This legal explainer is written for borrowers, guarantors, referees/“contacts,” and members of the public who are being harassed by online lending apps (OLAs) or third-party collectors. It covers what counts as harassment, the laws that apply, which authorities accept complaints, what evidence to gather, and step-by-step reporting options—plus practical templates you can use right away.

1) What counts as “harassment” in debt collection?

Harassment is any abusive, coercive, or deceptive conduct meant to force payment. In the OLA context, it commonly includes:

Threats of harm, arrest, or criminal cases; doxxing; shaming posts
Contacting your phone contacts or employer to disclose your debt
Repeated calls or messages at unreasonable hours, using profane or degrading language
Impersonating officials (e.g., “from court/NBI/BIR/pulis”) or sending fake “warrants”
Manipulated images (“mugshots,” edited IDs) or public shaming group chats
Unconsented data scraping of your phonebook, photos, SMS, or gallery through app permissions
False statements about the amount due, fees, or legal consequences

You can report these behaviors even if you actually owe money. Owing a debt does not authorize abuse or privacy violations.

2) Laws and rules that protect you

Data Privacy Act of 2012 (RA 10173) – Protects your personal data. Using your contacts/photos without a lawful basis, excessive processing, and unauthorized disclosure can violate this law. You have rights to object, access, erasure/blocking, damages, and to complain to the National Privacy Commission (NPC).
Financial Products and Services Consumer Protection Act (RA 11765) – Prohibits abusive debt collection, misleading statements, and harassment by financial service providers and their agents; empowers regulators to investigate and penalize.
Lending Company Regulation Act (RA 9474) and Revised Financing Company Act (RA 8556) – Lending/financing companies must be registered and comply with SEC rules. Unregistered lenders and those violating SEC unfair debt collection prohibitions may be sanctioned and ordered to cease operations.
SEC rules on unfair collection practices (e.g., prohibitions on threats, contacting persons not the borrower except as allowed, public shaming, obscene language, and false representation). These apply to lending/financing companies and their third-party collectors.
Cybercrime Prevention Act (RA 10175) – Covers crimes committed through ICT, such as cyber-libel, illegal access, computer-related identity theft, etc.
Revised Penal Code – Possible offenses include grave or light threats, unjust vexation, libel/slander, coercion, and usurpation of authority when collectors pretend to be officers.
Safe Spaces Act (RA 11313) – Covers online gender-based harassment (e.g., sexualized, gendered insults or threats).

Bottom line: Multiple laws may apply at once. You may pursue administrative action (NPC/SEC/BSP/IC), and criminal or civil cases in parallel.

3) Who regulates what?

Securities and Exchange Commission (SEC) – Complaints against lending companies and financing companies, including illegal (unregistered) lenders and unfair collection. The SEC’s Enforcement and Investor Protection Department (EIPD) handles reports; SEC can issue show-cause orders, cease-and-desist orders, fines, and recommend criminal charges.
Bangko Sentral ng Pilipinas (BSP) – Complaints against banks, e-money issuers, credit card issuers, and other BSP-supervised financial institutions (BSFIs). BSP enforces RA 11765 and consumer protection standards.
National Privacy Commission (NPC) – Complaints on privacy/data misuse (e.g., scraping phonebooks, unauthorized disclosure to contacts, excessive data collection).
Insurance Commission (IC) – If the collector works for an insurance or HMO entity under IC.
NBI / PNP Anti-Cybercrime Group – For criminal conduct, such as threats, cyber-libel, identity theft, or extortion.
App stores & telco – You can also report abusive apps to Google Play / Apple App Store for policy violations, and ask your mobile network to assist with number blocking where available.

If you’re unsure whether the entity is an SEC-registered lender or a BSP-supervised institution, report to both the SEC and BSP and they will route or coordinate as needed; also file with NPC if privacy was abused.

4) Evidence you should collect before reporting

Screenshots of messages, calls, voicemails, chat threads, group chats, social media posts, edited images, call logs
- Make sure timestamps, senders, and numbers/usernames are visible.
The app name and developer/company name, version, download source, and consents/permissions granted (e.g., screenshots of app permissions).
Identity trail of the collector: numbers used, email addresses, usernames, GCASH numbers for payment instructions, bank accounts, and reference codes.
Your loan documents: app loan details, terms, payment history, ledger/receipts; note any hidden fees or unilateral changes.
Witness statements from contacts or HR if they were called or messaged.
Proof of harm: missed work, emotional distress, medical consults, costs incurred, or reputation damage (for damages claims).
Device forensic basics: do not delete the app or chats until you have backups; export chats where possible.

5) Immediate steps to reduce harm (without waiving rights)

Revoke permissions (Contacts/Storage/SMS/Phone) in your phone settings; restrict background data.
Change privacy settings in messaging and social media; notify close contacts that any shaming messages are abusive debt collection.
Communicate in writing only with the lender/collector; ask for the agent’s full name, employer, and authority to collect.
Offer a repayment plan if you intend to pay but cannot meet current terms—this helps show good faith while you challenge harassment.
Do not send IDs/selfies to unknown agents; verify official channels.
If there are threats or fake warrants, take screenshots and consider filing a criminal complaint.

6) How to report: step-by-step

A. Report to the SEC (for lending/financing companies and illegal OLAs)

When: The app is a lending/financing service, or you suspect it is unregistered; there’s unfair collection or public shaming; or the company operates multiple “clone” apps.

Prepare:

Your ID and contact details (you may request confidentiality)
App name, company name (if any), website/Facebook page, and download source
Proof of registration (if any) or note “unknown/unregistered”
All evidence (see Section 4) consolidated in a single PDF/drive link if possible
Short narrative: dates, what was said, who was contacted, and relief you seek (cease & desist, sanctions)

Ask the SEC to:

Investigate for unregistered lending and unfair collection practices
Order the entity to cease harassment; take down illegal apps/pages
Coordinate with BSP/NPC/PNP as applicable
Inform you of action taken

Tip: If you’re a non-borrower (e.g., a contact who was harassed), you can still complain—note that your personal data was processed and disclosed without consent.

B. Report to the NPC (privacy & data misuse)

When: The app or its agents scraped your contacts/photos/SMS, disclosed your debt to others, sent mass texts to your contacts, or collected excessive data beyond necessity.

Prepare:

Identity and contact info of the respondent (company/app)
Specific data collected and how (permissions, screenshots)
Lawful basis claimed by the app (from its privacy policy/consent screen) and why it’s invalid or excessive
Harm suffered: reputational, employment, mental distress, doxxing
Your requests: order to cease processing/disclosure, erase/block data, and penalize the respondent; claim damages under the DPA

Ask the NPC to:

Conduct compliance checks and issue compliance orders
Direct the app to stop contacting your phonebook and delete unlawfully obtained data
Coordinate with other regulators and law enforcement

C. Report to the BSP (for banks, e-money issuers, credit card issuers)

When: The lender is a BSP-supervised entity. What to raise: Abusive collection, misleading statements, unfair fees, or failure to act on your written complaint. Sequence: First file a written complaint with the bank/EMI; if unresolved or the response is unsatisfactory, escalate to BSP with proof of your initial complaint and the bank’s reply.

D. File a police/NBI report (criminal acts)

When: There are threats of harm, extortion, fake warrants, defamatory posts, or identity theft. Where: PNP Anti-Cybercrime Group or NBI Cybercrime Division. Bring: Government ID, device with original messages, printed screenshots, and a brief affidavit of complaint. Possible charges: Grave threats, unjust vexation, coercion, usurpation of authority, cyber-libel, identity theft, and violations of RA 10175.

E. Inform app stores & platforms

Report the app and abusive developer accounts for policy violations (harassment, illegal activities, data misuse).
Report shaming posts/groups to social platforms for privacy violation, bullying, or impersonation.

7) If you’re an HR officer or contact who was harassed

Keep copies of the messages sent to the company or staff.
Reply once, briefly: you are not the borrower, demand they stop contacting the workplace, and ask for the lawful basis for processing employee data.
Escalate to SEC (unfair collection) and NPC (unauthorized processing/disclosure).
Consider internal support for your employee (documentation time, mental health resources).

8) Civil remedies you can consider

Damages under the Civil Code (Articles 19, 20, 21) for abuse of rights, willful or negligent acts contrary to law or morals.
Damages under the DPA (for unlawful processing/disclosure).
Injunction/TRO to stop continued harassment or public shaming.
Habeas Data petition to compel disclosure and deletion/blocking of unlawfully obtained personal data (especially when safety is at risk).

Consult a lawyer or the Public Attorney’s Office (PAO) if you plan to file in court, especially for injunctions or damages.

9) Practical scripts & templates

A. Cease-and-Desist to Collector (send by email/chat; keep proof)

Subject: Cease and Desist from Abusive Collection and Privacy Violations

I am writing regarding Account/Reference No. ______ with [Company/App]. Your representatives have: – repeatedly contacted me outside reasonable hours and used threatening/abusive language; – disclosed my personal data/debt details to third parties (including my contacts/employer) without lawful basis; and/or – misrepresented themselves as law enforcement/court officers.

These acts violate the Data Privacy Act (RA 10173), RA 11765, and SEC prohibitions on unfair debt collection.

I demand that you immediately:

stop all harassment and third-party contacts;

communicate only in writing to this email/number;

provide the full legal name of your company and authorized agent; and

delete/block personal data obtained from my device/contacts and confirm in writing within five (5) days.

Non-compliance will be reported to the SEC, NPC, and law enforcement, and I will seek legal remedies.

B. Notice to Employer/Contacts (to neutralize shaming)

If you receive messages about me from [App/Collector], please ignore and report them. I’m addressing the matter through proper channels. Disclosing my debt and sending edited images is illegal harassment and a privacy violation.

C. Complaint Outline (for SEC/NPC/BSP portals)

Complainant: Name, address, contact details
Respondent: App name, developer/company, numbers, pages/links
Facts: Timeline with dated bullets; who contacted whom; copies of messages/posts
Legal grounds: DPA violations; unfair debt collection; abusive practices; criminal acts (if any)
Relief sought: Cease and desist, deletion of data, penalties, confirmation of action, referral to law enforcement
Attachments: Screenshots (labeled), loan documents, app permissions, witness statements

10) Frequently asked questions

Q: I borrowed and I’m late. Can I still complain? Yes. Harassment and privacy violations are unlawful regardless of delinquency.

Q: What if the lender is unregistered or uses multiple clone apps? Report to SEC for illegal lending. Include every app name and link you can find; SEC can issue takedown orders and sanctions.

Q: They messaged my contacts and posted edited photos. Is that criminal? Possibly. Beyond administrative sanctions, conduct may constitute libel/cyber-libel, grave threats, identity theft, and unjust vexation. Preserve evidence and consider a police/NBI complaint.

Q: Should I delete the app? Not before you back up data and screenshots. After preserving evidence, you may uninstall or at least revoke permissions.

Q: Can they have me arrested for unpaid personal loans? No arrest for civil non-payment. Threats of arrest for private debt are abusive and reportable.

Q: They keep calling at midnight. Is there a “legal time” for collections? Collectors must act fairly and reasonably; repeated calls at unreasonable hours are typically considered harassment under consumer protection and SEC rules.

11) Checklist (print and tick off)

Took screenshots with timestamps and numbers/usernames
Saved loan documents, receipts, and app permission screens
Sent cease-and-desist note; kept proof
Filed SEC report (lending/financing or illegal app)
Filed NPC report (privacy violations)
Filed BSP escalation (if bank/e-money issuer)
Filed PNP/NBI report for threats/cyber-libel/identity theft
Reported the app/post to app store/social platform
Notified employer/contacts with a brief explainer
Considered legal counsel/PAO for injunctions or damages

12) Key takeaways

Harassment and shaming by OLAs are unlawful, even if you owe money.
You can report simultaneously to SEC (unfair collection/illegal lending), NPC (privacy), BSP (if BSFI), and law enforcement (criminal acts).
Preserve evidence carefully, assert your privacy and consumer rights, and use written channels.
Seek civil and criminal remedies if the abuse continues.

This article is for general information and does not create a lawyer-client relationship. For case-specific advice, consult counsel or PAO.