Deal Cadet
Link Copied


Click here to reply