Updated for the Philippine legal and regulatory landscape as of late 2025. This is general information and not a substitute for legal advice.

---

Executive Summary

If a lending app is harassing you, shaming you on social media, accessing your phone contacts, charging sky-high or hidden fees, or lending without proper registration, you can take action. In the Philippines, three primary regulators handle these issues:

• Securities and Exchange Commission (SEC) — supervises lending companies and financing companies, including online lending apps (OLAs), and cracks down on illegal lenders and unfair debt collection.
• Bangko Sentral ng Pilipinas (BSP) — oversees banks, e-money issuers (EMIs), and other BSP-supervised financial institutions (BSFIs); enforces the Financial Products and Services Consumer Protection Act (FCPA, R.A. 11765).
• National Privacy Commission (NPC) — enforces the Data Privacy Act (DPA, R.A. 10173) against contact scraping, doxxing, public shaming, and unlawful processing of personal data.

For criminal conduct (threats, extortion, cyber libel, stalking), escalate to NBI–CCD or PNP–ACG under the Cybercrime Prevention Act (R.A. 10175) and the Revised Penal Code.

---

The Legal Framework at a Glance

1. Lending Company Regulation Act of 2007 (R.A. 9474) and Financing Company Act of 1998 (R.A. 8556)

   • Lending/financing companies must be SEC-registered and comply with SEC rules on disclosures, advertising, interest/fees, and collections.
   • Operating a lending business without SEC authority is penalized.

2. Financial Products and Services Consumer Protection Act (R.A. 11765, 2022)

   • Applies across BSP, SEC, and Insurance Commission supervised entities.
   • Requires fair treatment, truthful marketing, transparent pricing, suitable products, and effective redress/complaints handling.
   • Regulators may order restitution, cease-and-desist, administrative fines, and other corrective measures.

3. Data Privacy Act (R.A. 10173) and its IRR

   • Prohibits unlawful processing of personal data (e.g., harvesting contacts without valid consent, doxxing, group chats to shame debtors).
   • Provides remedies (complaints, compliance orders, penalties; and civil damages).

4. Cybercrime Prevention Act (R.A. 10175) & Revised Penal Code

   • For grave threats, unjust vexation, extortion, cyber libel, identity theft, and related crimes, file with law enforcement.

5. Civil Code & Jurisprudence on Unconscionable Interest

   • No usury ceilings (CB Circular 905), but courts may reduce or nullify unconscionable interest/penalty charges and deem hidden/abusive fees invalid.
   • You can sue to reform or annul unconscionable terms and recover illegal charges.

---

What Counts as “Predatory” or Abusive Conduct

• Unregistered or fictitious lender; app name differs from any SEC-registered entity.
• Unfair debt collection: threats, profanity, repeated late-night calls, contacting your employer/contacts, public shaming posts/GCs.
• Privacy abuses: auto-harvesting contacts, access to photos/SMS, posting your ID/face online, “exposing” you to friends.
• Deceptive pricing: “0% interest” ads but high “service/convenience” fees; short tenors with rollover traps; hidden penalties.
• Misrepresentation: claiming to be “BSP-licensed bank” or “gov’t approved” when not.
• Loan stacking and dark patterns: forced permissions, confusing opt-outs, fake countdowns, coercive UX.

---

Decide Where to File: A Quick Routing Guide

1. Is the lender a bank or e-money issuer (wallet)?

   • Yes → Use the BSP route (see Step B) and the FCPA.
   • No/Unsure → Treat as SEC-supervised lending/financing company (Step A) and also consider an NPC complaint for privacy issues (Step C).

2. Were your contacts messaged or your data misused?

   • Yes → File with NPC (Step C), regardless of regulator.

3. Were there threats, extortion, or doxxing?

   • Yes → File a criminal complaint with NBI–CCD or PNP–ACG (Step D). You may do this in parallel with SEC/BSP/NPC.

You can file with multiple bodies at once if issues overlap.

---

Evidence Checklist (Prepare Before Filing)

• Identity & relationship: your valid ID; your mobile number(s) and email used; screenshots of the app profile and loan details.
• Proof of transactions: loan agreements/terms, disbursement proofs, payment receipts, ledger, in-app statements.
• Pricing: screenshots of the advertised APR/tenor; fee breakdowns; any misleading ads.
• Harassment/collection: call logs, recordings (if lawful), SMS/GC screenshots, social media posts, chat transcripts.
• Privacy violations: permissions screens, device prompts, contact list access logs, messages sent to your contacts (with their permission to share), evidence of doxxing/public shaming.
• Regulatory status: the app’s claimed corporate name, business address, and registration claims shown in the app/store listing.
• Your own attempts to resolve: emails/tickets to the lender, reference numbers, and responses (important under the FCPA).

Preserve originals; export PDFs; keep clear, dated screenshots (show device time). Draft a sworn narrative affidavit to attach across filings.

---

Step-by-Step: How to File

Step A — SEC (Lending/Financing Companies & Illegal Apps)

When to use: Non-bank lenders; suspected illegal lending; abusive collections; deceptive ads; excessive/undisclosed fees.

1. Confirm the entity: Identify the exact corporate name used in the contract/app. (Many apps brand differently from their SEC registered entity.)

2. Draft your complaint to the SEC Enforcement/Investor Protection arm. Include:

   • Your full name, contact details, and government ID.
   • The lender’s exact corporate name (or “unknown”) and all brand/app names used.
   • The facts in chronological order (application, disbursement, repayment, harassment, etc.).
   • Violations alleged: operating without registration; unfair debt collection; deceptive advertising; unconscionable interest/fees.
   • Attachments: contracts, screenshots, payments, harassment proofs.

3. Relief requested:

   • Immediate cessation of harassment/unfair collection;
   • Investigation of illegal lending operations;
   • Order to delete unlawfully collected personal data;
   • Administrative sanctions; referral to prosecution if warranted; and
   • Restitution of illegal charges/fees (as applicable).

4. File through SEC’s public complaint channels (email/portal or in person). Keep acknowledgment copies/ref. numbers.

Tip: If the entity appears on the SEC’s list of illegal or suspended OLAs, say so in your complaint; attach proof (e.g., a screenshot of the list entry captured with date).

---

Step B — BSP (Banks, EMIs, and Other BSP-Supervised Firms)

When to use: The lender is a bank, e-money issuer, or other BSFI (sometimes wallet apps that offer credit lines).

1. Use the lender’s CAM first: Under the FCPA, providers must run a Consumer Assistance Mechanism (CAM). Lodge a formal complaint with them and give them a reasonable time (often 7–15 business days) to respond.

2. Escalate to BSP if unresolved or if you face grave/irreparable harm:

   • Submit a complaint with: proof you used the CAM; account/loan details; detailed narrative; and all attachments.
   • Cite R.A. 11765 violations: unfair treatment, deceptive marketing, lack of transparency, failure to handle complaints, unauthorized data sharing, abusive collections.

3. Reliefs: directive to rectify errors, refund illegal charges, correct records, cease unfair collection practices, and administrative sanctions.

---

Step C — NPC (Privacy & Harassment via Data Misuse)

When to use: Contact scraping, doxxing/shaming GCs, mass texts to your contacts, publishing your personal info, collecting excessive permissions without valid consent.

1. Build a privacy-focused brief:

   • What personal data were processed? (contacts, photos, ID, location, messages)
   • Legal basis claimed vs. actual consent obtained (was consent specific, informed, freely given, and documented?).
   • Harms suffered (reputational, emotional distress, workplace impact).

2. Allege violations under the DPA:

   • Unlawful processing, processing without consent, processing beyond declared purpose, insufficient security, and unauthorized disclosure.

3. Ask for: compliance orders, cease-and-desist, data erasure/deletion, penalties, and referral to other regulators if needed.

4. File through the NPC’s complaint intake (portal/email). Keep your case number; respond quickly to clarifications or mediation offers.

---

Step D — Criminal Complaints (NBI–CCD / PNP–ACG)

When to use: Threats to harm, extortion, stalking, cyber libel, unjust vexation, identity theft, unauthorized access, or sextortion-style tactics.

1. Prepare sworn statements, device forensics (if any), and all screenshots/recordings.
2. Identify the suspect: the corporate entity and/or the individual collector accounts (usernames, numbers, profile links).
3. File with NBI–Cybercrime Division or PNP–Anti-Cybercrime Group. Request take-down and preservation orders where applicable.

---

Optional: Civil Remedies You Can Pursue

• Small Claims (for money claims ≤ ₱1,000,000; thresholds may change): recover illegal charges, penalties, or over-collections without a lawyer.

• Ordinary civil action:

  • Annul/reform unconscionable interest/penalties; courts may reduce them.
  • Damages for privacy breaches, harassment, reputational harm.

• Injunction: ask courts to restrain continued harassment or unlawful processing.

---

Protect Yourself While the Case Is Pending

• Keep paying what you legitimately owe (net of disputed illegal fees) if safe and affordable, to avoid ballooning debt—document any disputed computation.
• Write a cease-and-desist letter to the lender demanding: (a) stop harassment and third-party contacts; (b) limit communications to written channels; (c) delete unlawfully obtained data; (d) provide full loan ledger and fee basis.
• Data rights under the DPA: submit Access, Correction, Deletion, and Objection requests; request the lawful basis for each data processing activity.
• Device hygiene: revoke app permissions, uninstall the app after exporting records, change passwords, enable 2FA, and consider a fresh device backup/restore if you suspect spyware-like behavior.
• Inform your employer/contacts briefly**:** explain you’re resolving a dispute with a lender and that contacting them is illegal; ask them to forward any messages to you for evidence.

---

Practical Timelines

• Internal CAM (BSP/FCPA): expect an acknowledgment in 2–3 business days, resolution attempt within 7–15 business days (varies by provider).
• SEC/NPC administrative complaints: intake acknowledgment within days to a few weeks; investigation and orders can take weeks to months, depending on docket.
• Criminal cases: timelines vary; urgent cases may obtain preservation/takedown faster.

(Actual durations vary by docket and completeness of your evidence.)

---

Red Flags That Strengthen Your Case

• App demands full contact list access “to proceed.”
• Shaming GCs with your photo/ID, or messaging your boss/HR.
• Mismatch between app brand and any registered corporate name.
• Microloans with “0% interest” claims but 30–50% “fees” for 7–14-day terms (effective APRs in the thousands of %).
• Threats to publish your nudes/IDs or to “file criminal cases” for mere non-payment (debt is usually civil, not criminal).

---

Templates You Can Reuse

1) SEC Complaint Cover Letter

Re: Complaint vs. [Full Corporate Name, if known] (Brand: [App Name]) — Illegal Lending and Unfair Debt Collection

I, [Your Name], of legal age, Filipino, residing at [Address], respectfully file this complaint against [Entity].

Facts: [Chronological narrative: date applied, amount disbursed, fees, harassment incidents with dates/times, privacy violations].

Alleged Violations: Operating without proper registration/authority; deceptive advertising and non-transparent pricing; unfair and abusive debt collection; imposition of unconscionable interest/fees.

Prayer: (1) Immediate cease-and-desist from unfair collection and data misuse; (2) Investigation and administrative sanctions; (3) Order to delete unlawfully processed personal data; (4) Restitution/refund of illegal charges; and (5) Referral for criminal prosecution if warranted.

Attached are copies of my valid ID and evidence marked Annexes “A” to “__”.

Respectfully, [Signature] / [Printed Name] [Mobile/Email]

2) NPC Privacy Complaint

Respondent: [Corporate Name] / [App Brand] Acts complained of: Unauthorized access to and use of my phone contacts; disclosure of my personal data to third parties; publication of my images/IDs; harassment and shaming through group chats/social media. DPA Grounds: Unlawful processing; processing without consent or beyond stated purpose; failure to implement appropriate safeguards; unauthorized disclosure. Relief sought: Compliance order; cease-and-desist; erasure of data; penalties; referral to SEC/BSP and law enforcement.

3) Cease-and-Desist to the Lender

This is a formal demand to stop the following illegal acts: (1) contacting my employer or phone contacts; (2) creating shaming groups/posts; (3) threatening criminal cases for civil debt.

All communications should be in writing to this email: [address]. Provide within 7 days: (a) full loan ledger; (b) legal basis for your processing of my contacts and images; (c) corporate registration details and physical address.

Continued violations will be reported to the SEC, NPC, BSP, and law enforcement.

(Notarize your cover letters/affidavits when feasible.)

---

If the Lender Sues You or Sends a “Demand Letter”

• Don’t ignore it. Reply in writing, dispute illegal fees and unconscionable interest, and request the full ledger and basis for charges.
• Keep envelopes and registry receipts; deadlines run from receipt.
• If served with court papers, file an Answer within the rules’ period (usually 30 days for ordinary civil actions; 10 days for small claims), raising defenses: lack of cause of action, unconscionable interest, illegal charges, privacy violations, set-off for damages.

---

Frequently Asked Questions

Do I have to pay if the lender is illegal? You are liable for principal actually received, but illegal/unconscionable charges can be voided; regulators may order refunds. Courts can reduce interest/penalties.

Can they send messages to my contacts? Generally no. Messaging third parties about your debt without a lawful basis violates the Data Privacy Act and may constitute harassment or cybercrime.

Can I keep using my SIM? Yes; but if you’re barraged by threats, consider blocking/reporting numbers and preserving messages for evidence before blocking.

Can I settle while complaining? Yes. If you settle, document the terms and insist on data deletion and a no-harassment clause.

---

Final Pointers for a Strong Complaint

• Be specific: dates, times, names, numbers, URLs/usernames.
• Be organized: paginate exhibits; label Annexes.
• Be consistent across SEC/BSP/NPC filings; use the same chronology.
• Ask for data deletion and records correction explicitly.
• Keep backup copies of everything in cloud storage and printouts of critical evidence.

---

One-Page Checklist (tear-off)

• Identify regulator: SEC (lender), BSP (bank/EMI), NPC (privacy), NBI/PNP (criminal).
• Gather evidence: ID; contract; disbursement; payments; harassment logs; screenshots; permissions prompts.
• Draft sworn narrative.
• File CAM complaint (if BSP-supervised); wait 7–15 business days or escalate sooner if serious harm.
• File SEC complaint (unfair collection/illegal lending).
• File NPC complaint (data misuse/shaming).
• File NBI/PNP complaint (threats/extortion/cyber libel).
• Send Cease-and-Desist to lender; demand data deletion and ledger.
• Consider Small Claims or civil suit for refunds/damages.
• Maintain payment of undisputed principal if feasible; dispute illegal fees in writing.

---

You’ve got options. With complete documentation and the right routing—SEC/BSP for market conduct, NPC for privacy, and NBI/PNP for crimes—you can stop harassment, clean your data trail, and recover what’s been wrongfully taken.