When an online lending app contacts your family, officemates, neighbors, or phone contacts about your loan without proper consent, the issue is not just “utang.” In the Philippines, this can involve data privacy violations, unfair debt collection practices, and, in serious cases, criminal harassment, threats, cyber libel, or scams. This article explains when contacting references is illegal, which government office handles each type of complaint, what evidence to prepare, and how to report an online lending app in a practical, step-by-step way.
Is it illegal for an online lending app to contact your references?
It depends on who was contacted, why they were contacted, and how their information was obtained.
Philippine rules allow a lending or financing company to ask for character references for identity verification or loan evaluation. But the law draws a clear line between a character reference, a guarantor, and random contacts harvested from your phone.
| Situation | Usually allowed? | Why it matters |
|---|---|---|
| The app asks you to manually provide 1–2 character references for identity verification | Yes, if limited and properly explained | Character references may be used to verify identity and truthfulness of loan information. |
| The app accesses your full phone contact list and messages many people | No, if excessive or used for pressure | NPC rules prohibit unbridled or excessive processing of contact lists. |
| The app contacts your reference only to verify that you know each other | Possibly | It must still be limited, transparent, and not abusive. |
| The app tells your reference that you owe money or threatens to shame you | Generally prohibited | Debt collection through non-guarantor contacts is prohibited. |
| The app treats your reference as a guarantor even though they never agreed | No | A guarantor must separately consent to be bound for the loan. |
| The app calls your employer, barangay, relatives, or Facebook friends to pressure payment | Strong basis for complaint | This may be unfair debt collection and unlawful use of personal data. |
Under NPC Circular No. 2022-02, a character reference is only a person whose contact information is provided to verify the identity and truthfulness of information supplied by the borrower. The same circular says a character reference must not automatically be treated as a guarantor, and for debt collection, the lender may contact only the guarantor. Contacting other persons in the borrower’s contact list for debt collection is prohibited.
The 2026 joint advisory of the DICT, National Privacy Commission, and Securities and Exchange Commission also states plainly that contacting persons on the borrower’s contact list other than named guarantors is prohibited for debt collection. It also says online lending platforms may access contacts only for limited purposes, such as allowing the borrower to select character references or guarantors, and that unbridled contact-list processing is prohibited.
Your key rights under Philippine law
1. Your right to data privacy under RA 10173
The Data Privacy Act of 2012, or Republic Act No. 10173, protects personal information in both government and private-sector systems. It defines consent as freely given, specific, and informed, and it recognizes the rights of the data subject, meaning the individual whose personal information is being processed. (National Privacy Commission)
For online lending apps, this means the lender cannot rely on vague, hidden, or blanket app permissions to justify harvesting your contacts and using them to shame or pressure you. Under NPC Circular No. 20-01, lending and financing companies are personal information controllers and must process borrower data only under lawful criteria, with proper security measures, and with respect for data subject rights.
NPC Circular No. 20-01 specifically prohibits online lending apps from harvesting phone contacts, email lists, or social media contacts for debt collection or harassment. It also requires separate interfaces where borrowers can provide character references or co-makers of their own choosing.
2. Your right to be free from unfair debt collection
The SEC regulates lending companies and financing companies under laws such as the Lending Company Regulation Act of 2007, or RA 9474, and the Financing Company Act, or RA 8556. SEC Memorandum Circular No. 18, Series of 2019 prohibits unfair debt collection practices by financing companies, lending companies, and their third-party service providers. It allows lawful collection, but requires good faith and reasonable conduct.
Examples of prohibited collection practices include:
- threats of violence or other criminal means;
- threats to take action that cannot legally be taken;
- obscenities, insults, or profane language;
- publication or disclosure of borrower names and personal information;
- telling other people loan information known or which should be known to be false, including failure to communicate that a debt is disputed;
- false representation or deceptive means to collect;
- contacting at unreasonable times; and
- contacting persons in the borrower’s contact list other than those named as guarantors or co-makers.
Violations of SEC MC 18 may result in fines, suspension of lending or financing activities, or revocation of authority to operate, depending on the number and gravity of offenses.
3. Your financial consumer rights under RA 11765
The Financial Products and Services Consumer Protection Act, or RA 11765, protects financial consumers, including people dealing with credit and digital financial products. It recognizes the right to fair treatment, disclosure and transparency, data privacy and protection, and timely handling of complaints. It also gives financial regulators, including the SEC, power to enforce consumer protection rules and provide complaint-handling mechanisms. (Supreme Court E-Library)
RA 11765 is useful because online lending abuse is often both a privacy issue and a financial consumer issue. The app may have violated your privacy by misusing contacts, while also violating financial consumer protection rules by using intimidation, deception, or unfair collection methods.
4. Possible civil and criminal liability
Even if the unpaid loan is real, collection must still be lawful. The Civil Code of the Philippines requires every person to act with justice, give everyone their due, and observe honesty and good faith. It also allows damages when someone causes injury contrary to law, morals, good customs, or public policy. (Lawphil)
If the messages include threats, coercion, public shaming, fake accusations, edited photos, or defamatory posts, other laws may become relevant, including the Revised Penal Code on threats, coercions, unjust vexation, and libel, and RA 10175, the Cybercrime Prevention Act of 2012, where unlawful acts are committed through computer systems or similar means. (Lawphil)
Be careful when gathering proof. Under the Anti-Wiretapping Act, or RA 4200, secretly recording a private communication without authorization from all parties can create legal risk. In Ramirez v. Court of Appeals, the Supreme Court treated unauthorized recording of a private conversation as covered by RA 4200, even if done by a participant in the conversation. Keep screenshots, call logs, texts, emails, app screens, and witness statements; avoid secret audio recordings unless all parties consent or lawful authority exists. (Lawphil)
Where to report online lending apps that contact references without consent
Different agencies handle different parts of the problem. In practice, many victims file with more than one office because one incident can involve privacy abuse, unfair collection, and cyber harassment at the same time.
| Problem | Main office to report to | Best for |
|---|---|---|
| App harvested contacts, accessed phone data, used contacts without lawful basis, or refused deletion/removal | National Privacy Commission (NPC) | Data Privacy Act violations |
| Lending or financing company used threats, insults, public shaming, unreasonable calls, or contacted non-guarantor references for collection | SEC Financing and Lending Companies Department / SEC iMessage | Unfair debt collection by SEC-regulated lenders |
| Threats, fake accounts, edited photos, cyber libel, extortion, phishing, identity misuse, or scam activity | PNP Anti-Cybercrime Group, NBI Cybercrime Division, or DICT Cyber Hotline | Cybercrime and digital threats |
| Bank, e-wallet, financing arm of a BSP-supervised institution, or financial service provider under another regulator | Relevant financial regulator, often BSP for BSP-supervised entities | Regulator-specific consumer complaint |
The DICT-NPC-SEC advisory identifies SEC FINLEND and the SEC iMessage portal for unfair debt collection complaints, and also lists the DICT Cyber Hotline, NBI Cybercrime Division, and PNP Anti-Cybercrime Group for harassment, threats, frauds, and scams.
The SEC iMessage portal is the SEC’s online channel for opening a complaint ticket and checking ticket status. (iMessage)
Step-by-step guide: how to report an online lending app
1. Stop further access to your contacts
Before filing, reduce the risk of more harassment:
- Go to your phone settings.
- Open the app permissions page.
- Turn off access to contacts, camera, photos, location, microphone, and storage if they are not necessary.
- Take screenshots of the permissions before and after changing them.
- Do not delete important messages, app screens, loan contracts, or payment records.
- Tell affected references to save screenshots and call logs on their own phones.
The 2026 government advisory reminds borrowers to review app permissions and states that online lending platforms must not request unnecessary permissions unless needed for specified and legitimate purposes.
2. Build an evidence folder
Organize your evidence before filing. A messy complaint is easier to ignore or dismiss; a clear timeline is easier to investigate.
Prepare a folder with:
- screenshots of text messages, Viber, Messenger, WhatsApp, Telegram, email, or in-app messages;
- screenshots showing the sender’s number, username, app name, and date/time;
- call logs showing the collector’s number and call frequency;
- screenshots from affected references showing what they received;
- the loan agreement, disclosure statement, repayment schedule, and collection notices;
- the app’s Google Play, App Store, Facebook, or website page;
- screenshots of app permissions requested;
- proof of payment, if any;
- names of collectors, if they identified themselves;
- the company name, SEC registration number, certificate of authority number, or business name, if visible;
- a one-page timeline of what happened.
For privacy complaints, the NPC emphasizes that complaints should be accompanied by supporting documents and affidavits, and that insufficient evidence can cause outright dismissal. (National Privacy Commission)
3. Identify the real company behind the app
Many online lending apps use trade names that are different from the company’s SEC-registered name. Look for the legal name in:
- the loan agreement;
- disclosure statement;
- privacy notice;
- app “About” page;
- Google Play or App Store developer name;
- text message footer;
- payment account name;
- email domain;
- SEC registration or certificate of authority details.
This matters because complaints need a respondent that can be identified or traced. The NPC’s complaint mechanics state that a case may be dismissed if the parties cannot be identified or traced despite diligent effort. (National Privacy Commission)
4. Send a written demand or notice to the app or company
For an NPC privacy complaint, you generally need to show exhaustion of remedies. This means you informed the respondent in writing about the privacy violation and gave them a chance to address it. The NPC explains that the respondent must have failed to take timely or appropriate action, or failed to respond within 15 calendar days from receipt of the written information. Proof of this must be attached to the complaint. (National Privacy Commission)
Your written notice can be simple:
I am informing you that your app/company contacted my references and/or persons in my contact list regarding my loan without proper authority and used my personal data for debt collection and harassment. I demand that you stop contacting non-guarantor third parties, delete unlawfully obtained contact information, identify the source and purpose of the processing, and confirm the action taken within 15 calendar days.
Send it through any channel you can prove:
- email to customer service or Data Protection Officer;
- in-app support ticket;
- registered mail or courier, if an office address is available;
- official Facebook page or support portal, if no other channel is visible.
Keep screenshots, email headers, delivery receipts, courier proof, or ticket numbers.
5. File a complaint with the National Privacy Commission
File with the NPC when the core issue is misuse of personal data, such as:
- harvesting your phone contact list;
- contacting people you did not name;
- using your photo, ID, or contact list to embarrass you;
- refusing to remove a reference’s personal data;
- using contact information for debt collection outside guarantors;
- accessing camera, gallery, location, or storage beyond what is necessary.
The NPC’s formal complaint page requires a specific complaint format: download the form, print and fill it out, have it notarized, and submit it in person, by courier, or by scanned email to the NPC complaints email. (National Privacy Commission)
Attach:
- completed and notarized complaint form or verified complaint;
- government ID of complainant;
- evidence folder;
- timeline;
- proof that you notified the respondent and waited 15 calendar days, unless there is a legally recognized urgent basis;
- affidavits from references or witnesses, if available;
- screenshots showing the app’s permissions and contact-list access;
- proof of your relationship to the account, such as loan agreement or app profile.
A reference who was contacted can also be a complainant because that person is also a data subject if their personal information was processed. The NPC rules allow data subjects who are the subject of a privacy violation or personal data breach to file a complaint. (National Privacy Commission)
6. File a complaint with the SEC for unfair debt collection
File with the SEC when the lender or collector:
- contacted people other than guarantors or co-makers;
- threatened to post your name, photo, ID, or loan details;
- used insults, profanity, or humiliating language;
- contacted you at unreasonable hours;
- falsely claimed you committed a crime merely because of unpaid debt;
- threatened arrest, barangay blotter, employer reporting, or legal action they cannot actually take;
- disclosed your loan to family, friends, coworkers, or social media groups.
Use the SEC iMessage complaint portal and include the same evidence folder, but frame the complaint as unfair debt collection by a lending company, financing company, or its third-party collector. SEC MC 18 makes the lender responsible for collection practices, including those done through third-party service providers.
7. Report urgent threats, scams, and cyber harassment
If the messages include death threats, edited sexual images, fake social media posts, identity theft, hacking, extortion, phishing links, or threats to harm you or your family, treat it as a cybercrime or safety issue as well.
Prepare:
- screenshots;
- URLs or profile links;
- phone numbers;
- usernames;
- dates and times;
- names of affected people;
- any payment or extortion demands;
- copies of fake posts or edited images.
The 2026 DICT-NPC-SEC advisory lists the DICT Cyber Hotline, NBI Cybercrime Division, and PNP Anti-Cybercrime Group for harassment, threats, frauds, and scams connected with online lending platforms.
8. If you are abroad, handle notarization and documents early
Filipinos overseas and foreigners outside the Philippines can still prepare complaints, but notarization can become the bottleneck. If a complaint, affidavit, or special power of attorney must be used in the Philippines, it may need consular notarization at a Philippine Embassy or Consulate, or apostille/legalization depending on where and how the document is executed. Philippine Embassy guidance commonly requires personal appearance for consular notarization, and notarized documents can be used in the Philippines. (Philippine Embassy)
If someone in the Philippines will file or follow up for you, prepare a Special Power of Attorney with proper notarization or consular acknowledgment, plus copies of IDs and a clear list of authorized acts.
Evidence checklist for a strong complaint
| Evidence | Why it helps |
|---|---|
| Screenshot of the abusive message | Shows the exact words used |
| Screenshot showing date, time, sender number, and platform | Connects the act to a collector or account |
| Screenshot from the reference’s phone | Proves a third party was contacted |
| Loan agreement or disclosure statement | Connects you to the app and company |
| App permission screenshots | Shows access to contacts, camera, gallery, location, or storage |
| Privacy notice or consent screen | Shows whether consent was specific and informed |
| Written notice to the app/company | Required for NPC exhaustion of remedies |
| Proof of no response or inadequate response after 15 calendar days | Supports NPC filing |
| SEC registration/company details | Helps regulators identify the respondent |
| Affidavit of witness/reference | Strengthens credibility, especially if messages were deleted |
Common scenarios
“I clicked agree. Does that mean they can contact everyone?”
No. Consent must be specific and informed. NPC rules also require that processing be suitable, necessary, and not excessive. A broad “I agree” button or forced app permission does not automatically justify harvesting your full contact list or using it for harassment. NPC Circular No. 2022-02 also warns against deceptive design patterns, such as pre-ticked boxes or interfaces that make consent easy but withdrawal difficult.
“My reference was contacted, but they never agreed to be a guarantor.”
A character reference is not the same as a guarantor. A guarantor is someone who expressly agrees to answer for the borrower’s obligation if the borrower fails to pay. NPC Circular No. 2022-02 says the guarantor’s separate consent must be obtained, and that a character reference must not automatically be treated as a guarantor.
“The app contacted my employer. Can I report that?”
Yes, especially if your employer was not a guarantor or co-maker. Contacting an employer to disclose your loan, shame you, threaten your job, or pressure payment can support both an SEC unfair debt collection complaint and an NPC privacy complaint.
“The debt is real. Do I still have rights?”
Yes. A lender may collect a valid debt through lawful means, but it cannot use threats, insults, public shaming, excessive data processing, or unauthorized contact-list disclosure. SEC MC 18 allows reasonable and legally permissible collection, but prohibits abusive and unfair practices.
“Should I file in barangay?”
Barangay proceedings may help for local personal disputes, especially if you know the collector or if a local person is harassing you. But for an online lending app, the more direct offices are usually the NPC for data privacy, SEC for unfair debt collection by lending or financing companies, and PNP/NBI cybercrime units for threats, fake accounts, scams, or online harassment.
“Can my references file their own complaint?”
Yes. If your reference received messages, calls, threats, or disclosures about your loan, that reference may be a separate data subject and victim. Their screenshots and affidavit can also support your complaint.
Typical timelines and bottlenecks
| Step | Practical timing |
|---|---|
| Evidence gathering | Same day to several days |
| Written notice to lender/app | Same day if email or in-app support is available |
| Waiting period for NPC exhaustion of remedies | 15 calendar days from respondent’s receipt of written notice |
| Notarization of NPC complaint or affidavits | Same day locally, longer if abroad |
| SEC online complaint ticket | Usually filed online once documents are ready |
| Cybercrime complaint | Faster if urgent threats, active scam, or ongoing harassment |
| Agency evaluation | Varies depending on completeness of documents, traceability of respondent, and case volume |
The most common bottlenecks are incomplete screenshots, missing respondent details, failure to prove the 15-day written notice for NPC complaints, and lack of evidence from the actual reference who was contacted.
Frequently Asked Questions
Can online lending apps access my contacts in the Philippines?
Only in limited, necessary, and lawful ways. NPC rules prohibit unnecessary permissions and unbridled contact-list processing. Contact-list access may be allowed only for specific legitimate purposes, such as letting you choose character references or guarantors, not for mass collection harassment.
Can an online lending app call my character reference?
It may contact a character reference for identity verification or to verify the truthfulness of information you provided, but not to shame you, collect from them, or treat them as a guarantor without separate consent.
Can a loan app tell my family that I owe money?
Generally, this is risky and may be unlawful if your family members are not guarantors or co-makers and the disclosure is used for debt collection, pressure, or shaming. SEC MC 18 also prohibits disclosure or publication of borrower personal information except in allowed circumstances.
Where do I report online lending app harassment?
Report data misuse to the NPC, unfair collection to the SEC, and threats, fake accounts, cyber libel, scams, or extortion to PNP-ACG, NBI Cybercrime Division, or the DICT Cyber Hotline. The 2026 DICT-NPC-SEC advisory identifies these channels for online lending platform abuses.
Do I need a lawyer to file an NPC or SEC complaint?
A lawyer is not required just to prepare a basic administrative complaint, but your complaint must be organized, evidence-based, and properly signed or notarized when required. For NPC complaints, the complaint form or verified complaint and supporting evidence are important because insufficient form or evidence can lead to dismissal. (National Privacy Commission)
What if the app is not registered with the SEC?
Still report it. An unregistered or unauthorized lending operation may raise additional regulatory concerns. Include screenshots of the app listing, developer name, payment account, website, messages, and any company name used. If the app is also using threats, fake identities, or scams, report to cybercrime authorities as well.
Can I demand deletion of my contacts from the lending app?
Yes. Under NPC rules, character references must be informed how their details were obtained and must be given the option to have their personal data removed as a character reference. Borrowers also have data subject rights under the Data Privacy Act, including rights related to correction, blocking, removal, or destruction of unlawfully obtained or unauthorized data.
Can I record calls from collectors as evidence?
Be very careful. RA 4200 prohibits secret recording of private communications without authorization from all parties, and the Supreme Court’s ruling in Ramirez v. Court of Appeals is commonly cited on this point. Safer evidence includes screenshots, call logs, written messages, emails, app notifications, witness affidavits, and recordings only where all parties consent or lawful authority exists. (Lawphil)
What if the app threatens to file a criminal case because I cannot pay?
Non-payment of a simple loan is generally a civil matter unless there are separate facts showing fraud, falsification, or another crime. Threatening arrest or criminal action that cannot legally be taken may itself be an unfair collection practice under SEC rules.
Key Takeaways
- Online lending apps in the Philippines cannot use your contact list as a weapon for debt collection.
- Character references are not guarantors; a guarantor must separately consent to be bound.
- Contacting people in your phone contacts other than guarantors for debt collection is prohibited.
- File with the NPC for misuse of personal data and contact-list harvesting.
- File with the SEC for unfair debt collection by lending or financing companies.
- Report threats, fake accounts, extortion, edited photos, scams, or cyber harassment to cybercrime authorities.
- Preserve screenshots, call logs, app permissions, loan documents, written notices, and witness affidavits.
- For NPC complaints, prepare proof that you notified the respondent and gave them 15 calendar days to respond, unless an urgent exception applies.
- Do not secretly record private calls without understanding the risks under RA 4200.
- A real unpaid debt does not give collectors permission to harass, shame, threaten, or misuse personal data.