Identity Theft and Unauthorized Online Loans in the Philippines: How to Dispute and File Complaints

This is general information for the Philippine setting and not legal advice. Laws and regulators’ procedures evolve; consult a lawyer for advice on your specific case.

Executive summary

Identity theft occurs when someone uses another person’s identifying information (e.g., name, government IDs, selfies, biometrics, mobile number, email) without authority—often to open or draw down online loans. Philippine law provides criminal, administrative, civil, and consumer-protection pathways to (1) stop the fraud and harassment, (2) clear your name and credit record, (3) obtain reversals/refunds where applicable, and (4) pursue the offender and negligent entities.

At a high level:

Freeze, dispute, and demand records from the lender/app immediately.
Escalate to the right regulator (BSP for banks/e-money; SEC for lending/financing companies; NPC for privacy violations).
Report to PNP-ACG or NBI Cybercrime and prosecute under the Cybercrime Prevention Act and related laws.
Dispute your credit report with the Credit Information Corporation (CIC) and the submitting lender.
Document everything—screenshots, call logs, app screens, SMS/OTP traces, and ID compromise trail.

Quick-action checklist (first 24–48 hours)

Preserve evidence: screenshots (full device status bar), videos of app screens, emails/SMS, call logs, loan agreements, disbursement records, IDs/selfies the fraudster used (if visible to you), and harassment messages.
Notify the lender/app in writing that the account/loan is fraudulent; demand immediate suspension/marking as “disputed,” a full investigation, and copies of KYC artifacts (ID image, selfie, liveness check results), device/IMEI, IP, geolocation logs, and transaction logs.
Invoke your Data Privacy rights: object to processing for collection/harassment; demand erasure/blocking of data not needed for investigation; require cessation of contacting your phone contacts.
Report to law enforcement: file a police blotter and go to PNP Anti-Cybercrime Group (ACG) or NBI Cybercrime Division; prepare a Complaint-Affidavit.
Escalate to the regulator:
- BSP – banks, digital banks, e-money issuers/wallets, and their lending.
- SEC – lending/financing companies and online lending platforms (OLPs); also for unfair debt collection/“debt shaming.”
- NPC – privacy violations (contact scraping, over-collection, unauthorized processing, breach).
Check your credit record (CIC) and file a dispute to block or annotate the fraudulent loan.
Secure your SIM and devices: change passwords, enable MFA, replace SIM if compromised; request carrier assistance if your number was cloned/swapped.

What counts as identity theft and an “unauthorized online loan”

Identity theft in the cyber context generally involves unauthorized acquisition, use, or misuse of personally identifying information to impersonate a person or obtain a benefit or cause damage, commonly via mobile apps and web forms.
An unauthorized online loan is a credit facility or disbursement opened, approved, or drawn in your name without your knowledge or consent (or with consent vitiated by fraud, coercion, or misrepresentation).

Legal framework (Philippine law)

1) Criminal liability

Cybercrime Prevention Act (RA 10175) – penalizes computer-related identity theft and related offenses (e.g., computer-related forgery/fraud, illegal access). Penalties include imprisonment and/or fine; crimes committed through ICT may carry higher penalties.
Revised Penal Code (RPC) – falsification, estafa/swindling, and related offenses may apply where forged IDs, signatures, or deceit are used.
Access Devices Regulation Act (RA 8484) – prohibits fraudulent use/possession of access devices (credit/debit cards, account numbers, OTPs), often implicated in e-wallet or card-based drawdowns.
Electronic Commerce Act (RA 8792) – recognizes e-signatures; electronic forgeries may trigger liability.

2) Data protection and privacy

Data Privacy Act (RA 10173) – governs processing of personal data; provides rights to be informed, object, access, correct, and erasure/blocking; penalizes unauthorized processing and disclosure; empowers National Privacy Commission (NPC) to investigate and issue compliance orders.

3) Lending regulation and debt collection

Lending Companies Act (RA 9474) and Financing Company Act, with SEC oversight.
SEC circulars prohibit unfair debt collection practices (e.g., threats, profane/abusive language, contacting people in your phonebook, public shaming, excessive or odd-hour calls). OLPs have disclosure, registration, and conduct requirements.

4) Financial consumer protection

Financial Products and Services Consumer Protection Act (RA 11765) – strengthens BSP/SEC/IC authority; mandates FSPs to have internal dispute resolution, fair treatment, and redress mechanisms; regulators may order restitution, reimbursements, or corrective action.

5) Credit reporting

Credit Information System Act (RA 9510) – establishes the CIC. You can obtain your report and dispute erroneous data. While under dispute, entries can be annotated and corrected if found inaccurate.

6) SIM and communications integrity

SIM Registration Act (RA 11934) – supports tracing/curbing SIM-based fraud; you can coordinate with your telco to address SIM compromises (e.g., SIM swap, OTP interception).

Proving non-authorization (and what to demand from the lender)

To clear your name, you must build a record that the lender’s KYC/controls were bypassed or fraudulently satisfied:

KYC artifacts: copies of ID images, selfie/liveness results, timestamps, device/IMEI, IP and geolocation logs, login history, and audit trails of account creation and approvals.
Transaction logs: application data, underwriting notes, drawdown/disbursement account details (e-wallet, bank), and destination account holder information.
Risk flags: mismatched device fingerprint, unusual IP geolocation, multiple attempts, failed liveness checks, or reused documents.

Legally grounded demands: In your dispute, cite (a) your privacy rights (Data Privacy Act), (b) the lender’s duty to have adequate controls (FCPA and sector rules), and (c) the prohibition on unfair collection (SEC rules). Request:

Immediate suspension of collections and reporting; mark the account “disputed/fraud.”
Official case/incident number and written acknowledgment.
Copies of all KYC/transaction records and the investigation report.
Cessation of contact with your phone contacts and deletion/blocking of scraped data.
Correction/withdrawal of negative reporting to CIC/credit bureaus.
Reversal/refund of disbursements wrongly debited from your accounts, where applicable.

How to dispute with the lender/app (step-by-step)

Identify the regulator:
- Banks, digital banks, e-money issuers/wallet lenders → BSP.
- Lending / financing companies and OLPs → SEC.
- Insurers/plan providers → IC (less common for loans).
File a written Notice of Dispute (keep proof of sending):
- Attach your Affidavit of Identity Theft, valid ID, police blotter (if available), and evidence.
- Demand a hold/suspension, investigation, and document production (KYC/logs).
Insist on redress timelines: ask when they will provide proof and resolution; request a written resolution letter.
If they insist you pay: reiterate the account is fraudulent, refuse to pay, and warn that harassment or contacting your phonebook violates SEC rules and privacy law.
Record every call and message (when lawful) and route further communications in writing/email.

Regulator and law-enforcement escalation

A. Bangko Sentral ng Pilipinas (BSP)

Use when the entity is a bank/non-bank financial institution under BSP (e.g., e-money wallets with lending).
File a consumer complaint after you first attempted resolution with the institution. Provide: account numbers, dates, screenshots, your Notice of Dispute, and the bank’s response.
Possible outcomes: orders for correction of records, reversal/restitution, compliance directives, and sanctions.

B. Securities and Exchange Commission (SEC)

Use for lending/financing companies and OLPs, notably for unfair debt collection (threats, doxxing, harassment) and for failures in registration/disclosure.
Submit evidence of harassment (audio, SMS, call logs), the app’s practices (contact scraping, debt-shaming), and your dispute letter.

C. National Privacy Commission (NPC)

File a privacy complaint for unauthorized processing, insufficient security measures, malicious/unauthorized disclosure, or contact scraping.
Ask for a compliance order (e.g., stop processing, delete unlawfully obtained contact data, secure systems) and administrative fines as appropriate.

D. PNP-ACG / NBI Cybercrime (and the Prosecutor)

Prepare a Complaint-Affidavit narrating the fraud, with annexes: screenshots, timelines, lender replies, and KYC/logs you obtained.
Offenses may include computer-related identity theft, computer-related fraud, falsification, estafa, and violations of RA 8484.
After investigation, the case proceeds to the Prosecutor for preliminary investigation; if probable cause is found, an Information is filed in court.

Credit Information Corporation (CIC): monitor and dispute

Obtain your credit report and look for the fraudulent loan.
File a dispute with the submitting entity (the lender). While under review, the entry should be annotated as “disputed.”
If unresolved, escalate through CIC’s dispute channel. Provide your Affidavit, dispute letters, and any regulator correspondence.
Request deletion/correction once the lender confirms the fraud.

Handling harassment and “debt shaming”

Keep a harassment diary: who called, when, what was said; capture voicemails, texts, and social-media posts.
Send a cease-and-desist citing SEC prohibitions and privacy rights, directing all communications to your designated email.
Report continued harassment to SEC and NPC; include evidence of calls to your contacts or posts tagging you.

Special scenarios and tips

No disbursement yet: demand immediate cancellation; insist the account be closed as fraud and any “approval” rescinded.
Funds disbursed to an unknown e-wallet/bank: press the lender to provide the destination account details and transaction IDs; file with law enforcement for account tracing and ask your bank about recall mechanisms where available.
SIM compromise / SIM swap: replace SIM, update MFA everywhere, and get a telco certification (useful to show OTP interception).
Employer/agency-related leak: consider a civil claim for damages under the Civil Code and Data Privacy Act in addition to regulatory complaints.
Settlement pressure: do not “pay to clear” a fraudulent loan; insist on formal resolution letters and corrections to records.
Venue/jurisdiction: cyber offenses often allow filing where any element occurred; coordinate with counsel or the Prosecutor’s Office on proper venue.

Evidence package (what good cases look like)

Timeline (date/time-stamped) of each event.
Device/Account map: your devices, SIM history, and any loss/theft incidents.
Screenshots/video captures of app pages, loan details, and harassment.
Emails/SMS/Calls logs with numbers, names, and recordings.
Lender correspondence: your Notice of Dispute, acknowledgments, and case numbers.
KYC/Log extracts from the lender (if provided).
Police blotter and Complaint-Affidavit.
CIC dispute and final correction letter.
Receipts of costs (e.g., SIM replacement, notary fees) for potential damages claims.

Templates you can adapt

Tip: Fill in brackets with your details. Have affidavits sworn/notarized. Keep PDFs of everything you send.

1) Notice of Dispute to Lender / App

Subject: Notice of Dispute – Identity Theft and Unauthorized Online Loan (Acct/Ref: [_____])

To: [Lender/App Name] – [Consumer Care/Compliance/Data Protection Officer]

I am disputing loan account/reference [_____]. I did not apply for, authorize, or benefit from this loan. This is a case of identity theft.

Demand:
1) Immediately suspend/flag the account as FRAUD-DISPUTED and cease collection/reporting.
2) Provide within [__] days: (a) KYC records (ID image, selfie/liveness, timestamps),
   (b) device/IMEI, IP, geolocation, login and transaction logs, and (c) full investigation report.
3) Cease contacting my phone contacts and stop any debt shaming or harassment.
4) Rectify/withdraw any negative credit reporting and provide a written resolution letter.

I invoke my rights under the Data Privacy Act to object to processing beyond what is necessary for fraud investigation,
and to request blocking/erasure of unlawfully obtained data.

Attached: Affidavit of Identity Theft, valid ID, evidence bundle.

Please acknowledge receipt and provide a case number. All communications should be via email: [your email].

Sincerely,
[Name, Address, Mobile, Email, ID No.]

2) Data Privacy: Cease-and-Desist (to collectors)

Subject: Cease and Desist – Unfair Collection and Unauthorized Processing of Personal Data

This concerns loan reference [_____], which I dispute as fraudulent. You are ordered to cease:
(a) contacting persons in my contact list; (b) threats, shaming, or harassment; (c) further processing/disclosure
of my or my contacts’ personal data beyond what is lawful and necessary.

Your actions violate the Data Privacy Act and prohibitions on unfair debt collection. Confirm compliance within 48 hours.

3) Affidavit of Identity Theft and Unauthorized Loan (sworn)

I, [Name], of legal age, Filipino, with address [_____], state:

1. On [date/time], I learned of a loan with [Lender/App], Ref [_____], which I did not apply for or authorize.
2. I have never consented to the use of my [IDs/mobile/email] for this loan; I received [describe OTP/emails/calls].
3. I immediately disputed the account and demanded investigation (Annex “A” – Notice of Dispute).
4. I believe my identity was compromised via [lost ID/phone phishing/SIM swap/data leak] on/about [date].
5. The fraudulent loan caused [credit score impact/collection harassment/damages].

I execute this affidavit to support criminal, regulatory, and civil actions.

[Signature over printed name]
SUBSCRIBED AND SWORN before me this [date]…

4) Regulator complaint covers (adapt as needed)

BSP (for banks/e-money) “Attached are my Notice of Dispute, lender responses, and evidence showing the loan is fraudulent. Please direct the institution to correct records, cease collection, and provide restitution where appropriate.”

SEC (for lending/financing/OLPs) “Please investigate unfair debt collection (threats, contact scraping, shaming) and compliance failures in onboarding/KYC. I request sanctions and consumer redress, and that the company delete unlawfully obtained contacts.”

NPC (privacy complaint) “Please investigate unauthorized processing/disclosure, inadequate security measures enabling identity theft, and contact scraping. I seek a compliance order, deletion/blocking of data, and administrative penalties.”

5) CIC dispute request

I dispute the accuracy of entry [Lender/Acct/Date] in my credit report as it arose from identity theft.
Please annotate as DISPUTED and investigate with the submitting entity. Attached are my Affidavit and lender correspondence.

Civil remedies and damages

Beyond criminal and administrative actions, you may claim damages (actual, moral, exemplary, attorney’s fees) under the Civil Code (e.g., quasi-delict) and the Data Privacy Act (right to be indemnified for damages due to violations of your data subject rights). If your losses are purely monetary and within threshold, Small Claims may be an efficient forum; consult counsel on suitability.

Prevention and hardening

Lock down your identity: minimize ID sharing; redact non-essential fields when submitting IDs; use watermarks (purpose/date) on ID scans where acceptable.
Device hygiene: unique passwords, password manager, MFA (prefer app-based over SMS), OS updates, antivirus.
SIM safety: secure PUK; detect SIM-swap signs (sudden no-signal, OTPs you didn’t request).
Phishing awareness: never share OTPs; verify loan app legitimacy; install from official app stores only.
Credit monitoring: pull your CIC report periodically; set alerts with participating institutions.
Breach response: if an entity holding your data suffers a breach, use your right to be informed and demand containment and mitigation steps.

Frequently asked questions (practical)

Do I have to pay while the investigation is ongoing? If you did not contract the loan, do not admit liability or pay “to make it go away.” Keep it in dispute and escalate. Paying may be construed as acknowledgment.

What if the lender refuses to give KYC/logs citing “privacy”? You are the data subject; KYC and logs about you are your personal data. Ask for a data subject access package (with redactions only for third-party data).

Can the lender call my contacts? Contact scraping and calling your contacts to coerce payment can violate privacy and SEC unfair debt collection rules. Document and report.

How long will this take? Timelines vary by institution and regulator. Build a thorough paper trail early to accelerate resolution.

Final takeaways

Move fast: dispute in writing, preserve evidence, and escalate early.
Use all tracks: consumer-protection, privacy, lending regulation, criminal, and credit-reporting.
Demand records: KYC and technical logs are often decisive in clearing your name.
Never tolerate harassment: it’s often sanctionable; report it.
Close the loop: ensure credit records are corrected and obtain a resolution letter for your files.

If you’d like, I can tailor the templates to your exact facts (names, dates, lender type) and generate a ready-to-print bundle.