Disclaimer: This report has been written with a view to inform, educate and assess developments that impact public well-being. As such, it relies exclusively on open source information collected and analysed by the author while exercising the Right to Freedom of Speech as elaborated in Article 19 of the 1973 Constitution of Pakistan.
It's time to discuss yet another shady loan app that has its origins in China but operates through one or more front-persons in Pakistan; it's called 'Mera Rupiya' ('My Rupee').
Origins & Emergence
On 13 July 2022, a company was registered online using the portal of Securities and Exchange Commission of Pakistan (SECP). It is named Blue Ocean IT Solutions (SMC-Private) Limited having incorporation number 0206114. Its physical address is listed as No. 9 Ground Floor, Crescent Plaza, F-10 Markaz, Islamabad. This SMC (Single Management Company) is apparently managed by Gul Nawaz, its CEO and only (concurrent) Director.
More than a week later, on 22 July 2022, the domain name mera-rupiya(dot)com is registered by proxy through Amazon. Its primary IP address 139.162.14.250 is based in Singapore but its data is hosted on a server AS63949 owned by Linode LLC of the US. Domain WHOIS details could not be ascertained.
On 28 July 2022, the Android app of Mera Rupiya is published on Google Play Store. It has achieved more than 10,000 installations to date. Name of the affiliated SECP-registered company and address is taken from its description. Examination of publisher details also leads to the following:-
Email address for correspondence: [email protected]. Research reveals this address is maintained by a Filipino citizen named Lea Mae Sobior [same as mentioned in email username].
Privacy Policy: https://archive.vn/UePCw
Terms & Conditions: https://archive.vn/ARthk
A day later, on 29 July 2022, a YouTube channel is setup, incorrectly spelled as "Mear Rupiya Office".
And then finally, on 9 August 2022, a Facebook page is created [one like only, to date]. This page mentions the same email address as included in the app's Play Store description, with the addition of a mobile number (+86 181 9295 0845); it is used by someone based in Xi'an, the capital of Shaanxi province in China.
It's worth noting that unlike other similar apps, Mera Rupiya has not been reviewed yet by any Pakistani YouTuber (most of whom are sponsored for promoting such apps).
Data Security Concerns
Extracts from its Privacy Policy:
to create an account on the Platform, you must provide us with certain basic information required to provide customized services. The information we collect from you, inter alia, includes:
a.your full name;
b.email;
c.gender;
d.photograph;
e.mailing address;
f.postal code;
g.family details;
h.educational qualification;
i.phone number;
j.linked prepaid wallet details;
k.bill details;
l.vehicle details;
m.Official Identification Document;
n.Information from credit bureaus and customer service providers;
Our app reads and transmits your SMS data to Mera Rupiya servers which helps us in identifying the various bank accounts that you may be holding, cash flow patterns, description and amount of the transactions undertaken by you as a user to help us perform a credit risk assessment which enables us to determine your risk profile and to provide you with the appropriate credit analysis. This data also includes your historical data and may be collected even when the app is closed or not in use. This process will enable you to take financial facilities from the regulated financial entities available on the Platform.
We collect and monitor the information about the location of your device to provide serviceability of your loan application, to reduce risk associated with your loan application and to provide pre-approved customized loan offers. This also helps us to facilitate verification the address, making a better credit risk decision and know your customer (KYC) process.
In the Android app versions 1.4.2 and below and Android app versions 1.4.7 and above, as a part of the loan journey facilitated through Mera Rupiya, we collect, upload to Mera Rupiya servers, store and monitor your contact information which includes name, phone number, account type, contact last modified, favorites and other optional data to enable you to autofill the data during the loan application process.
conduct KYC for our third-party lending partners based on the information shared by the User;
From the Terms & Conditions:
1. THE COMPANY HAS DEVELOPED, OWNS, OPERATES AND MAINTAINS A TECHNOLOGY PLATFORM. THE COMPANY IS NOT A LENDER. THE COMPANY HAS CONTRACTUAL RELATIONSHIPS WITH LENDERS PURSUANT TO WHICH SUCH LENDERS OFFER CREDIT FACILITIES TO THE USERS OF THE APP. ANY CREDIT FACILITY MADE AVAILABLE TO YOU BY ANY LENDER SHALL BE GOVERNED BY TERMS AND CONDITIONS AGREED BETWEEN YOU AND THE LENDER AND THE COMPANY SHALL NOT BE A PARTY TO THE SAME.
2.5 Mera Rupiya group owns and powered by “E BLUE OCEAN IT SOLUTIONS (SMC-PRIVATE) LIMITED”, an Non-banking Financial Company duly registered with Reserve Bank of Pakistan.
Critical Observations
Observation 1: The app claims it is not a lender, rather a technological facilitator between unidentified lenders and the user. On the other hand, it openly claims to be an NBFC. Per the SECP rules, no SMC can be an NBFC; they require at least one Chairman and multiple Directors with defined suitability criteria.
Observation 2: The Terms & Conditions mentions registration as NBFC with the "Reserve Bank of Pakistan". This is a major error, and it appears the content for this policy was copy-pasted from an Indian app. India does indeed have a Reserve Bank of India (RBI) but its Pakistani equivalent is the State Bank of Pakistan (SBP).
Observation 3: On two instances within the Privacy Policy, the Mera Rupiya app quotes compliance with the "Information Technology Act 2000". This is a law by the Government of India, not Pakistan.
NBFC status with SECP?
I've contacted the SECP for comments and will update this section once I receive a response. I was initially told that the app and its registered company are not licensed to be a NBFC.
Sponsored ads on Facebook
There are multiple ads for the app active on Facebook. One of them is openly exploiting the official logo of SECP to attract unsuspecting victims:
Assessment
Based on the findings shared above, my personal assessment is as follows:
Mera Rupiya is a Chinese-origin app which is operating illegally as an NBFC through one or more front-persons in Pakistan. Blue Ocean IT Solutions (SMC-Private) Limited is one among them.
Extent of collecting sensitive personal information is unprecedented, especially asking for vehicle details which are unusual and unnecessary.
Data of Mera Rupiya users is strongly suspected to be transmitted to, stored and processed by unknown entities in mainland China.
What can be done?
The SECP and SBP can initiate a joint investigation into the dubious operations of Blue Ocean IT Solutions (SMC-Private) Limited/ Mera Rupiya.
Necessary inquiry into the company can be initiated from an AML/ CFT perspective by the Financial Monitoring Unit (FMU) based on app's claims that it "facilitates loans" from "third-party lenders". Who are they, where are they based and what are their motives?
The Pakistan Telecommunication Authority (PTA) can write to Google Play Store and request a take-down of Mera Rupiya. Access to website IP addresses can also be restricted.
The National Telecommunications Information Security Board (NTISB) within Cabinet Division, Prime Minister's Office, can issue a warning about Mera Rupiya via notification, as done for Barwaqt and other malicious apps.
Ideally, as a long-term measure, the Government of Pakistan can write to Google and request that stringent evaluation protocols be followed before allowing dubious apps to flourish on Play Store in the future.
If you appreciate the effort I put into this report, you can support me by buying me a cup of coffee. Supporters will get early (and in some cases permanently exclusive) access to future reports.