Can Online Lending Apps Message People Who Are Not Your Contacts?

Online lending apps in the Philippines should not freely message random people, relatives, co-workers, Facebook friends, or people who are not part of your loan. The clearest rule is this: for debt collection, lending and financing companies may contact only the borrower and, in proper cases, the borrower’s guarantor or co-maker. A “character reference” may be contacted for limited verification, but that person is not automatically liable for the debt. If an online lending app is messaging people who are not your contacts, not your references, and not guarantors, the issue is usually both a debt collection violation and a data privacy problem.

The direct answer: when can an online lending app message another person?

An online lending app may contact another person only when there is a lawful, specific, and proportionate reason. In everyday terms, that usually means one of these situations:

| Person contacted | May the lender contact them? | Important limit |
|---|---|---|
| Borrower | Yes | Collection must still be fair, non-abusive, and within reasonable hours. |
| Guarantor or co-maker | Yes | The person must have agreed to be bound, not merely named by the borrower. |
| Character reference | Sometimes | Only for identity or verification purposes, not to shame or pressure payment. |
| Family member, friend, officemate, HR, boss, neighbor, Facebook friend | Generally no | Especially if they are not guarantors, co-makers, or properly informed references. |
| A person who is not in your phone contacts | Generally no | The app must still explain where the data came from and its lawful basis for processing it. |

The 2026 joint advisory of the DICT, National Privacy Commission (NPC), and Securities and Exchange Commission (SEC) specifically reiterates that contacting persons in a borrower’s contact list other than guarantors is prohibited for debt collection, and that online lending platforms may only contact guarantors for debt-collection purposes.

Why this became a common problem in the Philippines

Many complaints against online lending apps involve the same pattern:

  1. A borrower downloads an app and grants phone permissions.
  2. The app accesses contacts, photos, storage, call logs, social media data, or other information.
  3. When payment is delayed, collectors send messages to relatives, office contacts, neighbors, or group chats.
  4. The messages may say things like “pakisabihan si borrower,” “scammer,” “criminal,” “may kaso na,” or “we will post you online.”
  5. Some recipients were never contacts, references, guarantors, or co-makers.

This is exactly the kind of conduct Philippine regulators have tried to stop. The NPC has previously found that some online lending apps accessed borrowers’ mobile contact lists, has treated that access as a dangerous permission, and has investigated complaints involving harassment and public shaming. (National Privacy Commission) The NPC also ordered takedowns of certain online lending apps after finding unauthorized, excessive, or unnecessary harvesting of personal and social media data that could be weaponized to harass borrowers and their contacts. (National Privacy Commission)

Legal basis under Philippine law

Data Privacy Act of 2012: personal data cannot be harvested freely

Republic Act No. 10173, or the Data Privacy Act of 2012, applies to personal information handled by private companies, including lending and financing companies. The law requires a lawful basis for processing personal information. Consent is one lawful basis, but it must be valid, specific, informed, and tied to a legitimate purpose. (National Privacy Commission)

The Data Privacy Act and its implementing rules are built on three core principles:

  • Transparency — the person must know what data is collected, why, who controls it, and how rights can be exercised.
  • Legitimate purpose — the use of data must match a declared and lawful purpose.
  • Proportionality — the data collected must be adequate, relevant, necessary, and not excessive. (Supreme Court E-Library)

This means an online lending app cannot simply say, “You clicked agree,” and then use your phonebook, social media, or unrelated personal information for public shaming or pressure tactics. Consent obtained through confusing screens, bundled permissions, pre-ticked boxes, or a “take it or leave it” design may be challenged, especially where the processing is excessive.

NPC rules on loan-related data: unbridled contact-list processing is prohibited

NPC Circular No. 20-01, as amended by NPC Circular No. 2022-02, directly addresses loan-related transactions. The amended rule allows limited access to contact lists only when necessary, such as allowing a borrower to select character references or guarantors. It prohibits unbridled processing of contact lists, including processing that leads to harassment, debt collection outside guarantors, or unfair collection practices.

The same amended circular says online lending apps must have separate interfaces where borrowers can provide character references and guarantors of their own choosing. Access to the contact list must be limited to the minimum extent necessary.

This is important because many apps used to ask for broad contact-list access at installation or loan application stage. Current rules do not allow unlimited harvesting of contacts just because a borrower wants a loan.

SEC rules on unfair debt collection

SEC Memorandum Circular No. 18, Series of 2019, applies to financing companies, lending companies, and third-party service providers collecting for them. The SEC allows lenders to use reasonable and legally permissible means to collect debts, but they must act in good faith and avoid abusive or unfair collection practices.

The circular treats the following as unfair collection practices:

  • using or threatening violence or other criminal means;
  • threatening to take actions that cannot legally be taken;
  • using obscenities, insults, or profane language;
  • publishing or disclosing names and personal information of borrowers who allegedly refuse to pay;
  • communicating false loan information;
  • contacting at unreasonable hours, generally before 6:00 a.m. or after 10:00 p.m.; and
  • contacting people in the borrower’s contact list other than guarantors or co-makers.

The SEC has also publicly reminded borrowers that lenders are prohibited from contacting people in a borrower’s contact list who are not guarantors or co-makers. (Philippine Information Agency)

Financial Products and Services Consumer Protection Act

Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act, protects financial consumers. It recognizes rights to fair treatment, disclosure and transparency, protection against fraud and misuse, data privacy and protection, and timely handling of complaints. (Supreme Court E-Library)

Loans and credit products are financial products. So when an online lending app uses intimidation, deceptive notices, or abusive collection tactics, the issue is not just a private loan dispute. It may also be a financial consumer protection issue.

Civil Code and Revised Penal Code remedies

If the conduct becomes humiliating, intrusive, or threatening, other Philippine laws may also matter.

Article 26 of the Civil Code says every person must respect the dignity, personality, privacy, and peace of mind of others. It recognizes civil actions for acts such as disturbing a person’s private life or family relations, intriguing to alienate a person from friends, or humiliating another on account of personal condition. (Supreme Court E-Library)

Depending on the facts, threatening messages may also raise issues under the Revised Penal Code, such as:

  • grave threats under Article 282, when a person threatens another with a wrong amounting to a crime;
  • grave coercion under Article 286, when violence or intimidation is used to compel someone to do something against their will; or
  • unjust vexation under Article 287, for acts that unjustly annoy, irritate, or distress another person. (Lawphil)

A person also cannot be imprisoned merely for non-payment of debt. Article III, Section 20 of the 1987 Constitution states that no person shall be imprisoned for debt or non-payment of a poll tax. (Supreme Court E-Library) This does not protect fraud or other crimes, but it does mean a collector cannot lawfully scare ordinary borrowers with “kulong ka bukas” simply because a loan is unpaid.

Character reference vs. guarantor: the difference matters

This is one of the most misunderstood issues in online lending.

A character reference is someone whose contact information is provided to verify the borrower’s identity or the truthfulness of information in the loan application. Under NPC Circular No. 2022-02, lenders must inform the character reference that they were chosen, explain how their details were obtained, and give them an option to have their personal data removed as a character reference.

A guarantor or co-maker is different. This person may be contacted about the loan obligation because they agreed to assume liability or support repayment. The 2026 joint advisory emphasizes that guarantors must have expressly consented to assume responsibility for the loan in case of default.

So if your cousin, officemate, or former classmate receives a message saying, “You are responsible for this loan,” that is not automatically true. Being named by a borrower does not, by itself, make someone a guarantor.

What if they message people who are not your contacts?

If the person is not in your phonebook, the lender may have obtained the information from another source, such as:

  • a contact list uploaded from a different device;
  • a social media scrape;
  • an old phone number database;
  • a group chat, tagged post, or public profile;
  • a previous borrower’s contact list;
  • a data broker or third-party service provider;
  • mistaken identity; or
  • a fake or unauthorized lending operator.

Even then, the lender must still have a lawful basis to process that person’s data. The Data Privacy Act gives data subjects the right to be informed whether their personal information is being processed, the purposes of processing, and the right to dispute errors or seek blocking, removal, or destruction of information that is unlawfully obtained, used for unauthorized purposes, or no longer necessary. (National Privacy Commission)

In practical terms, the recipient can ask:

  • “Where did you get my number?”
  • “What is your lawful basis for processing my personal data?”
  • “Am I listed as a character reference, guarantor, or co-maker?”
  • “Please remove my number from your system and stop contacting me.”

What to do if an online lending app messages third parties

1. Preserve evidence before blocking

Before deleting messages or uninstalling the app, save evidence. Regulators and investigators need details, not just a general statement that “they harassed me.”

Keep:

  • screenshots showing the sender’s number, username, email, or profile;
  • date and time of each message;
  • full message content, including threats or insults;
  • call logs;
  • voice recordings where legally and safely available;
  • screenshots from relatives, co-workers, or friends who received messages;
  • app name, developer name, website, and advertised corporate name;
  • loan agreement, disclosure statement, repayment schedule, and privacy notice;
  • proof of payment, if any;
  • proof that the contacted person is not a guarantor or co-maker.

Ask affected third parties to send their own screenshots with the date, time, and sender visible. If the case becomes serious, a sworn statement or affidavit from them can help.

2. Do not admit liability for someone else’s loan

If you are the person being messaged and you are not the borrower, guarantor, or co-maker, keep your reply short:

“I am not the borrower, guarantor, or co-maker. I do not consent to the processing of my personal data for this loan. Please stop contacting me and remove my number from your records.”

Avoid arguing, insulting the collector, or sending your ID unless you are filing with an official agency. Some abusive operators use replies to confirm active numbers.

3. Revoke app permissions and secure accounts

If you are the borrower:

  1. Go to your phone settings.
  2. Find the lending app.
  3. Revoke permissions for contacts, camera, storage, photos, microphone, location, and SMS unless truly necessary.
  4. Change passwords for email, social media, and e-wallet accounts if you suspect access.
  5. Avoid granting permissions again through pop-ups inside the app.

The 2026 joint advisory states that permissions must not be unnecessary, and that access to camera or photo gallery should be for legitimate purposes like identity verification or KYC and turned off after the purpose is fulfilled. It also says unbridled processing of contact lists is prohibited.

4. Check whether the lender and platform are legitimate

A lending company should be registered with the SEC and should have authority to operate. The specific online lending platform should also be recorded or properly reported, not merely using a similar-sounding corporate name.

Use official SEC channels, including SEC iMessage, to submit complaints or inquiries. SEC iMessage is the SEC’s public ticketing platform for inquiries, complaints, incidents, and requests. (Securities and Exchange Commission)

Be careful with fake apps using names similar to real companies. A legitimate-looking logo, Facebook page, or app-store listing is not enough.

5. File the right complaint with the right office

Different agencies handle different parts of the problem.

| Problem | Where to report | What to include |
|---|---|---|
| Contacting relatives, officemates, or non-guarantors for collection | SEC, especially for lending or financing companies | App name, company name, screenshots, loan account, messages to third parties |
| Unauthorized access to contacts, data harvesting, doxxing, public shaming | National Privacy Commission | Evidence of personal data misuse, app permissions, privacy notice, screenshots |
| Threats, extortion, fake subpoenas, hacking, impersonation | PNP Anti-Cybercrime Group, NBI Cybercrime Division, DICT Cyber Hotline | Threat messages, sender numbers, profiles, payment demands, account details |
| Immediate personal safety concern | Local police station or PNP | Threats, location details, identity of sender if known |
| Civil damages for humiliation or privacy invasion | Proper court, depending on amount and location | Evidence of harm, witnesses, proof of publication or disclosure |

The 2026 advisory lists SEC FINLEND through SEC iMessage and hotline 1-4732 for unfair debt collection, and also points the public to DICT, NBI Cybercrime Division, and PNP Anti-Cybercrime Group for harassment, threats, frauds, or scams.

6. For NPC complaints, follow the required form

A formal NPC complaint must be filed in the required format. The NPC says the complainant should download the form, print and fill it out, have it notarized, and submit it in person, by courier, or by scanned email. (National Privacy Commission)

Expect common bottlenecks:

  • incomplete screenshots;
  • no clear company or app name;
  • no proof that the contacted person was not a guarantor;
  • missing notarization for a formal complaint;
  • vague allegations without dates and sender details;
  • fake or offshore operators hiding behind changing numbers.

Investigations can take time, especially when several agencies are involved. Serious cases with ongoing public shaming, threats, or large-scale data misuse should be documented quickly.

Documents and evidence to prepare

| Document or evidence | Why it helps |
|---|---|
| Valid government ID | Needed for formal complaints or notarized submissions |
| Loan agreement or app screenshots | Shows the lender, loan amount, terms, and platform |
| Disclosure statement | Helps prove interest, charges, due date, and lender identity |
| Privacy notice and consent screen | Shows what data the app claimed it would collect |
| App permission screenshots | Shows whether contacts, photos, camera, SMS, or location were requested |
| Screenshots of messages to third parties | Proves contact with non-borrowers or non-guarantors |
| Statements from relatives, co-workers, or friends | Shows actual third-party harassment |
| Proof of payments | Prevents false claims of non-payment or inflated balance |
| SEC or NPC ticket numbers | Helps track prior reports |
| Police blotter or cybercrime report | Useful if there are threats, extortion, or impersonation |

For Filipinos or foreigners abroad, documents signed outside the Philippines may sometimes need consular acknowledgment or apostille if they will be used as sworn evidence in a formal proceeding. For an initial online report, however, agencies usually focus first on clear screenshots, sender details, and the identity of the app or company.

Common scenarios

“The app messaged my boss and HR. Is that allowed?”

Generally, no. Contacting your workplace to embarrass you or pressure payment is a classic unfair collection issue, especially if your boss or HR is not a guarantor or co-maker. The SEC has specifically flagged workplace embarrassment as problematic and has emphasized that only guarantors or co-makers may be contacted for collection. (Philippine Information Agency)

“They messaged my relatives even though I did not list them.”

That may indicate contact scraping, social media harvesting, or another unauthorized source of personal data. The lender should be able to explain where the data came from and why processing it is lawful. If the message includes debt details, insults, threats, or public shaming, preserve the evidence for SEC and NPC complaints.

“They contacted someone who is not in my contacts.”

That does not make the conduct legal. If the person is unrelated to the loan, the lender must still justify the collection and use of that person’s data. If there is no valid basis, the recipient can invoke data subject rights and request removal or blocking.

“They said they will post me on Facebook if I do not pay.”

That may violate SEC rules against publishing or disclosing borrowers’ names and personal information to pressure payment. It may also involve data privacy violations and, depending on the wording, possible threats or cyber-related offenses.

“They said I will be arrested tomorrow.”

Non-payment of an ordinary loan is not, by itself, a ground for imprisonment. Debt collectors cannot pretend to be police, prosecutors, sheriffs, or court officers. If they send fake subpoenas, fake warrants, or fake barangay/court notices, save the message and report it as possible fraud, harassment, or impersonation.

“Does the debt disappear if the lender violated privacy rules?”

Not automatically. A valid loan may still be owed, but the lender can face administrative, civil, data privacy, or criminal consequences for illegal collection methods. The borrower should separate two issues: repayment of the legitimate debt, and accountability for abusive collection.

Frequently Asked Questions

Can an online lending app message my contacts in the Philippines?

For debt collection, it generally cannot message your contacts unless they are guarantors or co-makers. Character references may be contacted only for limited verification and must not be treated as debt collectors or substitute payers.

Can a loan app message people who are not even saved in my phone?

Not freely. The app must have a lawful source, a legitimate purpose, and a proportionate reason for using that person’s data. Random messaging, harassment, or public shaming is not justified just because the app found the number somewhere.

Is a character reference required to pay my online loan?

No. A character reference is not the same as a guarantor or co-maker. A guarantor must have clearly and separately agreed to assume responsibility for the loan.

Can a lending app tell my family or office that I owe money?

Generally no, if they are not guarantors or co-makers. Disclosing loan information to shame you, pressure your family, or embarrass you at work may be an unfair debt collection practice and a data privacy violation.

What should I do if I am receiving messages about someone else’s loan?

Reply once, clearly state that you are not the borrower, guarantor, or co-maker, demand removal of your number, then preserve screenshots. If the messages continue, report the app or sender to the NPC, SEC, or cybercrime authorities depending on the content.

Can I file a complaint even if I still owe the loan?

Yes. Owing money does not give a lender permission to harass, shame, threaten, or misuse personal data. A lender may collect through lawful means, but abusive collection can still be reported.

Can the online lending app access my contacts if I clicked “allow”?

Permission is not a blank check. Under Philippine data privacy rules, processing must still be transparent, legitimate, and proportionate. Contact-list access must be limited and cannot be used for harassment or unfair debt collection.

Are online lending apps allowed to use my photo for collection?

No. Camera or photo access may be allowed for legitimate KYC or identity verification, but a borrower’s photo must not be used to harass or embarrass the borrower in collecting a delinquent loan.

Where do I report abusive online lending apps?

Report unfair debt collection to the SEC, data privacy violations to the NPC, and threats, scams, fake legal documents, hacking, or extortion to the PNP Anti-Cybercrime Group, NBI Cybercrime Division, or DICT Cyber Hotline.

Can foreigners complain about Philippine online lending apps?

Yes, when the lender operates in the Philippines, the processing occurs in the Philippines, or the case has sufficient links to the Philippines. The Data Privacy Act IRR applies to certain acts done in or outside the Philippines, including where the entity is established in the Philippines, the processing relates to a Philippine citizen or resident, the processing is done in the Philippines, or the entity has links to the Philippines. (Supreme Court E-Library)

Key Takeaways

  • Online lending apps should not message random people, relatives, co-workers, or social media contacts for debt collection.
  • For collection, lenders may generally contact only the borrower and proper guarantors or co-makers.
  • A character reference is not automatically liable for the loan.
  • Broad contact-list harvesting, public shaming, and messaging third parties can violate the Data Privacy Act, NPC circulars, SEC debt collection rules, and financial consumer protection laws.
  • Non-payment of an ordinary loan does not allow collectors to threaten arrest, post your name online, or embarrass you at work.
  • Preserve screenshots, sender details, app information, loan documents, and statements from affected third parties before filing with the SEC, NPC, or cybercrime authorities.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.