How to File Complaints Against Online Lending Apps With Abusive Collection Practices

1) What “abusive collection practices” usually look like

Online lending app (OLA) collection becomes abusive when it crosses into harassment, intimidation, humiliation, unlawful disclosure of personal data, or coercion. Common patterns include:

  • Harassment and repeated calls/messages (especially at unreasonable hours), spamming, or using multiple numbers/accounts.
  • Threats (arrest, police raids, “warrants,” deportation, workplace termination) without lawful basis.
  • Public shaming: posting your photo, name, debt details, or accusations on social media; messaging your employer, co-workers, family, friends, or contacts with embarrassing claims.
  • Contact harvesting abuse: the app accesses your phone contacts (or gallery/files) and collectors message them to pressure you.
  • Impersonation: pretending to be from courts, government, police, barangay, law offices, or “field agents.”
  • Defamation: calling you a “scammer,” “criminal,” or accusing you of fraud publicly.
  • Extortion-like demands: demanding money with threats of exposing you or harming your reputation.
  • Unfair/opaque charges: undisclosed fees, inflated penalties, “rolling” interest, forced refinancing.
  • Fake legal documents: fabricated subpoenas, warrants, or “final demand” letters with official-looking seals.

These behaviors are not “normal collection.” They are potential violations of privacy, criminal laws, and regulatory rules.

2) Know who regulates what (this determines where you complain)

A. If the lender is a lending company or financing company

Most OLAs fall under SEC regulation (Securities and Exchange Commission), because lending companies/financing companies are typically SEC-registered entities.

B. If the lender is a bank, digital bank, or BSP-supervised financial institution

If the lender is BSP-supervised, complaints often go through the BSP (Bangko Sentral ng Pilipinas) and the institution’s internal complaints channel first.

C. If the issue is personal data / privacy abuse

Harassment tied to contact access, doxxing, disclosure to third parties, or unauthorized processing falls under the National Privacy Commission (NPC).

D. If the conduct is potentially criminal

Threats, libel, online harassment, extortion, identity misuse, and cyber-related offenses may be reported to:

  • PNP Anti-Cybercrime Group (ACG), and/or
  • NBI Cybercrime Division, and/or
  • DOJ Office of Cybercrime (as appropriate), along with local law enforcement for on-the-ground assistance.

You can file multiple complaints in parallel (e.g., SEC + NPC + PNP/NBI), because each addresses a different legal angle.

3) Core Philippine laws commonly implicated

This section explains the legal hooks you’ll typically cite (you don’t need to cite everything—pick those that match your facts).

A. Data Privacy Act of 2012 (RA 10173) + IRR

Often the strongest tool when OLAs:

  • access contacts or data beyond what’s necessary,
  • disclose your debt to third parties,
  • post your data publicly,
  • process data without valid consent, or
  • fail to provide transparency, lawful basis, or proper safeguards.

Key concepts:

  • Personal information / sensitive personal information and processing (collection, recording, sharing, disclosure).
  • Consent must be informed, freely given, specific—and not obtained through deception or coercion.
  • Data minimization and proportionality: only what is necessary for the declared purpose.
  • Transparency: privacy notice, purpose, retention, sharing, rights.

Possible consequences:

  • NPC enforcement, cease-and-desist orders, and potential criminal liability depending on the violation type and evidence.

B. SEC regulation of lending/financing companies

SEC rules and circulars (including those governing fair collection conduct and prohibiting harassment/shaming) are a primary basis for action against abusive collections by SEC-registered lenders and their agents.

What SEC commonly acts on:

  • harassment,
  • contacting third parties improperly,
  • threats and intimidation,
  • misleading communications,
  • unauthorized charges/terms and non-disclosure.

C. Revised Penal Code (RPC) and related criminal provisions

Depending on the facts, abusive collection can trigger:

  • Grave threats / light threats (threatening harm, crime, or wrongful injury).
  • Coercion (forcing someone to do something against their will through intimidation).
  • Unjust vexation (persistent annoyance/harassment; often used when facts don’t neatly fit other crimes).
  • Libel / slander if defamatory statements are made; if done online, it may implicate cyber-related rules.

D. Cybercrime Prevention Act of 2012 (RA 10175)

When acts occur through ICT (messages, social media posts, online publication), RA 10175 can apply—especially for online defamatory publication and other cyber-enabled conduct, subject to legal requisites and evidence.

E. Civil Code (civil remedies)

Even if criminal/regulatory cases are not pursued (or are pending), you may have civil claims for:

  • damages for bad faith, harassment, privacy invasion,
  • reputational harm,
  • and other injury depending on circumstances.

4) Before you file: preserve evidence the right way

Your complaint rises or falls on documentation. Start building a clean evidence file immediately.

A. Capture communications

  • Screenshots of SMS, chat apps, call logs, emails.
  • Screen recording showing the sender profile, number, timestamps, and message thread continuity.
  • For calls: keep call logs, note the date/time, and write a short call summary right after the call.
  • If your phone supports it and it is lawful in your context, keep recordings; if unsure, focus on logs and written summaries and consult counsel for recording issues.

B. Preserve social media proof

  • Screenshot the post, comments, shares, and the profile/page.
  • Capture URL links, timestamps, and visible identifiers.
  • Use screen recording to show navigation from profile to the post.

C. Gather app and loan documentation

  • The app’s permissions (contacts, storage, etc.)—screenshot your permission settings.
  • Loan contract, disclosures, repayment schedule, receipts, e-wallet/bank proof of payment.
  • Truth-in-lending style disclosures (if provided), in-app terms, and privacy policy.
  • The lender’s registered business name, address, and registration number if shown.

D. Identify the real entity

Many apps use one brand name but are operated by a different corporate entity.

  • Record the legal name from the contract, official receipts, email footers, app store developer name, or in-app “About” section.
  • List collector names and numbers; collectors may be third-party agencies—note this.

E. Organize an “evidence index”

Create a simple index:

  1. Exhibit A – Screenshots of harassment messages (dates).
  2. Exhibit B – Call logs.
  3. Exhibit C – Social media shaming post.
  4. Exhibit D – Loan contract/terms.
  5. Exhibit E – Proof of payments.
  6. Exhibit F – App permission screenshots. This helps regulators act faster.

5) Choose your complaint path (you can do more than one)

Path 1: File with the SEC (for SEC-registered lending/financing companies)

When this is the best route

  • The lender is a lending/financing company (typical OLAs).
  • You want regulatory sanctions: license suspension/revocation, penalties, orders to stop abusive practices.

What to include

  • Your identity and contact details.
  • The lender’s corporate name (and app brand name), and any address/contact info.
  • Narrative of facts (chronological).
  • Specific abusive acts: third-party disclosure, threats, harassment, shaming.
  • What you want: investigation, sanctions, cease-and-desist, refund/adjustment (if applicable), and action against agents.

Practical tips

  • Be precise with dates and attach exhibits.
  • If collectors are third-party agencies, name them and attach evidence showing they acted for the lender.

Path 2: File with the National Privacy Commission (NPC) (privacy/data abuse)

When this is the best route

  • Your contacts were messaged.
  • Your debt was disclosed publicly or to third parties.
  • Your photo/personal data were posted.
  • The app appears to have accessed data beyond necessity or without valid lawful basis/consent.

Potential legal framing (fact-dependent)

  • Unauthorized disclosure of personal information.
  • Processing not proportional to declared purpose (collection doesn’t justify mass disclosure to contacts).
  • Invalid consent if consent was bundled, deceptive, or not informed.
  • Failure to respect data subject rights (access, deletion, objection) and transparency.

What to submit

  • Completed complaint format (or narrative letter).
  • Exhibit pack: harassment messages to third parties, screenshots of permission access, privacy policy copies, proof of disclosure, your account details.
  • A clear statement of harm (emotional distress, reputational harm, workplace issues).

What you can ask for

  • Orders to stop processing/disclosure,
  • deletion/rectification,
  • investigation and enforcement action,
  • possible referral for prosecution if warranted.

Path 3: Criminal complaint (PNP ACG / NBI Cybercrime / Prosecutor)

When this is the best route

  • Threats of harm/arrest.
  • Extortion-like demands.
  • Defamatory posts/messages.
  • Identity misrepresentation (posing as police/court/government).
  • Coordinated harassment that causes fear or serious reputational damage.

What to expect

  • You’ll execute a sworn statement/affidavit.
  • You may be asked to provide the device for forensic extraction (plan for backups).
  • They’ll want original files (not only screenshots) if possible—keep them intact.

Offenses commonly alleged (depending on facts)

  • Threats/coercion/unjust vexation (RPC).
  • Defamation/libel (especially if published).
  • Cyber-related counterparts where applicable (RA 10175).
  • Privacy-related criminal provisions may be implicated if your data was mishandled.

Path 4: Civil remedies and protective relief

When this is useful

  • You need damages, injunction-like relief, or structured settlement recognition.
  • You want to stop ongoing harassment through formal legal channels.

Possible options:

  • Demand letter requiring cessation of harassment and data disclosure.
  • Civil action for damages if harm is substantial.
  • Protection strategies may include requests for court orders in extreme cases, depending on counsel assessment and venue.

6) Step-by-step: how to write a strong complaint (template structure)

You can use this structure for SEC/NPC and even as a base for affidavits.

A. Heading / Parties

  • “Complainant: [Your Name], [Address], [Contact]”
  • “Respondent: [Company Legal Name], doing business as [App Name], [Address/Contacts], and its agents/collectors [if known]”

B. Statement of Facts (chronological, numbered)

Include:

  1. When you downloaded the app and obtained the loan.
  2. Amount borrowed, net proceeds received, key terms, due date.
  3. Payment history and any dispute on charges.
  4. When collection started and what happened (dates/times).
  5. Third-party messages: who was contacted, what was said.
  6. Public shaming posts: where, what content, how you discovered it.
  7. Threats/impersonation: exact wording.
  8. Your harm: anxiety, workplace impact, family distress, reputational damage.

C. Violations / Legal grounds (short, fact-tied)

Example style (adapt to your facts):

  • “Respondent disclosed my personal information and alleged debt to third parties without lawful basis and beyond any necessary purpose for collection.”
  • “Respondent’s agents engaged in harassment and intimidation through repeated messages and threats.”
  • “Respondent publicly shamed me by posting my personal data and accusations online.”

D. Reliefs requested

For SEC:

  • investigate and sanction,
  • order cessation of abusive practices,
  • hold company accountable for third-party collectors,
  • impose penalties / suspend or revoke authority as warranted.

For NPC:

  • stop processing/disclosure,
  • require deletion of unlawfully disclosed data,
  • investigate and enforce compliance measures,
  • refer for prosecution if appropriate.

For law enforcement/prosecutor:

  • conduct investigation and file charges,
  • preserve digital evidence,
  • identify perpetrators behind numbers/accounts.

E. Verification / signature

  • Signed name and date.
  • If affidavit: include jurat/notarization requirements.

F. Attachments

Attach your evidence index and exhibits.

7) Key factual issues regulators and prosecutors care about

To improve the chance of action, make these points clear:

  1. Identity of the respondent (legal entity, not just the app name).
  2. Clear proof of third-party disclosure (screenshots of messages to your contacts; statements from contacts can help).
  3. Threat language (exact words, frequency, timing).
  4. Publication (posts are more serious than private messages).
  5. Pattern and persistence (daily harassment, multiple numbers).
  6. Disproportionate collection (shaming tactics unrelated to legitimate collection).
  7. Contract vs actual charges (if the amount demanded seems inflated, show math and receipts).
  8. Your attempts to resolve (optional, but can show reasonableness—e.g., you asked them to stop contacting third parties).

8) Dealing with common collector claims (and how to respond in complaints)

“You consented when you installed the app.”

Consent is not a free pass. In privacy analysis, consent must be informed and specific; processing must still be proportional and for a legitimate purpose. Messaging your contacts to shame you is typically outside what’s necessary for collection.

“We’re just informing your contacts for verification.”

Verification is different from mass messaging, shaming, or repeated disclosure of debt details.

“You’ll be jailed if you don’t pay.”

Nonpayment of debt is generally not a crime by itself. Criminal liability requires elements like fraud, issuance of bouncing checks (if applicable), or other specific crimes. Threatening arrest to coerce payment may be unlawful intimidation.

“We’ll file a case tomorrow / warrant is coming.”

A “warrant” is issued by a court under strict requirements. Collectors commonly misuse legal terms. Preserve these messages as evidence of intimidation/misrepresentation.

9) Practical safety measures while cases are pending

These steps are not legal filings, but they reduce harm:

  • Revoke app permissions (contacts/files) and uninstall if safe to do so after you’ve captured evidence and retained contract details.
  • Change key passwords (email, financial apps) and enable 2FA.
  • Tighten privacy settings on social media; document any posts first.
  • Tell close contacts briefly that harassment may occur and ask them to save screenshots.
  • Keep payments documented; avoid cash without receipts.
  • Communicate in writing when possible; avoid phone calls that leave no record.

10) If the loan terms themselves look abusive (fees/interest/rollovers)

Aside from collection behavior, you can also complain about unfair or undisclosed charges:

  • Compare: amount received vs amount demanded; itemize fees and interest.
  • Highlight missing disclosures or changing terms.
  • Attach screenshots showing in-app breakdowns and any inconsistency between what you agreed to and what they demand.

Regulators are more likely to act when you show:

  • lack of transparency,
  • misleading disclosures,
  • and collection abuses.

11) Special situations

A. You never took a loan but you’re being contacted

This can be:

  • wrong number,
  • identity misuse,
  • contact harvesting where they treat you as a “reference.”

Actions:

  • Save proof you are not the borrower.
  • Demand cessation and deletion of your number/data.
  • File with NPC if your data is being processed without lawful basis.
  • Report to SEC if it is a lending entity using unlawful tactics.

B. Your employer was contacted

Include:

  • screenshot of the employer message,
  • HR or supervisor confirmation (even an email statement),
  • and any workplace consequences. This is strong evidence of reputational harm and third-party disclosure.

C. They posted your ID or selfies

This heightens privacy and reputational harm issues. Preserve the post and request takedown through platform reporting after collecting evidence; NPC complaint is typically central here.

12) What outcomes to realistically expect

  • SEC: investigation, show-cause orders, penalties, suspension/revocation of authority, and directives to stop prohibited collection conduct.
  • NPC: compliance/enforcement orders, directives to stop disclosure/processing, corrective measures; potentially referral for prosecution where warranted.
  • Law enforcement/prosecutor: case build-up depends heavily on identifying perpetrators behind accounts/numbers and the completeness of digital evidence.
  • Civil: damages and injunctive relief depend on evidence of harm, causation, and identifiable defendants.

13) Quick checklist (copy/paste)

  • Identify lender legal name + app name
  • Screenshot/record: threats, harassment, call logs
  • Screenshot: app permissions + privacy policy/terms
  • Save: contract + proof of disbursement + payment receipts
  • Collect: proof of third-party messages + social media posts
  • Write: chronological narrative + exhibit index
  • File: SEC (regulatory) + NPC (privacy) + PNP/NBI (criminal), as applicable

14) Key takeaways

  • Abusive collection is not “part of lending”; it can violate privacy, criminal laws, and SEC rules.
  • The most effective complaints are evidence-driven, chronological, and target the right agency (SEC for lenders, NPC for data abuse, PNP/NBI for threats/online offenses).
  • You can pursue parallel remedies to stop harassment faster and increase accountability.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login