How to Report Fraud by Online Lending Companies in the Philippines

This article explains how to recognize fraud by online lending companies (“OLCs”), what laws apply, which agencies have jurisdiction, and the practical, step-by-step process for reporting and pursuing remedies—civil, administrative, and criminal—under Philippine law.

1) What “fraud” looks like in the OLC context

Common red flags

Advance-fee requests (e.g., “processing,” “insurance,” or “unlock” fees) before any loan proceeds are released.
Unauthorized charges (mystery “service” or “renewal” fees, or automatic “top-ups” you never consented to).
Misrepresentation of key terms (rate, tenure, penalties) or bait-and-switch (approved at X% but contract shows much higher).
Identity theft / account takeovers: loans opened in your name after phishing, lost IDs, or breached data.
Debt shaming and doxxing: contacting your phonebook, posting on social media, or sending defamatory messages.
Unregistered or impersonation schemes: fake “SEC certificates,” cloned apps, or pages pretending to be a known lender.
Collection threats that are illegal (obscene language, threats of harm, fabricated “warrants,” fake “NBI/PNP notices”).

Key point: Abusive collection or privacy violations do not erase legitimate debt. You can pursue remedies for the abuse and still settle valid obligations through lawful channels.

2) Who regulates what (jurisdiction map)

Securities and Exchange Commission (SEC) – Primary regulator of lending companies (RA 9474) and financing companies (RA 8556). Issues rules on online lending platforms and unfair debt collection practices. Handles administrative complaints (unregistered lending, abusive collection, misleading ads, unlawful fees).
Bangko Sentral ng Pilipinas (BSP) – If the lender is a bank, EMI, or BSP-supervised financial institution, BSP handles financial consumer complaints and rate/fee rules applicable to those products.
National Privacy Commission (NPC) – Data Privacy Act (RA 10173) violations: scraping/using your contacts, non-consensual disclosure of debt, excessive data collection, insecure handling/breaches.
PNP Anti-Cybercrime Group (PNP-ACG) / NBI Cybercrime Division – Criminal conduct involving fraud, identity theft, computer-related offenses (RA 10175), extortion, defamation, threats, or estafa under the Revised Penal Code.
Department of Trade and Industry (DTI) – Misleading online marketing and platform compliance (for marketplace ads), but lending entities themselves fall under SEC/BSP.
Courts (civil & criminal) – Civil claims (damages, nullity of unconscionable terms, injunction vs. harassment); criminal complaints (estafa, grave threats, unjust vexation, libel, etc.).
App stores & platforms – Google Play / Apple App Store and social networks can take down abusive or non-compliant apps/pages upon report (helpful for immediate harm reduction).

3) Laws and rules you’ll likely rely on (high level)

RA 9474 (Lending Company Regulation Act) + IRR – Registration and conduct requirements for lending companies.
RA 8556 (Financing Company Act) – Similar for financing companies.
SEC circulars on online lending and debt collection – Prohibit unfair debt collection practices (e.g., harassment, threats, shaming) and set platform compliance expectations.
Financial Products and Services Consumer Protection Act (RA 11765) – Establishes financial consumer rights, internal dispute resolution (IDR), and enforcement powers of BSP/SEC/IC/CDA for their supervised entities.
Data Privacy Act (RA 10173) + NPC issuances – Lawful basis, transparency, proportionality, and security of personal data; remedies for unauthorized disclosure and excessive processing.
Cybercrime Prevention Act (RA 10175) – Computer-related fraud, identity theft, illegal access/interception, cyber-libel.
Revised Penal Code – Estafa (Art. 315), grave threats, unjust vexation, libel/slander, coercion, etc.
Civil Code – Abuse of rights, damages, void/unenforceable clauses, and rescission; courts may strike unconscionable interest/penalty terms.
Small Claims Rules – Money claims up to ₱1,000,000 (no lawyers required), useful to contest unlawful fees or recover money paid because of fraud/coercion.

Rates & fees note: Specific caps and fees can change via new circulars. When preparing a complaint, capture the exact rate/fee table shown to you, and—if applicable—point to the latest rule you believe was breached.

4) Immediate steps if you suspect fraud or abusive practices

Secure evidence (don’t argue in the app):
- Screenshots/screen recordings of ads, chat logs, app screens, rate/fee disclosures, and permissions the app requested.
- Contracts, SOAs, receipts, bank/GCash transactions, SMS or email messages, and call logs (with timestamps).
- Links/URLs to app store listings or pages.
- If your contacts were messaged: get copies of those messages and affidavits from contacts.
Preserve your device state:
- Don’t uninstall yet if you still need to capture evidence; after capturing, you may uninstall and revoke app permissions.
- Change passwords and enable MFA on email, e-wallets, and banking apps.
Stop further loss:
- Block the lender’s auto-debit arrangements if unauthorized.
- Ask your bank/e-wallet for a chargeback/dispute on clearly unauthorized transfers (follow their form and timeline).
- If identity theft occurred: place fraud alerts with relevant institutions.
Write a contemporaneous memo (dates, persons you dealt with, what was said, and when). This becomes the backbone of your complaint-affidavit.

5) Where and how to file (with practical checklists)

A. SEC (lending/financing companies and online lending apps)

When to go: Unregistered OLCs, sham registrations, unlawful/hidden fees, unfair collection, misleading ads, OLP (online lending platform) abuses.

What to submit:

Complaint narrative (facts, timeline, relief sought).
Your ID and contact details.
Evidence bundle (see Section 4).
Company/app identifiers: name as shown in app stores/ads, developer name, business address (if any), screenshots of registration claims.

What SEC can do: Order takedowns/cease-and-desist, impose fines, revoke registrations/permits, refer criminal aspects to prosecutors, and issue public advisories to warn others.

B. NPC (privacy and debt-shaming)

When to go: App scraped your phonebook; messaged your employer/family; published or threatened to publish your personal data; collected more data than necessary.

What to submit:

Complaint form citing DPA principles (lawful basis, transparency, proportionality).
Copies of messages to contacts, call recordings (if any), app permission logs, and app privacy policy (if available).
Proof of harm: embarrassment, threats, job repercussions, mental distress (for damages computation or mediation leverage).

Possible outcomes: Compliance orders, penalties, directives to erase unlawfully processed data, and orders to notify affected contacts or repair harm.

C. BSP (if the lender is a bank/EMI or BSP-supervised)

When to go: The entity is a bank, electronic money issuer, or otherwise under BSP. What to submit: Your complaint after using the provider’s Internal Dispute Resolution (IDR) and Consumer Assistance Mechanism (CAM). Include tickets/case numbers and all evidence.

D. PNP-ACG / NBI Cybercrime Division (criminal angle)

When to go: Estafa, extortion, threats, identity theft, computer-related fraud/access, or cyber-libel. What to submit:

Complaint-affidavit (see template below), valid ID, and digital evidence (with hash values if possible).
If there’s ongoing extortion or threats, ask for guidance on entrapment or forensic preservation.

Tip: For criminal filing with the City/Provincial Prosecutor, bring printed and digital copies; label exhibits (A, B, C…) and reference them paragraph-by-paragraph in your affidavit.

E. DTI / Platforms

If the scheme uses marketplace ads or social media pages, file ad/merchant complaints with the platform and DTI for deceptive online marketing.
Also report the app listing to Google/Apple for policy breaches (misrepresentation, invasive permissions, harassment).

6) Step-by-step reporting flow (practical playbook)

Check registration & supervision
- Is it an SEC-registered lending/financing company (or OLP tied to one)?
- Or a bank/EMI (BSP)?
- If unregistered or unclear, still file with SEC and note the impersonation/opacity.
Trigger the provider’s IDR/CAM (when applicable)
- Send a written complaint to the provider’s official consumer helpdesk, demand a written response in a fixed number of days, and request the complete loan computation and basis for any fees/charges.
Parallel filings (don’t wait if there’s harm)
- SEC (administrative), NPC (privacy), and PNP-ACG/NBI (criminal) can proceed in parallel, especially for debt-shaming or ongoing extortion.
Civil remedies
- If there are unauthorized charges or unconscionable penalties, consider Small Claims (≤ ₱1,000,000) for a refund and damages.
- Seek injunctive relief if harassment is severe (with counsel).
Harm-reduction
- Report and remove the app from your device and request platforms to takedown abusive listings.
- Notify your contacts/employer (briefly) if they were contacted by the collector; attach the official privacy complaint reference so they know you are addressing it.

7) Evidence packaging tips (to strengthen your case)

Chronology table (date/time, event, who spoke, where, exhibit tag).
Financial computations: show promised vs actual APR/fees; attach your own amortization sheet and the provider’s figures.
Technical capture: include file metadata, message headers, and—if possible—hashes (e.g., SHA-256) of key files to show integrity.
Witness statements: short sworn statements from contacts who received harassment.

8) Template: Complaint-Affidavit (criminal/administrative)

Title: Affidavit of [Your Full Name] I. Parties and capacity – Your name, age, address; respondent’s name (or “Name Unknown a.k.a. ‘XYZ Lending App’”), and capacity as operator/collector. II. Material facts – Numbered paragraphs narrating: (1) how you encountered the app; (2) key misrepresentations; (3) fees and rates demanded; (4) abusive collection (attach samples); (5) resulting loss/damage/fear. III. Elements of the offense / rule violations – Briefly map facts to: estafa elements, cybercrime acts, DPA principles, SEC unfair collection prohibitions. IV. Reliefs sought – Criminal prosecution and issuance of subpoenas/warrants as appropriate; for admin filings, cease-and-desist, fines, and public advisory. V. Annexes – List exhibits (A-1, A-2, …) with short descriptions. Jurats – Execute before a notary public or authorized officer.

9) Template: Letter to SEC / NPC / BSP Consumer Protection

Subject: Complaint vs. [OLC/App Name] for Fraud/Unfair Collection/Data Privacy Violations Complainant: [Name, Address, Contact, ID No.] Respondent: [Entity name as advertised / Developer name], App/Listing Links Facts (brief): 6–10 bullet points with dates; attach chronology. Violations Alleged: Cite applicable laws/rules (e.g., RA 9474, SEC unfair collection rules; RA 10173; RA 11765). Relief Sought: Investigation; cease-and-desist; fines; takedown; referral for criminal action; data erasure and notification to affected contacts. Attachments: Exhibits A-… (screenshots, contracts, proof of payments, witness statements).

10) Special situations

Identity theft loans – File police/NBI blotter and NPC complaint immediately; send dispute letters to the lender and any credit bureau involved; demand account closure and data rectification.
OFWs / cross-border apps – Philippine regulators can still act if victims are in the Philippines or the service targets Philippine residents. Preserve time-zone-stamped evidence and remit complaints electronically.
Harassment at work/school – Ask HR/admin to preserve messages and issue a cease-and-desist note to the collector; include it as evidence in NPC/SEC filings.

11) Remedies and outcomes you can expect

Administrative: Public advisories, app/page takedowns, fines, and revocation of authorization.
Criminal: Prosecution for estafa, threats, identity theft, cyber-libel, etc. (with possible arrest warrants upon judicial determination of probable cause).
Civil: Refunds, damages, and judicial reduction/striking of unconscionable interest or penalties; injunctions against further harassment.
Privacy: Erasure of unlawfully processed data, orders to stop contacting your phonebook, and penalties.

12) Practical FAQs

Q: Can I stop paying because they harassed me? A: No. Separate the valid loan (if any) from illegal practices. Pay only the lawful, correctly computed amount; dispute the rest in writing and, if needed, in Small Claims.

Q: What if the lender refuses to give a full computation? A: Note the refusal in your complaint and attach all you have (ads, in-app screens). Regulators can compel production.

Q: What if the company is “unknown” (no address, shell developer)? A: File anyway with SEC, NPC, and law enforcement using app store listings, payment trails, and device logs; agencies can trace through payment partners, gateways, and developer accounts.

Q: Can I recover damages for debt shaming? A: Yes—both privacy and civil law provide avenues for moral and exemplary damages if you prove the wrongful acts and the harm suffered.

13) Final checklist (print-friendly)

Identity of lender/app (name, links, screenshots)
Proof of registration/supervision status (or lack thereof)
Full timeline of events
Rate/fee disclosures vs. actual charges
Harassment evidence (messages to you/contacts)
Data privacy angle (permissions, contact scraping)
Financial records (receipts, statements, transfers)
IDR/CAM ticket numbers (if applicable)
Complaint-affidavit drafted and notarized
Parallel filings: SEC, NPC, PNP-ACG/NBI, and (if applicable) BSP
Platform takedown reports (app stores/social media)

Important closing notes

Keep communications in writing and insist on written responses.
Use calm, factual language; let the evidence do the work.
Consider consulting a lawyer for strategy (particularly for combined civil + criminal + administrative tracks).
Laws and circulars evolve; when filing, attach the exact contract/fee table and cite the current circulars you believe apply to your case.