How to Report Harassment by Online Lending Apps to the NPC and SEC (Philippines)

This article explains, in Philippine context, how victims of abusive collection tactics by online lending apps can build their case and report effectively to the National Privacy Commission (NPC) and the Securities and Exchange Commission (SEC). It covers the legal bases, evidence to gather, step-by-step filing procedures, timelines, remedies, and practical templates.

1) What counts as “harassment” and why two regulators are involved

Typical abusive practices

“Shaming” tactics: Messaging or calling your family, employer, or contacts; group chats; social-media posts calling you a “scammer.”
Threats and intimidation: Arrest threats, “barangay blotter,” workplace exposure, or fake legal notices.
Excessive/odd-hour contact: Repeated calls or messages, especially at night or during work.
Unfair disclosures: Broadcasting your debt status, amount, or personal data to third parties.
Coerced data access: Requiring address book, photos, SMS, or location unrelated to loan servicing.

Why NPC and SEC?

NPC (Data Privacy Act of 2012, RA 10173): Handles privacy violations—unauthorized processing, unlawful disclosure, and disproportionate data collection/use.
SEC (Lending Company Regulation Act, RA 9474; Financial Products and Services Consumer Protection Act, RA 11765; and SEC rules on Unfair Debt Collection Practices): Oversees lending/financing companies and online lending platforms (OLPs); prohibits abusive collection, deception, and other unfair practices, and can suspend or revoke licenses.

If the app is a bank, EMI, or licensed payment operator, collection conduct may also fall under BSP jurisdiction; you can still pursue NPC for privacy breaches. If threats amount to crimes (e.g., grave threats, unjust vexation, cyber-libel), you may also go to PNP-ACG or NBI-CCD, but this article focuses on NPC and SEC.

2) Legal bases you can cite

Data Privacy Act (RA 10173) & IRR
- Lawful processing, transparency, proportionality, data minimization.
- Prohibitions on unauthorized disclosure and processing incompatible with original purpose.
- Security measures; accountability of personal information controllers/processors.
SEC Rules on Unfair Debt Collection Practices (applicable to Lending/Financing Companies and OLPs)
- Prohibit public shaming, contacting third parties about the debt (except in very limited circumstances), using threats, profane language, or false representation, and contacting at unreasonable hours.
- Require proper disclosure, fair collection, and respectful treatment of borrowers.
Financial Products and Services Consumer Protection Act (RA 11765)
- Outlaws abusive collection and imposes duties on financial service providers.
- Empowers SEC to penalize, suspend operations, order restitution, and require corrective measures.
Lending Company Regulation Act (RA 9474)
- Registration/licensing requirements for lending companies; operating without SEC authority is unlawful.

3) Build your case: evidence checklist

Collect original, unedited copies where possible. Preserve metadata (dates, times, numbers, usernames).

Core set

Screenshots/recordings of abusive messages, calls, voicemails, chat groups, or posts.
Call logs: dates, times, caller IDs; note frequency (e.g., “12 calls from 10:15–11:00 PM”).
Copies of the loan app’s permissions you granted, privacy notices, and in-app terms.
Proof of your identity and relationship with the lender (loan agreement, payment receipts, reference numbers).
List of third parties contacted (family, employer) + their screenshots/affidavits if willing.

Nice to have

Device permission history (e.g., screenshots showing app access to Contacts, Storage, SMS, Location).
Timeline of events (see template below).
If your contacts were harassed, their statements and evidence (with consent).
Any proof of reputational damage (HR memo, chat with supervisor, barangay report).

Preservation tips

Never edit or annotate the originals; keep a separate “marked-up” copy for your narrative.
Export chat histories where possible (e.g., text + media).
Back up to a cloud drive and an offline USB; label files with dates.

4) Decide where to file and what to allege

Decision guide

They messaged my contacts or posted about me → Privacy breach (NPC) and unfair collection (SEC).
They keep calling me at 1:00 AM with threats → Unfair collection (SEC); also NPC if they used excessive data or unlawfully processed your number.
They forced me to enable address-book & gallery access to get a small loan → Privacy breach (NPC) for disproportionate data collection; SEC for abusive design/collection if used to pressure repayment.
The app/company isn’t registered → SEC (operating illegally); still NPC if there are data abuses.

Best practice: File with both NPC and SEC when conduct overlaps. Cross-reference the other case in each complaint.

5) How to file with the National Privacy Commission (NPC)

The NPC accepts complaints from data subjects for violations of RA 10173 and its IRR. Processes and portals can change—follow current NPC instructions when you file.

NPC filing package

Complaint Letter / Statement of Facts
- Identify the Personal Information Controller (PIC) (the company) and, if known, Personal Information Processor (PIP) (e.g., the app developer or collection agency).
- Describe the data involved (name, number, photos, contacts) and unlawful acts (e.g., contacting contacts; public shaming).
- Cite legal bases (lawful processing, purpose limitation, proportionality, unauthorized disclosure, data security).
- State harm (anxiety, reputational damage, workplace risk).
- Indicate any prior steps (you asked them to stop; they refused).
- Prayer/Relief (see below).
Documentary evidence (see checklist), clearly labeled.
Affidavits (yours and, if any, from harassed contacts), notarized if required.
Proof of identity (government ID), and authority if filing for a minor or another person.
Service details (company email/office address if available) to assist NPC in notifying the respondent.

Typical NPC remedies you may request

Cease-and-desist against contacting your contacts or further unlawful processing.
Order to delete/stop processing specific personal data (e.g., contacts list, photos).
Access, correction, or erasure of your data in the app’s systems.
Administrative fines/penalties and directives for security/compliance measures.
Damages (when applicable), and referral to other authorities if crimes appear.

NPC process overview (what to expect)

Docketing & completeness check. You may be asked to supply missing details.
Mediation or conference (in some cases) to resolve quickly.
Investigation & compliance order if violations are found.
Appeals follow administrative law rules. Keep copies of all submissions and NPC reference numbers.

6) How to file with the Securities and Exchange Commission (SEC)

The SEC (through its Enforcement/Consumer Protection units) investigates lending/financing companies and OLPs for unfair debt collection, misrepresentations, and unlicensed operations.

SEC filing package

Complaint / Report of Unfair Collection Practices
- Identify the lender/financing company, trade names, app names, and any connected OLPs.
- Describe abusive behavior (e.g., “public shaming via mass texts to my contacts,” “threats of arrest”).
- Cite SEC rules on Unfair Debt Collection Practices and RA 11765 duties to treat consumers fairly.
- If suspected, allege lack of SEC registration/license or use of unregistered OLPs.
Evidence
- Screenshots/recordings, call logs, copies of in-app notices, and proof of any third-party disclosures.
Your borrower details
- Loan reference numbers, dates, amounts, and payment history (to show context).
Affidavits (yours and third parties), notarized if needed.

SEC remedies you may request

Show-cause orders and administrative sanctions for unfair collection.
Suspension or revocation of the lender’s/OLP’s license or registration.
Order to cease harassing acts and to implement proper complaint-handling.
Restitution or refunds of unlawful fees/charges (case-dependent).
Referral to law enforcement if criminal activity is indicated.

SEC process overview

Docketing & evaluation by the consumer protection/enforcement unit.
Directives to the company to explain and cease abusive practices.
Administrative proceedings possibly leading to fines, suspension, or revocation.
Public advisories may be issued against erring OLPs.

7) Writing a clear timeline (use this structure)

Keep it factual, chronological, and concise.

Day 0 — App install: Permissions requested (contacts, storage, location).
Day 2 — Disbursement: Loan amount, fees.
Day 9 — First late reminder: Tone neutral.
Day 12 — Harassment begins: Ten calls between 10:30–11:15 PM; messages threaten arrest.
Day 13 — Disclosure to contacts: Five relatives receive “scammer” message; attach screenshots.
Day 14 — Demand to cease: You emailed in-app support revoking consent; attach proof.
Day 16 — Continued harassment: Group chat created; employer contacted; attach evidence.
Day 18 — Filing: NPC and SEC complaints submitted; reference numbers (once issued).

8) Practical do’s and don’ts during harassment

Reply once in writing revoking consent to contact third parties and demanding they stop unfair practices; keep it short and polite.
Route further communication in writing and save everything.
Tell your contacts/employer that an abusive lender may reach out; provide them a short script to ignore/report.
Consider blocking numbers after you’ve captured enough evidence (screenshots, call logs).
Continue paying legitimate, agreed amounts if you can; your right to be free from harassment exists regardless of arrears.

Don’t

Don’t pay extra “collector fees” not in your contract.
Don’t send IDs/selfies through chats to unknown collectors.
Don’t sign new consent forms sent under pressure.
Don’t retaliate with threats or defamatory posts; let the evidence speak.

9) Model templates (copy-paste and customize)

A) NPC Complaint — Statement of Facts & Reliefs (excerpt)

Complainant: [Full Name, Address, Contact] Respondent PIC/PIP: [Company Legal Name, App Name(s)] Subject: Complaint for violations of the Data Privacy Act (RA 10173)

Facts:

On [date], I installed [App]. The app required access to my [Contacts/Storage/SMS/Location] which I enabled to proceed.

On [date], I began receiving collection messages. On [date], the Respondent disclosed my alleged debt to my [mother/employer] without my consent. Screenshots Annexes “A–C.”

Messages used threats of arrest and public shaming. Annexes “D–E.”

Grounds:

Unauthorized disclosure and processing of my personal data and my contacts’ data; lack of lawful basis and violation of the principles of transparency, proportionality, and legitimate purpose under RA 10173 and its IRR.

Failure to implement appropriate security and organizational measures.

Reliefs: a) Order Respondent to cease contacting my contacts and delete unlawfully obtained data; b) Direct Respondent to provide full account of my personal data processed and its sources; c) Impose administrative penalties; and d) Grant other just and equitable reliefs.

Verification & Certification of Non-Forum Shopping [Signature; Notarization if required]

B) SEC Complaint — Unfair Debt Collection (excerpt)

Complainant: [Full Name] Respondent: [Lending/Financing Company, OLP Names] Subject: Unfair Debt Collection Practices and Possible Unregistered Operations

Allegations:

From [dates], Respondent engaged in public shaming by mass messaging my contacts and creating group chats naming me a “scammer.”

Respondent issued threats of arrest and workplace exposure and called at unreasonable hours.

These acts violate SEC rules on Unfair Debt Collection Practices and RA 11765.

Prayer:

Order Respondent to cease abusive collection, investigate and penalize;

Suspend/revoke licenses as warranted;

Require restitution of unlawful fees and corrective measures.

10) Frequently asked questions

Q: Can I file with NPC even if I actually owe money? A: Yes. Harassment and privacy violations are unlawful regardless of your debt status.

Q: Do my contacts need to file their own complaints? A: It helps if they do, but your complaint may proceed with their affidavits or evidence (with their consent).

Q: What if the company says a third-party “agent” sent the threats? A: That’s not a defense. PICs remain accountable for their processors/agents’ acts in handling your personal data and collection.

Q: Will NPC or SEC get my money back? A: Their core powers are administrative. Restitution/refund may be ordered in some cases (especially under RA 11765), but civil damages can also be pursued in court if warranted.

Q: Should I delete the app? A: After you’ve preserved evidence, yes. Also revoke permissions and change credentials associated with the app.

11) Parallel actions that may help

Telco/Platform reporting: Report abusive numbers and accounts for spam/harassment; request takedowns of defamatory posts.
Employer briefing: Provide HR a one-page memo so they know it’s illegal harassment and should not engage.
Barangay note: File a brief blotter entry if harassment occurs locally (optional, to document events).
Law enforcement: For credible threats, extortion, or identity misuse, consider PNP-ACG/NBI complaints alongside NPC/SEC filings.

12) Filing checklist (one-page)

Identity docs and contact info
Loan details (agreement, references, receipts)
Evidence pack (screens, logs, voice, exports)
Timeline + index of annexes
Complaint letters: NPC (privacy) and SEC (unfair collection)
Affidavits (you + affected contacts)
Cross-reference each filing (mention other case)
Backup everything (cloud + offline)

13) Final notes

You are exercising statutory rights: privacy, fair treatment, and consumer protection.
Even if you intend to repay, you never consented to public shaming or abusive collection.
Processes evolve; follow the latest filing instructions of the NPC and SEC when you submit.
Keep your communications calm, factual, and documented—your evidence is your strongest advocate.

You can use the templates above as starting points. If you want, I can tailor them to your specific facts and assemble a clean, ready-to-file packet.