How to Stop Harassment by Online Lending Apps in the Philippines and File a Complaint with the NPC/BSP

How to Stop Harassment by Online Lending Apps in the Philippines—and File a Complaint with the NPC/BSP

For informational purposes only; not a substitute for advice from a Philippine lawyer. Laws and procedures change—always check the latest official guidance.

Executive summary

If a lending app is harassing you (or your contacts), you have rights and clear avenues for relief in the Philippines. Abusive collection—including threats, public shaming, contacting your phone contacts, and misuse of your personal data—is illegal. You can:

  1. Contain the harassment fast (revoke app permissions, preserve evidence, notify your contacts).

  2. Assert your data-privacy and financial-consumer rights directly to the company.

  3. Complain to the correct regulator(s):

    • NPC (National Privacy Commission) for any data privacy abuse (e.g., scraping and messaging your contacts).
    • BSP (Bangko Sentral ng Pilipinas) if the collector is a bank or BSP-supervised financial institution (BSFI).
    • SEC (Securities and Exchange Commission) if it’s a lending/financing company (most non-bank lending apps).

  4. Escalate to law enforcement if there are threats, coercion, or extortion.

This guide explains the laws, your options, the evidence you need, and gives ready-to-use templates.

What counts as “harassment” or unlawful collection?

Common red flags include:

  • Threats, intimidation, or obscene language; threats of arrest or public “blacklisting.”
  • Shaming tactics: mass texts to your contacts, posting your details/photos online, messaging your employer or clients.
  • Contacting third parties (family, friends, coworkers) about your debt when they are not guarantors/co-borrowers.
  • Excessive or odd-hour calls, robo-texts, or using multiple new numbers after you said to stop.
  • Misuse of your data: copying your contacts/photos/IDs from your phone or cloud, or using permissions beyond what’s necessary to process a loan.

Whether or not you owe money, abusive collection and unlawful data processing are prohibited.

The legal backbone (Philippine context)

  • Data Privacy Act of 2012 (RA 10173) and its rules: You have the right to be informed, to object, to access/correct, to erasure/blocking, and to damages. Personal data must be collected for a legitimate, proportionate purpose. Harassing your contacts or scraping your phonebook is typically unlawful processing.
  • Financial Products and Services Consumer Protection Act (RA 11765): Protects financial consumers’ right to fair treatment, data privacy, clear disclosures, and effective recourse. Empowers regulators (BSP, SEC, IC) to sanction abusive actors.
  • SEC rules on unfair debt collection (applicable to lending/financing companies): Prohibit threats, profanities, shaming, contacting persons other than the borrower/authorized parties, and other abusive practices. Violations can lead to fines, suspension, or revocation of license/app takedown.
  • Cybercrime Prevention Act (RA 10175) and the Revised Penal Code: Depending on the conduct, grave threats/coercion, libel/cyber libel, unjust vexation, and related offenses may apply.
  • Anti-Wiretapping Act (RA 4200): The Philippines generally requires consent of all parties to record private phone conversations. Don’t secretly record calls; if you want a record, announce you are recording or insist on text/email.

Immediate containment plan (Step-by-step)

  1. Preserve evidence (before uninstalling anything)

    • Screenshots/screen recordings of app pages, permissions, threats, messages, caller IDs, and dates/times.
    • Keep the original files (not just copies). Export call/SMS logs if possible.
    • Ask harassed contacts to take screenshots and forward raw messages to you.

  2. Lock down your device and accounts

    • On your phone: Settings → Apps → [App] → Permissionsdeny Contacts/Storage/Camera/SMS. Then force stop and clear cache. Only then consider uninstalling.
    • Change your passwords (email, cloud drives, social media, banking). Turn on 2-factor authentication.
    • In app stores, disable background data/notifications for the offending app.

  3. Inform your contacts

    • Send a short advisory: “I’m dealing with an abusive lending app. If you receive messages/calls about me, please ignore and screenshot them for evidence. Don’t engage.”

  4. Tell the company to stop (in writing)

    • Email and in-app chat: demand they cease harassment, erase unlawfully collected data, and stop contacting third parties. Ask for the name/email of their Data Protection Officer (DPO) and a case/ticket number. (Template below.)

  5. If there are threats of violence or extortion

    • File a police blotter with the PNP (consider the Anti-Cybercrime Group) or NBI (Cybercrime Division). Provide the numbers/screenshots and a timeline.

Decide where to complain (BSP, SEC, NPC)—a quick map

  1. Is the lender a bank/BSFI? (e.g., bank-owned app, digital bank, EMI supervised by BSP)

    • Yes → BSP complaint route (and NPC if there’s data misuse).
    • No/Unsure → Likely a lending/financing company → SEC complaint route (and NPC if there’s data misuse).

  2. Was your data (or your contacts’ data) misused?

    • Yes → NPC complaint (regardless of BSP/SEC status).

You can file both with the sector regulator (BSP/SEC) and the NPC if issues overlap.

What you should prepare (evidence package)

  • Your valid ID and contact details.
  • Loan documents (screenshots suffice): app name, loan ID, dates, advertised rates/fees.
  • Narrative (chronological): What happened, when, who called, what was said, how often, including any harassment of contacts.
  • Proof of attempts to resolve: your cease-and-desist email, ticket numbers, any reply.
  • Harassment proof: screenshots, audio with consent notice, call logs, public posts/PMs, and statements from contacts (even simple signed narratives help).
  • Entity info if known: registered company name, app name(s), addresses, website links, pages showing license claims.

Filing with the NPC (National Privacy Commission)

When: Any unlawful processing (e.g., scraping and messaging your contacts, public shaming, processing beyond necessity), breach of your privacy rights, or failure to honor your data rights (to object/erasure/access).

Before you file: The NPC generally expects that you try to resolve with the company’s DPO first (assert your rights and give reasonable time to act). Keep proof.

What to ask the NPC to do (sample relief):

  • Order the company to cease unlawful processing/harassment.
  • Order erasure/blocking of unlawfully obtained data (e.g., your phonebook).
  • Direct the company to notify and remediate harm to affected contacts.
  • Impose appropriate administrative penalties; refer for criminal action if warranted.
  • Require a written commitment on future lawful processing.

How to file:

  • Submit a verified complaint (sworn statement), with your narrative, evidence, and proof you first reached out to the DPO.
  • Include your government ID and contact details for notices.
  • If your contacts were harassed, they may file their own NPC complaints too (they are data subjects as well).

Filing with the BSP (if the collector is a bank/BSFI)

Start with the bank:

  • File a complaint with the bank’s Consumer Assistance Unit (CAU) via email, hotline, or in-app support.
  • Clearly cite abusive collection and privacy breaches, and ask for a written resolution. Keep the reference number.

Escalate to BSP if:

  • The bank did not resolve your complaint satisfactorily, or
  • The harassment is serious/continuing.

What to include:

  • Your CAU reference number and the bank’s response (if any).
  • Evidence bundle (as above).
  • Your specific asks: stop harassment, delete unlawfully gathered data, confirm corrective measures, and compensate for any proven loss.

What BSP can do:

  • Require the bank to address your complaint, improve controls, and comply with RA 11765; regulators can impose sanctions for abusive practices and privacy violations.

Filing with the SEC (if it’s a lending/financing company)

Why SEC: Most non-bank online lending apps operate as lending/financing companies under SEC authority. SEC rules ban unfair debt collection, including threats, shaming, contacting non-borrowers, and similar tactics.

What to submit:

  • Company/app name(s) and any license/registration claims.
  • Your narrative and evidence bundle.
  • Cite unfair debt collection practices and data-privacy violations (you may still file at NPC in parallel).

Possible outcomes:

  • Show-cause orders, fines, suspension or revocation of the company’s authority, and takedown of abusive apps/pages.

If you actually owe money—what changes?

  • Harassment is still illegal. They can collect lawfully (formal demand letters, compliant calls/SMS), but not threaten or shame you or your contacts.
  • Ask for a statement of account and a clear breakdown of principal, interest, fees, and penalties. Dispute unconscionable or undisclosed charges.
  • Propose a repayment plan you can afford. Put everything in writing.
  • Never pay through personal accounts of collectors; use official channels only.

Special notes for your contacts (family, friends, employer)

  • They can reply once (if safe) with: “I do not consent to processing or receiving messages about [Name]. Cease contact and delete my number. Further contact will be reported to the NPC and authorities.”
  • They should screenshot messages/calls, block the numbers, and avoid engaging.
  • They may file their own NPC complaints as data subjects whose numbers were processed without consent or lawful basis.

Practical do’s and don’ts

Do

  • Keep a clean timeline of events (dates/times, numbers used, what happened).
  • Use email or in-app chat so there’s a written trail.
  • When answering calls, you may say: “For compliance, I’m keeping a record of this conversation; please speak respectfully.” Then ask them to move to email.

Don’t

  • Secretly record calls (risk under RA 4200).
  • Share new personal data (IDs, selfies, contacts) in calls or chats.
  • Click unknown links or give OTP/PIN codes.
  • Post defamatory rants (avoid creating libel/cyber-libel exposure).

Templates (copy-paste and edit)

1) Cease-and-Desist + Data-Privacy Rights Letter (to the lender/app)

Subject: Cease Harassment; Exercise of Data-Privacy Rights

Dear Data Protection Officer/Compliance Team,

I am [Your Name], borrower under [App/Account/Loan ID]. Your representatives have engaged in unfair debt collection and unlawful processing of personal data, including [briefly list: threats, contacting my phone contacts, shaming, etc.], on [dates] from [numbers/accounts].

Under the Data Privacy Act (RA 10173) and the Financial Products and Services Consumer Protection Act (RA 11765), I hereby:

  1. Object to further unlawful processing and withdraw any consent to access/use my contacts or other unnecessary data.
  2. Demand erasure/blocking of all unlawfully obtained personal data (including my phonebook/contacts, photos, and any third-party data you copied).
  3. Demand you cease all harassment and stop contacting third parties about my account.
  4. Request the name and contact details of your Data Protection Officer and a written response within [5–10] business days outlining remedial steps.

Failure to comply will leave me no choice but to file formal complaints with the NPC and the appropriate sector regulator (BSP/SEC), and consider other legal remedies.

Sincerely, [Your Name] [Mobile/Email] [Date]

2) NPC Complaint—Outline

  • Complainant details: Name, address, mobile, email, valid ID.
  • Respondent: Company/app name(s), DPO contact if known.
  • Allegations: Unlawful processing (list acts), harassment of contacts, failure to honor rights (object/erasure), lack of proportionate purpose.
  • Timeline: Dates/times of events and attempts to resolve with the DPO (attach proof).
  • Evidence: Screenshots, logs, statements, links.
  • Relief sought: Cease-and-desist, erasure/blocking, sanctions, corrective actions, damages where appropriate.
  • Verification: Sworn statement/verification page.

3) BSP Complaint—Outline (for banks/BSFIs)

  • Your details + valid ID.
  • Bank/BSFI details and CAU reference number.
  • Issue: Abusive collection; privacy breaches; failure to resolve.
  • Evidence: Threats/shaming/third-party contact screenshots; logs; letters.
  • Relief sought: Stop harassment, delete unlawfully processed data, implement controls, compensate proven loss.

4) Statement for Harassed Contacts (they can send to the collector)

“I am not a party to any loan. I do not consent to the processing of my number for collection. Erase my data and stop contacting me. Further contact will be reported to the NPC.”

Law-enforcement route (when to consider)

  • Grave threats, extortion, doxxing, or stalkingPNP/NBI blotter and cybercrime unit report.
  • Bring printed screenshots, numbers/handles, your ID, and a concise timeline.

Civil remedies and small claims

  • If you suffered quantifiable loss (e.g., lost income due to shaming), consult counsel about damages.
  • For money disputes below the small-claims threshold (which has changed over time), you may explore small claims court—no lawyer required—but verify the current limit and rules before filing.

Frequently asked questions (quick hits)

  • Can they call my boss or clients? Generally no, unless your boss is a guarantor or you’ve given lawful, specific consent. Even then, harassment is prohibited.
  • Is it legal to scrape my contacts? Usually no. It’s disproportionate and lacks a valid basis under the Data Privacy Act.
  • Do I lose my rights if I clicked “Allow Contacts”? No. Consent must be informed, specific, and freely given—and you can withdraw it. Processing must also be necessary and proportionate.
  • Should I pay just to make them stop? Paying doesn’t legalize abusive conduct. If the debt is valid, negotiate properly; if not, dispute and report the abuse.

Action checklist (print this)

  • Evidence captured (screenshots, logs, numbers, dates).
  • App permissions revoked → app uninstalled (after evidence).
  • Passwords changed, 2FA on.
  • Contacts notified.
  • Cease-and-desist/Data-privacy letter sent (saved copy + ticket #).
  • NPC complaint prepared (if data misuse/harassment).
  • BSP or SEC complaint prepared (depending on the entity).
  • Police/NBI blotter if threats/extortion.
  • Consider repayment plan/dispute in writing (no unofficial channels).

Final notes

  • You can file simultaneous complaints (NPC + BSP/SEC).
  • Keep everything in writing.
  • If the harassment is intense or reputational harm is high, consult a lawyer promptly (Public Attorney’s Office or private counsel).

If you want, tell me whether your lender is a bank or a non-bank app, and I’ll tailor the filing steps and language to your exact situation.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login