The Borrower’s Practical Checklist: 10 Steps to Verify Any Online Loan Offer

When you need cash fast, the pressure can make you overlook red flags. But in the world of online lending—especially with microfinance organizations (MFOs) and digital credit apps—one wrong click can lead to data theft, hidden fees, or harassment. This checklist is about verifying the lender and the loan terms before you hand over your personal information. Use these 10 steps every time.

---

Step 1: Check the Official Domain – Never Trust a Lookalike

Before you enter a single letter of your passport data, confirm you are on the lender’s real website.

What to do:

• Look at the URL in the browser bar. The domain should match the official name of the organization (e.g., `example-mfo.ru`, not `example-mfo-loan.ru` or `example-mfo.xyz`).
• Check for a padlock icon (HTTPS encryption). This is a minimum security requirement, not a guarantee of legitimacy.
• Use a WHOIS lookup service (like `whois.ru`) to see when the domain was registered. A domain created very recently is a major warning sign.
• If you found the site via an ad, type the lender’s name directly into a search engine and compare URLs.

Red flag: The site uses a misspelling of a well-known lender (e.g., “SberLoanz.com” instead of the real bank site). Legitimate lenders own their exact domain.

---

Step 2: Read the Consent Text – Don’t Click “Agree” Blindly

Every legitimate loan application includes a consent agreement. This is not just fine print—it is a legal document that tells you exactly how your data will be used.

What to do:

• Look for a checkbox or a link labeled “Consent to the processing of personal data” or “Privacy Policy”.
• Click the link. Read the first page. It should specify:
• What data is collected (passport, phone, bank card, biometrics, etc.).
• The purpose of processing (only for loan origination and reporting to credit bureaus).
• Third parties who will receive your data (e.g., credit history bureaus, collection agencies).
• The storage period (should be clearly stated—be wary if it says “indefinitely”).
• If the consent text is missing, or if it says “data may be transferred to any third party for any purpose,” do not proceed.

Red flag: The consent is a single sentence that says “I agree to everything.” Legitimate MFOs and banks use detailed, legally compliant consent forms.

---

Step 3: Verify the Lender’s Legal Identity

You need to know exactly who you are borrowing from. A loan from “QuickCash” could be from a registered MFO or an unregulated shell.

What to do:

• Find the “About Us” or “Legal Information” page. Look for:
• Full legal name (e.g., “OOO Microfinance Company Example”).
• Tax identification number (INN) and primary state registration number (OGRN).
• Legal address (must match the registered business address).
• Cross-check the INN and OGRN using the Federal Tax Service database (nalog.ru) or a trusted legal entity search.
• If the lender claims to be a bank, confirm it is listed on the Central Bank of Russia’s register of credit institutions.

Red flag: The site hides the legal name, uses only a brand name, or provides an INN that does not match any active company.

---

Step 4: Check the MFO Registry or Source

For microfinance organizations (MFOs), registration with the Central Bank of Russia (CBR) is mandatory. If an MFO is not in the CBR register, it is operating illegally.

What to do:

• Go to the official CBR website: `cbr.ru`.
• Navigate to “Financial Markets” → “Registers” → “Register of Microfinance Organizations”.
• Search by the MFO’s full legal name, INN, or OGRN.
• Confirm the register shows:
• The date of entry into the register.
• The current status (active, not revoked).
• The types of activities permitted (consumer loans, microloans, etc.).
• Important: The CBR register is the only authoritative source. Do not rely on the lender’s own claim that they are “registered.”

Red flag: The MFO is not in the CBR register, or the register shows its license was revoked. Any loan from such an organization is illegal.

---

Step 5: Calculate the Full Cost of the Loan

The interest rate is only one piece of the puzzle. The “full cost of the loan” (PSK in Russian) includes all fees, charges, and insurance.

What to do:

• Look for the “Full Cost of the Loan” disclosure. By law, it must be shown in a clear, standard format (a table with percentages and a total amount in rubles).
• Calculate the total repayment amount: principal + all interest + any additional fees (application fee, service fee, insurance if mandatory).
• Use the formula: Total repayment = Loan amount × (1 + PSK/100). Example: If you borrow 10,000 rubles at a high PSK, the total repayment could be much larger than the principal.
• Compare the PSK to the legal maximum. For MFOs, there are legal limits on daily interest and total debt—check current CBR regulations for exact numbers.
• Remember: A low monthly payment can hide a very high total cost if the loan term is long.

Red flag: The PSK is not shown, or it is displayed in tiny font. Some lenders hide fees in the fine print (e.g., “account maintenance fee” per day).

---

Step 6: Assess Your Repayment Ability Honestly

Lenders do not check your ability to repay as thoroughly as they should. You must do it yourself.

What to do:

• Write down your monthly income after taxes (salary, pension, freelance work).
• Subtract your fixed monthly expenses: rent/mortgage, utilities, groceries, transportation, existing loan payments.
• The remaining amount is your “free cash.” A loan payment should not exceed a reasonable portion of this free cash—generally, aim for no more than 30–40%.
• Example: If you have 10,000 rubles free per month, a payment of 4,000 rubles is risky. A payment of 8,000 rubles is very dangerous.
• Consider the worst case: if you lose your job or have a medical emergency, can you still make the payment for a couple of months?

Red flag: The lender offers you a loan amount that is obviously more than you can afford. Some apps automatically suggest the maximum, but you should always choose less.

---

Step 7: Understand the Card Requirements

Many online lenders require you to link a bank card for disbursement and repayment. This is a common vector for fraud.

What to do:

• The lender should only ask for:
• Card number (16 digits).
• Expiration date (MM/YY).
• Cardholder name (as on the card).
• CVV/CVC code (three digits on the back).
• Never provide:
• PIN code.
• One-time SMS codes from your bank.
• Your online banking login and password.
• Check if the lender uses a secure payment gateway (e.g., Stripe, PayU, or a Russian equivalent like Yandex.Checkout). The payment page should show a trusted logo.
• For disbursement: the loan should be transferred to your card within a reasonable timeframe (typically a few hours to a business day). If the lender asks for a “commission” to activate the transfer, it is a scam.

Red flag: The site asks for your bank login credentials or a “test transaction” to verify your card. Legitimate lenders use standard card verification (a small deposit that you confirm).

---

Step 8: Prepare the Required Documents

Every legitimate lender needs specific documents to verify your identity and income. Knowing what to expect helps you spot unusual requests.

What to do:

• Standard documents for an online loan:
• Passport (scanned or photo of the main page and registration page).
• Second identity document (SNILS, INN, or driver’s license) – may be required for larger loans.
• Proof of income: bank statement, tax certificate, or a pension certificate.
• If the lender asks for:
• Your work contract (full text).
• Your tax return.
• Photos of your apartment or workplace.
• Access to your phone contacts or gallery (common in predatory loan apps).
• Do not provide these unless you fully trust the lender and understand why they need them. Most legitimate MFOs do not require access to your contacts.

Red flag: The lender asks for documents that are not related to loan assessment, such as photos of your family or your social media passwords.

---

Step 9: Review the Privacy and Data Protection Policy

Your personal data is valuable. A lender with weak privacy practices can expose you to identity theft or spam.

What to do:

• Find the “Privacy Policy” page. It should be accessible from the footer of every page.
• Look for:
• How data is stored (encrypted databases, not plain text).
• Whether data is transferred outside Russia (if so, to which countries and under which legal framework).
• Your rights: you can request deletion of your data after the loan is repaid (check local law for specific timeframes).
• The data retention period (should be clearly stated, not “indefinitely”).
• Check if the lender has a Data Protection Officer (DPO) or a contact for privacy questions.
• If the policy is missing, or if it says “we may share your data with partners for marketing purposes,” you should reconsider.

Red flag: The privacy policy is a single paragraph that does not mention encryption, data retention, or your rights. This is a sign of a low-effort, potentially fraudulent operation.

---

Step 10: Identify Common Scam Signals

Even if all the above steps pass, look for these classic warning signs that indicate a scam.

What to do:

• Upfront fees: No legitimate lender asks for a fee before disbursing the loan. Common fake fees: “insurance,” “certification,” “processing,” “guarantee deposit.”
• Pressure tactics: “This offer expires in 10 minutes!” or “Only a few loans left at this rate!” Legitimate lenders give you time to decide.
• No phone support: The site has no phone number, only a chatbot or email. Legitimate lenders provide a contact phone and a physical address.
• Fake testimonials: Photos of “happy borrowers” that look like stock images. Check the names and dates; if they are repeated across different sites, it is a scam.
• Promise of guaranteed approval: No legitimate lender guarantees approval without checking your credit history or income. Phrases like “100% approval” or “no credit check” are red flags.
• Request for remote access: If the support agent asks you to install remote desktop software to “help you apply,” hang up immediately. They will steal your data.

Red flag: You receive a loan offer via SMS or email that you did not apply for. Delete it and do not click any links.

---

Final Step: Verify Support Contacts

Before you sign any agreement, test the lender’s support.

What to do:

• Call the phone number listed on the site. A real person should answer during business hours. If you get a voicemail that doesn’t identify the company, be suspicious.
• Send an email to the support address. Ask a simple question: “What is the maximum loan term for first-time borrowers?” A legitimate lender will reply within a reasonable time (typically 1–2 business days).
• Check the “Contact Us” page for a physical address. Use Google Maps to see if the address is a real office building or a residential apartment. Many scams use fake addresses.

Red flag: The support line is always busy, emails bounce back, or the physical address is a P.O. box or a non-existent location.

---

Summary Checklist (Printable)

1. [ ] Domain matches the official name (HTTPS, no misspellings).
2. [ ] Consent text is detailed and specific to loan processing.
3. [ ] Legal identity (INN, OGRN) verified on nalog.ru.
4. [ ] MFO is in the CBR register (cbr.ru).
5. [ ] Full cost of loan (PSK) is shown and under legal limits.
6. [ ] Repayment amount is a reasonable portion of your free monthly income.
7. [ ] Card details requested are standard (no PIN, no SMS codes).
8. [ ] Required documents are reasonable (passport, income proof).
9. [ ] Privacy policy includes encryption, retention period, and your rights.
10. [ ] No upfront fees, no pressure, and support contacts work.

Remember: no legitimate lender will guarantee approval, promise government backing without proof, or ask for your bank login. Take your time. A few minutes of verification can save you from months of debt collection and identity theft.