How to File a Complaint Against Online Lending Apps in the Philippines

(A practical, Philippine-specific legal guide — updated to general rules as of 2025; verify any regulator links/addresses before filing since these change.)

Quick take

Figure out who supervises the app.
- Most online lending apps (OLAs) are lending or financing companies → Securities and Exchange Commission (SEC).
- If the product is offered by a bank or BSP-supervised non-bank (e-money issuer, thrift/rural bank, etc.) → Bangko Sentral ng Pilipinas (BSP).
- Data privacy/“debt-shaming” → National Privacy Commission (NPC) (regardless of SEC/BSP).
- Criminal harassment, threats, cyber-libel → PNP Anti-Cybercrime Group (PNP-ACG) / NBI Cybercrime Division.
Document everything (screenshots, audio, caller IDs, app permissions, loan contracts, receipts).
Complain to the provider first (required under the Financial Consumer Protection law), then escalate to SEC/BSP/NPC as appropriate.
You cannot be jailed for non-payment of debt. (1987 Constitution, Art. III, Sec. 20.) Threats of jail for mere non-payment are abusive.
Unfair debt collection and privacy abuses are illegal, even if you owe money. You can seek regulatory penalties, takedowns, damages, and in some cases criminal accountability.

The legal landscape (what rules apply)

Lending Company Regulation Act (R.A. 9474) and Financing Company Act (R.A. 8556): Lending/financing companies must register with the SEC and comply with disclosure and conduct rules. Only entities with the proper primary registration and certificate of authority may operate lending businesses.
SEC rules on OLAs & collections: SEC memoranda (including 2019 circulars) require online lending platforms to be operated only by duly authorized companies and prohibit unfair debt collection practices such as harassment, threats, use of obscene language, contacting your phonebook/“references” to shame you, and misrepresenting authority (e.g., claiming they can jail you). The SEC regularly issues cease-and-desist and revocation orders against violators.
Truth in Lending Act (R.A. 3765): Lenders must clearly disclose total finance charges and the effective interest rate before you borrow.
Financial Products and Services Consumer Protection Act (R.A. 11765): Core protections for financial consumers; mandates internal complaints handling by the provider and gives SEC/BSP/IC powers to order restitution, disgorgement, refunds, and administrative sanctions.
Data Privacy Act (R.A. 10173): Protects your personal data. Collecting your entire contact list, using it to shame you, processing beyond stated purposes, or failing to secure your data can be unlawful. You have rights to be informed, access/correction, object, erasure, and to file a complaint with the NPC.
Cybercrime Prevention Act (R.A. 10175) & Revised Penal Code: Abusive collectors may commit grave threats, grave coercion, unjust vexation, libel/cyber-libel, and related offenses. These are criminal matters for law enforcement.
On “usurious” interest: There’s no fixed statutory cap because usury ceilings were lifted decades ago, but courts can strike down unconscionable interest and penalty charges under the Civil Code and jurisprudence, and reduce them to reasonable rates. You may challenge these in negotiation, before regulators, or in court.

What counts as abusive or illegal conduct by OLAs?

Operating without SEC authorization, or misrepresenting regulatory status.
Failing to disclose the total cost of credit (interest, fees, penalties).
Unfair collection tactics, e.g., repeated harassment, threats, profane language, contacting your employer/family/friends to shame you, doxxing, posting your photos online, or “demand letters” pretending to be from courts or prosecutors.
Privacy violations: scraping your phonebook or photos, demanding intrusive permissions unrelated to lending, processing your data beyond disclosed purposes, sharing your data with third parties without a lawful basis.
False advertising or deceptive statements about rates, fees, or approvals.

Evidence checklist (collect before you file)

The app’s name, developer, and links; screenshots of its listing.
Your loan agreement, payment history/receipts, transaction IDs, and in-app messages.
Screenshots/recordings of calls, texts, chats, caller IDs, dates/times, and the abusive content.
Proof that the app requested contact list, SMS, camera, or microphone access (screenshot of app permissions).
Copies of any threatening “legal notices” or posts used to shame you.
Your ID and contact info (for regulators), and a short timeline of events.

Tip: Export the app’s data (if possible). Back up files securely. Keep a running log of incidents with dates and persons involved.

Step 1 — Complain to the provider (required “first stop”)

Under R.A. 11765, providers must have a Consumer Assistance/Complaints Mechanism. Send a concise written complaint:

Identify yourself, your loan account, and the product.
State the specific violations (e.g., no rate disclosure; harassment; privacy breach).
Demand concrete relief: stop harassment, delete unlawful data, correct charges, refund, give a written explanation.
Attach evidence.
Give a reasonable response window (e.g., 10 business days).

Keep proof of delivery (email, ticket number, registered mail, or in-app confirmation). If the provider is unresponsive or the response is inadequate, escalate.

Step 2 — Escalate to the correct regulator

A) If it’s a lending/financing company → SEC

What to file: A sworn complaint detailing the acts, with evidence. Identify if the app is unregistered or uses unfair collection or deceptive practices.
What the SEC can do: Investigate; order cease-and-desist; impose administrative sanctions; revoke/suspend licenses; order corrective action/refunds under the financial consumer law. SEC also coordinates with app stores to delist illegal OLAs.

B) If it’s a bank/e-money issuer/other BSP-supervised entity → BSP

Use the bank/EMI’s internal helpdesk first; then complain via BSP’s consumer channels (commonly known as BOB – BSP Online Buddy).
What BSP can do: Require corrective action, consumer redress, and impose supervisory sanctions.

Unsure whether it’s SEC or BSP? Check who the actual lender is in the contract and the app’s disclosures. If the app “fronts” for a bank, BSP has jurisdiction; if it’s a stand-alone lending/financing company, it’s SEC.

C) Data privacy abuses (contact list scraping, debt-shaming, over-collection) → NPC

When to file: After you’ve notified the company’s Data Protection Officer (DPO) and given a chance to address the issue, or immediately if there’s ongoing harm.
What to file: Complaint affidavit, your ID, timeline, screenshots/recordings, the app’s privacy policy (if available), and proof you invoked your data subject rights (e.g., right to object/erasure).
What NPC can do: Order the company to stop unlawful processing, delete data, adopt safeguards, and refer for prosecution of criminal privacy offenses.

D) Criminal conduct → PNP-ACG / NBI-Cybercrime

File if you received threats, extortion, defamation/cyber-libel, or similar. Bring your evidence and IDs. Law enforcement may subpoena the firm, trace numbers/accounts, and file cases with prosecutors.

E) Other possible venues

DTI (deceptive marketing not squarely within SEC/BSP rules);
NTC (spam/illegal texting patterns) — usually supporting, not primary.

Step 3 — Consider civil remedies

You can file suit to:

Invalidate or reduce unconscionable interest/penalties and recover overpayments and damages (moral, exemplary, attorney’s fees) for abusive collection.
Seek injunctions against harassment or unlawful processing of your data.
Use Small Claims Court for money claims up to ₱1,000,000 (no lawyers required, rules simplified). Bring receipts, statements, and your sworn narrative.

Practical tip: Even if you plan to sue, also complain to SEC/BSP/NPC; regulators can order faster corrective measures while a case is pending.

How to draft your complaint (structure & sample language)

Core structure (for SEC/BSP/NPC)

Complainant details (name, address, contact, ID).
Respondent details (company name, app name, known addresses, numbers, emails).
Jurisdiction (explain why the agency has authority).
Facts (dated timeline; attach exhibits labeled A, B, C…).
Violations cited (laws/rules; keep it short and plain).
Relief sought (what you want ordered).
Verification & signature (notarize if required).

One-page sample (adapt as needed)

Subject: Complaint vs. [Company/App] for Unfair Collection & Privacy Violations I. Parties. I am [Name], borrower under Loan ID []. Respondent is [Company/App], with known contact []. II. Facts. On [date], I obtained a loan of ₱[amount]. The app did not clearly disclose the total finance charge. Starting [date], collectors called/texted me [number] times per day, threatened jail, and messaged my contacts [names/relationships]. I never consented to sharing my phonebook. Screenshots/recordings are attached as Exhibits A–F. III. Violations. (a) Unfair debt collection practices prohibited by SEC rules; (b) Data Privacy Act violations (unauthorized processing, harassment via disclosure to third parties); (c) Truth in Lending deficiencies. IV. Relief. (1) Order Respondent to cease harassment and delete unlawfully processed data; (2) Direct corrective billing/refund of illegal charges; (3) Impose administrative sanctions; (4) Coordinate app takedown; (5) Other just reliefs. V. Attachments. IDs; contract; payment proofs; call logs; screenshots; privacy policy; complaint to the company and its DPO; proof of receipt. [Signature & date; notarization if required]

Data privacy “rights invocation” template (send to DPO)

Subject: Exercise of Data Subject Rights – [Your Name] I object to further processing of my personal data for collection activities involving third parties (contacts/employer) and demand erasure of: (a) my phonebook and any data taken from it; (b) photographs and files accessed by your app; (c) posts/messages shaming me. Provide written confirmation within 10 business days, including processing logs and recipients of my data.

Special scenarios & answers

“Can they jail me if I can’t pay?” No. Imprisonment for debt is unconstitutional. Criminal liability requires a separate crime (e.g., threats, libel, estafa for fraud). Mere non-payment isn’t a crime.
“They keep calling my boss and family.” That is classic unfair collection and often a privacy violation. Preserve proof and file with SEC and NPC (and law enforcement if threats/defamation are involved).
“The interest is insanely high.” You can challenge unconscionable interest and penalties through negotiation, before regulators, and in court. Courts regularly reduce excessive rates.
“The firm is foreign / no Philippine office.” If they process data of individuals in the Philippines or offer loans here, NPC/SEC can still assert jurisdiction. Enforcement may be harder, but app-store delisting, payment-rail complaints, and law-enforcement coordination are effective.
“Should I stop paying?” Keep paying what you legitimately owe if you can, to limit exposure—but dispute unlawful interest/fees in writing and reserve your rights. If harassment continues, tell them to communicate in writing only and elevate to regulators.

Practical filing tips

Name the real lender. Many apps are just fronts for registered entities. The contract usually names the real company.
Swear/Notarize affidavits when possible to strengthen the record.
Organize evidence: A single PDF with a table of contents helps examiners.
Protect your phone: Revoke app permissions (Contacts, SMS, Storage, Camera, Microphone). Change passwords.
Watch for impostors. Scammers pose as “SEC/BSP agents.” Regulators don’t ask for fees to “close” your case.
Use your language. English or Filipino complaints are accepted.
Legal aid: If money is tight, approach PAO, local IBP chapters, or law-school legal clinics.

Where to file (channels to look for)

(Don’t rely on exact emails/URLs without checking the current regulator site.)

SEC – Enforcement/Investor Protection & financing/lending divisions host online complaint forms and accept email submissions; they also publish lists of registered lenders and authorized online lending platforms.
BSP – BOB (BSP Online Buddy) accepts complaints via web, SMS, and messaging; banks/EMIs must also maintain their own complaint desks.
NPC – “Complaints & Investigation” portal for data privacy complaints; look for a web form and email options; you can attach large files.
PNP-ACG / NBI-Cybercrime – Field offices and online intake for cybercrime reports; bring IDs, devices, and media.

What outcomes to expect

From SEC/BSP: Orders to refund/adjust charges, stop abusive practices, fix disclosures, suspend or revoke licenses, cease-and-desist illegal apps, and administrative fines.
From NPC: Orders to cease unlawful processing, delete data, implement remedial measures, and referral for criminal action under the Data Privacy Act.
From law enforcement/courts: Prosecution of threats/coercion/libel/privacy crimes; civil judgments reducing/voiding unconscionable interest and awarding damages.

Minimal document pack (you can copy this list into your filing checklist)

Government ID (masked copy).
Loan contract & amendments.
Payment proofs (receipts, bank statements).
Screenshots/recordings of harassment or shaming.
Call/SMS logs with timestamps and numbers.
App permission screenshots & privacy policy.
Prior complaint to provider & DPO, and replies.
Sworn complaint/affidavit with exhibit list.

Final notes & disclaimers

This guide provides general legal information, not specific legal advice. Laws, regulator processes, and contact points change; always verify current filing portals and requirements on the regulator’s official site.
If you’re in immediate danger (e.g., direct threats), prioritize PNP/NBI and personal safety.
Keep communications in writing and avoid verbal arguments with collectors.

If you want, tell me the app’s name (and what the contract says about the lender), and I’ll map out the most precise filing path and tailor the complaint text to your case.