How to File Complaints Against Online Lending App Harassment and Illegal Collection Practices

1) Why this matters (and what it does not mean)

Online lending apps (OLAs) and their collectors often pursue repayment through aggressive messaging, repeated calls, public shaming, threats, or contact-blasting friends, family, employers, and co-workers. In the Philippine legal framework, owing money is not a crime, but harassment, unlawful threats, defamation, and privacy violations can be.

Filing complaints can:

  • stop abusive collection conduct;
  • trigger regulatory sanctions against the lending/financing company and its OLA;
  • support criminal, civil, or administrative liability for collectors and companies.

At the same time, a complaint about harassment does not automatically erase a valid debt. Debt issues (e.g., high interest, questionable charges, non-disclosure) may be challenged separately, while harassment and privacy violations can be pursued immediately.


2) Identify who regulates the lender (because the correct forum matters)

A. Most OLAs are tied to SEC-regulated entities

In general:

  • Lending companies are regulated under Republic Act (RA) 9474 (Lending Company Regulation Act of 2007).
  • Financing companies are regulated under RA 8556 (Financing Company Act of 1998).
  • OLAs usually operate as platforms of (or for) these SEC-registered companies, and the SEC has issued rules and circulars addressing online lending platforms and unfair debt collection practices.

If the app is an OLA connected to a lending/financing company, the SEC is usually the lead regulator for licensing and collection-practice enforcement.

B. If the lender is a bank, digital bank, or other BSP-supervised institution

If the lender is a bank or BSP-supervised financial institution, consumer-protection complaints can also go through the Bangko Sentral ng Pilipinas (BSP) consumer assistance channels, in addition to criminal/privacy routes if harassment/privacy violations exist.

C. Separate regulator for privacy violations: the National Privacy Commission (NPC)

If the collector:

  • accesses your phone contacts,
  • messages your contacts about your debt,
  • posts your personal data publicly,
  • uses threats involving disclosure of personal information,

then RA 10173 (Data Privacy Act of 2012) and NPC processes become central.

D. Criminal enforcement is separate from regulators

Threats, coercion, libel/defamation, and certain cyber-related offenses are handled through:

  • PNP / NBI (for assistance and cybercrime documentation), and
  • the Office of the City/Provincial Prosecutor (for filing criminal complaints).

3) What counts as illegal or actionable collection conduct

A. “Unfair/abusive collection practices” (regulatory)

Common prohibited conduct (as reflected in the Philippine regulatory approach to fair collection) includes:

  • threatening violence or harm;
  • using obscene, insulting, or degrading language;
  • repeated calls/messages intended to harass;
  • contacting you at unreasonable hours (especially repeatedly);
  • impersonating lawyers, courts, sheriffs, government agencies;
  • sending fake “subpoenas,” “warrants,” or “court orders”;
  • public shaming (posting your info, labeling you a scammer/thief);
  • contacting your employer, co-workers, family, or friends to pressure you—especially by disclosing the debt or humiliating you.

Regulators generally treat companies as responsible for their employees and third-party collection agents.

B. Data privacy violations (RA 10173)

Potential red flags:

  • the app required broad permissions (contacts, photos, files) unrelated to lending;
  • the collector uses your contacts list to shame you;
  • disclosure of your debt status to third parties;
  • posting your personal data, photos, ID, or “wanted” posters online;
  • using your personal information beyond stated purposes.

Under the Data Privacy Act, personal information must be processed lawfully, fairly, and proportionately; disclosure to third parties without a valid basis can be actionable.

C. Possible crimes under the Revised Penal Code (RPC) and related laws

Depending on facts, the following may apply:

Threats and intimidation

  • Grave threats / light threats (e.g., threats of harm, threats to ruin reputation, threats to file fabricated cases).
  • Coercion (forcing payment through intimidation, threats, or pressure beyond lawful collection).

Harassment-type conduct

  • Unjust vexation (a catch-all for acts that cause annoyance/irritation without lawful justification; often used for persistent harassment patterns).

Defamation

  • Libel (written/online publications imputing a crime/vice or causing dishonor).
  • Slander / oral defamation (spoken defamatory statements).
  • If done online, RA 10175 (Cybercrime Prevention Act) can elevate certain offenses (notably cyber libel) and create related cybercrime angles if hacking/illegal access is involved.

Other possibilities

  • Usurpation/false authority issues if collectors pretend to be government officers.
  • Extortion-like patterns may be charged through threats/coercion frameworks depending on the precise acts.

D. Gender-based online sexual harassment (Safe Spaces Act)

If collectors use sexualized insults, threats, misogynistic slurs, sexual humiliation, or sexually harassing content online, RA 11313 (Safe Spaces Act) may apply.

E. Civil liability for damages (Civil Code)

Even if criminal prosecution is not pursued, abusive collection can support:

  • abuse of rights / human relations (Civil Code Arts. 19, 20, 21),
  • moral damages and other damages when harassment, humiliation, anxiety, or reputational harm is proven.

Civil actions can run alongside or after administrative/criminal proceedings, depending on strategy.

4) Before filing: build an evidence package that survives scrutiny

A. Capture communications correctly

Collect and preserve:

  • screenshots of texts, chats, in-app messages;
  • call logs showing frequency/time patterns;
  • screen recordings scrolling through conversations (to show continuity);
  • voicemails and audio messages (if lawfully obtained);
  • social media posts, comments, shares, group messages;
  • messages sent to your contacts (ask them to provide screenshots and a short written statement).

Keep originals on the device where possible and back up copies (cloud or external drive).

B. Document a timeline

Prepare a chronological log:

  • date/time of each incident,
  • platform used (SMS, Messenger, Viber, phone call),
  • name/number/account used,
  • exact words used (copy/paste where possible),
  • what personal data they disclosed and to whom.

C. Identify the responsible entity (not just the app name)

You want the registered company name behind the app. Save:

  • app store listing details,
  • in-app “About,” “Terms,” “Privacy Policy,” “Loan Agreement,”
  • official emails, addresses, company registration details shown in-app,
  • payment channels used (bank accounts, e-wallet details, merchant name).

This helps regulators link the conduct to an SEC-registered lending/financing company—or establish that the operator is unregistered.

D. Be cautious with call recording

Philippine law (notably RA 4200, Anti-Wiretapping) can create risk if private communications are recorded without proper consent. Safer evidence often includes screenshots, call logs, written threats, voice notes voluntarily sent to you, and third-party witness screenshots. Where recording is contemplated, consider obtaining explicit consent or relying on other proof.

E. Preserve proof of loan terms and payments

Include:

  • the loan contract/terms,
  • disclosures (or lack of disclosures),
  • amortization schedule,
  • payment receipts,
  • demand letters,
  • collection notices.

Even if the focus is harassment, loan documents help establish context and identify responsible parties.


5) Where and how to file complaints (Philippine forum-by-forum guide)

A) Securities and Exchange Commission (SEC) — licensing + collection-practice enforcement

Use this route when the lender is (or appears to be) a lending/financing company or an OLA linked to one.

What the SEC can do

  • investigate and penalize unfair collection conduct;
  • suspend/revoke certificates/authority to operate;
  • order compliance and issue cease-and-desist actions against illegal operators;
  • act against OLAs operating without proper registration/authority.

What to file

A practical SEC complaint package usually includes:

  1. Verified complaint / complaint letter:

    • complainant details (name, address, contact info),
    • respondent details (company name behind the app, app name, known addresses/emails),
    • narrative of facts and harassment pattern,
    • specific acts complained of (threats, contact-blasting, public shaming, impersonation),
    • relief requested (investigation, sanctions, stop harassment, take down posts).
  2. Attachments (labeled exhibits):

    • screenshots/screen recordings,
    • call logs,
    • copies of posts/messages sent to third parties,
    • loan documents and receipts,
    • IDs (as required by filing procedures),
    • witness screenshots + short statements (affidavits if possible).

Practical drafting tips

  • Use a clear structure: Parties → Facts → Violations/Issues → Evidence → Prayer.
  • Quote the worst lines verbatim (threats, shaming statements) and match each quote to an exhibit.
  • Emphasize third-party disclosures and humiliation tactics (regulators treat these seriously).
  • If multiple numbers/accounts are used, list them all.

B) National Privacy Commission (NPC) — Data Privacy Act complaints (RA 10173)

Use this route when collectors use your contacts, disclose your debt to others, post your personal data, or process your data beyond lawful purposes.

Core legal theory (how privacy complaints are commonly framed)

  • You are a data subject.
  • The lending company/app is a Personal Information Controller (PIC) or acts with one.
  • Their processing/disclosure lacked a lawful basis, exceeded stated purposes, or violated transparency/proportionality.
  • Contact-blasting and public shaming often involve unauthorized disclosure and unfair processing.

Steps that strengthen an NPC filing

  1. Exercise data subject rights first (when feasible). Send an email/message to the company (and/or its Data Protection Officer contact listed in the privacy policy) demanding that it:

    • stop processing your contacts for collection,
    • stop contacting third parties about your loan,
    • delete/erase improperly obtained data (where applicable),
    • identify the basis for processing and disclose what data they hold,
    • take down any posts containing your personal information.

    Keep proof of sending and any reply (or lack of reply).

  2. File a complaint with the NPC. Submit:

    • a sworn narrative or complaint form (depending on current procedure),
    • evidence exhibits (screenshots, URLs, screen recordings),
    • proof you attempted to reach the company (if available),
    • IDs and contact details.

Remedies the NPC process can support

  • orders to stop unlawful processing,
  • compliance measures,
  • administrative accountability,
  • potential referral for prosecution of Data Privacy Act offenses where warranted.

C) Criminal complaints — Prosecutor’s Office (often with PNP/NBI support)

Use this route when there are threats, coercion, defamation, impersonation, or severe harassment.

The usual path

  1. PNP / NBI documentation (optional but often helpful)

    • Make a report and obtain documentation.
    • For cyber-related harassment/defamation, specialized cybercrime units can help preserve technical details.
  2. File a Complaint-Affidavit with the City/Provincial Prosecutor

    • The prosecutor determines probable cause and files the case in court if warranted.

What to prepare

  • Complaint-Affidavit (sworn), with:

    • complete narrative,
    • dates/times/places/platforms,
    • identification of accused persons if known (or “John/Jane Does” + company),
    • specific offenses alleged (threats, coercion, unjust vexation, libel/cyber libel, etc.).
  • Annexes/exhibits:

    • screenshots, URLs, screen recordings,
    • witness affidavits (your contacts who received messages),
    • call logs,
    • proof linking the accounts/numbers to the company/app where possible.

Matching common facts to possible charges (illustrative)

  • “Pay today or we will visit your house and hurt you” → threats/coercion.
  • “We will send your nude photos/ID to everyone” or “we’ll ruin you online” → threats + privacy offenses + possible Safe Spaces angles if sexualized.
  • Posting “wanted: scammer” with your name/photo → libel/cyber libel + privacy.
  • Repeated calls/messages intended to break you down + shaming → unjust vexation + regulatory + privacy.

D) Barangay remedies (Katarungang Pambarangay) — limited but sometimes useful

Barangay conciliation can apply to certain disputes between parties in the same city/municipality, but it has important exceptions, and it often becomes impractical where:

  • the respondent is a corporation,
  • parties reside in different jurisdictions,
  • the matter requires urgent legal action,
  • the case involves offenses/situations excluded by law.

Still, a barangay blotter record can help document ongoing harassment patterns.


E) Other avenues that may apply depending on the lender

  • BSP consumer assistance: if the lender is a BSP-supervised institution.
  • DTI / consumer protection: where deceptive practices intersect with consumer rights (less central for pure lending collection issues, but may be relevant in certain setups).
  • Civil action for damages: where reputational harm, emotional distress, or privacy invasion is substantial and provable.

6) Step-by-step filing roadmap (a practical sequence)

Step 1: Stabilize safety and risk

  • If there are credible threats of violence, treat them as urgent and document immediately.
  • If doxxing/public posting occurs, capture evidence fast (posts can be deleted).

Step 2: Compile a “harassment dossier”

Create a single folder with:

  • timeline,
  • exhibits (numbered),
  • loan documents,
  • third-party witness screenshots/statements,
  • ID copies (as needed),
  • short summary: “what happened” and “what relief is requested.”

Step 3: Send a stop-processing / cease-harassment notice

A short written notice can be useful for:

  • showing regulators you demanded cessation,
  • triggering a clearer paper trail,
  • testing whether the company will correct conduct.

Key points to include:

  • demand to stop contacting third parties,
  • demand to stop threats/harassment,
  • demand to remove online posts and stop disclosure,
  • demand to communicate only through lawful channels.

Step 4: File parallel complaints where appropriate

Many victims file in parallel because each forum addresses different harms:

  • SEC (license/collection practices),
  • NPC (privacy/contact-blasting and data misuse),
  • Prosecutor / PNP/NBI (threats/coercion/defamation/cyber).

Step 5: Maintain a continuing evidence log

After filing, harassment sometimes escalates. Continue logging incidents and submit supplemental evidence if permitted.


7) Writing the complaint well: what makes it effective

A. Focus on the most provable, most serious conduct

Regulators and prosecutors respond best to:

  • direct threats (violence, harm, ruin),
  • third-party disclosures (friends/employer/co-workers),
  • public shaming posts,
  • impersonation of authorities,
  • persistent harassment patterns documented by call logs and repeated messages.

B. Tie each allegation to an exhibit

Example format:

  • “On 03 Jan 2026, collector stated: ‘…’ (Exhibit ‘C’ screenshot; Exhibit ‘C-1’ screen recording).”
  • “On 04 Jan 2026, my co-worker received: ‘…’ (Exhibit ‘D’ screenshot; Exhibit ‘D-1’ affidavit).”

C. Name the company where possible; include “unknown individuals” where not

Even if individual collectors are unknown, the complaint can:

  • name the company/app as respondent,
  • include phone numbers/accounts used,
  • describe collectors as “agents/representatives,”
  • add “John/Jane Does” pending identification.

8) Common defenses and how complaints typically address them

“You consented when you clicked Allow on contacts.”

Consent issues in privacy law are not purely technical. Complaints often argue:

  • consent was not genuinely informed (buried, unclear, bundled),
  • it was not freely given (take-it-or-leave-it pressure to obtain an essential service),
  • it was disproportionate or unnecessary for lending,
  • processing exceeded purpose (using contacts for shaming).

“We outsourced collection to an agency.”

Regulators commonly treat the lender as responsible for its agents; outsourcing does not automatically eliminate accountability.

“We only reminded the borrower.”

Frequency, language, time, disclosure to third parties, threats, impersonation, and public shaming distinguish lawful reminders from abusive collection.


9) Additional issues often present in OLA disputes (not limited to harassment)

A. Disclosure rules (Truth in Lending Act)

RA 3765 (Truth in Lending Act) supports complaints where:

  • finance charges were not clearly disclosed,
  • effective interest rate/total cost was obscured,
  • fees ballooned beyond what was explained.

B. Unconscionable interest/charges

Even without a general usury ceiling, courts can reduce unconscionable interest and charges under civil law principles, depending on circumstances and proof.

C. Identity-related fraud

If an OLA account was opened using your identity, or collectors pursue you for a loan you did not obtain, the strategy shifts to:

  • fraud/identity issues,
  • immediate reports and evidence of non-participation,
  • stronger cybercrime and privacy angles.

10) Quick checklists

Evidence checklist

  • Screenshots of threats/harassment
  • Screen recording showing full thread continuity
  • Call logs (frequency + times)
  • Messages sent to your contacts (with their screenshots)
  • Links/archives of defamatory posts
  • Loan contract + disclosures + receipts
  • App privacy policy/terms screenshots
  • Timeline (date/time/event/exhibit reference)

Forum selection checklist

  • SEC: OLA tied to lending/financing company; unfair collection conduct
  • NPC: contact-blasting, disclosure to third parties, public posting of personal data
  • Prosecutor/PNP/NBI: threats, coercion, impersonation, defamation, cyber angles
  • Civil action: reputational harm/emotional distress with strong proof

11) Model “facts and prayer” outline (adaptable to SEC/NPC/prosecutor filings)

Facts

  1. Background of the loan (date, amount, app/company, terms, payments made).

  2. Start of collection (date) and escalation pattern.

  3. Specific illegal acts:

    • threats (quote),
    • obscene/insulting messages (quote),
    • disclosure to third parties (identify who received what),
    • public posting (platform, link, screenshots),
    • impersonation (fake legal documents, claims of being from courts/government).
  4. Harm caused:

    • anxiety/distress,
    • reputational damage,
    • workplace/family impact,
    • privacy invasion.

Prayer/Relief requested

  • immediate cessation of harassment and third-party contact,
  • investigation and sanctions against the company/app and responsible personnel/agents,
  • takedown/removal of posts and cessation of unlawful data processing,
  • other lawful relief available under the forum’s authority.

12) Final practical cautions

  • File promptly; delays can complicate enforcement, preservation of online evidence, and timelines for certain offenses.
  • Avoid retaliatory posts that could create counterclaims.
  • Keep communications factual and preserve everything; do not rely on verbal calls alone.
  • Continue paying only through verifiable channels if you choose to pay; do not pay into personal accounts without clear proof of legitimacy and proper crediting.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.