Moneycontrol PRO
Upcoming Event:Super25 3.0- India’s Largest Online Stock Traders Conference brought to you by Moneycontrol Pro & Espresso

Navi spams users with loan offers containing PAN data, faces social media backlash

Spotlight again on the safety of personal data. Experts say people should avoid giving consent to third-party websites and mobile applications to use their personal information.

December 21, 2021 / 02:18 PM IST

On December 3, Rohit Kulkarni (name changed on request), a 38-year-old New Delhi-based marketing executive, got a text message.

The message read: “Dear Rohit, Congratulations!! Your PAN <his actual 10-digit PAN unmasked> is eligible for a pre-approved personal loan of Rs 5 lakh from NAVI. Apply now (followed by a link).”

At first, Kulkarni thought it was spam—someone trying to sell something. No surprises there; he was used to such unsolicited messages. Then, Kulkarni saw something unusual in the message: his permanent account number (PAN). And it wasn’t even masked.

“How can the company send an SMS so blatantly to random individuals with the full PAN card details in it and unmasked?” a stunned Kulkarni asked, noting that even the income tax department sends messages with PAN details masked.

Several others too complained on Twitter of being approached by Navi in a similar fashion, getting text messages with their unmasked PAN details.

After a backlash on social media, Navi, a digital lending company, stopped sending such text messages, a senior industry official privy to the matter said, asking not to be identified.

Navi did not immediately respond to a Moneycontrol query on where it got the PAN and phone data.

Aggressive selling

To be sure, Navi isn’t the first company to get hold of mobile phone numbers and PAN data. However, the aggressive selling tactics adopted by some firms once again turn the spotlight on the vulnerability of users’ personal data.

Several real estate companies, share brokers and credit card companies, among others, constantly solicit potential customers with text messages or calls. Such companies cross-sell products, offer loans at low interest rates and dangle discounts or cashback schemes to get customers onboard – a practice typically deployed by buy-now-pay-later firms.

However, what appears to have irked those approached by Navi was the leakage of PAN, which was displayed in full in the text messages. The question is: how safe is personal data and what can be done to protect it?

Navi Technologies, a new-age fintech company, was started by former Flipkart cofounder Sachin Bansal and his college friend Ankit Agarwal in 2018. It owns Navi Mutual Fund, renamed after acquiring Essel Mutual Fund acquired from Subhash Chandra’s Essel Group in February 2021. Its other businesses include lending, general insurance and microfinance. Navi has also applied for a universal banking licence.

Elaborating on its fintech ambitions, Bansal had said in an earlier interview with Moneycontrol that Navi aims to give out loans in under 20 minutes.

Third party

Kulkarni said he doesn’t recall registering for any service that Navi provides, where he may have shared his PAN details. Neither did he install the Navi app on his smartphone. Yet, Navi has his correct PAN, name and mobile number.

Other users who complained on Twitter – Moneycontrol went through some of them – also claimed they didn’t avail of any Navi service where they might have shared similar data. Many said they had not even downloaded Navi’s app.

“Navi might have sourced the personal information from a third party,” said the cofounder of a digital lending firm on condition of anonymity. “Nowadays, the personal information of customers is easily available and can be accessed easily.”

He added that the fintech firm should not use acquired databases for marketing campaigns that offer personal loans. The use of personal details of individuals should be restricted to internal analysis, he said.

Also read: How CIBIL and Experian score first-time loan applicants

Kulkarni suspects his personal information might have been leaked when he applied for a credit score report through a private bank website in mid-November.

“The credit bureau has my phone number, name, PAN card and other details to access my loan eligibility. So, a data leakage might have happened between a private banker and a credit bureau,” he said.

However, an industry official said it was unlikely that a credit bureau would share personal information with other entities.

“Nobody can use consumer data without his or her knowledge or consent. A credit bureau doesn’t share the personal data of an individual with a third party, when he or she applies for a credit report,” said the country head of a credit bureau on condition of anonymity.

Loan aggregator websites and fintech firms such as BankBazaar, PaisaBazaar and CRED give out credit score reports at no cost throughout the year. It’s important to check their terms and conditions before applying for credit reports.

Some credit bureaus ask for an applicant’s consent to share updates on loan eligibility and loan offers from partner banks or non-banking finance companies. These banks and NBFCs then call the applicants and try to persuade them to borrow by offering low interest rates.

However, an unnecessary loan is just that: a loan. That apart, personal data is shared – even with companies that applicants have nothing to do with. Avoid giving such consent to loan aggregators and fintech firms.

Reduce digital footprints

Often, people leave their digital footprints and personal details online, which help fintech lenders to assess their loan eligibility and approach them with loan offers.

“There is a possibility you would have put your details on shopping websites or bought consumer electronics on equated monthly instalment (EMI) during the festive season from a retail shop. While shopping on EMI, you are giving your PAN card and personal details to process your purchase into EMI,” said Raj Khosla, founder of MyMoneyMantra.

Fintech lenders could then source the data from shopping websites and retailers to create their own database. Reducing one’s digital footprints as much as possible will minimise the possibility of personal data being leaked and information being misused.

Download your money calendar for 2022-23 here and keep your dates with your moneybox, investments, taxes

Hiral Thanawala is a personal finance journalist with 9 years of reporting experience. Based in Mumbai, he covers financial planning, banking and fintech segments from personal finance team for Moneycontrol.
first published: Dec 21, 2021 12:16 pm
ISO 27001 - BSI Assurance Mark