This is practical legal information for the Philippine setting. It is not a substitute for tailored legal advice.
Why this matters
Abusive online lending apps (OLAs) often engage in:
- Unfair debt collection (harassment, shaming, threats to family or employer, doxxing)
- Illegal operations (unregistered lending/financing)
- Privacy intrusions (contact scraping, excessive permissions, unauthorized data disclosure)
In the Philippines, three authorities commonly handle these issues:
- Securities and Exchange Commission (SEC): registration, licensing, and unfair collection conduct of lending/financing companies and their online platforms.
- National Privacy Commission (NPC): data privacy violations under the Data Privacy Act of 2012.
- Philippine National Police (PNP): criminal acts (threats, coercion, libel/slander, extortion, cyber harassment), usually through the Anti-Cybercrime Group (ACG).
Many cases require parallel reports to all three.
Quick navigator: Who handles what?
| Problem | Primary Agency | What they can do |
|---|---|---|
| Unregistered lending app; revoked/cancelled license; sham “service fee” lending | SEC | Investigate, issue show-cause/cease-and-desist orders, revoke or suspend CA, refer for prosecution, penalize unfair collection practices |
| Harassment via SMS/IM calls; debt shaming posts; threats to publish photos/data | PNP–ACG (criminal) and SEC (collection misconduct) | Criminal complaint; digital forensics; arrest with warrant after inquest; SEC sanctions for abusive collection |
| Contact scraping; access to gallery; sharing borrower’s contacts/photos; unsolicited messages to contacts | NPC | Order to stop processing, require deletion/correction, impose administrative sanctions, refer for prosecution |
| Hacking, doxxing, online extortion (“pay or we post”) | PNP–ACG (and optionally NBI–CCD) | Cybercrime investigation, preservation orders, filing of criminal cases |
Tip: If you’re unsure, file with all three. Each agency will act on its mandate and may coordinate with the others.
Legal foundations at a glance
- Lending/Financing Regulation: Lending Company Regulation Act (with IRR) and related SEC rules; Financing Company Act. SEC also issues memorandum circulars prohibiting unfair debt collection practices (e.g., public shaming, profane language, threats, contacting persons not the borrower except for limited locator purposes).
- Data privacy: Data Privacy Act of 2012 and NPC issuances (lawful basis, proportionality, purpose limitation, data subject rights; breach notification; security measures).
- Criminal law (Revised Penal Code & special laws): grave threats, grave coercion, libel/slander, unjust vexation, extortion/robbery with intimidation, and cyber counterparts. Other special laws may apply depending on the conduct.
Evidence: what to collect and how to preserve it
Identity & app details
- App name, publisher/developer shown in app store, website/social page.
- Screenshots of app listing and permissions requested (contacts, camera, gallery, SMS, etc.).
Your transaction trail
- Loan amount, fees/deductions, disbursement proof, due dates, payment proofs, statements/receipts.
Harassment & threats
- Screenshots of messages/calls (show number, account handle, date/time).
- Recordings (if lawful to do so), voicemail, group chats, posts tagging you/your contacts.
- Affidavits from affected contacts (boss, HR, relatives) if they received shaming messages.
Privacy violations
- Evidence the app accessed/scraped contacts/photos; messages sent to your contacts; any doxxing posts.
Chain-of-custody
- Export device logs or back up conversation threads.
- Save original files (not just screenshots). Keep metadata (EXIF, headers).
- Consider screen recordings showing navigation from message list → specific message to capture context.
Keep a chronology: date, time, actor, conduct, evidence file name.
How to report to the SEC
When to go to the SEC:
- The app is engaged in lending/financing without SEC authorization; or
- It is a licensed entity using unfair debt collection practices; or
- It disguises loans as “service fees” or “cash advances” from a non-registered entity.
Steps:
Prepare your complaint packet
- Cover letter or Complaint-Affidavit (see template below).
- Your valid ID and contact info.
- Evidence bundle (zip/folder): app details, transaction records, harassment proofs.
- If the entity name is unclear, include all identifiers (brand names, in-app names, payment account names, merchant references).
File the complaint
- Submit through SEC’s public complaint channel (online or walk-in) or by mail to the Enforcement and Investor Protection arm handling lending/financing complaints.
After filing
- Monitor for docket/reference number.
- Respond promptly to requests for clarifications; provide raw files if asked.
- If harassment persists, update the case with new evidence.
What outcomes to expect:
- Cease-and-Desist Orders, takedown requests to platforms, revocation/suspension of authority, administrative fines, and referral for criminal prosecution for illegal lending.
How to report to the NPC
When to go to the NPC:
- The app scrapes contacts, accesses photos/files unrelated to lending purpose, or discloses your data to third parties for shaming/pressure.
- The app processes your data without a valid lawful basis, lacks consent transparency, or ignores data subject requests (access, deletion, objection).
Steps:
Identify the privacy harms
- Overcollection (e.g., requiring full contact list), unauthorized disclosure to your contacts, failure to secure your data, or refusal to honor your privacy rights.
Send a data rights request (optional but helpful)
- Email the company: demand they stop unlawful processing, delete unlawfully obtained data, and identify recipients they shared data with. Keep copies; set a reasonable deadline (e.g., 5–15 days).
File your NPC complaint
- Include: Complaint form/letter; your narrative affidavit; copies of your rights request and any reply/non-reply; and your evidence bundle.
Preserve ongoing violations
- If the app continues contacting your family or posting, document each instance and supplement your complaint.
What outcomes to expect:
- Compliance orders, directives to cease processing, delete unlawfully obtained data, improve security/consent, administrative sanctions, and referrals for criminal prosecution when warranted.
How to report to the PNP (Anti-Cybercrime Group)
When to go to the PNP–ACG:
- You receive threats, extortion, coercion, defamation, stalking, or other crimes, especially online.
- Someone posted/shares your photos or personal data to shame or blackmail you.
Steps:
Go to the nearest police station or ACG office (regional/city) for blotter and intake. Bring your ID and evidence.
Execute a Complaint-Affidavit describing the acts, platforms, accounts, and personas involved.
Request digital evidence preservation
- Ask officers to issue preservation letters to platforms (messaging apps, social media) while a subpoena/warrant is pursued through proper channels.
Inquest or preliminary investigation
- Depending on the case, police may refer to the City/Provincial Prosecutor. You might be asked to authenticate your screenshots and devices.
What outcomes to expect:
- Criminal case filing if probable cause is found, and potential arrest upon warrant issuance. Parallel to this, the same facts can support SEC/NPC actions.
Model Complaint–Affidavit (adapt as needed)
Title: Complaint–Affidavit Complainant: [Name, age, address, contact details] Respondent(s): [App name, company name if known, aliases, numbers, pages, emails] Statement of facts:
- On [date], I downloaded “[App]”. The app requested access to [contacts/photos/SMS], which I did not reasonably expect for loan processing.
- I received a loan of ₱[amount] on [date], with [fees/deductions], due on [date].
- Beginning [date], Respondents engaged in abusive collection: [calls/messages frequency], [exact threats/words], and contacted my relatives [names/relationship] on [dates].
- They sent/shared my personal data to [recipients], without my consent, as shown in Annexes A–F.
- These acts violate [cite: unfair debt collection rules/SEC; Data Privacy Act; relevant criminal provisions]. Prayer: – That Respondents be investigated and sanctioned; – That abusive collection and unlawful processing cease; – That my data be deleted and recipients instructed not to further process/disclose it; – Other reliefs as are just and equitable. Verification & Certification Against Forum Shopping: [standard paragraphs] Signature; ID details; Jurat (notarization).
Attach: copies of IDs, screenshots, recordings list, transaction proof, list of harassing numbers/accounts, your data rights request (if any), and a chronology.
Do’s and Don’ts while your case is pending
Do
- Pay only what is legally due (principal + legitimate interest/charges under your contract) and keep receipts.
- Block harassing numbers/accounts after preserving evidence.
- Tell your HR/family you are pursuing official complaints; give them a one-page instruction on how to screenshot and forward any harassment they receive.
- Secure your device: revoke app permissions; change passwords; enable 2FA.
Don’t
- Don’t engage in heated exchanges; reply, if needed, with a short legal notice (“All communications must be lawful. Your threats and disclosure of my data are being reported to SEC/NPC/PNP.”).
- Don’t share your government IDs or selfie videos via chat to “verify”—send only through secure, official channels when necessary.
- Don’t uninstall the app before you’ve captured evidence of permissions and behavior.
Coordinating filings (best practice)
- File SEC + NPC + PNP together (or within a short window). Attach the same evidence index so each agency sees the full picture.
- Cross-reference docket numbers in each filing; send updates if new threats occur.
- If the lender claims to be a bank/e-money issuer, you may also notify the Bangko Sentral ng Pilipinas (BSP) consumer protection unit. (SEC covers lending/financing companies; BSP covers banks/EMIs.)
- If posts are public, file takedown requests with the platform citing (a) privacy violation, (b) harassment, and (c) ongoing government complaints (include docket numbers once assigned).
Frequently asked questions
Q: The app name on my phone is different from the entity in the receipt—who do I list? List all identifiers: app brand, developer name, company name on receipt, payment account names, numbers/emails used, and social pages. Agencies can sort out corporate relationships.
Q: I borrowed a small amount and the harassment is huge. Will agencies still act? Yes. Illegality and abusive conduct do not depend on loan size.
Q: Will reporting stop the harassment immediately? Not guaranteed, but documenting and reporting often reduces abusive contact, and agencies can order cessation and pursue sanctions.
Q: Do I have to keep paying if the lender is abusive? Separate the debt obligation (if valid) from illegal conduct. Keep proof of any payments; contest illegal charges and report the misconduct.
One-page checklist (printable)
- Capture app listing and permissions
- Save contracts, loan disbursement, payment proofs
- Screenshot harassing messages/calls (with date/time/number)
- List affected contacts and gather their statements
- Draft Complaint–Affidavit + chronology
- File with SEC (unfair collection/illegal lending)
- File with NPC (privacy violations)
- File with PNP–ACG (criminal threats/coercion/libel/extortion)
- Send platform takedowns for doxxing/shaming posts
- Keep a log of all new incidents; supplement filings
Final notes
- Multiple agencies can act simultaneously. Parallel filings strengthen your case.
- Keep your case folder organized: “01–Affidavit”, “02–Transactions”, “03–Harassment”, “04–Privacy”, “05–Updates”.
- Consider consulting a lawyer or a paralegal clinic for representation, especially if you receive court documents or subpoenas.
Stay safe, document everything, and use the system—there are remedies against abusive OLAs.