The proliferation of online lending applications in the Philippines since 2018 has provided quick credit access to millions of unbanked and underbanked Filipinos. However, a significant number of these platforms — many operating illegally or with predatory practices — have engaged in grossly abusive debt collection methods, particularly the unauthorized access to borrowers’ phone contacts and systematic harassment of borrowers and their families, friends, and employers.

These practices constitute multiple violations of Philippine law, including the Data Privacy Act of 2012 (RA 10173), the Cybercrime Prevention Act of 2012 (RA 10175), the Financial Products and Services Consumer Protection Act of 2022 (RA 11765), the Revised Penal Code, and regulations issued by the Securities and Exchange Commission (SEC), Bangko Sentral ng Pilipinas (BSP), and National Privacy Commission (NPC).

This article comprehensively explains the illegal nature of these practices, the rights of affected borrowers, available remedies, complaint procedures, and preventive measures.

I. Nature of the Abusive Practices

Most predatory online lending apps employ the following tactics:

1. Mandatory access to contacts, SMS, gallery, and location as a condition for loan approval.
2. Upon default or delay (even by one day), automated or manual sending of derogatory, threatening, or shaming messages to all or selected contacts.
3. Public shaming through posting of borrower’s photos (sometimes edited to appear obscene or criminal) on social media or messaging groups.
4. Threats of legal action, physical harm, or exposure of alleged infidelity or criminality.
5. Disclosure of loan details to employers, resulting in workplace humiliation or termination.
6. Use of multiple phone numbers and spoofing to evade blocking.

These actions are not legitimate debt collection. They are designed to coerce payment through fear, shame, and social pressure.

II. Legal Prohibitions and Violations

A. Data Privacy Act of 2012 (RA 10173) and NPC Issuances

1. Unauthorized access to contacts and SMS constitutes illegal processing of personal and sensitive personal information without valid consent (Sections 11, 12, 13).

   • Consent obtained by making contact access a condition for the loan is not “freely given” and is therefore invalid (NPC Advisory No. 2020-01 and NPC Circular 2022-01).
   • Contacts of the borrower are third-party data subjects who never gave consent to the lender.

2. Sharing of borrower and contact information with collection agents or the public violates the rights to confidentiality and data portability.

3. NPC has repeatedly declared that “access to contacts for debt collection purposes is disproportionate, unnecessary, and illegal.”

Penalties:

• Administrative fines up to PHP 5,000,000 per violation
• Criminal imprisonment of 1–6 years and fines up to PHP 4,000,000
• Cease-and-desist orders and permanent bans on data processing

B. Financial Products and Services Consumer Protection Act (RA 11765)

Section 17 expressly prohibits the following unfair debt collection practices:

(a) Use of threat, violence, or intimidation
(b) Use of obscene or profane language
(c) Disclosure of borrower information to third parties without consent
(d) Public shaming or humiliation
(e) Harassment through repeated calls or messages

Violation is punishable by fines of PHP 50,000 to PHP 2,000,000 per day and imprisonment of up to 6 years.

C. Cybercrime Prevention Act of 2012 (RA 10175)

1. Cyberlibel (Section 4(c)(4)) – sending defamatory messages to contacts or posting online.
2. Computer-related identity theft and illegal access (Section 4(a)(1) and (b)(3)).
3. Online harassment and stalking.

Penalties are one degree higher than ordinary libel (prision mayor to reclusion temporal).

D. Revised Penal Code

1. Unjust vexation (Art. 287) – up to 30 days arresto menor or fine
2. Grave threats (Art. 282) – if threats of harm are made
3. Light threats (Art. 283)
4. Grave slander/oral defamation (Art. 358)
5. Intrusion of privacy (Art. 280 in relation to RA 10173)

E. SEC Regulations

• Only entities registered with the SEC as lending or financing companies may legally engage in lending (SEC Memorandum Circular No. 18, series of 2019; SEC MC No. 19, s. 2019).
• Unregistered apps are operating illegally.
• Registered lenders are strictly prohibited from shaming or contacting third parties without court order.

SEC may revoke certificates of authority and impose fines up to PHP 1,000,000.

III. Rights of Borrowers and Contacts

1. Right to refuse contact access without losing loan eligibility (if the lender is legitimate).
2. Right to demand deletion of all collected data (right to erasure/blocking under RA 10173).
3. Right to file complaints without fear of retaliation.
4. Right to have the loan declared unenforceable if obtained through illegal means.
5. Right to damages (actual, moral, exemplary) and attorney’s fees in civil suits.

IV. Where and How to File Complaints

1. National Privacy Commission (NPC) – fastest and most effective for contact access violations

• File online via npc.gov.ph → File a Complaint → Privacy Violation
• Required: screenshots of app permissions, harassment messages, loan agreement, borrower’s affidavit
• NPC can issue CDO within 72 hours and impose fines within months
• Many apps have been ordered closed by NPC (e.g., CashJeep, QuickPeso, Pesoloan, etc.)

2. Securities and Exchange Commission (SEC)

• File via sec.gov.ph → Enforcement and Investor Protection Department
• Report unregistered lending or abusive practices by registered entities
• SEC coordinates with NTC to block apps and websites

3. Bangko Sentral ng Pilipinas (BSP)

• For BSP-supervised financial institutions or their agents
• File via bsp.gov.ph → Consumer Assistance

4. Philippine National Police Anti-Cybercrime Group (PNP-ACG) or NBI Cybercrime Division

• For criminal acts (cyberlibel, threats, unjust vexation)
• File blotter first at local police, then elevate to prosecutor
• Bring printed messages, screenshots with timestamps, call logs

5. Civil Action for Damages

• File in Regional Trial Court for moral/exemplary damages (PHP 100,000–500,000 commonly awarded in successful cases)
• Injunction to stop harassment can be obtained within days via TRO

V. Practical Remedies Already Granted by Authorities

• NPC has ordered over 300 lending apps to cease operations since 2020.
• SEC has revoked licenses of several registered lenders engaged in shaming (e.g., Fynamics Lending, 2019).
• Courts have awarded PHP 200,000–500,000 in damages plus debt cancellation in multiple cases (e.g., RTC Quezon City, 2021–2023 decisions).
• DICT and NTC regularly block domains and apps upon NPC/SEC recommendation.

VI. Preventive Measures for Borrowers

1. Never grant contact, SMS, or gallery access. Legitimate lenders (JuanHand, Tala, UnaCash, etc.) do not require it.
2. Check SEC list of registered lending/financing companies before borrowing.
3. Use virtual numbers or secondary phones for loan applications when necessary.
4. Document everything: screenshots, recordings, messages.
5. Report immediately — the sooner the complaint, the faster the app can be blocked.

VII. Conclusion

The practice of accessing contacts and harassing borrowers and third parties is not only unethical but categorically illegal under multiple Philippine laws. Victims are not helpless — the combined machinery of the NPC, SEC, BSP, PNP, NBI, and the courts has repeatedly demonstrated its ability and willingness to punish offenders severely.

Every complaint filed weakens these predatory operations. Borrowers who have been victimized must come forward. Silence only enables the abuse to continue.

The Philippines has one of the strongest consumer financial protection frameworks in Southeast Asia when properly enforced. The law is unequivocally on the side of the borrower against these abusive practices. Report them. Fight back. The apps rely on your shame — deny them that power.