How to File a Complaint Against Online Lending Apps with the SEC and NPC (Philippines)

How to File a Complaint Against Online Lending Apps with the SEC and NPC (Philippines)

This comprehensive guide explains your rights, the legal bases, who has jurisdiction over what, the evidence you need, and the exact, practical steps to file complaints with the Securities and Exchange Commission (SEC) and the National Privacy Commission (NPC) in the Philippines. It also includes templates you can reuse.

1) Why there are two regulators—and which one to choose

A. Securities and Exchange Commission (SEC) The SEC regulates lending companies and financing companies under:

  • Lending Company Regulation Act of 2007 (Republic Act No. 9474) and its rules
  • Financing Company Act (Republic Act No. 8556)
  • SEC Memorandum Circulars on unfair debt collection practices (e.g., prohibitions on harassment, threats, public shaming, contacting people in your phonebook, false representations, etc.)

File with the SEC primarily when:

  • The app/company is a lending or financing company (LCC/FC) or is posing as one.
  • There is harassment/abuse in collection (threats, doxxing, vulgar messages, public shaming, contacting friends/employers).
  • The company is unregistered, has no Certificate of Authority, or uses unapproved names/apps.
  • Interest, charges, or disclosures appear deceptive or predatory.

B. National Privacy Commission (NPC) The NPC enforces the Data Privacy Act of 2012 (RA 10173) and its IRR. Typical violations by abusive OLAs include:

  • Unauthorized processing of personal data (e.g., scraping your contacts, photos, SMS without valid consent)
  • Processing beyond declared purpose (e.g., using your contact list to shame you)
  • Unauthorized disclosure and malicious disclosure of your debt to third parties
  • Insufficient security measures or data breaches

File with the NPC when:

  • The core issue is privacy: collection of excessive permissions (contacts, photos), doxxing, spamming your contacts, or leaks of your personal information.

In many cases, you will file both: SEC (for abusive lending practices and registration issues) and NPC (for privacy violations). You may also file with law enforcement if there are threats, extortion, or other crimes.

2) Your rights and the legal bases (in brief)

Under the Data Privacy Act (NPC jurisdiction):

  • Right to be informed (who collects data, why, where it goes)
  • Right to object or withdraw consent
  • Right to access, rectify, and erase personal data (subject to lawful grounds)
  • Right to damages for violations

Violations may include unauthorized processing, unauthorized disclosure, malicious disclosure, or insufficient safeguards. Criminal penalties and administrative sanctions may apply.

Under SEC rules for lending/financing companies:

  • Prohibition of unfair debt collection practices, including harassment, threats of harm or public humiliation, use of profane/obscene language, shaming tactics, misrepresentation (e.g., pretending to be law enforcement), or contacting people not a party to the loan (like your employer, family, or contacts) for the purpose of shaming or coercion.
  • Registration requirements (corporation with SEC registration and Certificate of Authority to operate as a lending/financing company). SEC may impose fines, suspensions/revocations, or issue cease and desist orders.

3) What evidence to gather (checklist)

Identity and relationship

  • Government ID (blur sensitive numbers if sharing publicly).
  • Screenshots of your loan, app profile, and any payment records.

Loan and app details

  • App name(s), developer/publisher name, website/social handles.
  • Loan agreement (screenshots/PDF), interest breakdown, fees, due dates.
  • Proof of payments, e-receipts, bank/GCash transactions.

Harassment/abuse evidence (for SEC)

  • Threatening messages (SMS, in-app chat, Messenger, WhatsApp, email).
  • Call logs/recordings (if legally recorded).
  • Public shaming posts or messages sent to your contacts, employer, or social media.
  • Any misrepresentation (e.g., pretending to be police/attorney).

Privacy violations (for NPC)

  • Screenshots of the app requesting excessive permissions (contacts, photos).
  • Proof that your contacts were messaged or called by the collector because of your debt (screenshots from those contacts, with their permission).
  • Any data dumps/leaks, unsolicited public posts sharing your sensitive info.

Company status

  • If you can, note whether the app/company claims to be a lending/financing company and its corporate name. Keep screenshots of in-app “About,” website, or disclosures.

Keep originals. Export chats to PDF where possible. Preserve metadata (dates/times). Do not edit or annotate the originals—save a separate redacted set for filing.

4) How to file a complaint with the SEC

A) Determine your theory of the case

  • Unfair debt collection practices (harassment, shaming, threats)
  • Operating without required registration/authority
  • Deceptive or unconscionable terms (e.g., hidden fees)

B) Prepare your packet

  1. Cover letter / complaint form stating:

    • Your full name and contact info.
    • Company/app name(s), addresses/URLs if known.
    • Nature of the violations (concise bullet list).
    • Specific incidents (date, time, channel, who said what).
    • Relief sought (e.g., investigation, sanctions, cease abusive collection, correction of records).

  2. Sworn Statement (Affidavit) detailing facts in chronological order.

  3. Annexes: All evidence labeled (Annex “A”, “B”, etc.) with short captions.

  4. Proof of identity (ID copy).

  5. If representing someone: Authorization letter and ID of principal/authorized representative.

C) Filing channels

  • Online: The SEC maintains online submission windows/portals and dedicated email intake for complaints. Use the most current SEC online intake form or official complaint email indicated on the SEC website.
  • In person / by courier: Submit to the SEC Main Office or the nearest SEC Extension Office. Keep your receiving copy stamped “received,” or courier proof of delivery.

Practical tip: File electronically (for speed) and physically (for formal paper trail) when feasible. Always retain copies of everything you submit.

D) After filing

  • The SEC may acknowledge receipt and assign a reference number.
  • You may be asked for clarifications or additional documents.
  • The SEC can order the company to respond, conduct investigation, and, where warranted, impose administrative sanctions, cease and desist, or revoke the company’s authority. The SEC may coordinate with law enforcement or other agencies if crimes are implicated.

5) How to file a complaint with the NPC

A) Identify the privacy violations

Map your facts to Data Privacy Act violations (you can list multiple):

  • Unauthorized processing (e.g., scraping contacts without valid consent)
  • Processing beyond declared purpose (e.g., shaming your contacts)
  • Unauthorized/malicious disclosure (messaging third parties about your debt)
  • Insufficient security measures (leading to breach)

B) Prepare your packet

  1. NPC Complaint Form / Letter-Complaint including:

    • Your full name and contact details.
    • Name of the personal information controller/processor (the company or its third-party collector), app names, and channels used.
    • Specific legal bases you allege were violated under RA 10173 (e.g., Sections on unauthorized processing, disclosure).
    • Description of harms (emotional distress, reputational harm, employment issues), and relief sought (cease processing, deletion of unlawfully collected data, sanctions, damages).

  2. Sworn Statement (Affidavit) with chronology of events.

  3. Annexes: Evidence (screenshots of permission requests, messages to contacts, shaming posts), contact statements (if available), app screenshots.

  4. Proof of ID.

  5. If representing others: Authorization/SPA and IDs.

C) Filing channels

  • Online: The NPC accepts complaints through its online facility/email channels published on its official site.
  • Physical: You may file at the NPC office or via courier service.

Practical tip: If there is imminent harm (ongoing harassment/public shaming), say so prominently in your cover letter and subject line and request urgent action (e.g., order to cease processing/communications).

D) After filing

  • NPC typically assigns a case/reference number and may require additional documents.
  • The NPC can issue compliance orders, mandate cease-and-desist measures, require deletion/correction of data, and impose administrative sanctions.
  • Certain acts may be criminal under RA 10173; the NPC can coordinate referrals to prosecution.

6) Model documents you can reuse

A) Sworn Statement (Affidavit) – Template

REPUBLIC OF THE PHILIPPINES [City/Municipality] AFFIDAVIT

I, [Your Name], of legal age, Filipino, with address at [Address], after having been duly sworn, state:

  1. I installed and used the mobile application [App Name] on [Date] to obtain a loan of [Amount] with due date [Date].
  2. Beginning [Date], the company and/or its agents engaged in the following acts: [Brief bullets of harassment/shaming/unauthorized data use].
  3. On [Dates], they sent messages/calls to [list third parties contacted], disclosing my alleged debt and/or threatening me. Screenshots are attached as Annexes “A” to “__”.
  4. I did not give valid, specific, informed consent for the app to access my [contacts/photos/etc.] nor to disclose my personal information to third parties.
  5. These acts caused me [harm: anxiety, humiliation, work issues, etc.].
  6. I am filing complaints with the SEC and/or NPC for appropriate action and sanctions.

I execute this affidavit to attest to the truth of the foregoing.

[Signature over Printed Name] Affiant

SUBSCRIBED AND SWORN to before me this [Date] at [Place]. [Notary Public details]

B) SEC Complaint – Model Cover

  • Subject: Complaint vs. [Company/App] – Unfair Debt Collection / Unregistered Lending Activity

  • Body (bulleted):

    • Parties and contact details
    • Short statement of facts and violations (cite unfair collection, registration issues)
    • Specific relief requested (investigation, sanctions, cease and desist)

C) NPC Complaint – Model Cover

  • Subject: Data Privacy Complaint vs. [Company/App] – Unauthorized Processing & Disclosure

  • Body (bulleted):

    • Parties and contact details
    • Data privacy violations mapped to DPA provisions
    • Relief: cease processing/communications, data deletion/correction, sanctions

7) Frequently asked tactical questions

Q1: Do I need a lawyer? Not required. Clear affidavits and evidence often suffice. For complex cases or claims for damages, a lawyer helps.

Q2: Can I file anonymously? Regulators generally require your identity to process a complaint. If you fear retaliation, state this and request confidentiality to the extent allowed by law.

Q3: What if the company is overseas or the app keeps rebranding? Still file. The SEC can act against entities operating in the Philippines or targeting Philippine users (including takedown of local presence/marketing via coordination). The NPC can pursue privacy violations affecting Philippine data subjects and coordinate internationally.

Q4: Should I keep paying while disputing? Regulatory complaints do not automatically suspend contractual obligations. However, illegal interest/fees or abusive practices may be grounds for regulatory action and, in some cases, civil remedies. Document everything and seek legal advice if you contest the debt itself.

Q5: Can I claim damages? Yes, you may file a civil action for damages under the Civil Code and DPA (for privacy harms). Regulatory sanctions are separate from civil damages.

8) Parallel and supportive remedies

  • Law enforcement: If there are threats, extortion, identity theft, cyber libel, or other crimes, lodge a report with the PNP Anti-Cybercrime Group or NBI Cybercrime Division. Attach the same evidence pack.
  • Platform takedowns: Report abusive apps/accounts to Google Play/App Store and social platforms for policy violations.
  • Employers/schools contacted by collectors: Provide a short memo explaining that harassment/third-party disclosure by debt collectors may violate Philippine law/regulation; ask them to document and forward harassing messages for your case.
  • Financial consumer protection: If a bank/e-money issuer is involved (e.g., payout channels), you may also raise concerns under the Financial Consumer Protection Act with the relevant regulator (e.g., BSP for banks/e-money).

9) Practical do’s and don’ts

Do

  • Document every contact (save numbers, times, screenshots).
  • Back up evidence to an external drive or cloud.
  • Use written channels when possible (creates a record).
  • Tell your contacts (who were harassed) to take screenshots and provide brief statements.

Don’t

  • Argue with harassers or send threats back.
  • Share your original, unredacted files publicly—submit originals only to authorities.
  • Grant unnecessary app permissions. Revoke permissions after filing if not needed.

10) Plain-English “elements of violation” (quick map)

SEC (unfair collection) – Look for:

  • Harassment, intimidation, obscene language
  • Public shaming (group chats, social posts)
  • Contacting your employer/friends to shame or coerce payment
  • False claims (pretending to be police/lawyer)
  • Unregistered operation / no Certificate of Authority

NPC (privacy) – Look for:

  • Accessing/harvesting your contacts, photos, or messages without valid, specific, informed consent
  • Messaging your contacts about your debt (unauthorized disclosure)
  • Data leaks or publication of your personal information
  • Using your data beyond the purpose you agreed to

11) Submission checklist (ready to print)

  • Cover letter (SEC and/or NPC)
  • Sworn Statement (notarized)
  • Government ID (copy)
  • Screenshots (chat, SMS, call logs, app permissions) labeled as Annexes
  • Proof of loan and payments (receipts, bank/GCash statements)
  • Contact statements from people who were harassed (optional but helpful)
  • Authorization/SPA (if filing for someone else)
  • Two sets: electronic (PDF) and paper (for physical filing)

12) Short sample “Relief Sought” clauses you can paste

  • “Issue a cease and desist order against respondents and their agents from engaging in unfair debt collection practices, including contacting third parties and public shaming.”
  • “Direct respondents to delete unlawfully collected personal data (including my contact list) and cease processing my data for purposes not authorized.”
  • “Order respondents to rectify their records and stop sending misleading or harassing communications.”
  • “Impose appropriate administrative sanctions under applicable laws and regulations, and refer the matter to law enforcement/prosecution for any criminal violations.”
  • “Award damages as allowed by law.”

13) Final reminders

  • Filing with the SEC and NPC is free. Be precise, calm, and factual.
  • Keep all acknowledgments and reference numbers.
  • If you receive new harassment after filing, append it to your case with dates and screenshots.
  • If you settle, insist on written confirmation and data deletion commitments (and keep proof).

Need a quick start?

  1. Export your screenshots and receipts to a single PDF (chronological).
  2. Draft the Affidavit using the template above and have it notarized.
  3. Prepare two cover letters: one SEC (unfair collection/registration), one NPC (privacy).
  4. File electronically via each agency’s current official intake channel and, if possible, courier a hard copy.
  5. Track your case numbers and reply promptly to follow-ups.

You now have a complete, ready-to-use blueprint to hold abusive online lending apps accountable in the Philippines.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login