A practical legal guide in Philippine context (borrowers, co-borrowers, contacts, and affected third parties)

1) Why complaints against lending apps are different

“Lending apps” typically operate as Online Lending Platforms (OLPs)—they market, accept applications, and collect payments through mobile apps, SMS, calls, and social media. The app may be run by:

a SEC-registered lending company or financing company (lawfully allowed to lend, subject to SEC supervision), or
a non-registered / illegal operator using an app and payment channels, sometimes with shell entities or rotating names.

Complaints usually involve at least one of these problem areas:

Illegal lending / unregistered operation
Excessive interest, hidden fees, misrepresentation of loan terms
Harassment, threats, shaming, contact-spamming, disclosure to your phonebook
Data privacy violations (accessing contacts/photos, publishing personal data)
Fraud / identity issues (loan taken under your name, “ghost loans,” fake accounts)
Unfair collection practices even where a loan is valid

Because multiple laws and agencies can apply at once, the best outcomes come from choosing the correct forum(s) and presenting good evidence.

2) Key laws and legal frameworks you’ll encounter

A. Regulation of lending and financing companies (SEC supervision)

If the operator is a lending company or financing company, it generally falls under the Securities and Exchange Commission (SEC).

Lending Company Regulation Act of 2007 (RA 9474) – regulates lending companies.
Financing Company Act (RA 8556) – regulates financing companies.
SEC can impose administrative sanctions (fines, suspension/revocation of authority), and act against prohibited acts and abusive practices.

Practical point: Many abusive apps are either not registered, or registered but still violate SEC rules/standards. Your complaint can target both.

B. Disclosure of credit terms / misleading charges

Truth in Lending Act (RA 3765) – requires clear disclosure of finance charges and credit terms.
If the app advertises one thing but imposes another (fees deducted upfront, “processing fees,” “service fees,” daily penalties not disclosed), that can support complaints for deceptive/unfair practices.

C. Data privacy and phonebook harassment

Data Privacy Act of 2012 (RA 10173) – regulates collection, processing, sharing of personal data. Common violations in lending app cases include:
- collecting more data than necessary (contacts, photos, files)
- using contacts to pressure repayment (“contact blasting”)
- disclosing your debt status to third parties
- publishing personal info or IDs
- retaining data longer than needed
- processing without valid legal basis or without meaningful consent

Enforcement is through the National Privacy Commission (NPC) (administrative) and, in appropriate cases, criminal prosecution under the DPA.

D. Harassment, threats, and cyber-enabled wrongdoing

Depending on the facts, these may apply:

Revised Penal Code offenses such as:
- Grave threats / light threats
- Slander / oral defamation (if they malign you)
- Unjust vexation (often used in harassment patterns)
- Coercion (forcing acts through intimidation)
Cybercrime Prevention Act of 2012 (RA 10175) – if threats/defamation/harassment are committed through ICT (texts, social media, online posting), penalties may be affected and cybercrime units may assist.

E. Civil remedies (money/damages and injunction)

Even if you still owe money (or even if the loan is voidable/illegal), you may pursue:

damages (for harassment, privacy invasion, reputational harm)
injunction / restraining relief (to stop ongoing disclosures/harassment, subject to court standards)

F. Local dispute mechanisms (barangay)

For many personal disputes, the Katarungang Pambarangay process may apply before filing in court—especially if parties are individuals residing in the same locality. For app operators with unclear addresses or corporate entities, this may be impractical, but it can still be useful for documenting harassment and attempting settlement when identities are known.

3) Who regulates what (the “where do I complain?” map)

1) SEC (Securities and Exchange Commission)

File here when the lending app is a lending company/financing company, or representing itself as such, or when you suspect unregistered lending.

Typical SEC issues:

operating without proper SEC authority
abusive collection practices
misleading loan terms, prohibited acts under SEC rules
failure to comply with SEC registration/requirements for OLPs
using multiple business names/apps to evade enforcement

What SEC can do: investigate, require explanations, penalize, suspend/revoke authority, act against illegal operators.

2) NPC (National Privacy Commission)

File here for data privacy violations, including:

contact blasting
unauthorized access to contacts/media/files
disclosing debt info to third parties
publishing personal data or IDs
refusing to delete/stop processing without basis
lack of transparency about data use

What NPC can do: mediation, orders to comply, directives to stop unlawful processing, administrative sanctions; DPA-related matters may also support criminal complaints.

3) Law enforcement / prosecutors (PNP, NBI, City/Provincial Prosecutor, DOJ)

File here for criminal conduct:

threats, extortion-like demands, coercion
cyber harassment, online shaming, doxxing
identity theft / fraud / falsification issues
organized schemes and repeat offenders

Path: police blotter → referral to cybercrime unit (if appropriate) → complaint-affidavit filed with prosecutor → preliminary investigation.

4) BSP (Bangko Sentral ng Pilipinas) – only for BSP-supervised institutions

If the entity is a bank, e-money issuer, or BSP-supervised financial institution, BSP consumer channels may apply. Many standalone lending apps are not BSP-supervised; still, their payment rails may be.

5) Platforms and intermediaries (non-government but effective)

Not a “legal forum,” but often crucial:

Google Play / Apple App Store reports
Meta/Facebook reports for harassment posts
Telcos for spam/abuse patterns
E-wallets / payment providers for abusive merchant accounts (where applicable)

Platform reports won’t replace legal action, but they can reduce ongoing harm.

4) Before you file: build your evidence pack (this matters more than people think)

A. Identify the operator (not just the app name)

Gather:

app name + developer name
website links, in-app “About,” privacy policy, terms
screenshots of company name, SEC registration claims, address, emails, hotlines
payment instructions: bank accounts, e-wallet handles, reference numbers
collectors’ numbers, email addresses, FB accounts, Viber/WhatsApp IDs

B. Capture harassment properly (make it admissible and persuasive)

Screenshot entire conversation threads (include timestamps, phone numbers/usernames)
Screen-record scrolling threads to show continuity
Save voicemails; record calls only if lawful and safe in your situation (and be mindful of privacy rules)
Keep a log: date/time, number used, summary of what happened, witness (if any)

C. Prove data misuse / disclosure

screenshots of messages sent to your contacts (ask them to forward)
screenshots of posts tagging you or publishing your info
screenshots showing the app requested permissions (contacts/files/media) and any prompts forcing consent

D. Document the loan itself

loan summary, disbursement proof, cash-in/cash-out
amortization schedule (if any), penalties, “service fees”
proof of partial payments
proof of “net proceeds” (many abusive apps deduct large fees upfront)

5) Your first move: send a firm, written demand to stop unlawful conduct

Even if you plan to complain immediately, a written notice is useful because it:

creates a timeline
shows you demanded cessation
can support willfulness/bad faith

Your notice can state:

you dispute unlawful practices (harassment, disclosure, unauthorized processing)
demand they stop contacting third parties and stop publishing data
demand they identify the collecting entity and provide full accounting of the loan
instruct that future communications be limited to lawful channels (email) and during reasonable hours

Keep it factual. Avoid insults. Save proof of sending.

6) Filing with the SEC (for lending/financing companies and illegal lending)

A. What to allege (common, strong grounds)

Operator is unregistered or misrepresenting authority to lend
Collection practices are abusive, coercive, threatening, or humiliating
Loan terms are misrepresented or not clearly disclosed
Multiple app names/collector identities used to evade accountability

B. What to include in your SEC complaint

Your details and contact info
App name and alleged company behind it
Chronology (loan date, disbursement, due date, payments)
Specific abusive acts (with screenshots)
Relief requested: investigation, cease abusive collection, penalties, revocation/suspension (as applicable)

C. What outcomes to expect

SEC may request clarifications or require the company to explain
If there’s a pattern and good proof, SEC action can be swift and impactful (especially for registered entities)
For unregistered operators, SEC action helps build enforcement cases and warnings; pairing with NPC and criminal routes is often stronger

7) Filing with the National Privacy Commission (NPC)

A. Best NPC theories in lending app cases

No valid consent / invalid consent (consent forced as a condition, not informed/specific)
Excessive collection (not necessary to evaluate credit or service the loan)
Unauthorized disclosure (debt status, personal information to third parties)
Unlawful processing (continued use of data to harass, shame, threaten)
Failure of transparency (unclear privacy policy, identity of controller, retention)

B. What to submit

narrative complaint
evidence bundle (screenshots, recordings, forwarded messages to your contacts)
proof that data came from app access (permissions, collector references to your contacts list)
copy of your stop-processing demand (if you sent one)

C. What NPC can do that’s uniquely helpful

compel explanations about data processing
order steps to stop or limit processing
drive compliance changes, not just “punishment”
build an official record that strengthens criminal/civil cases

8) Criminal complaints (when collectors cross the line)

A. When you should consider criminal action

threats of harm to you or family
“pay or we will…” threats, especially involving reputational ruin
posting your photo/ID, doxxing, contacting employer, mass messaging your contacts
identity fraud, loans created without your participation
repeated harassment from rotating numbers/accounts

B. Where and how (typical path)

Police blotter for documentation (especially if immediate safety concerns)
If cyber-enabled, coordinate with cybercrime units or investigative bodies
Prepare a complaint-affidavit and file with the Office of the City/Provincial Prosecutor for preliminary investigation
Include evidence in organized annexes; name respondents as best you can (numbers, usernames, company name, “John Does” where necessary, plus the corporate entity if identifiable)

Tip: Even if you don’t know the real names, evidence that links the collectors to the entity (emails, payment accounts, in-app instructions, consistent scripts) helps.

9) Civil options (often overlooked but powerful)

A. If you want the harassment to stop: injunction-type relief

Courts can, under appropriate circumstances, restrain continuing wrongful acts. This is fact-sensitive and usually needs a lawyer, but it becomes realistic when:

there’s ongoing disclosure/harassment,
there’s clear evidence,
the respondent is identifiable and reachable.

B. Damages

Possible bases:

privacy invasion (DPA-related harms)
moral damages for humiliation, anxiety, reputational damage
exemplary damages when bad faith is provable
attorney’s fees in proper cases

10) Important reality check: owing money vs. abusive collection

A borrower can be in default and still be a victim of unlawful practices.

Complaints about harassment and privacy violations are not “excuses” to avoid a valid debt.
Likewise, abusive apps sometimes structure charges so aggressively that the obligation becomes disputable or legally questionable.
Your strategy can be: (1) demand lawful accounting and terms disclosure, (2) pay what is legitimately due if you choose/are able, (3) separately pursue complaints for unlawful conduct.

11) Special scenarios and what to do

A. You never took a loan but you’re being collected (“ghost loan”)

Immediately dispute in writing.
Demand proof: application logs, KYC steps, disbursement proof.
File with NPC (identity/data misuse) and consider criminal complaint (fraud-related), plus SEC if it’s a lending company/OLP.

B. Your contacts are being harassed

Ask contacts to forward messages and provide brief statements.
Add their evidence as annexes (NPC loves clean third-party proof).
Demand cessation and file NPC complaint.

C. You paid but they still claim you owe (or “reloan” issues)

Compile receipts and transaction references.
Demand a written ledger.
File with SEC (abusive/unfair practices) and consider civil action if amounts justify.

D. They threaten to sue you, arrest you, or garnish wages without due process

Arrest for debt is not how collection works; criminal liability depends on specific crimes, not mere nonpayment.
Wage garnishment generally requires a court process.
Save these threats—they often support harassment/coercion theories.

12) How to write a strong complaint (structure you can copy)

A. One-page executive summary (highly recommended)

Who you are
Who they are (as identified)
What happened (dates, amounts)
What unlawful conduct occurred (bulleted, with annex references)
What relief you want

B. Chronology section

Use numbered entries:

Date – downloaded app; permissions requested
Date – loan approved; disbursement amount vs. net received
Date – first harassment; first contact blasting
Date – disclosure to employer/contacts; threats
Date – you demanded stop; they continued

C. Annex system

Label evidence clearly:

Annex “A”: screenshots of app info
Annex “B”: loan terms/screens
Annex “C”: harassment texts
Annex “D”: messages sent to contacts
Annex “E”: payment proofs
Annex “F”: your demand letter

Agencies take action faster when they can navigate your evidence in seconds.

13) Practical safety and digital hygiene (while complaints are pending)

Do not reinstall the app “to check,” especially if it requests broad permissions again.
Review phone permissions; remove contacts/media/file access for suspicious apps.
Consider changing passwords if you reused them anywhere.
Warn close contacts not to engage with collectors; ask them to screenshot and block.
Keep communications in writing; avoid phone arguments.

14) What not to do

Don’t post defamatory accusations online that you can’t prove; focus on formal complaints.
Don’t pay “privacy deletion fees,” “clearance fees,” or “processing fees” demanded by collectors outside documented loan terms.
Don’t ignore court papers if you actually receive official summons (rare in many abusive-app cases, but treat any formal service seriously).

15) When to consult a lawyer (high-yield triggers)

threats of physical harm or persistent stalking-like behavior
doxxing/public shaming causing job risk
large amounts involved or multiple loans
identity fraud cases
you want injunctive relief or damages
you received formal legal notices, subpoenas, or summons

16) A workable “multi-forum” strategy that often succeeds

For serious harassment + privacy abuse, many complainants do best by:

NPC complaint (data misuse/contact blasting)
SEC complaint (abusive OLP conduct/registration issues)
Police blotter + prosecutor complaint if threats/doxxing/extortion-like conduct exists
Platform takedown reports for ongoing posts/app presence

You’re not “forum shopping”—you’re addressing different legal wrongs handled by different authorities.

If you want, paste (remove your sensitive info if needed) a short timeline of what the app did—amount borrowed, net received, due date, and the worst harassment behaviors—and I’ll turn it into a clean, agency-ready complaint narrative with a suggested annex list for SEC and NPC.