How to Report an Online Lending Scam to the SEC and NBI in the Philippines

How to Report an Online Lending Scam to the SEC and NBI in the Philippines

Last updated for general guidance; not legal advice. Laws and procedures change. If you’re in immediate danger or being extorted, contact law enforcement right away.

Quick game plan (TL;DR)

  1. Secure yourself first: stop contact with the scammer; don’t pay “processing/cancellation” fees; freeze or dispute transfers with your bank/e-wallet; change passwords; uninstall shady apps.
  2. Gather evidence: screenshots, messages, call logs, app/website URLs, ad links, bank/e-wallet records, IDs you submitted, and a clean timeline.
  3. Report to the SEC (Securities and Exchange Commission): for unregistered/illegal lenders, abusive online lending apps (OLAs), and unfair collection practices by lending/financing companies.
  4. Report to the NBI (National Bureau of Investigation): for criminal investigation (estafa, threats, coercion, cybercrime, data privacy violations, etc.).
  5. Also notify the National Privacy Commission (NPC) if your contacts/data were misused for “debt-shaming,” and your bank/e-wallet/telco for freezes, reversals, or SIM issues.

What counts as an “online lending scam”?

Common red flags in the Philippine context:

  • Unregistered lender/OLA (no SEC registration or authority) or a “clone” of a legit firm.
  • Upfront fees for “approval,” then ghosting or piling new fees.
  • Debt-shaming: contacting your phone contacts, posting on social media, sending edited photos, threats, or harassment.
  • Predatory terms hidden behind misleading ads; bait-and-switch interest or fees.
  • Malicious apps that demand excessive permissions or install spyware.
  • Fake “investment-lending” hybrids (Ponzi/“pay to unlock bigger loans”).

Jurisdiction basics

  • SEC: supervises lending and financing companies and their online lending platforms (OLPs/OLAs). It can issue cease-and-desist orders (CDOs), revoke registration, and impose administrative sanctions. Consumer protection powers are reinforced by the Financial Products and Services Consumer Protection Act (FCPA).
  • NBI: conducts criminal investigation (e.g., estafa, grave threats/coercion, cyber offenses), builds cases, and coordinates with prosecutors/courts.
  • NPC: handles Data Privacy Act violations (e.g., unauthorized disclosure to your contacts).
  • BSP: if the entity is a bank, EMI/e-wallet, or BSP-supervised—complaints go to their consumer assistance plus BSP.
  • PNP-ACG: alternative avenue for cybercrime complaints if NBI is not accessible.

Step 1: Protect yourself and your device

  • Stop paying “processing,” “tax,” “unlock,” or “settlement” fees.
  • Freeze or dispute transfers with your bank/e-wallet immediately (follow their dispute window and provide your evidence).
  • Uninstall the loan app; revoke permissions (Contacts, SMS, Camera, Accessibility). Run reputable mobile security scans.
  • Change passwords on email, social media, e-wallets; enable 2FA.
  • SIM safety: set a SIM change lock or PIN with your telco; watch for SIM-swap alerts.
  • Warn your contacts not to respond to messages “about you” and to report harassment.

Step 2: Evidence checklist (build a clean case file)

Create a single folder containing:

  1. Identity of the lender/app: name used in ads/app store, app package name, website, social pages, phone numbers, email addresses, and any company details shown.
  2. Advertising/offer: screenshots of ads, messages, or referral posts.
  3. Loan journey: screenshots of the application, terms shown (APR/fees/tenor), approvals, and payment instructions.
  4. Transactions: bank/e-wallet receipts, account numbers, reference numbers, timestamps.
  5. Communications: SMS/chat/email/call logs, especially threats or debt-shaming materials; capture sender IDs and links.
  6. Device evidence: list of permissions requested; screen showing app permissions; antivirus report if malware found.
  7. Your timeline: a dated narrative of what happened, amounts involved, and what you lost or risked.
  8. Your IDs/data submitted (if any): note exactly what you shared (ID front/back, selfies, contacts access, etc.).
  9. Witnesses: if someone saw threats or received shaming messages, get their statements/contact details.

Keep originals plus PDFs. Don’t alter files; add short captions instead.

Step 3: Report to the SEC (administrative/consumer protection)

When to go to the SEC

  • The lender/OLA appears unregistered, uses multiple aliases, or refuses to disclose its SEC registration.
  • There are unfair debt collection practices (e.g., harassment, threats, shaming, contacting your employer/contacts).
  • Interest/fees seem abusive or non-transparent, or terms weren’t clearly disclosed.
  • The platform’s OLP/OLA itself seems unlawful (e.g., not duly notified/cleared with the SEC).

What to file

  • SEC complaint letter or form (concise but detailed).
  • Your evidence set (see checklist).
  • Your government-issued ID and contact details.
  • Affidavit (sworn statement) if requested—sample below.

How to file

  • Through the SEC Enforcement and Investor Protection Department (EIPD) online channels or by walk-in at SEC offices. (Keep the acknowledgment/docket number.)
  • If the company is bank/EMI (not an SEC-supervised lender), still file with SEC if lending activity is involved, but also lodge a complaint with the BSP and the provider’s consumer desk.

What the SEC can do

  • Issue CDOs/take down illegal OLAs, fine or revoke registration of non-compliant lending/financing companies.
  • Coordinate with app stores, telcos, and law enforcement.
  • Refer criminal aspects to the NBI/DOJ when warranted.

Step 4: Report to the NBI (criminal investigation)

When to go to the NBI

  • There’s estafa/swindling (you paid and didn’t get a loan; you were tricked into sending money).
  • Threats, extortion, grave coercion, unjust vexation, or defamation (incl. online).
  • Cybercrime conduct (phishing, unauthorized access, malware) under the Cybercrime Prevention Act.
  • Data Privacy violations (e.g., doxxing, non-consensual disclosure to your contacts) that may also breach criminal provisions.

What to bring

  • Complaint-Affidavit (see template below), two valid IDs, and your evidence set.
  • Printed copies of key screenshots and a USB with originals if possible.
  • If money moved, bring bank/e-wallet dispute reference numbers.

Where/how to file

  • NBI Cybercrime Division or Anti-Fraud Division at NBI Main or regional offices.
  • You’ll receive instructions on inquest/regular filing with the City/Provincial Prosecutor. In some cases, the NBI may conduct forensics on your device (consent required).

What happens next

  • Case evaluationinvestigationreferral to prosecutor → possible filing of information in court → warrant issuance by court where appropriate.
  • Preserve your availability for clarifications or testimony.

Step 5: Also notify these, as applicable

  • National Privacy Commission (NPC): if your contacts were messaged or your personal data was misused/over-collected. Attach the threatening/shaming messages and a list of affected contacts.
  • Your bank/e-wallet: file an official dispute (fraud/authorized-but-induced). Provide timestamps and reference numbers; ask about reversals, freezes, and chargebacks (if card networks were involved).
  • Your telco: report harassing numbers, enable SIM locks, and request guidance on legal preservation of call/SMS logs.
  • App stores/social platforms: flag the app/page/ad used to victimize you.

Laws & rules commonly invoked (high level)

  • Lending Company Regulation Act (R.A. 9474) and Financing Company Act (R.A. 8556): registration, conduct, and sanctions for lending/financing companies and their online platforms.
  • Financial Products and Services Consumer Protection Act (R.A. 11765): admin powers of SEC/BSP/IC over abusive practices.
  • Data Privacy Act (R.A. 10173): unlawful processing/disclosure; “debt-shaming” often violates this.
  • Cybercrime Prevention Act (R.A. 10175): covers online fraud, threats, libel, illegal access, and provides for real-time collection/preservation orders via law enforcement/courts.
  • Revised Penal Code: estafa (Art. 315), grave threats (Art. 282), grave coercion (Art. 286), unjust vexation (Art. 287), and related offenses.
  • Access Devices Regulation Act (R.A. 8484): if cards/OTPs were involved.

Interest/fee caps and disclosures applicable to small, short-term loans have been the subject of SEC circulars. Check the current SEC circulars for exact limits and computation rules when you file (include screenshots of the rates you were shown).

How to structure your complaint files

A) SEC complaint (outline)

  1. Complainant details (name, address, contacts).
  2. Respondent (lender/OLA name(s), aliases, app/URL, numbers).
  3. Nature of complaint (unregistered lending; abusive collection; misleading terms; illegal OLP).
  4. Facts & timeline (dates, amounts, what was promised vs. what happened).
  5. Evidence list (annexes).
  6. Relief sought: cease-and-desist; administrative sanctions; takedown; referral for criminal action; assistance with fund recovery where possible.

B) NBI Complaint-Affidavit (sample template)

REPUBLIC OF THE PHILIPPINES )
__________________________ ) S.S.

                     COMPLAINT-AFFIDAVIT

I, [Your Full Name], Filipino, of legal age, with address at [Address], after having been duly sworn, depose and state:

1. I am the complainant in this case. I can be contacted at [mobile/email].
2. The respondent(s) operate(s) an online lending scheme under the name(s) [names/aliases], through [app/website/social media], contact number(s) [numbers], and email(s) [emails].
3. On [date/s], I saw/received [ad/message] offering a loan of [amount] with [terms advertised].
4. Relying on said representations, I [applied/installed app/submitted documents] and on [date] was instructed to pay [“processing fee”/“tax”/etc.] amounting to [₱____] to [account/e-wallet], Ref. No. [____].
5. After payment, [state what occurred: no loan released/asked for more fees/harassment/debt-shaming, etc.]. I received threats on [dates] via [SMS/chat], copies attached as Annexes “A” to “__”.
6. I suffered loss/damage in the amount of [₱____]. My contacts [were/were not] messaged without my consent.
7. I respectfully charge the respondent(s) for violation of [estafa, Data Privacy Act, Cybercrime Prevention Act, and other applicable laws], and pray for investigation and prosecution.

Attached are true copies of relevant evidence marked as Annexes “A” to “__”.

IN WITNESS WHEREOF, I hereunto affix my signature this [date] in [city/province].

______________________
[Your Name], Affiant

SUBSCRIBED AND SWORN to before me this [date] in [place], affiant exhibiting [ID type and no.].

Bring two valid IDs. Sign before the administering officer or have it notarized, as instructed.

Practical tips that help cases stick

  • Name the app precisely (include the package name shown in your phone’s App Info).
  • Preserve headers/metadata: show phone numbers, message timestamps, and URL bars in screenshots.
  • Don’t edit screenshots; add a separate caption if needed.
  • Summarize money flow in a one-page table (date, amount, recipient account, reference number).
  • List all aliases used by the lender (FB page name, Telegram/WhatsApp handles, domain variations).
  • If the entity seems legit (with an SEC registration number), still file if conduct is abusive; attach proof of the abusive conduct.
  • Cross-file with NPC for privacy breaches; agencies often coordinate.

What outcomes to expect

  • From the SEC: acknowledgment and docketing, evaluation, possible show-cause order to the entity, and, if warranted, CDO, fines, or revocation; requests to takedown apps/pages; referrals to law enforcement.
  • From the NBI: investigation (may include device forensics and subpoenas), referral to prosecutors, and, if probable cause is found by the court, warrants and criminal proceedings.
  • From banks/e-wallets: fraud dispute handling, potential reversal/freeze, and account risk controls (case-by-case, time-bound).

Special cases

  • Cross-border operators: still report; NBI/SEC can coordinate with platforms and foreign counterparts, and app stores may remove unlawful apps used in PH.
  • Employer/contacts harassed: let them know to keep messages, avoid replying, and provide sworn statements if needed.
  • Civil recovery: for pure money claims (no ongoing criminal case), consider small claims if within the current threshold under the Supreme Court’s rules; check latest limits and venue rules.

Do’s and don’ts

Do

  • Act fast on disputes/fund freezes.
  • Build a tight timeline and annex your proof.
  • Keep your case number and follow up professionally.

Don’t

  • Pay “cancellation” or “BIR/insurance/unlock” fees.
  • Use fixers or pay for “guaranteed recovery.”
  • Share more data or grant new permissions to the app.

Simple one-page checklist (you can copy/paste)

  • Stopped contact & blocked numbers
  • Uninstalled app & revoked permissions
  • Changed passwords; enabled 2FA
  • Bank/e-wallet dispute filed (Refs: ________)
  • Evidence folder complete (ads, chats, receipts, IDs, timeline)
  • SEC complaint submitted (Docket No: ________)
  • NBI complaint-affidavit filed (Case Ref: ________)
  • NPC complaint (if debt-shamed) (Case Ref: ________)
  • Telco notified (SIM lock / harassment report)
  • Witness statements (if any)

If you want, tell me what happened (no sensitive details here), and I’ll tailor your SEC and NBI filings into polished, ready-to-print drafts.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login