How to Report Online Lending Harassment to the SEC and NPC

A Philippine Legal Guide

Online lending harassment has become one of the most complained-of consumer abuses in the Philippines. Borrowers do not only deal with collection pressure; many also face public shaming, threats, repeated calls, messages to relatives or co-workers, unauthorized use of contact lists, and disclosure of personal information. In Philippine law, these acts may trigger issues under securities and lending regulation, data privacy law, cybercrime law, consumer protection, and even criminal law.

This article focuses on two major government channels often relevant in these cases: the Securities and Exchange Commission (SEC) and the National Privacy Commission (NPC). In practical terms, the SEC is usually the agency to approach when the problem involves an online lending app or lending company’s abusive collection conduct or questionable authority to operate, while the NPC is usually the agency to approach when the harassment involves misuse of personal data, unauthorized access to contacts, disclosure of debt status to third parties, or invasive data processing.

Because online lending harassment often involves overlapping violations, many victims may have grounds to report to both the SEC and the NPC at the same time.

I. What counts as online lending harassment

In the Philippine setting, online lending harassment commonly includes:

  • repeated calls or texts meant to intimidate rather than legitimately collect;
  • threats of arrest, imprisonment, violence, or humiliation;
  • profanity, insults, or degrading language;
  • contacting relatives, employers, co-workers, or friends to embarrass the borrower;
  • posting the borrower’s photo or debt status online;
  • sending messages that label the borrower a scammer or criminal;
  • use of the borrower’s phone contacts without lawful basis;
  • mass messaging of third parties about the borrower’s loan;
  • unauthorized collection of photos, IDs, location data, contact lists, or device information;
  • use of fake legal threats, fake court forms, or false claims of criminal liability.

Not every collection effort is illegal. A lender may lawfully remind a borrower of a debt and seek payment through lawful means. The problem begins when collection becomes deceptive, abusive, coercive, humiliating, or privacy-invasive.

II. Why the SEC matters in online lending cases

In the Philippines, many online lenders operate through a lending company or financing company. These entities are commonly regulated by the SEC. The SEC’s role is important for at least three reasons.

First, the SEC can determine whether the entity is properly registered and authorized to operate as a lending or financing company.

Second, the SEC has issued rules against unfair debt collection practices. In Philippine practice, borrowers often invoke these rules when a lender or its agents use threats, insults, public shaming, coercion, or false representations during collection.

Third, the SEC can receive complaints and take regulatory action, which may include investigation, sanctions, suspension, or revocation of authority depending on the violation and the evidence.

Typical SEC-related issues in online lending harassment

A complaint to the SEC may be appropriate when:

  • the lender is using abusive or unfair collection tactics;
  • the app appears to be tied to an unregistered or unauthorized lender;
  • the company or its collectors use false legal threats;
  • the lender harasses the borrower through excessive communications;
  • the company misrepresents the consequences of nonpayment;
  • the app’s collection methods appear systematically unlawful.

Conduct often associated with unfair debt collection

In Philippine legal discussion, the following are often treated as red flags:

  • threats of criminal prosecution merely for inability to pay;
  • threats of imprisonment for ordinary debt;
  • use of obscene, insulting, or defamatory language;
  • disclosure of the borrower’s debt to unrelated third persons;
  • contacting third parties to shame the borrower;
  • pretending to be a lawyer, court officer, police officer, or government agent;
  • use of false urgency or fabricated legal documents;
  • collection at unreasonable hours or with unreasonable frequency.

As a rule, failure to pay a debt is not, by itself, a criminal offense. A collector who tells a borrower that nonpayment automatically leads to arrest is often using pressure that should be examined very carefully.

III. Why the NPC matters in online lending cases

The NPC is the principal agency for the enforcement of the Data Privacy Act of 2012. It becomes central when the harassment involves personal data.

Online lending harassment often depends on data misuse. Many complaints arise from apps that allegedly accessed phonebooks, photos, messages, or other device data, then used that information to pressure the borrower. Even when a borrower clicked “allow,” that does not automatically make all downstream uses lawful. Consent under Philippine data privacy law is not a blanket excuse for any form of intimidation or disclosure.

Typical NPC-related issues

A complaint to the NPC may be appropriate when:

  • the app accessed the borrower’s contacts and messaged them about the debt;
  • the borrower’s data was processed beyond what was necessary for the loan;
  • the app used personal data for public shaming or harassment;
  • the company disclosed debt information to relatives, co-workers, or friends;
  • the app collected excessive data without proper transparency;
  • the privacy notice was unclear, deceptive, or absent;
  • the borrower’s account information or identification documents were exposed;
  • the company refused to answer a legitimate data privacy complaint.

Data privacy principles commonly implicated

In this setting, the main issues usually involve:

  • transparency: Was the borrower clearly informed what data would be collected and why?
  • legitimate purpose: Was the data used only for lawful and declared purposes?
  • proportionality: Was the scope of data collection and use excessive relative to a small consumer loan?
  • lawful processing: Was there a valid legal basis for collecting and using the data?
  • data subject rights: Was the borrower able to access, correct, object to, or complain about misuse of data?

A lender’s business interest in collection does not automatically permit it to expose a borrower to third parties or weaponize personal data.

IV. Common fact patterns: when to report to the SEC, the NPC, or both

A. Report primarily to the SEC

This is often the best first route when the problem is mainly:

  • abusive collection language;
  • threats and intimidation;
  • false legal claims;
  • harassment by collectors;
  • suspicious registration or authority to operate;
  • repeated coercive collection practices.

B. Report primarily to the NPC

This is often the best first route when the problem is mainly:

  • unauthorized access to contacts;
  • texting relatives, friends, or co-workers;
  • disclosure of debt status to third parties;
  • publication of photos or personal details;
  • excessive data collection by the app;
  • privacy notice defects;
  • unlawful data sharing.

C. Report to both

Many of the strongest complaints involve both:

  • the lender used contact-list data without proper basis; and
  • the lender used that data to harass, shame, or coerce payment.

That creates a strong reason to file parallel complaints: one focused on collection misconduct before the SEC, and another focused on personal data misuse before the NPC.

V. Before filing: build your evidence properly

A strong complaint depends heavily on documentation. The victim should preserve evidence as early as possible.

Core evidence to gather

  1. Screenshots of the app Capture the app name, loan account, payment demand, permissions requested, and any relevant pop-ups or privacy notices.

  2. Screenshots of text messages and chat messages Preserve the full thread, including dates, times, phone numbers, usernames, and abusive language.

  3. Call logs Save records of repeated calls, including frequency and time of day.

  4. Recordings, if lawfully obtained Keep voice recordings if available and lawful in the circumstances.

  5. Messages sent to third parties Ask relatives, friends, co-workers, or employers to send you screenshots of what they received.

  6. Social media posts Save screenshots and links if the borrower was publicly shamed online.

  7. Loan documents Preserve the loan agreement, disclosure statement, promissory note, terms and conditions, and privacy notice.

  8. Proof of payment Collect receipts, bank transfers, e-wallet records, and screenshots showing what was already paid.

  9. App permissions Capture what device permissions were requested or granted, such as contacts, camera, storage, location, or microphone.

  10. Identity of the company Save the company name, app developer name, website, email addresses, phone numbers, and any stated SEC registration details.

Preserve evidence in a usable form

It is not enough to keep scattered screenshots. Organize them by folder and label them by category:

  • calls;
  • texts;
  • third-party messages;
  • app screenshots;
  • payment proofs;
  • loan documents;
  • public posts.

Prepare a short chronology with dates. Agencies understand a complaint more quickly when the facts are arranged in sequence.

VI. How to identify the lender before reporting

A practical challenge in online lending cases is that the app name and the legal company name may differ. Before filing, the borrower should try to identify:

  • the exact app name;
  • the stated lender or operator;
  • any SEC registration details shown in the app or website;
  • the privacy policy or terms page;
  • any customer service email or address.

This matters because the SEC and NPC will need a respondent that can be identified. Even if the identity is incomplete, file with all available details. Attach screenshots showing the names, logos, links, and app-store listing information.

VII. How to write a complaint to the SEC

A complaint to the SEC should read like a regulatory report, not just an emotional narrative. The goal is to show that the company engaged in unfair debt collection or is operating in a questionable manner as a lending or financing entity.

Suggested structure of an SEC complaint

1. Caption or subject line Complaint against [company/app name] for online lending harassment and unfair debt collection practices.

2. Complainant details State your full name, address, mobile number, and email address.

3. Respondent details State the company name, app name, website, phone numbers, email addresses, and any known office address or SEC registration information.

4. Facts Present the events chronologically:

  • when you applied for the loan;
  • how much you borrowed;
  • due date and payments made;
  • when the harassment started;
  • what threats or abusive acts occurred;
  • whether third parties were contacted;
  • how often and by whom.

5. Regulatory violations alleged State that the collection conduct appears to constitute unfair debt collection practices and abusive or misleading collection behavior. If uncertain of the exact legal labels, describe the acts clearly rather than guessing.

6. Harm suffered State the effects:

  • reputational harm;
  • embarrassment at work;
  • anxiety or distress;
  • disruption of family life;
  • invasion of privacy;
  • interference with employment.

7. Attachments List the supporting documents and screenshots.

8. Prayer or request Ask the SEC to:

  • investigate the lender/app;
  • determine whether it is duly registered and authorized;
  • determine whether its collection practices violate SEC rules;
  • impose proper sanctions and order compliance as allowed by law.

Sample SEC complaint language

A borrower may write in substance:

I am filing this complaint against [company/app name] for unfair and abusive online lending collection practices. After obtaining a loan through its mobile application, I began receiving repeated calls and messages containing threats, insults, and coercive statements. The company or its agents also contacted third persons and disclosed my alleged debt, causing embarrassment and distress. I respectfully request an investigation into its authority to operate and its compliance with laws and regulations governing lending and debt collection.

The complaint does not need ornate legal language. Facts and supporting evidence matter more than style.

VIII. How to write a complaint to the NPC

An NPC complaint should focus on data processing, not merely collection pressure. The central question is how the lender obtained, used, shared, or disclosed personal data.

Suggested structure of an NPC complaint

1. Subject line Privacy complaint against [company/app name] for unauthorized processing and disclosure of personal data.

2. Complainant details State your identity and contact information.

3. Respondent details Identify the app, company, developer, website, email, and other known information.

4. Description of data involved Specify what data was involved:

  • contact list;
  • names of relatives or co-workers;
  • mobile number;
  • photos;
  • IDs;
  • debt status;
  • messages sent to third persons.

5. Facts State:

  • when the app was installed;
  • what permissions it requested;
  • what personal data it accessed;
  • how the company used the data;
  • when third parties were contacted;
  • what disclosures were made.

6. Data privacy issues Allege, based on facts, that the respondent processed and disclosed personal data without lawful basis, beyond legitimate purpose, and in a manner inconsistent with transparency and proportionality.

7. Harm State reputational damage, anxiety, workplace issues, and invasion of privacy.

8. Relief requested Ask the NPC to:

  • investigate the unlawful processing and disclosure of personal data;
  • order the respondent to stop contacting third parties or misusing data;
  • require compliance with the Data Privacy Act and related rules;
  • take appropriate enforcement action.

Sample NPC complaint language

I respectfully file this privacy complaint against [company/app name] for unauthorized processing and disclosure of my personal data. After I used the lending application, the respondent accessed or used my contacts and sent messages to third persons about my alleged debt. This disclosure was used to shame and pressure me. I believe the respondent processed my personal data beyond lawful, transparent, and proportionate purposes, in violation of my rights as a data subject.

Again, clarity is more important than sounding like a lawyer.

IX. What facts are especially persuasive to the SEC and NPC

Certain facts tend to strengthen complaints significantly.

For the SEC

  • screenshots showing direct threats or insults;
  • fake legal warnings or false claims of arrest;
  • evidence of repeated calls at unreasonable times;
  • proof that collectors contacted unrelated third parties;
  • proof that the app or lender misrepresented itself;
  • proof that the borrower already made payment but harassment continued.

For the NPC

  • screenshots showing third-party recipients received messages about the debt;
  • evidence that contacts were accessed from the phone;
  • app permission records;
  • privacy policy inconsistencies;
  • evidence that the data used was excessive or unrelated to loan servicing;
  • screenshots of public shaming posts or circulated images.

X. Should you complain to the company first

As a practical matter, it is often helpful to send the lender a short written demand or complaint before or at the same time as filing with regulators. This can help show that:

  • the borrower objected to the conduct;
  • the company was informed of the abusive acts;
  • the company had a chance to stop but did not;
  • the borrower asserted data privacy rights.

A concise written notice may state:

  • stop contacting third parties;
  • stop using abusive collection methods;
  • remove any public posts;
  • delete or restrict improperly used personal data;
  • communicate only through lawful channels.

This is not always required before regulatory reporting, but it often improves the record.

XI. Can the borrower ask for deletion of data or stop processing

In a data privacy setting, the borrower may assert rights as a data subject, depending on the facts and the lawful basis being invoked by the company. These may include requests to:

  • access personal data being processed;
  • correct inaccurate information;
  • object to certain processing;
  • limit disclosure;
  • complain about unlawful processing;
  • seek deletion or blocking where appropriate under data privacy law.

These rights are not absolute in every case. A lender may retain some data for legitimate business, legal, accounting, audit, or regulatory purposes. But that does not justify humiliation campaigns, unauthorized contact-list use, or unnecessary disclosure to third parties.

XII. What not to do when reporting

Victims sometimes weaken their own cases by reacting in ways that create evidence problems.

Avoid the following:

  • deleting abusive messages before saving them;
  • engaging in prolonged insults with collectors;
  • making unsupported public accusations without preserving proof;
  • sending altered screenshots;
  • submitting vague complaints without dates or names;
  • assuming the app name alone is enough without collecting company details.

A regulatory complaint should be factual, chronological, and document-backed.

XIII. What legal theories may overlap beyond SEC and NPC

Although this article focuses on the SEC and NPC, online lending harassment in the Philippines can also overlap with other legal issues.

A. Data Privacy Act of 2012

This is central when there is unauthorized processing, disclosure, or misuse of personal data.

B. Cybercrime-related issues

If the harassment involves online publication, threats, or misuse of digital systems, separate cybercrime considerations may arise.

C. Defamation or libel concerns

Public posts accusing a borrower of being a criminal or scammer may raise separate issues, depending on the wording and circumstances.

D. Grave threats, unjust vexation, or coercion

Extreme collection conduct may, depending on the facts, implicate criminal law.

E. Consumer protection and electronic commerce issues

Misrepresentation in app practices, deceptive disclosures, or hidden terms may support additional complaints elsewhere.

The same set of facts can therefore justify several parallel remedies.

XIV. Is the borrower’s debt erased by harassment

No. As a general rule, abusive collection does not automatically erase a valid debt. The borrower may still owe the lawful obligation under the loan contract, subject to defenses concerning the validity, amount, interest, penalties, or illegal terms.

That said, the lender’s misconduct can still be actionable. A borrower may both:

  • recognize that a debt dispute exists; and
  • complain that the collection method is illegal.

These are separate issues. Regulators are concerned not only with whether money is owed, but also with how collection is carried out.

XV. Does clicking “allow contacts” defeat the privacy complaint

Not necessarily.

This is one of the most misunderstood parts of online lending cases. A borrower’s tap on an app permission screen does not automatically legalize every future use of the data. Philippine data privacy principles still require that processing be lawful, transparent, for a legitimate purpose, and proportionate.

Even where some access was technically permitted, the following may still be highly questionable:

  • contacting unrelated people to shame the borrower;
  • mass disclosure of debt status;
  • use of personal data far beyond what was explained;
  • coercive processing inconsistent with declared purposes.

Consent that is unclear, bundled, excessive, or used as a shield for harassment is vulnerable to challenge.

XVI. Practical drafting tips for stronger complaints

A good complaint avoids emotional overstatement and uses precise facts.

Instead of writing:

They ruined my life and are the worst scammers.

Write:

On 14 March 2026 at around 8:15 a.m., a representative using mobile number [number] sent a message to my co-worker stating that I was refusing to pay a debt and should be shamed. A screenshot of that message is attached as Annex C.

Regulators respond best to:

  • dates;
  • times;
  • names or numbers;
  • exact words used;
  • identities of third-party recipients;
  • copies of evidence.

XVII. Organizing annexes

For both SEC and NPC filings, label evidence clearly:

  • Annex A – loan agreement;
  • Annex B – screenshot of app permissions;
  • Annex C – abusive text messages;
  • Annex D – call logs;
  • Annex E – messages sent to co-workers;
  • Annex F – proof of payment;
  • Annex G – screenshot of privacy policy;
  • Annex H – public social media post.

A messy annex set can slow down the complaint. A clean annex list helps both agencies see the pattern faster.

XVIII. What outcomes can a complainant realistically expect

A complainant should be realistic. Filing with the SEC or NPC does not guarantee instant relief or monetary recovery. But it can lead to meaningful regulatory consequences.

Possible results may include:

  • investigation of the company or app;
  • directives to explain or respond;
  • findings of regulatory noncompliance;
  • orders to cease certain practices;
  • sanctions or other enforcement action;
  • creation of a stronger record for later legal remedies.

For many victims, the first regulatory value is that the complaint formalizes the abuse and places the company under official scrutiny.

XIX. A practical combined strategy

In severe online lending harassment cases, a sensible Philippine strategy is often:

  1. preserve all evidence immediately;
  2. identify the app and company;
  3. send a concise written objection to the company;
  4. file a complaint with the SEC for abusive collection and regulatory issues;
  5. file a complaint with the NPC for unauthorized processing and disclosure of personal data;
  6. consider separate civil or criminal remedies if the facts justify them.

This combined approach addresses both sides of the misconduct:

  • the harassment as collection abuse; and
  • the harassment as data misuse.

XX. Suggested complaint checklist

Before submitting, make sure you have:

  • your full identity and contact details;
  • the app name and company name;
  • dates of the loan and the harassment;
  • screenshots of messages and calls;
  • screenshots from third parties contacted by the lender;
  • payment records;
  • app permissions and privacy policy screenshots;
  • a clear chronology;
  • a concise statement of what relief you want.

XXI. Final legal takeaway

In the Philippines, online lending harassment is not merely a customer service problem. It can amount to a regulatory and legal violation, especially where collectors use threats, humiliation, deception, or third-party disclosure of debt information. The SEC is the key reporting agency for abusive conduct by lending or financing entities and unfair debt collection practices. The NPC is the key reporting agency when the harassment depends on the unlawful collection, use, disclosure, or weaponization of personal data.

The most important legal insight is this: a lender may pursue payment, but it may not do so through intimidation, public shaming, or unlawful misuse of personal data. When an online lending app crosses that line, a borrower in the Philippines may have solid grounds to report the matter to the SEC, the NPC, or both.

This article is for general legal information and should not be treated as a substitute for case-specific advice, especially where criminal charges, damages, or urgent injunctive relief may be considered.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login