Gurugram-based digital payment firm MobiKwik is among the first in the Indian tech startup ecosystem to go public this year. The startup, founded in 2017, filed its draft red herring prospectus (DRHP) with SEBI on July 12, 2021, and aims to raise INR 1,900 Cr.
An online payment platform offering a buy now, pay later (BNPL) service has to be scrupulous about collecting the kind of information needed to prevent fraud. At a time when company servers are repeatedly hacked and users’ data dumped on the dark web, online payment firms have to keep their guard up to protect users’ data. Moreover, MobiKwik allegedly faced a major data breach earlier this year.
The startup in its DRHP filings revealed that a critical element of its business is the ability to mitigate risk associated with BNPL operations, including identification of suitable users, appropriate underwriting, and development of a visible and efficient collection strategy.
The firm relies on MobiScore, which the company claims to be a data science-driven credit scoring algorithm that utilises more than 500 raw and derived variables for underwriting and risk assessment to pre-approve users and determine credit limits.
“We consider data beyond traditional credit scores, including, for example, spending patterns, device information, location history and mobile application usage. Any data, which is used for underwriting is done with explicit consent and following all applicable laws and regulations in India,” the filings read.
The company revealed that as of March 31, 2021, MobiKwik had 89 employees in its collection team. The startup also has third-party collection agencies across the country.
At the time of MobiKwik Zip activation, MobiKwik collects adequate digital and physical contact data of a user to enable the company to communicate through various methods during the disbursement and repayment process. MobiKwik uses machine learning models to determine the collection strategy at an individual user level based on payment patterns, outstanding amount, channel preference, contactability, and responsiveness.
The startup claims that it is an RBI-regulated fintech company and places an emphasis on data privacy and security of its users and merchant partners. MobiKwik mentioned that it undergoes various security and compliance audits, including the Payment System Data Storage – System Audit and the Information System Audit under the RBI-PPI Master Directions.
The company stated that it stores data in a secure data centre with access control based on firewall and user privileges. It underlined that MobiKwik releases products only once security assessments and re-assurance of applications are further verified by third-party security assessors. MobiKwik has also implemented firewalls to restrict access through public networks.
While MobiKwik is gearing up to go public and probably become the first Indian digital payment startup to get listed, even before Paytm, which is expected to go public in November this year, reports of alleged data leaks containing MobiKwik users’ information remain fresh in people’s minds.
In March, reports surfaced that data of over 100 Mn Indian MobiKwik users had been exposed. Independent cybersecurity researcher Rajshekhar Rajaharia had earlier reported that records of 11 Cr MobiKwik users, with 8.2 Tb of data, were breached.
Back then, MobiKwik indirectly called Rajaharia a ‘media crazed’ security researcher presenting concocted files and wasting the precious time of MobiKwik as well as members of the media.
It claimed that the company had investigated and did not find any security lapses.
However, a link from the dark web was later reportedly spotted online, and users claimed to see their details there. Following this development, Bipin Preet Singh, CEO and cofounder of MobiKwik, said in a statement on the availability of users’ data that MobiKwik cannot be accused of being the source of the leak. He said that it was entirely possible that any user could have uploaded her/his information on multiple platforms. “Hence, it is incorrect to suggest that the data available on the dark web has been accessed from Mobikwik or any identified source,” he added.
However, he said that the company will get a third party to conduct a forensic data security audit.
In the DRHP filing, to allay fears among its investors and users, MobiKwik said that forensic audit experts found no data breach. The company said, “The forensic audit expert subsequently reported that based on the analysis of logs/ data provided to them, there was no unauthorised access from outside of our company’s infrastructure or internally to the database server wherein customer data is stored, during the review period. The report however states certain limitations to the processes undertaken, including virtual walk-through of our systems, not analysing employee devices and that the review was based on logs made available by us and certain non-mandatory logs were not available for the audit.”