How to Report Online Lending App Contact Access and Harassment in the Philippines

If an online lending app accessed your contact list, texted your family or coworkers, posted your photo, threatened you, or shamed you over an unpaid loan, you are not powerless. Philippine law allows lenders to collect legitimate debts, but it does not allow harassment, public shaming, unauthorized contact-list harvesting, fake threats of arrest, or excessive use of your personal data. This guide explains what counts as illegal or abusive conduct, which Philippine agencies handle each type of complaint, what evidence to prepare, and how to report online lending app contact access and harassment in the Philippines.

What Online Lending Apps Are Allowed to Do

A lending or financing company may remind a borrower about a loan, send billing notices, and use reasonable collection methods. A debt does not disappear just because the collector behaved badly.

But collection must be lawful, proportionate, and respectful of privacy. A lender cannot use your debt as an excuse to:

  • Harvest your entire phonebook.
  • Message your relatives, employer, neighbors, or friends who are not guarantors.
  • Tell other people that you owe money.
  • Threaten arrest, jail, public posting, barangay humiliation, deportation, or violence.
  • Use fake police, court, NBI, SEC, or barangay documents.
  • Post your photo, ID, loan details, or insults online.
  • Call or message at unreasonable hours.
  • Use obscene, insulting, or degrading language.
  • Process personal data beyond what is necessary for the loan.

The key idea is simple: a lender may collect a lawful debt, but it must not destroy your dignity, privacy, reputation, or safety while doing so.

Legal Basis: Your Rights Under Philippine Law

Data Privacy Act of 2012: Contact Lists Are Personal Data

The main privacy law is the Data Privacy Act of 2012, Republic Act No. 10173. It requires personal data processing to follow three basic principles:

Principle What it means for lending apps
Transparency The app must clearly tell you what data it collects, why, who receives it, and how long it will be kept.
Legitimate purpose The app must collect and use data only for lawful and declared loan-related purposes.
Proportionality The app must not collect or use more data than necessary. Full contact-list harvesting is usually difficult to justify.

Your phone contacts contain the names, numbers, and sometimes photos or email addresses of many people who never borrowed from the app. These people are also data subjects. They did not automatically agree to be contacted just because their number was saved in your phone.

Under the Data Privacy Act, you may also exercise rights such as:

  • The right to be informed about processing.
  • The right to object to unauthorized processing.
  • The right to access your data.
  • The right to correct inaccurate data.
  • The right to erasure or blocking, when legally proper.
  • The right to damages for privacy violations.

NPC Circulars on Loan-Related Transactions

The National Privacy Commission issued special rules for lending and financing companies because of repeated complaints against online lending apps. The key issuances are:

These rules are important because they directly address the usual online lending app problem: apps asking for unnecessary phone permissions, using contact lists for collection, and confusing “character references” with “guarantors.”

A character reference is usually someone who may confirm your identity or basic information. A guarantor is someone who expressly agrees to be answerable for the loan if you default. They are not the same.

An online lending app should not treat every person in your contact list as a guarantor. For debt collection, the lender may contact the guarantor, not random contacts who never agreed to guarantee the loan.

2026 DICT-NPC-SEC Advisory on Online Lending Platforms

The DICT, NPC, and SEC Public Advisory on Online Lending Platforms expressly warns against harassment, intimidation, public shaming, and unlawful use of personal data in online lending collection.

The advisory states that:

  • Unnecessary mobile app permissions are prohibited.
  • Unauthorized, excessive, or disproportionate processing of personal data, especially access to borrowers’ contact lists, is prohibited.
  • Contacting people in the borrower’s contact list other than named guarantors is prohibited for debt collection.
  • Apps should prompt users to turn off or revoke permissions once the purpose has been achieved.
  • Borrowers should download apps only from official or verified sources and check whether the operator is duly registered and licensed.

SEC Rules on Unfair Debt Collection

The Securities and Exchange Commission regulates lending companies under the Lending Company Regulation Act of 2007, Republic Act No. 9474, and financing companies under the Financing Company Act.

Under SEC Memorandum Circular No. 18, Series of 2019, the following may be treated as unfair debt collection practices:

  • Threats of violence or other criminal means.
  • Threats to take action that cannot legally be taken.
  • Obscene, insulting, or profane language.
  • Disclosure or publication of borrower names and personal information, except when legally allowed.
  • Communicating false loan information to other people.
  • False representations or deceptive means to collect.
  • Contacting borrowers before 6:00 a.m. or after 10:00 p.m., subject to the circular’s rules.
  • Contacting people in the borrower’s contact list other than named guarantors or co-makers.

Under SEC Memorandum Circular No. 19, Series of 2019, lending and financing companies must disclose important information in advertisements and online lending platforms, including their corporate name, SEC registration number, and Certificate of Authority number.

Financial Consumer Protection and Truth in Lending

Online loans are also covered by consumer protection rules.

The Financial Products and Services Consumer Protection Act, Republic Act No. 11765, strengthens the powers of financial regulators such as the SEC to protect financial consumers. It covers financial products and services, including credit, and recognizes rights such as fair treatment, disclosure, data privacy, and proper complaints handling.

The Truth in Lending Act, Republic Act No. 3765, requires disclosure of finance charges and the true cost of credit. This matters because some abusive apps combine harassment with unclear interest, hidden fees, short repayment periods, or deductions from the loan proceeds.

Civil Code, Criminal Law, and Cybercrime

If the harassment caused reputational damage, anxiety, humiliation, or financial loss, civil liability may also arise.

The Civil Code of the Philippines provides several useful bases:

  • Article 19 requires every person to act with justice, give everyone their due, and observe honesty and good faith.
  • Article 20 makes a person liable for damage caused contrary to law.
  • Article 21 covers willful acts contrary to morals, good customs, or public policy.
  • Article 26 protects dignity, personality, privacy, and peace of mind.
  • Article 32 allows damages for violations of rights, including privacy of communication and correspondence.
  • Article 33 allows a separate civil action in cases such as defamation, fraud, and physical injuries.

Criminal laws may also apply depending on the conduct:

Conduct Possible legal basis
Threats of harm, posting, or illegal action Revised Penal Code Articles 282 to 287 on threats and coercions
Publicly accusing you of fraud, estafa, or being a scammer online Libel under Articles 353 and 355 of the Revised Penal Code, and cyberlibel under RA 10175
Using fake authority, fake warrants, or fake government notices Possible usurpation, falsification, estafa, or cybercrime issues, depending on facts
Unauthorized access, identity misuse, or online fraud Cybercrime Prevention Act of 2012, RA 10175

The Cybercrime Prevention Act of 2012, RA 10175, may apply when threats, libel, fraud, or identity-related acts are committed through computer systems, apps, social media, email, or messaging platforms. The Supreme Court case Disini v. Secretary of Justice, G.R. No. 203335 is the leading case on the constitutionality and limits of the Cybercrime Prevention Act.

One more important point: under the 1987 Philippine Constitution, Article III, Section 20, no person may be imprisoned for debt. Non-payment of a simple loan is generally a civil matter. However, fraud, falsification, bouncing checks, identity misuse, or other criminal acts are separate matters.

Where to Report Online Lending App Harassment in the Philippines

Different agencies handle different parts of the problem. You may need to report to more than one.

Problem Main agency What they can address
Harassing collection, contact-list messaging, threats, abusive calls, unfair collection practices SEC Financing and Lending Companies Department Administrative sanctions, fines, suspension, revocation of authority
Unauthorized access or processing of contacts, photos, IDs, messages, or personal data National Privacy Commission Privacy investigation, orders to stop processing, deletion/blocking, fines, possible DOJ referral
Threats, fake warrants, public shaming, cyberlibel, extortion, hacking, scams PNP Anti-Cybercrime Group or NBI Cybercrime Division Criminal investigation and referral for prosecution
Local collector appears at your home or workplace and threatens you Barangay, local police, PNP Blotter, protection, local incident documentation
Scam app pretending to be registered lender or government agency SEC, DICT Cyber Hotline, PNP/NBI Scam reporting and enforcement coordination

The 2026 DICT-NPC-SEC advisory lists these reporting channels:

Concern Channel listed in the advisory
Unfair debt collection practices SEC FINLEND through SEC iMessage or hotline 1-4732 / 1-4SEC
Other harassment, threats, fraud, or scams DICT Cyber Hotline: 1326@dict.gov.ph
Cybercrime complaints NBI Cybercrime Division: ccd@nbi.gov.ph
Cybercrime complaints PNP Anti-Cybercrime Group: acg@pnp.gov.ph and onlinecims.ocs@gmail.com

Because agency contact details can change, check the official agency website before filing if your matter is urgent or time-sensitive.

Step-by-Step Guide: How to Report Online Lending App Contact Access and Harassment

1. Secure your phone and accounts first

Before filing, reduce the risk of continuing harm.

  • Revoke the app’s access to contacts, camera, photos, microphone, location, and storage.
  • Change passwords for your email, e-wallets, social media, and banking apps.
  • Enable two-factor authentication.
  • Do not send more IDs, selfies, passwords, OTPs, or screenshots of banking apps.
  • Do not click suspicious payment links sent by collectors.
  • If the app is still needed as evidence, take screenshots before uninstalling.

On Android or iPhone, check the app permissions under your phone settings. If contacts access is still enabled, turn it off.

2. Preserve evidence before messages disappear

Good evidence often decides whether a complaint moves forward. Collect everything in an organized folder.

Useful evidence includes:

  • Screenshots of harassing texts, chats, emails, calls, and social media posts.
  • Screen recordings showing the sender profile, phone number, app name, date, and time.
  • Call logs showing frequency and time of calls.
  • Screenshots from relatives, friends, employers, or coworkers who were contacted.
  • The app’s name as shown in the App Store, Google Play, APK source, or website.
  • App store links, screenshots of the app page, developer name, and reviews.
  • Privacy policy, terms and conditions, loan agreement, disclosure statement, and repayment schedule.
  • Proof of disbursement and payments made.
  • Receipts, GCash/Maya/bank transfer confirmations, and reference numbers.
  • Screenshots of fake legal threats, fake warrants, fake barangay notices, or fake police/NBI claims.
  • The names or aliases of collectors, phone numbers used, and email addresses used.
  • A short timeline of events.

For each screenshot, keep the original file if possible. Do not crop out the date, time, sender, or platform.

3. Send a written privacy and harassment complaint to the lender

For NPC complaints, there is usually an exhaustion of remedies requirement. This means you should first inform the respondent in writing and give it a chance to address the privacy violation. The NPC’s complaint guidance refers to a 15-calendar-day period from receipt of the written notice.

Send a short written complaint to the lending company, its customer service email, and its Data Protection Officer if available. Use clear language.

Include:

  • Your full name and loan account number, if any.
  • The app name and corporate name, if known.
  • The dates and times of harassment.
  • The personal data misused, such as contact list, photos, ID, employer, or references.
  • The names or numbers of non-guarantor contacts who were messaged.
  • A demand to stop contacting non-guarantors.
  • A demand to stop public shaming, threats, and abusive collection.
  • A request for the source, purpose, recipients, and retention period of your data.
  • A request to delete or block unlawfully processed contact-list data.
  • A request for a correct statement of account.

Keep proof of sending: email sent page, delivery receipt, ticket number, or courier proof.

4. File a complaint with the SEC for unfair debt collection

Report to the SEC when the main issue is abusive collection by a lending or financing company or its third-party collector.

Use the SEC iMessage complaint portal. In the complaint, state that the issue involves an online lending platform and unfair debt collection. Attach your evidence.

Include these details:

  • App name.
  • Corporate name, if visible.
  • SEC registration number and Certificate of Authority number, if shown.
  • App store link or website.
  • Loan amount, date borrowed, amount received, charges, and due date.
  • Collector numbers, names, and aliases.
  • Specific acts: contact-list messaging, threats, insults, public posting, calls outside reasonable hours, fake legal claims.
  • Names of non-guarantors contacted.
  • Screenshots and call logs.

The SEC can impose administrative penalties and may suspend or revoke authority to operate, depending on the facts and applicable rules. If the app is unregistered or unrecorded, the SEC may treat that as a separate regulatory issue.

5. File a complaint with the National Privacy Commission

Go to the NPC’s official File a Complaint page and Filing Formal Complaints guide. The NPC generally requires a formal complaint in the proper format, supporting evidence, and notarization.

Prepare:

  • Filled-out NPC complaint form or verified complaint.
  • Proof that you informed the respondent in writing and waited 15 calendar days, unless an exception applies.
  • Evidence of unauthorized contact access or misuse.
  • Screenshots from your contacts showing they were messaged.
  • Privacy policy, terms, consent screen, and app permission screenshots.
  • Affidavits from affected contacts if available.
  • Your valid ID.
  • Notarization.

The NPC may dismiss complaints that are insufficient in form, lack evidence, fail to show a Data Privacy Act issue, or do not identify the respondent despite reasonable effort. This is why the timeline, app details, and proof of prior written notice matter.

If the harassment is ongoing and the data misuse is serious, ask the NPC whether an application for a temporary ban or urgent relief is available under its rules.

6. Report threats, extortion, cyberlibel, or fake legal documents to cybercrime authorities

Go to the PNP Anti-Cybercrime Group, NBI Cybercrime Division, or the nearest police station if there are threats, fake warrants, public shaming, cyberlibel, identity misuse, hacking, or extortion.

Bring both printed and digital copies of evidence. Cybercrime investigators often ask for:

  • Your valid ID.
  • Screenshots with URLs, timestamps, and sender details.
  • Phone number or account used by the collector.
  • Device used to receive the messages.
  • Links to public posts.
  • Witness screenshots from contacts.
  • Proof of the loan transaction.
  • A written incident narrative.

A police blotter can sometimes be done quickly, but cybercrime investigation and case build-up can take weeks or months, especially if platform records, telco information, or account tracing is needed.

7. Inform your contacts calmly

If friends, relatives, or coworkers were contacted, send a short message:

“A lending app may have accessed my contacts and may send misleading or harassing messages. You are not my guarantor unless you personally signed or agreed to be one. Please screenshot any message, do not reply, and send the screenshot to me for reporting.”

This prevents panic and helps preserve evidence.

8. Deal with the valid debt separately

Do not let the harassment push you into unsafe payments.

Before paying, verify:

  • The legal corporate name.
  • SEC registration and Certificate of Authority.
  • Official payment channels.
  • Correct outstanding balance.
  • Interest, penalties, and fees.
  • Whether payments go to the lender, not a personal wallet of a collector.

Ask for a statement of account. Pay only through traceable channels. Keep receipts. If you dispute the charges, say so in writing and ask for a breakdown.

Required Documents, Costs, and Timelines

Item SEC complaint NPC complaint PNP/NBI cybercrime report
Valid ID Recommended Usually required Required
Screenshots and call logs Required Required Required
Loan documents Strongly recommended Strongly recommended Recommended
Proof contacts were messaged Very important Very important Important
Written demand to lender Helpful Usually important due to exhaustion of remedies Helpful but not always required
Notarized complaint Usually not for basic online ticket filing Usually required for formal complaint Affidavit may be required
Fees Usually none for online complaint filing Check NPC fee schedule; notarization costs vary Police/NBI reporting is generally free, but notarization/printing may cost money
Usual timing Acknowledgment may be quick; investigation may take weeks to months 15-day prior notice issue plus evaluation; full proceedings may take months Blotter may be same day; investigation varies

For OFWs or foreigners abroad, a notarized affidavit or Special Power of Attorney may need consular notarization or proper authentication. Philippine embassies and consulates can notarize documents for use in the Philippines, subject to their appointment rules and personal appearance requirements. If a local foreign notarization is used, check whether apostille or consular authentication is required for use in the Philippines.

Common Pitfalls That Can Hurt Your Complaint

Deleting the app before saving evidence

If you delete the app immediately, you may lose the app version, permission screens, loan records, or in-app messages. Take screenshots first.

Sending only emotional statements without proof

A complaint saying “they harassed me” is weaker than a complaint showing:

  • Who sent the message.
  • What was said.
  • When it was sent.
  • Which number or account sent it.
  • Which non-guarantor received it.
  • How it connects to the lending app.

Not identifying the app operator

Many apps use different names from the corporate entity. Check:

  • App store developer name.
  • Website footer.
  • Privacy policy.
  • Terms and conditions.
  • Loan agreement.
  • Disclosure statement.
  • SEC registration and Certificate of Authority number.

Paying collectors through personal accounts

Be careful if a collector asks you to pay to a personal GCash, Maya, bank account, or QR code. That can make it harder to prove payment to the company. Use official payment channels whenever possible.

Ignoring real court papers

Many threats of “warrant,” “subpoena,” or “barangay case” from collectors are fake. But if you receive actual court documents, prosecutor notices, or barangay summons from an official channel, do not ignore them. Verify directly with the issuing office.

Assuming “I clicked allow contacts” means everything is legal

Consent must be informed, specific, freely given, and tied to a legitimate purpose. A broad permission screen does not automatically authorize harassment, public shaming, or contacting your entire phonebook for collection.

Special Notes for OFWs, Foreigners, and Borrowers Outside the Philippines

Online lending harassment often reaches OFWs and foreigners because apps use Philippine phone numbers, local contacts, Facebook accounts, or family members in the Philippines.

The Data Privacy Act and its rules may still matter when:

  • The lending company or app operator is in the Philippines.
  • The borrower is a Philippine citizen or resident.
  • The data processing is done in the Philippines.
  • The app carries on business in the Philippines.
  • The affected contacts are in the Philippines.

Practical issues for people abroad:

  • You can start with online reporting channels, but agencies may later require affidavits.
  • If a representative in the Philippines will file for you, prepare a Special Power of Attorney.
  • Consular notarization may be needed if you sign documents abroad for Philippine use.
  • Keep screenshots showing the time zone and full phone number.
  • Ask affected contacts in the Philippines to save their own screenshots and prepare short affidavits if needed.

What Outcomes Are Realistic?

A complaint can lead to several possible outcomes, depending on evidence and jurisdiction.

Agency or process Possible outcome
SEC Warning, fines, suspension, revocation of authority, orders against unfair collection, action against unregistered platforms
NPC Orders to stop unlawful processing, delete or block data, administrative fines, compliance orders, referral for criminal prosecution
PNP/NBI/DOJ Cybercrime investigation, referral for inquest or preliminary investigation, criminal case if evidence is sufficient
Civil court Damages for defamation, privacy invasion, harassment, or other civil wrongs
Barangay/local police Blotter, local incident record, referral to proper agency, immediate help for threats in the community

Administrative complaints are usually faster than court cases, but they still require patience. Criminal and civil cases can take much longer.

Frequently Asked Questions

Can an online lending app access my contacts if I clicked “Allow”?

Not automatically for all purposes. The app must still comply with the Data Privacy Act, NPC circulars, and the principles of transparency, legitimate purpose, and proportionality. Access that is unnecessary, excessive, deceptive, or used for harassment can still be unlawful.

Can a lending app text my family, employer, or friends about my loan?

Generally, not for debt collection unless they are named guarantors or co-makers who expressly agreed to be contacted for that obligation. Contacting random people in your phonebook to shame or pressure you is a serious red flag.

Is it legal for collectors to threaten arrest for an unpaid online loan?

A simple unpaid debt does not by itself lead to imprisonment. The Philippine Constitution prohibits imprisonment for debt. Fraud or other criminal acts are different, but collectors cannot invent fake arrest threats just to force payment.

Where should I report first: SEC, NPC, PNP, or NBI?

Report to the SEC for unfair debt collection by lending or financing companies. Report to the NPC for unauthorized use of personal data, contact-list access, or privacy violations. Report to PNP or NBI if there are threats, extortion, fake legal documents, cyberlibel, identity misuse, hacking, or scams.

What if the online lending app is not SEC registered?

Still report it. An unregistered or unrecorded lending app may raise separate regulatory issues. Send the SEC the app name, screenshots, app store link, website, payment channels, and collector numbers.

Can my contacts also file complaints?

Yes. If your contacts received harassment or their personal data was used without lawful basis, they may also be affected data subjects. Their screenshots and affidavits can strengthen your complaint.

Do I need a lawyer to file with the SEC or NPC?

For many complaints, individuals file directly using agency forms and portals. A lawyer may be helpful for complex facts, large damages, criminal prosecution, or court action, but initial administrative reporting can usually be started by the complainant.

Can I claim damages for public shaming or privacy violations?

Yes, depending on proof. The Civil Code, Data Privacy Act, and laws on defamation or cybercrime may support claims for damages if the facts show unlawful conduct and actual injury, humiliation, reputational harm, or other compensable damage.

What if I really owe the loan?

You should still address the valid debt, but the lender must collect lawfully. Owing money does not authorize harassment, contact-list blasting, public shaming, threats, or misuse of personal data.

Key Takeaways

  • Online lending apps may collect lawful debts, but they cannot harass, shame, threaten, or misuse your contact list.
  • Contacting people in your phonebook who are not guarantors is generally prohibited for debt collection.
  • The main agencies are the SEC for unfair collection, the NPC for data privacy violations, and PNP/NBI for cybercrime, threats, extortion, or scams.
  • Save evidence before deleting messages or uninstalling the app.
  • Send a written complaint to the lender first when preparing an NPC case, because exhaustion of remedies is often required.
  • Do not pay through personal collector accounts without verifying the official lender and payment channel.
  • Non-payment of a simple debt is not, by itself, a basis for imprisonment in the Philippines.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login