Harassment by Online Lending Apps in the Philippines
A comprehensive legal overview as of 17 July 2025 (Philippine context)
1. Background and Phenomenon
Smart-phone–based “quick cash” lending apps exploded in the Philippines around 2016-2019. Most relied on access to the borrower’s contacts, photos, location and device data to underwrite a loan within minutes. As soon as a payment became overdue—even by a single day— many operators deployed harassment “collection playbooks”: mass-texting the borrower’s contact list (“utang-shaming”), doctored photo memes, threats of criminal prosecution or arrest, and incessant calls at any hour.
Borrower complaints triggered parallel action by four regulators:
| Regulator | Mandate implicated | Typical sanction |
|---|---|---|
| Securities and Exchange Commission (SEC) | Licensing of lending/financing companies (RA 9474, RA 8556) and unfair debt-collection practices (SEC MC 18-2019, MC 10-2021, MC 05-2022) | Revocation of certificate of authority, cease-and-desist orders (CDOs), ₱25 000–₱1 000 000 fines per offense, app take-downs |
| National Privacy Commission (NPC) | Data Privacy Act of 2012 (RA 10173); unlawful processing & unauthorized disclosure | Compliance orders, ban on data processing, fines up to ₱5 000 000 per act, criminal referral |
| Bangko Sentral ng Pilipinas (BSP) | Consumer Protection Act of 2022 (RA 11765) & BSP Circular 1166-2023 on debt-collection by BSP-supervised institutions | Monetary penalties, suspension of lending operations, disqualification of directors/officers |
| Department of Justice & law enforcement (NBI-CCD, PNP-ACG) | Cybercrime Prevention Act of 2012 (RA 10175), Revised Penal Code (RPC) | Cyber-libel, grave threats, unjust vexation, identity theft prosecutions |
2. Key Primary Laws & Regulations
2.1 Lending & Financing Company Regulation
| Instrument | Core obligations | Relevance to harassment |
|---|---|---|
| RA 9474 (Lending Company Regulation Act of 2007) | Requires a Certificate of Authority (CA) from the SEC and compliance with “sound and fair” lending practices. | Operating without a CA is punishable by ₱10 000–₱50 000 fine and/or 6 months–10 years’ imprisonment. Many abusive apps lacked a CA. |
| RA 8556 (Financing Company Act of 1998) | Analogous requirements for companies that extend credit beyond the narrow definition of a “lending company.” | Same enforcement arm (SEC). |
2.2 Unfair Debt-Collection Rules
SEC Memorandum Circular 18, Series of 2019 – “Prohibition on Unfair Debt Collection Practices.” Prohibits:
- Use of violence, threats, or obscene language.
- Contacting the borrower’s phone book, employer, or family without consent.
- Publicly humiliating or defaming a borrower.
- Contacting the borrower between 10 p.m. and 6 a.m.
- False threats of arrest, legal action, or service of court pleadings.
First offense: ₱25 000–₱100 000; third offense: CA revocation.
SEC MC 10-2021 & MC 05-2022 – tightened documentary requirements before launching or changing an online lending platform (OLP); mandatory disclosure of collection policies; suspension of new app clearances after multiple complaints.
2.3 Data Privacy & Data Protection
RA 10173 (Data Privacy Act of 2012). Key violations seen in harassment cases:
- Unauthorized processing (s. 25-26). Installing the app was held not to be valid consent for scraping an entire phonebook.
- Data privacy principles (transparency, proportionality, legitimate purpose) flouted by blanket permissions.
NPC precedent: Fynamics Lending Inc. (2022) – first publicly announced NPC decision finding unauthorized contact-scraping; ordered deletion of all unlawfully collected data and a ₱1 million fine per count.
2.4 Financial Consumer Protection Act
RA 11765 (2022). Gives the BSP, SEC, IC and CDA cross-cutting powers to:
- Issue cease and desist orders for abusive collection practices;
- Award restitution to consumers;
- Impose director/officer fit-and-proper disqualifications.
BSP Circular 1166-2023 implements the Act for BSP-regulated entities, extending MC 18-2019‐style prohibitions to banks, e-money issuers, and “non-bank credit grantors”.
2.5 Criminal Law Anchors (selected)
| Offense | Statute | Typical elements in lending-app cases |
|---|---|---|
| Libel / Cyber-libel | RPC Art. 353-355; RA 10175 §4(c)(4) | “Shaming” posts or mass messages accusing borrower of fraud |
| Grave threats | RPC Art. 282 | Threats to harm borrower or family, or cause arrest without basis |
| Unjust vexation | RPC Art. 287 | Repeated late-night calls/texts causing annoyance or distress |
| Alarm & scandal | RPC Art. 155 | Posting scandalous edited images to borrower’s social media |
| Violation of Anti-Photo & Video Voyeurism Act | RA 9995 | Some apps sent lewd altered images to contacts |
Conviction rates remain low, but the threat of arrest under cyber-libel has pressured several operators to settle with borrowers.
3. Enforcement Milestones (Illustrative)
| Year | Agency action | Outcome |
|---|---|---|
| 2019 | SEC Task Force “OLP” launched; first wave of CDOs vs 19 apps. | Google Play delisted all 19 within a week. |
| 2020 | NPC raided servers of FastCash & WeLoan with NBI. | 125 GB of scraped contact data seized; criminal raps filed. |
| 2021 | SEC MC 10-2021: moratorium on new OLP certificates while rules tightened. | Number of active legal apps temporarily dropped from 216 to 90. |
| 2022 | Passage of RA 11765; BSP issues consumer protection circular. | Harmonised complaints desk (One-Stop Action Centre) created. |
| 2023 | SEC revokes CA of Upeso, Inc. after 1 400 harassment complaints. | ₱1 million fine + lifetime director disqualification. |
| 2024 | NPC imposes first multi-million aggregate fine (₱5.5 M) on JuanHand for repeat privacy violations. | Ordered 30-day suspension of processing operations. |
4. Remedies and Complaint Pathways for Borrowers
- File an SEC complaint (online portal / e-mail). Free, no lawyer required. Attach screenshots and call logs.
- File an NPC complaint for privacy breaches; must first write a “privacy concern letter” to the company and give 15 days to act.
- Report to BSP if the lender is a bank, EMI or pawnshop regulated by the BSP.
- Criminal affidavit before the NBI Cybercrime Division or PNP Anti-Cybercrime Group.
- Civil action / small-claims – collect proof of mental anguish, damages.
- Barangay protection order (if threats amount to Violence Against Women and Children under RA 9262).
5. Compliance Checklist for Legitimate Operators
| Area | Minimum-compliant practice |
|---|---|
| Licensing | Valid CA, business name registered as an OLP with the SEC. |
| Privacy | Collect only NIDA-compliant data (name, ID, selfie, optional alternate contact); no full contact scraping; privacy notice in Filipino & English. |
| Consent Management | Granular Android/iOS permissions; disable auto-deny if user revokes. |
| Debt Collection | Scripts reviewed for MC 18-2019 compliance; recorded phone calls; calls only 8 a.m.–5 p.m. weekdays. |
| Governance | Board-approved Compliance Manual; Data Protection Officer registered with NPC. |
| Dispute Resolution | 15-day internal complaint handling; free cancellation letters upon full payment. |
6. Emerging Issues and Legislative Outlook
- Draft “Fair Debt Collection Practices Act” (House Bill 6683/Senate Bill 1360) – would codify MC 18-2019 and extend it to all creditors, including informal “5-6” lenders.
- Proposed amendment to RA 10173 – elevates maximum NPC fine to 2 % of global annual turnover, mirroring GDPR.
- Digital Lending Sandbox under the Financial Sector Forum: cross-agency licensing passport to encourage legit fintech while weeding out abusive actors.
- AI-driven credit scoring – NPC has issued draft guidelines on automated decision-making and explainability obligations; may curb opaque “black-box” rejections.
- Cross-border enforcement – SEC & NPC signed 2024 MOU with Indonesia’s OJK and Singapore’s PDPC for joint action when servers are offshore.
7. Practical Advice for Borrowers
- Preserve evidence: screenshot messages (with timestamp), record calls (RA 4200 allows one-party consent).
- Never pay from fear. Verify if the company is SEC-registered (sec.gov.ph → OLP list).
- Lock down app permissions: Android → Settings → Apps → LendingApp → Permissions → Contacts = “Deny.”
- Use small-claims court (₱1 million threshold) to recover illegal fees.
- Seek psychosocial support; harassment often leads to anxiety and depression—grounds for moral damages.
8. Conclusion
The Philippine legal ecosystem now offers a layered web of administrative, civil, and criminal remedies against harassment by online lending apps, though challenges remain (slow case build-up, cross-border servers, borrower fear of litigation). Continued vigilance by regulators—and informed assertion of rights by borrowers—are crucial to ensuring that fintech innovation serves genuine financial inclusion rather than digital predation.