If an online lending app has accessed your phone contacts and started calling, texting, shaming, or threatening your family, friends, co-workers, employer, or customers, you are not just dealing with an “utang” problem. In the Philippines, this can involve unfair debt collection, data privacy violations, and, in serious cases, cybercrime or criminal harassment. This article explains what is prohibited, which government agency to report to, what evidence to prepare, and how to file complaints with the SEC, National Privacy Commission, PNP, NBI, DICT, or BSP depending on the facts.
What Counts as Online Lending App Harassment Using Contact Lists?
Online lending app harassment usually happens when a lender or collector uses personal data from your phone, especially your contact list, to pressure you into paying.
Common examples include:
- Calling or texting your relatives, friends, co-workers, boss, customers, churchmates, or neighbors about your loan
- Sending messages like “scammer,” “magnanakaw,” “estafador,” “wanted,” or “hindi nagbabayad ng utang”
- Threatening to post your face, valid ID, loan details, or chat history online
- Creating group chats with your contacts to shame you
- Sending fake police, court, barangay, or NBI threats
- Telling your employer that you committed fraud
- Contacting people who were only character references, not guarantors
- Using different numbers every few minutes to intimidate you
- Calling before 6:00 a.m. or after 10:00 p.m. in circumstances prohibited by SEC rules
- Demanding payment from your contacts even if they never agreed to guarantee your loan
The important legal point is this: having a debt does not give a lender the right to humiliate you, threaten you, or misuse your personal data.
A 2026 public advisory issued by the DICT, National Privacy Commission, and Securities and Exchange Commission specifically addressed reports of online lending platforms engaging in harassment, intimidation, public shaming, and unlawful use of personal data. It states that unnecessary app permissions, excessive access to borrowers’ contact lists, and contacting persons in the borrower’s contact list other than guarantors are prohibited.
Character Reference vs. Guarantor: Why This Difference Matters
Many borrowers are confused because lending apps often ask for “references.” A reference is not automatically a guarantor.
| Person | What They Usually Mean | Can They Be Contacted for Collection? |
|---|---|---|
| Character reference | Someone who may confirm your identity or contact details | Generally, no. They are not automatically responsible for your loan. |
| Guarantor | Someone who expressly agrees to answer for the loan if you default | They may be contacted about the loan obligation, but only if they gave proper consent. |
| Random contact from your phonebook | Someone stored in your phone | No. They should not be contacted for collection. |
The DICT-NPC-SEC advisory says online lending platforms must have separate interfaces for character references and guarantors, and a person must give consent to be considered a guarantor.
This is crucial in real life. If the app messaged your mother, officemate, client, or former classmate simply because their number was saved on your phone, that is very different from contacting a person who knowingly signed or consented as a guarantor.
Legal Basis: Your Rights Under Philippine Law
Data Privacy Act of 2012, RA 10173
The main privacy law is the Data Privacy Act of 2012, or Republic Act No. 10173. It protects personal information and requires organizations to process data according to the principles of transparency, legitimate purpose, and proportionality. In simple terms, a lending app must be clear about what data it collects, collect it for a lawful purpose, and collect only what is necessary. (National Privacy Commission)
For online lending harassment, the most relevant rights include:
- The right to be informed how your personal data will be used
- The right to object to unlawful or excessive processing
- The right to access information about how your data was processed
- The right to request blocking, removal, or destruction of unlawfully obtained or misused data
- The right to damages for unauthorized or improper use of personal data
Unauthorized processing of personal information, processing for unauthorized purposes, and unauthorized disclosure may lead to administrative, civil, or criminal consequences under the Data Privacy Act. (National Privacy Commission)
NPC Circular No. 20-01 and NPC Circular No. 2022-02 on Loan-Related Transactions
The National Privacy Commission issued special rules for loan-related transactions because of repeated complaints against online lenders. NPC Circular No. 20-01, later amended by NPC Circular No. 2022-02, restricts how lending and financing companies may process personal data in loan applications, credit scoring, collection, and account closure.
Under these rules and the later 2026 advisory:
- Online lending apps must not require unnecessary permissions.
- Access to contact lists must not be excessive or disproportionate.
- Contact lists must not be used for harassment or debt collection outside proper guarantors.
- Apps must allow borrowers to provide character references or guarantors through a separate interface.
- Guarantors must separately consent to being treated as guarantors.
- Personal data must be kept only as long as necessary, then securely disposed of. (National Privacy Commission)
The NPC has already handled cases involving lending apps that required access to contacts or failed to provide a separate way to input references. In the Cashalo case, the NPC decision discussed an app process where access to phone, messaging, contacts, location, and external data was requested, and the loan application could not proceed without contact-related permissions. In the Pesopop case, the NPC found that requiring access to a user’s entire phone contact list and failing to provide a separate interface for character references violated the Loan-Related Transactions Circular and the Data Privacy Act’s proportionality principle.
SEC Memorandum Circular No. 18, Series of 2019: Unfair Debt Collection Practices
The Securities and Exchange Commission regulates lending companies and financing companies under RA 9474, the Lending Company Regulation Act of 2007, and RA 8556, the Financing Company Act of 1998. RA 9474 requires lending companies to have authority from the SEC before conducting lending business. (Lawphil)
SEC Memorandum Circular No. 18, Series of 2019 prohibits unfair debt collection practices by lending companies, financing companies, and their third-party service providers. It covers abusive conduct often seen in online lending cases, including:
- Use or threat of violence or other criminal means to harm a person, reputation, or property
- Threats to take action that cannot legally be taken
- Use of obscenities, insults, or profane language
- Disclosure or publication of names and personal information of borrowers who allegedly refuse to pay
- Communicating false or misleading loan information to other persons
- False representations or deceptive means to collect a debt
- Contacting borrowers at unreasonable or inconvenient times
- Contacting persons in the borrower’s contact list other than those named as guarantors or co-makers
The circular also states that lending and financing companies remain responsible for the collection activities of outsourced collectors or third-party service providers. This matters because many apps blame “collection partners,” “agents,” or “outsourced collectors.” Under SEC rules, that explanation does not automatically excuse the lending company.
Possible SEC penalties include fines, suspension of lending or financing activities, revocation of authority to operate, and other penalties depending on the facts and repeat violations.
Financial Products and Services Consumer Protection Act, RA 11765
Republic Act No. 11765, the Financial Products and Services Consumer Protection Act, applies to financial products and services, including credit and digital financial products. It gives financial regulators such as the SEC and BSP authority over financial service providers under their jurisdiction. It also allows enforcement actions such as fines, suspension, penalties, and cease-and-desist orders in appropriate cases. (Supreme Court E-Library)
This law strengthens the argument that borrowers are not powerless consumers. A lender’s right to collect must still follow fair market conduct, consumer protection rules, privacy rules, and lawful collection procedures.
Revised Penal Code and Cybercrime Law
Some harassment may also amount to a criminal offense, depending on the exact words, acts, and evidence.
Possible legal issues include:
- Grave threats under Article 282 of the Revised Penal Code, if there is a threat to inflict a wrong amounting to a crime
- Light threats under Article 283 or Article 285, depending on the nature of the threat
- Grave coercions under Article 286, if threats, violence, or intimidation are used to compel a person to do something against their will
- Unjust vexation under Article 287, for acts that unjustly annoy, irritate, or disturb another person
- Cyber libel under RA 10175, if defamatory statements are published through a computer system, such as social media posts, group chats, or online messages accusing you of a crime, vice, or dishonorable conduct (Lawphil)
The exact charge is assessed by law enforcement or the prosecutor. What matters at the reporting stage is that you preserve the evidence clearly.
Civil Code Remedies for Privacy, Dignity, and Damages
Even if a collector’s conduct does not result in a criminal conviction, it may still create civil liability.
Article 26 of the Civil Code says every person must respect the dignity, personality, privacy, and peace of mind of others. It allows actions for damages and other relief for acts such as disturbing private life or family relations, intriguing to alienate a person from friends, or vexing and humiliating another. (Lawphil)
Moral damages may also be recoverable in cases involving defamation, acts under Article 26, and similar wrongful acts under Article 2219 of the Civil Code. (Law Library - Legal Resource PH)
Which Government Agency Should You Report To?
Different agencies handle different parts of the problem. In many serious cases, you may need to report to more than one.
| Problem | Where to Report | Main Purpose |
|---|---|---|
| Abusive collection, threats, contacting non-guarantor contacts, unfair debt collection | SEC Financing and Lending Companies Department / SEC iMessage | Administrative action against lending or financing company |
| Harvesting contacts, excessive app permissions, unauthorized use or disclosure of personal data | National Privacy Commission | Data privacy complaint, orders, fines, possible referral for prosecution |
| Threats, extortion, fraud, fake police/court threats, online shaming, cyber libel | PNP Anti-Cybercrime Group, NBI Cybercrime Division, DICT Cyber Hotline | Criminal investigation and cybercrime reporting |
| Lender is a bank, digital bank, e-wallet, or BSP-supervised financial institution | BSP Consumer Assistance Mechanism | Financial consumer complaint against BSP-supervised entity |
| Actual criminal case | Office of the City or Provincial Prosecutor | Preliminary investigation and possible filing in court |
| Immediate safety concern in your community | Police station or barangay blotter | Incident record and immediate local assistance |
The 2026 DICT-NPC-SEC advisory identifies the SEC iMessage portal for unfair debt collection practices and lists DICT, NBI Cybercrime Division, and PNP Anti-Cybercrime Group channels for harassment, threats, frauds, and scams.
Step-by-Step Guide: How to Report an Online Lending App for Contact List Harassment
1. Preserve Evidence Before Blocking, Deleting, or Uninstalling
Do not rely on memory. Complaints are stronger when supported by screenshots, recordings, documents, and witness statements.
Save the following:
- Screenshots of all messages from collectors
- Screenshots sent to your relatives, friends, employer, or co-workers
- Caller numbers, call logs, dates, and times
- Voice recordings, if lawfully obtained by a party to the conversation
- Screenshots of group chats created by collectors
- The app name, icon, Google Play or App Store page, and developer name
- The loan agreement, disclosure statement, promissory note, or terms and conditions
- The privacy notice and consent screen of the app
- App permission screens showing access to contacts, camera, SMS, storage, location, or microphone
- Proof of payments, repayment schedule, and outstanding balance
- Names of collectors, if they identify themselves
- Payment account names, e-wallet numbers, bank accounts, or QR codes used by the lender
- Any fake legal documents, warrants, subpoenas, barangay notices, or police threats
For disappearing messages, take a screen recording showing the message thread, sender details, date, and time. Ask affected contacts to send you their screenshots with a short written statement describing what they received and when.
2. Identify the Real Company Behind the App
The app name is often different from the corporate name. A complaint is easier to act on when you identify the actual company.
Look for:
- Corporate name in the loan agreement
- SEC registration number
- Certificate of Authority number
- Privacy policy company name
- Data Protection Officer contact details
- Developer name on the app store
- Email domain used by the app
- Name appearing in GCash, Maya, bank transfer, or payment portal
- Collection agency name, if any
If the lender claims to be a lending company, it should generally be incorporated and authorized under SEC rules. RA 9474 and its IRR require a Certificate of Authority from the SEC for lending companies. (Lawphil)
3. Send a Written Privacy and Collection Complaint to the Lender
For a National Privacy Commission complaint, the NPC generally requires exhaustion of remedies. This means you should first inform the respondent in writing about the privacy violation or personal data breach and give them a chance to act. If they do not take timely or appropriate action, or if there is no response within 15 calendar days from receipt, proof of this written notice must be attached to the NPC complaint. (National Privacy Commission)
A short written complaint may say:
I am formally demanding that you stop processing my contact list and stop contacting persons who are not my guarantors or co-makers. Your collectors have contacted my relatives, friends, and co-workers regarding my loan and have sent humiliating and threatening messages. Please preserve all records, identify your Data Protection Officer, provide the lawful basis for accessing my contacts, delete unlawfully collected contact data, and confirm what action you have taken within the period required by NPC rules.
Send it through channels you can prove:
- Email to customer service or the Data Protection Officer
- In-app complaint ticket
- Official website complaint form
- Registered mail or courier, if you have the office address
Keep screenshots, sent email copies, delivery receipts, and ticket numbers.
If there are ongoing threats, extortion, or public shaming, you do not have to wait before making an initial report to the SEC, PNP, NBI, or DICT. The 15-day exhaustion issue is specifically important for the NPC’s formal complaint process.
4. File a Complaint with the SEC for Unfair Debt Collection
For unfair debt collection by lending or financing companies, file through the SEC iMessage portal. The SEC describes iMessage as its official web-based platform for public inquiries, complaints, incidents, and requests, with electronic ticketing. (Securities and Exchange Commission)
Prepare a concise complaint with:
- Your full name and contact details
- App name and corporate name, if known
- Loan account number, if any
- Date you borrowed and amount released
- Amount demanded by the app
- Description of harassment
- Names or numbers of collectors
- List of contacts who were messaged or called
- Screenshots and call logs
- Privacy/data issue, if the app accessed your contacts
- Specific request: investigation for violation of SEC MC No. 18, Series of 2019
Focus on facts, not insults. Instead of saying “scammer sila,” write:
On 12 May 2026 at 8:43 p.m., collector number 09xx sent my office supervisor a message saying I was a criminal and that my salary should be withheld. My supervisor was not a guarantor, co-maker, or party to the loan. Attached are screenshots from my supervisor and the collector’s messages to me.
5. File a Complaint with the National Privacy Commission
File with the NPC when the main issue is misuse of personal data, such as harvesting your contact list, sending messages to contacts, accessing unnecessary app permissions, or disclosing your loan details to third parties.
The NPC complaint mechanics require a filled-out and notarized complaint-assisted form or a verified complaint, copies of evidence, and witness affidavits. Filing may be done personally, by registered mail, by courier, or by electronic mail as authorized by the Commission. Electronic documents should be digitally signed and in PDF format where practicable. (National Privacy Commission)
For an NPC complaint, prepare:
- Notarized complaint-assisted form or verified complaint
- Valid government ID
- Proof you notified the lender in writing
- Proof of no response or inadequate response after 15 calendar days
- Screenshots of app permissions and privacy notice
- Screenshots showing contacts were messaged
- Affidavits or written statements from affected contacts
- Loan documents and app screenshots
- Any demand for deletion or blocking of unlawfully processed data
The NPC may evaluate whether the complaint involves a Data Privacy Act violation or personal data breach. If a complaint is upheld, the records may be brought for enforcement of civil damages, fines, administrative sanctions, or referral to the Department of Justice for possible prosecution. (National Privacy Commission)
6. Report Threats, Extortion, Fraud, or Public Shaming to Cybercrime Authorities
If collectors threaten harm, use fake law enforcement identities, extort money, post defamatory accusations online, or circulate your photo and loan details, report to cybercrime authorities.
The 2026 advisory lists the following reporting channels for harassment, threats, fraud, and scams:
- DICT Cyber Hotline: 1326@dict.gov.ph
- NBI Cybercrime Division: ccd@nbi.gov.ph
- PNP Anti-Cybercrime Group: acg@pnp.gov.ph and onlinecims.ocs@gmail.com
For criminal complaints, expect that law enforcement may ask you to appear personally or submit a sworn complaint-affidavit. Bring printed screenshots, digital copies, valid ID, and contact details of witnesses.
7. Use BSP Channels Only if the Entity Is BSP-Supervised
Some borrowers report everything to the BSP, but most standalone lending apps and lending companies are under SEC, not BSP. Use BSP if the entity is a bank, digital bank, e-money issuer, remittance company, pawnshop, or other BSP-supervised financial institution.
The BSP says unresolved complaints against BSP-supervised institutions may be filed through BSP Online Buddy or by submitting a Complaints, Inquiries and Requests form, with supporting documents and proof of the complaint first filed with the institution. (Bangko Sentral ng Pilipinas)
8. Consider a Prosecutor’s Complaint for Serious Cases
If the conduct is severe, such as repeated threats, cyber libel, extortion, identity misuse, or fake criminal accusations, a criminal complaint may be filed with the Office of the City or Provincial Prosecutor.
A prosecutor’s complaint usually needs:
- Complaint-affidavit
- Affidavits of witnesses
- Screenshots and printouts
- Certification or explanation of how screenshots were obtained
- Valid IDs
- Evidence linking the collector or company to the messages
- Police or NBI cybercrime report, if available
The prosecutor, not the complainant, determines whether there is probable cause for a criminal case.
Documents and Evidence Checklist
| Requirement | SEC Complaint | NPC Complaint | PNP/NBI/DICT Report | Prosecutor Complaint |
|---|---|---|---|---|
| Valid ID | Useful | Required | Required | Required |
| App name and corporate name | Required | Required | Required | Required |
| Loan agreement or disclosure | Required | Useful | Useful | Useful |
| Screenshots of harassment | Required | Required | Required | Required |
| Screenshots sent to contacts | Required | Required | Required | Required |
| Call logs and numbers | Required | Useful | Required | Required |
| App permission screenshots | Useful | Required | Useful | Useful |
| Privacy notice/consent screen | Useful | Required | Useful | Useful |
| Written notice to lender | Useful | Required for NPC exhaustion | Useful | Useful |
| Witness affidavits from contacts | Useful | Strongly useful | Useful | Often required |
| Notarized complaint | Usually not for initial ticket | Required for formal NPC complaint | Sometimes later | Required |
| SPA for representative | If representative files | If representative files | If representative files | If representative files |
For OFWs and foreigners abroad, a representative in the Philippines may need a Special Power of Attorney. If the affidavit or SPA is executed abroad for use in the Philippines, it may need consular notarization or an apostille depending on where it is executed and the type of document. Philippine government apostille guidance distinguishes Philippine documents for use abroad from foreign documents for use in the Philippines. (Apostille.gov.ph)
Practical Timelines and Bottlenecks
| Step | Usual Practical Timing | Common Bottleneck |
|---|---|---|
| Evidence gathering | Same day to several days | Borrower deletes app or blocks numbers before saving proof |
| Written notice to lender for NPC exhaustion | Day 1 | No clear DPO or official email |
| Waiting period for NPC exhaustion | 15 calendar days from receipt | No proof that lender received the complaint |
| SEC iMessage complaint | Can be filed once evidence is ready | Wrong app/company name or incomplete screenshots |
| NPC formal complaint | After documents and notarization are ready | Missing notarization, affidavits, or proof of prior written notice |
| PNP/NBI cybercrime report | Immediate for serious threats | Need for personal appearance or sworn statement |
| Prosecutor complaint | After affidavits and evidence are ready | Difficulty identifying individual collectors |
The biggest practical problem is usually identity. Collectors often use prepaid SIMs, fake names, or rotating numbers. That is why you should connect the messages to the app through timing, content, payment demands, account numbers, app screenshots, and identical wording used in collection notices.
Common Mistakes That Weaken Complaints
Deleting the App Too Early
Uninstalling the app may remove useful evidence, such as permissions, loan terms, notices, repayment records, and chat logs. Capture everything first.
Reporting Only on Social Media
Posting about the app on Facebook may warn others, but it is not the same as filing a complaint with the SEC, NPC, PNP, NBI, DICT, or BSP. A formal complaint needs evidence, dates, names, screenshots, and a clear request for action.
Focusing Only on “High Interest”
High interest, hidden fees, and unfair terms are important, but contact-list harassment should be framed separately as unfair debt collection and unlawful personal data processing. Mention both issues if both happened.
Assuming Consent Makes Everything Legal
Many apps argue that the borrower “consented” to access contacts. Consent is not a magic shield. Under Philippine data privacy law, processing must still be transparent, legitimate, and proportionate. Excessive contact-list harvesting or use of contacts for harassment can still violate the law. (National Privacy Commission)
Treating a Reference as a Guarantor
A person who was merely listed as a character reference is not automatically liable for the loan. A guarantor must give separate consent to assume responsibility.
Sending Screenshots Without Context
A folder of random screenshots is harder to evaluate. Add a short chronology:
- Date of loan
- Date due
- First collection message
- First contact-list harassment
- Names of affected contacts
- Threats or defamatory statements
- Written complaint to lender
- Response or no response
Paying Under Threat Without Receipts
Some borrowers pay “extension fees” or “settlement amounts” under pressure, only to be harassed again. Keep proof of every payment, including recipient name, number, reference number, and screenshot of confirmation.
Can You Still Be Collected From If You Report the App?
Yes. Reporting harassment does not automatically erase a valid debt. A lender may still use lawful means to collect what is legally due.
But lawful collection means they must not:
- Shame you publicly
- Threaten illegal action
- Pretend to be police, court, NBI, or barangay officials
- Contact random people from your phonebook
- Publish your personal information
- Use abusive language
- Misrepresent the debt
- Use excessive or unauthorized personal data
The legal goal is not to avoid legitimate obligations. It is to stop unlawful collection behavior and misuse of personal information.
Frequently Asked Questions
Can online lending apps contact my contacts in the Philippines?
Generally, they should not contact persons in your phone contact list for debt collection unless those persons are proper guarantors or co-makers. The 2026 DICT-NPC-SEC advisory states that contacting persons on the borrower’s contact list other than guarantors is prohibited.
What if I clicked “Allow Contacts” when installing the app?
Giving app permission does not automatically make all use of your contacts lawful. Processing must still follow the Data Privacy Act principles of transparency, legitimate purpose, and proportionality. Excessive access, harassment, or debt collection through non-guarantor contacts may still be unlawful. (National Privacy Commission)
Can a lending app message my employer?
A lender should not message your employer to shame you, disclose your loan, threaten your employment, or force payment unless there is a specific lawful basis. If your employer is not a guarantor or co-maker, this may support a complaint for unfair debt collection and data privacy violation.
Where is the best place to report online lending harassment?
Report unfair debt collection to the SEC, privacy violations to the National Privacy Commission, and threats, fraud, extortion, or cyber libel to PNP-ACG, NBI Cybercrime Division, or DICT Cyber Hotline. If the lender is BSP-supervised, use BSP consumer assistance channels.
Do I need a lawyer to file a complaint against an online lending app?
For initial reports to the SEC, NPC, PNP, NBI, DICT, or BSP, many complainants file on their own if they have organized evidence. For prosecutor complaints, civil damages claims, or complex cases involving many victims, sworn affidavits, company tracing, or court filings may require more careful legal preparation.
Can my relatives or friends file their own complaint?
Yes, especially if their own personal data was used, they received harassment messages, or their privacy was violated. Under NPC rules, data subjects affected by a privacy violation may file complaints, and representatives may also file if properly authorized. (National Privacy Commission)
What if the app is not registered with the SEC?
Include that in your SEC complaint. Operating as a lending company without proper authority may be a separate regulatory issue. Provide the app name, developer name, payment channels, screenshots, and any company name used in the loan documents.
Can I sue the lending app for damages?
Possible remedies may include civil damages under the Civil Code, privacy-related relief under the Data Privacy Act, and the civil aspect of a criminal case if a crime is charged. Article 26 of the Civil Code protects dignity, privacy, and peace of mind, while Article 2219 allows moral damages in defamation and certain analogous cases. (Lawphil)
Is a barangay blotter enough?
A barangay blotter may help document an incident, especially if there is a local safety concern, but it is usually not enough for online lending app harassment. The more relevant agencies are usually the SEC, NPC, PNP-ACG, NBI Cybercrime Division, DICT, BSP, or the prosecutor’s office, depending on the facts.
What should I do if collectors keep using new numbers?
Keep recording each number, date, time, and message. Do not argue emotionally. Reply once, if needed, that they must stop contacting non-guarantors and communicate only through lawful channels. Then preserve the messages and update your complaint with the new evidence.
Key Takeaways
- Online lending apps cannot use your debt as an excuse to harass, shame, threaten, or misuse your contact list.
- Contacting people from your phonebook who are not guarantors or co-makers may violate SEC debt collection rules and Philippine data privacy regulations.
- File with the SEC for unfair debt collection, the NPC for data privacy violations, and PNP/NBI/DICT for threats, fraud, extortion, or cybercrime.
- For NPC complaints, prepare proof that you first notified the lender in writing and waited 15 calendar days, unless the issue is being reported elsewhere for urgent threats or criminal conduct.
- Strong complaints are built on organized evidence: screenshots, call logs, app permissions, loan documents, witness statements, and a clear timeline.
- A valid loan may still be collected, but only through lawful, fair, and privacy-compliant methods.