For borrowers, guarantors, references, employers, and compliance teams. Covers banks, financing/lending companies, collection agencies, and online lending apps (OLAs).

1) The legal foundations

A. Consumer & financial regulation

Financial Products and Services Consumer Protection Act (FCPA) — imposes fair treatment, truthful disclosure, complaint handling, and empowers regulators (BSP for banks/NBFIs; SEC for lending/financing companies; Insurance Commission for insurers) to sanction abusive collection and deceptive practices.
Lending Company Regulation Act / Financing Company Act — require a Certificate of Authority; SEC may suspend/revoke and issue cease-and-desist orders for unfair collection and illicit OLAs.

B. Privacy & communications

Data Privacy Act (DPA) — requires lawful basis, purpose limitation, data minimization, security, and grants rights to complain; penalizes unauthorized processing, malicious disclosure, improper disposal, and breach.
Cybercrime Prevention Act — covers cyber libel, unauthorized access, and other ICT-facilitated offenses that often accompany shaming.
Anti-Wiretapping Act — generally prohibits recording private voice communications without the consent of all parties. Texts/chats are outside its “wiretapping” scope but are still subject to privacy and anti-libel laws.

C. Civil & criminal codes

Civil Code (quasi-delict) — damages for negligent or abusive acts.
Revised Penal Code — grave threats, grave coercion, unjust vexation, libel/slander, usurpation of authority (impersonating public officials).

2) What counts as harassment in collections

Actions that routinely violate law and/or regulator rules:

Shaming: texting/calling your contacts, employer, or posting on social media to expose the debt.
Threats & intimidation: threats of arrest, deportation, or public exposure; profanity; doxxing.
Impersonation: posing as police, prosecutors, judges, or regulators.
Excessive/untimely contacts: repeated calls or messages, especially late night/early morning or at work after you asked them to desist.
False statements: misstating the amount due, “immediate warrant,” or “case filed” when none exists.
Unauthorized data use: phonebook scraping, mass messaging your references, scraping social media, or asking for unrelated IDs/photos.
Unsecure processing: sending your personal data in open group chats, public posts, or to third parties without need-to-know.
Visiting your home/workplace to shame or coerce, especially after being told to use written channels.

Legit collection is possible without harassment: clear billing, single-point contact, reasonable frequency/time windows, truthful statements, and identity disclosure by the collector.

3) What a collector may do (and must do) lawfully

Identify themselves, their company, and the creditor; provide official contact channels.
State the correct amount due, basis (contract/statement), and how to dispute.
Communicate in reasonable hours/frequency; switch to the channel you prefer when reasonable.
Use only necessary data; secure it; limit access to authorized personnel and vendors bound by data processing agreements.
Stop contacting third parties except guarantors/co-makers and references for locator purposes only—and without disclosing your debt.

4) Privacy violations commonly seen in collections (and why they’re illegal)

Phonebook/contact scraping — no valid lawful basis; not necessary to perform/collect the contract; violates data minimization and purpose limitation.
Mass messages to contacts — unauthorized disclosure of personal/financial information; can be malicious disclosure under the DPA and libel if defamatory.
Oversharing to vendors/agents — transferring your files to third parties without a DPA or beyond stated purposes.
Retention creep — keeping your ID photos, selfies, or proofs long after closure; improper disposal can be a DPA offense.
Posting your data in social media or group chats — unlawful processing and potentially cyber libel.

5) Your options & where to complain (by issue)

Problem	Primary Law	Regulator / Venue	Usual Outcomes
Harassment, shaming, threats	FCPA; Civil/Criminal Code	SEC (lending/financing/OLAs); BSP (banks/NBFIs); IC (insurers)	Fines, CDOs, license suspension, mandated remediation
Impersonating officials	RPC crimes	PNP/NBI	Criminal case; arrest upon finding of probable cause
Cyber libel / doxxing	Cybercrime Law; RPC	NBI-CCD / PNP-ACG	Criminal complaints; takedown requests
Data privacy violations	DPA	National Privacy Commission (NPC)	Compliance orders, penalties, breach notices, possible criminal referral
False threats of arrest/“warrants”	RPC; FCPA deception	SEC/BSP/IC; PNP/NBI	Administrative sanctions; criminal action if elements met
Unregistered/illicit OLA	LCRA/FinCoA; SEC rules	SEC	Takedown, CDO, revocation, criminal referral
Contract disputes, damages	Civil Code	Courts (incl. Small Claims for money-only up to the cap)	Damages, injunctions, affidavits of loss of earnings, etc.

If the entity is a bank or BSP-supervised, go to BSP Consumer Assistance; if it’s a lending/financing company/OLA, go to SEC; for privacy, go to NPC. For criminal acts, file with NBI/PNP.

6) Evidence you should gather (without breaking the law)

Screenshots of texts, chats, social posts (include handles, numbers, timestamps).
Call logs and voicemails; names of collectors and their caller IDs.
Letters/e-mails (headers preserved).
List of third parties who were contacted, with copies of messages they received.
Proof of payments and your contract/loan statements.
Incident log (date, time, conduct).
CCTV exports if collectors visited.

⚠️ Voice recording: The Anti-Wiretapping Act generally requires all-party consent to record private voice conversations. If you wish to record, ask for consent on the call and capture the “yes.” Texts/chats are not “wiretapping,” but handle them lawfully.

7) Practical response plan (borrower side)

Switch to documented channels: “Please use e-mail only. Do not contact my employer/family.”
Demand compliance (short written notice): request the collector’s legal identity, authority, and their privacy notice/collections code; instruct them to cease third-party contacts and to preserve evidence.
Secure your device: revoke app permissions (contacts, storage, location), change passwords, and enable 2FA.
Pay what’s valid—through official corporate channels (not personal e-wallets). Dispute junk fees and unconscionable penalties in writing.
Complain concurrently to the proper regulator (BSP/SEC/IC) and to the NPC for privacy breaches; copy NBI/PNP for criminal threats.
Consider court relief: Small Claims (money claims), or injunction/damages for harassment and defamation.

8) Template: Cease-and-Desist & Privacy Demand (sample)

Subject: Demand to Cease Harassment & Unauthorized Disclosure; Request for Compliance

I am [Name], the data subject and borrower under [Account/Contract No.]. Your personnel have: [describe harassment/third-party contacts]. You are directed to: (1) cease contacting my contacts/employer and using non-official numbers; (2) communicate only via [your e-mail] between [time window]; (3) provide within 3 days your corporate name, registration/CA, registered address, privacy notice, and collections code; (4) delete any copies of my contact list and confirm deletion in writing. Continued violations will be reported to [Regulator], NPC, and law enforcement, and I reserve my right to seek damages and injunctive relief.

9) Compliance playbook (for creditors/collectors)

Identity & authority: disclose corporate name, registration/CA, and official contacts in every touchpoint.
Policies: written Collections Code, Privacy Notice, Complaint SOP; QA and escalation paths.
Contact rules: reasonable hours/frequency caps; no third-party disclosure; honor channel preferences.
Truthfulness: amounts, status, and legal steps must be accurate; no legalese threats you won’t pursue.
Data governance: minimization, DPAs with vendors, secure retention/disposal, breach plan.
Training: harassment, privacy, and cyber-libel modules; script bans (threats, impersonation).
Audit trails: calls, letters, approvals; remediate promptly upon complaint.

10) Civil remedies & damages

Actual/compensatory: medical/therapy bills, lost wages, device/number changes, security costs.
Moral damages: anxiety, humiliation (especially with shaming).
Exemplary damages: to deter wanton conduct.
Attorney’s fees & interest: where justified.
Injunctions: to stop harassment and social-media postings.

Courts may strike down unconscionable interest/penalties and recompute your liability. Paying the valid principal while disputing abusive charges strengthens equity and reduces exposure.

11) Special contexts

Online Lending Apps (OLAs): Many abuses arise from unregistered apps. Even if you owe, they cannot lawfully scrape contacts or shame you; report to SEC and NPC.
Employers: If contacted, you can demand they stop harassing your staff; document and cooperate in complaints.
Guarantors/Co-makers: Collectors may contact you for liability, but harassment rules still apply; insist on proper documents and computations.
Overseas Filipinos: Save Viber/WhatsApp logs; cyber offenses may still be pursued. Coordinate with consular posts for affidavits.

12) Frequently asked questions

Is it legal to call my family about my debt? Generally no. They can contact guarantors/co-makers and references for locator purposes—without disclosing your debt.

They say they’ll have me arrested tomorrow. Can debt alone lead to arrest? No. Nonpayment is civil. Arrest requires a criminal case and warrant; false threats are actionable.

Can I record calls? Only with all-party consent to avoid Anti-Wiretapping liability. Prefer written channels and keep call logs/voicemails.

They posted my photo and balance online. What do I do? Take screenshots/links, file with NPC (privacy), SEC/BSP (harassment), and NBI/PNP (cyber libel/coercion). Seek injunction and damages.

If I pay in full, do past privacy violations disappear? No. You can still pursue complaints and damages for prior unlawful acts.

13) Bottom line

Debt collection must be lawful, truthful, and respectful of privacy. Shaming, threats, impersonation, and phonebook scraping are illegal—even if you owe money. Document everything, channel communications in writing, pay only what’s valid through official corporate accounts, and don’t hesitate to escalate to the proper regulator, the NPC, and law enforcement. For creditors, a robust collections + privacy program isn’t optional—it’s your best defense against penalties and litigation.