Cyber ​​fraud attacks: Government offers technical assistance to account aggregators struggling to cope with wave of scams

Cybercriminals, from digital lending startups to payments companies, are targeting nearly every aspect of the financial technology industry to gain access to crucial customer data.

Non-banking financial firms – account aggregators (NBFC-AA), which are just starting to grow, have become the latest target for fraudsters.

Two people in the know said that the Indian Cyber ​​Crime Coordination Centre (I4C) recently met top executives of several major non-bank financial institutions to discuss cyber fraud attacks and how to deal with them.

As a result, AA members have decided to block access to certain features, such as balance checking and customer profile creation, that they previously offered on their customer-facing apps in order to protect customer data.

NBFC-AA is a new regulated sector directly supervised by the Reserve Bank of India. Their mandate is to manage a consent-based architecture for the free flow of financial data across multiple financial services entities.

Consumers looking for a loan from a specific bank can opt in to have their financial statements downloaded from the other bank, which can help better assess risk. With the AA ecosystem, consumers don’t have to rely solely on their banks to get the best services and can use any financial service provider.

RBI has granted licenses to 16 companies offering account aggregation as a service. Perfios Account Aggregation Services, Finvu, Cams Finserv and NeSL Asset Data Ltd are some of the major AA license holders. PhonePe, DigiO and Setu are other prominent fintech companies that have recently received AA license.

How scammers operate

Fraudsters who manage to compromise a consumer’s mobile number can easily generate an OTP and access that data, one of the people said. In some cases, they also use the customer’s compromised mobile number to generate a duplicate debit card, the person added.

From now on, AA apps will only show consent granted by the customer and those accessing that data in their apps. All other features have been disabled, the people said.

Installation of protective barriers

“Account aggregators are constantly taking extra steps to strengthen their security measures. You will agree that strengthening any ecosystem is an evolving and continuous process, and all participants in the ecosystem take it very seriously,” said BG Mahesh, CEO of Digisahamati Foundation (Sahamati), a non-profit alliance of account aggregators.

Mahesh said Sahamati has also set up an anti-cyber fraud group, which includes financial firms and NBFC-AA companies. The group is tasked with tracking cases of online fraud and recommending additional steps to combat online fraud.

“We are increasing our vigilance to ensure that fraudsters cannot access formal financial services through our systems,” said another industry official who attended the meeting.

Evolution of the AA ecosystem

The move follows a warning from the Reserve Bank of India against malpractices committed by fraudsters at closed industry meetings.

Data from Sahamati shows that there are around 77.2 million accounts linked to the AA ecosystem. Around Rs 42,000 crore of loans have been disbursed to 4.2 million consumers and businesses till June-end. The current monthly rate of loans processed through the NBFC-AA ecosystem is around Rs 4,000 crore.

Commenting on the technical strength of the network, Mahesh said that data transferred through NBFC-AA has yielded great results in curbing frauds in lending and other financial services.

“ReBIT (RBI’s information technology subsidiary) has implemented a robust technical framework for Account Aggregator to be able to offer secure and consent-based solutions,” he said.

ET had written on June 26 that the central government, through I4C and RBI, has been conducting regular workshops and sessions to crack down on cases of use of shell accounts used for illegal money transfers.

RBI data shows that fraud incidents have increased by almost 300% in the two years to 2024. Around 36,000 fraud attacks were reported in fiscal 2024.