Between digital loan sharks and weak regulation, Pakistanis are stuck between a rock and a hard place

Predatory practices by instant lending apps raise alarming questions about users' exploitation and the need for tighter regulations in Pakistan.
Published August 16, 2023

When an unemployed man recently committed suicide due to “threats” for failing to pay back a loan, the parasitic nature of these transactions and the modus operandi employed by digital lending apps quickly became the topic of discussion across the country.

Mohammad Masood, 42, from Rawalpindi, had obtained two loans from separate mobile apps, one of which had seen its principal plus interest amass to Rs0.7 million, his wife told

Unable to make the payments and hounded by recovery agents, Masood decided to end his life. This is, however, not the first time that reports of threats and blackmails by recovery agents of such apps have emerged.

In the last two years, the industry has grown from the fringes to the mainstream, though for all the wrong reasons. At least twice since June 2022, complaints have been raised by both citizens and the media about the exploitative practices of nano lenders, including but not limited to predatory interest rates, harassment of borrowers and misuse of data.

But how did we get here?

While the early origins of the country’s instant lending space can be traced back to 2018, it was only three years later that the industry really took off. Around mid-2021, a number of players surfaced on Google Play and soon started dominating the top category charts. At the same time, their growth trajectory, in terms of downloads, was steeply upwards and scale significant — at least by Pakistani standards.

In FY22, the top eight apps had been downloaded around 15.4 million times in the country, according to Data Darbar.

 The top eight apps were downloaded around 15.4 million times in the country in FY22 — Data Darbar
The top eight apps were downloaded around 15.4 million times in the country in FY22 — Data Darbar

It wasn’t only a case of downloads either — the industry has grown exponentially since 2021 onwards in terms of loans. According to the Securities & Exchange Commission of Pakistan (SECP), Rs97 billion has been disbursed till April 2023 to around 4.5 million borrowers. That’s since inception. Unfortunately, year-wise data is not available, but going by the regulator’s press statements, the value of (cumulative) disbursements by 2022 had crossed Rs63bn.

One of them was Barwaqt, now among the biggest nano lenders in the country. Though it has since obtained a non-bank financial company (NBFC) licence, back in June 2021, when the app was launched, it didn’t have any. In the coming months, new apps appeared online in droves and by June 2022, 27 instant lending apps were featured in Google Play’s top 100 finance category.

We revisited the numbers again and found that instant lending apps have at least 27.4M installs in Pakistan between July 2021 and June 2023, according to Appfigures estimates. Though we had 34 unique products in our sample (which was as exhaustive as humanly possible), it was Barwaqt that accounted for 48.3 per cent, or 13.2 million, of the total downloads.

 Month-wise downloads of Barwaqt app over the last couple of years — Data Darbar
Month-wise downloads of Barwaqt app over the last couple of years — Data Darbar

Only six publishers of the 34 apps have the required NBFC licence while the remaining were operating freely, and illegally. During these 24 months, unlicensed apps amassed 4.9 million installs, or 17.85pc of the total. It was only recently that they were finally removed from the Play Store, even though the issue had been highlighted countless times over the last year.

Troubling threats

Muzammil Husain, brother of late Masood, shared with the chain of events leading up to his brother’s death.

Masood had come across these loan apps through advertisements on the internet. “They were the big ones, like Bharosa, Barwaqt, etc,” Husain said. Initially, these apps said that the loan has to be repaid in 90 days, he explained. “Is chakar mai unho ne loan le liya tha [He took the loan for this reason].”

However, hardly six days had passed the calls began. Husain explained that the callers not only verbally threatened his brother to pay back the amount but also were blackmailing him on the basis of the data on his phone.

When one downloads these apps or any payment apps for that matter, a notification pops up to ask for their permission to access the phone’s contacts list, gallery and other data. This is to fulfil the KYC — know your customer — requirements.

Similarly, the instant loan apps that Masood downloaded did so too. The problem here arose when the data being accessed by the apps was used for threatening and blackmailing purposes. These malicious practices can also be seen in other countries in the global South with a developing digital space, such as in Kenya, India, Nigeria, the Philippines and Indonesia.

In Masood’s case, while the money was being arranged from various sources, the actual issue was that recovery agents were blackmailing him with the release of private and compromising pictures. “The real [cause of] tension was that about a month back, a person sent him a private picture and said if you don’t pay us, we will send this to your contacts.

Bhai ka ye akhri marhala chal raha tha jismai unho ne pictures viral karni theen, agay peeche saray contact numbers pe [This was the last phase in which they were going to spread his pictures among his contact list],” stated Husain.

“After the threat, my brother stopped eating and barely talked to anyone. He knew that if they would send this picture to his relatives, it would be [humiliating],” he said.

They would call after every 15 minutes. On the day of Masood’s demise, Husain told them that his brother was out of town and instead, he would pay them. The agents also called the female family members and found out that Masood had passed away. Upon learning this, the agents asked Husain to “send them pictures of his grave as proof and arrange the money.”

Speaking about action being taken against the agents, he added, “They [FIA] have arrested some people but I don’t feel very satisfied [with the progress]. You know how institutions work here. Right now, they have sprung into action but after time will pass, who knows.

“The main thing is to hold the owners accountable, block their accounts [and apps],” Husain said. According to him, “the whole business involves everyone.”

Where is the accountability?

Before one can discuss the regulatory inaction in this entire situation, it is crucial to understand who exactly has the mandate to regulate these apps? This is where things get a little complicated.

Lending is a regulated business where the State Bank Pakistan (SBP) oversees banks, while the SECP has the mandate for non-banking finance companies. Therefore, in order to offer instant nano credit, an entity needs to have the NBFC licence.

However, as stated earlier, only a handful of the apps operating on the Play Store actually had the required licence. The rest were not only operating outside the licensing regime but were often not even registered in Pakistan. So how could the SECP regulate entities that have no legal presence in the country?

Here comes the ban

That’s where the Pakistan Telecom Authority (PTA) came in, or at least should have, for it is usually all too eager to ban everything, including the internet itself. But when it comes to literal loan sharks, the regulator has hidden behind claims that lending apps are the SECP’s domain.

Similarly, the SBP has also conveniently evaded any responsibility for the entire situation, claiming that it has nothing to do with the supervision of NBFCs. While that is true, it misses one simple detail — the central bank nevertheless has the responsibility to oversee payments. And guess what? All the transactions to and from these instant lending apps were and are processed largely by two companies — JazzCash and EasyPaisa — both regulated by the SBP.

All payments companies have to do KYC, which in this case involves some due diligence on the nature of their business to ensure the merchant is engaged in legal activities. But apparently, no such conditions were applicable when it came to shady lenders often operating outside Pakistan?

For its part, the SECP too has tried to hide behind the lazy distinction between licensed and unlicensed apps for the most part. Even back in July 2022, after some media hype, it called a meeting with NBFCs and subsequently issued a press release, bashing illegal players who were bringing disrepute to the industry.

This is strange because there’s hardly any difference in the modus operandi of licensed and unlicensed players. Both have exorbitantly high interest rates, mis-sell the product, harass borrowers and don’t give a damn about distractions like data privacy. Admittedly, the SECP has indeed become more proactive in regulating its own subjects over the last few months.

On December 27, 2022, it issued a circular detailing a set of guidelines for NBFCs engaged in digital lending, addressing some of the more pressing concerns. For example, it explicitly banned them from making any deductions upfront. Previously, it was quite common for lenders to charge as much as 30pc of the loan amount in processing or other fees. Similarly, the regulator disallowed any NBFC to have more than one app at a time, thus ending the practice of licence outsourcing to unauthorised players.

— Data Darbar
— Data Darbar

More importantly, the SECP started engaging with other regulators. Part of the new guidelines was for NBFCs to have an audit from a PTA-approved cybersecurity firm. This was probably the beginning of the two organisations cooperating to crack down on predatory lending. It also worked with the SBP to block the payments for illegal apps, which was notified in a circular earlier this June.

But with respect to the predatory pricing of loans, the SECP has shied away from taking any action, saying it “does not regulate the interest rates, neither on the loans disbursed through digital apps, nor through any other means.”

The reason is pretty simple — it’s the market’s job to determine the cost based on the borrowers’ risk profile and the regulator has no business in it.

While in theory, it may appeal to the finance types, there are countless examples of countries regulating interest rates including through explicit caps. For example in the US, the mecca for libertarians, there are 18 states that have enacted interest rate caps of 36pc or less.

Google also has a similar policy regarding payday loan apps for specific markets, though they too waited almost a year before taking any action despite being aware of the proliferation of predatory lenders on Play Store in Pakistan.

Given Pakistan’s prevailing interest rate levels of over 22pc, it’s understandable why the same 36pc cap can’t be applicable here. However, the regulator has entirely ruled out any action with respect to pricing, except asking for disclosures.

Trying to catch the culprits

After Masood’s ordeal came into the spotlight, the Cybercrime Wing of the Federal Investigation Agency (FIA) also announced that it had arrested nine individuals and filed charges against 19 others for engaging in the blackmail of citizens using mobile applications that offer loans from the office of the online loan service on Saidpur Road in Rawalpindi.

According to the FIA, the arrested suspects were assigned specific targets to make between 100 to 150 calls daily to citizens, as well as their friends and family members. Moreover, during the raids conducted at their offices, it was revealed that a separate department was operating specifically to carry out what they referred to as “torture calls”.

These departments’ modus operandi involved collecting personal information of citizens through the loan apps, which they then used to subject people to harassment and intimidation.

FIA Assistant Director Tahir Tanveer told that they went to the late victim’s house in Rawalpindi and registered a complaint by his brother. “We confiscated and forensically analysed the victim’s mobile phone to find out which apps he had borrowed money from,” said Tanveer.

Two of the companies that the FIA subsequently took action against were Hamrah and Sarmaya. What is key here is that a single company can run multiple loan apps.

“We have arrested their employees and seized their computers,” said Tanveer. “We are currently raiding these call centres and making lists. Additionally, we have stress counsellors available for the victims that could be facing such threats and blackmails so something like [the Rawalpindi incident] doesn’t happen again,” he added.

The action is being taken across Pakistan in different cities. According to Tanveer, people get attracted to these apps on the internet through their vigorous marketing, adding that besides invasion of privacy that includes accessing pictures, videos and the contacts list to later blackmail, the apps also carry out “auto-loaning” where they automatically give loans to users without their consent.

Later, they harass the users to pay back the given amount with the additional interest.

“One of the challenges we are facing is that when people are coming to us with their complaints, when we analyse the numbers, for example, let’s say it’s [showing as] a Jazz number, then [when we contact] Jazz, we will learn that the number is not issued by Jazz.

“This is called spoofing, where whatever number the culprit wants, would show on the other person’s mobile phone screen. The original number will not show,” he added.

Contrary to popular misconception, these apps don’t have third-party employees. Instead, they have their own call centres where hundreds of employees work.

For example, Sarmaya, which runs the Easy Loan app previously fired 250 agents out of their total work force of 2,500 employees following reports of misconduct and complaints of aggressive behaviour towards clients, according to a company official.

Number of employees working at various loan apps across Pakistan — Data Darbar

The FIA says it is taking action against these apps under the Prevention of Electronic Crime Act, 2016. “The law isn’t that strict. There is a loophole in the law — these kinds of acts that one can call cyber-stalking or financial/electronic frauds don’t have major punishments. Secondly, they are not cognisable.

“That means that we can’t file an FIR directly. Instead, we must make a report and challan and submit that to the judge. Moreover, it is a bailable offence,” said Tanveer, adding that even if a case was brought to court, it would most likely take years for the culprits to face any real consequences.

The FIA, said Tanveer, can only list the apps that exploit the law and commit these crimes, but can’t make policies relating to their use.

The shifting of responsibilities between these organisations continues as each blames the other for the existing cracks in the digital lending space. With millions of lives at stake, however, there is an urgent need for accountability and consensus between the SBP, PTA, SECP and FIA; only then we can move towards any pragmatic solutions.

Header image: Shutterstock