On 6th April, many random people, who have nothing to do with Indiabulls or its ‘Dhani’ lending app, were bombarded with repeated personalised messages reminding them about payments and pending dues. Many people received an unnerving flurry of messages, causing alarm among those who tend to be diligent and alert about their credit history.
Those who had borrowings from Indiabulls through Dhani were concerned about receiving repeated payment reminders that mentioned ‘pending’ payments when there was none. Those who had no relationship with Indiabulls or Dhani had a bigger worry: Were they victims of fraud or an identity theft, given that the messages were very specific and personalised? Would clicking on the link in the message expose them to malware and phishing attacks? Many took to Twitter, to express their concern.
Their worry was legitimate. Payment delays and defaults affect a person’s credit score and the ability to borrow in future, while getting a loan account linked to another person with the same name is not unknown. It is also important to remember that Paytm filed litigation against Telecom Regulatory Authority of India (TRAI) and telecom companies, precisely on the charge that the latter were not doing enough to control phishing attacks by fraudulent registered telemarketers. A court order then triggered the effort to stop at least the more toxic and harmful spammers.
When asked, Indiabulls told me it was a ‘human error’ that caused the problem. A senior executive agreed to look into the issue and said that apology messages were sent out to all customers. But, by then, the issue had blown up on the social media. The company did, indeed, send out messages to say, “Please ignore the payment reminder SMS sent to you from Dhani yesterday. It was sent erroneously. We sincerely apologise for any inconvenience caused.”
A ‘human error’ is understandable, but the episode also raises some questions at a time when TRAI is ostensibly working to protect us from relentless spamming under court orders. A good chunk of those spammed by Dhani are not its customers and claim they have nothing to do with the Indiabulls group. Many are even registered on TRAI’s much-abused ‘do not disturb’ (DND) registry. So how and why does Dhani have their data in the first place, and is this going to change if TRAI is serious about finally protecting us from spammers?
TRAI had deliberately allowed the DND registry to become defunct over the years, largely under pressure from telecom firms that need revenue and large corporate spammers – mainly banks (mostly hawking credit cards) and insurance and finance companies who want access to customers at any cost.
Once it was clear that TRAI was unwilling to act, it quickly opened the doors to fraudsters and phishing attacks to scam people into parting with one-time-passwords (OTPs) for digital transactions. While it was possible to block tele-callers, there is absolutely no protection against text messages.
On 3rd February, Delhi High Court asked TRAI to ensure that telecom companies strictly enforce the Telecom Commercial Communication Customer Preference Regulation, 2018 (TCCCPR) rules to fake SMS headers, masquerading as legitimate ones. But telemarketers are still working to stop the implementation of the rules through litigation claiming that it would lead to a disruption in delivery of time-critical services. The court refused to quash the order and offer interim relief. But industry and telemarketers have already scored a victory, since the rules that were to become operational on 8th March were postponed after the panic caused by the delivery failure of OTP messages. However, the content scrubbing process was resumed on 1st April after “relevant entities were asked to take remedial measures.”
TRAI’s new guidelines require every SMS/text message to be verified before it is delivered. To comply with this, all telemarketers need to register themselves on a DLT (distributor ledger technology) platform, which also scrubs data against the DND registry. There is some friction over who is providing this service as well. According to The Economic Times (ET), telemarketers had alleged that ‘Tanla Solutions—an implementing partner’ of DLT for leading telecom companies, was ‘itself a telemarketer, controlling 40% of the market’. The stock has gone up 2000% in the past one year. But that is another story.
The TRAI notification on 1st April had says “regulatory provisions not only help in preventing spam but also help in preventing fraudulent messages purporting to originate from banks, financial institutions, or other trusted sources.”
But the Dhani episode shows that even after the new rules are in operation companies are in no hurry to scrub their databases against TRAI’s DND list.
Ankit Banga, Dhani’s marketing head wrote to say: “The ‘payment reminder’ SMS was erroneously sent out, the communication was directed towards a specific set of Dhani customers, but due to a human error, it was sent to non-targeted base. We would want to reassure you that there was no malaise in our intent and we are cognizant of the confusion this may have potentially caused and therefore we sent out a notification and SMS informing users to ‘Ignore the SMS’. We are working with our teams internally to ensure that such an error is not repeated in the future.”
In a phone conversation earlier, when I pointed out that many people who received the messages insisted they were on the DND list, he claimed that the company has built its database in-house, based on specific engagements and registrations with customers. Well, it is clear that this is a cleaned and verified database that could target people by name, they deny any engagement with the group and also don’t have an opt-out option, despite DND and the new TRAI regulations becoming operational.
Tech expert Srikanth (twitter handle: @logic) brought out another angle. He tweeted: “So a lot of people are complaining about @dhanicares SMS spam including message about payment reminder for a loan they never had. What happened here is @dhanicares/ their CPaaS partner @KarixMobile is basically using transactional pipe for promotional message to bypass DND.”
When specifically asked, Indiabulls has not commented on where the glitch happened or if KarixMobile had any role to play. What is clear is that payment reminders, that ought to have gone to specific borrowers, went out in the ‘promotional’ pipe that includes those registered on DND. Does this mean telemarketers will continue spamming people or, as Shrikanth puts it, “to skirt the DLT (Distributor Ledger Technology) based DND (which now stands postponed).”
If TRAI is serious about the new regulations, it ought to investigate Dhani’s 'human error' episode independently, at least to send out the signal that telemarketers cannot get away with a mere “Oops! sorry folks, we made a mistake.” Protecting subscribers and preventing spamming is more about TRAI’s intent and seriousness, rather than a set of regulations.