If you want to launch a lending operation today and do it all via an app, you have two choices: build or buy. Those with solid tech chops who believe tech is the real differentiator prefer to build. This can take as long as two years to build and deploy ultimately. The downside to this is that the lender’s focus is on technology and not their core business. The other option is to buy a white-labelled solution off the shelf.

This is where Fintech as a Service (FaaS) providers come into the picture.  With their help, anyone can launch a lending app in a matter of weeks. You only need to find someone to bankroll the initial capital and partner with an NBFC. For the rest, the FaaS companies offer SDKs and APIs—a set of technology plugs that lending apps can insert into their sockets to start operations. These APIs offer ID verification, alternative data scoring, facial recognition, collection, etc.

The use of SDKs and APIs by these FaaS players has allowed the Indian startup ecosystem to be competitive. It allows start-ups to take on digital behemoths by giving the same level of service. However, SDKs and APIs can also unwittingly become a backdoor for intermediaries to gain insight into its clients’ users. The more lenders send data back to FaaS providers, the richer the service gets. All this means that while lenders’ data of borrowers should just be for the lender’s eye alone, it is vulnerable to external intrusions.

Independent research analysed two dozen FaaS providers out of a database of 1,000 apps and found that over 500—both legit and illegal—used Chinese service for ID verification. Over 100 apps had APIs of another two-year-old Chinese company which claims it’s a one-stop shop for lending apps based in India.

With foreign APIs and SDKs deeply embedded in Indian digital lending, the risks of data flowing out can lead to a massive data breach. Most of the massive data breaches that have happened are because of API vulnerabilities. This includes Facebook’s infamous Cambridge Analytica scandal.

Fixing the issue

There’s little doubt that APIs and SDKs are essential for the internet economy. APIs are a must for scaling, and Digital Lending initiatives will go a long way in bringing the unserved and the underserved demographics under the umbrella of formal lending.

The RBI says that all NBFCs must conduct information security audits. But the audit only covers aspects of data transfer between the loan app and the lender; it doesn’t extend to the loan apps’ service providers.

At Decimal, we’re solving this problem using a two-pronged approach when it comes to integrating with API service providers on our VahanaHub API Marketplace. Before any API or a provider is integrated with out platform, we run thorough security audits and review of Information Security Policies to identify any potential security risks before making the API services available to lenders. Besides, our solutions provide complete transparency and control to the lender through a real-time API monitoring portal which allows the lender to view the various details about the APIs and SDKs currently being used in their loan application, so lenders know where each service is coming from. Being an ISO 27001 certified firm, we ensure the highest levels of information security practices compliant with the latest regulatory guidelines. All this translates to added security and complete control of data for our clients and partners.

To understand how better we can secure your data, contact us at – sales@decimal.co.in