I. Introduction

Identity theft through unauthorized loan processing occurs when a person’s name, personal information, identification documents, mobile number, bank details, employment details, digital credentials, biometric data, or electronic signature are used to apply for, process, approve, release, or collect a loan without that person’s valid consent.

In the Philippine context, this problem commonly appears in the form of unauthorized online loans, fraudulent digital lending applications, forged salary loans, credit card cash advances, buy-now-pay-later accounts, cooperative loans, microfinance loans, financing company loans, pawnshop or remittance-linked loans, and loans opened through stolen IDs or SIM-registered numbers.

The victim usually discovers the fraud only after receiving collection calls, text messages, app notifications, demand letters, negative credit reports, employer verification calls, or threats from collectors. The legal issues may involve criminal law, cybercrime, data privacy, consumer protection, banking and lending regulations, electronic evidence, civil liability, credit reporting, and remedies against both the fraudster and negligent financial institutions.

---

II. What Is Identity Theft Through Unauthorized Loan Processing?

Identity theft through unauthorized loan processing has two connected components.

First, there is identity misuse. Someone uses another person’s identity or personal data to impersonate them, create an account, pass verification, or make it appear that the victim applied for a loan.

Second, there is unauthorized credit transaction. A loan or credit facility is processed, approved, released, renewed, topped up, restructured, or collected under the victim’s name even though the victim did not knowingly and freely consent.

The unauthorized loan may be:

1. Completely fabricated by an impostor;
2. Processed by a lender using incomplete or unreliable verification;
3. Applied for using stolen IDs or photos;
4. Opened through a compromised phone number or SIM;
5. Submitted by a relative, friend, coworker, agent, or insider;
6. Caused by forged signatures or falsified documents;
7. Created through unauthorized use of an app account;
8. Linked to a payroll, bank, e-wallet, or government ID account without authority; or
9. Triggered by data obtained from a previous transaction and reused for lending purposes.

---

III. Common Forms in the Philippines

A. Online lending app identity theft

The victim’s ID, selfie, contact list, mobile number, or account information is used to apply for a loan through a mobile lending app. The loan proceeds may be sent to a bank account, e-wallet, or mobile wallet controlled by the fraudster.

The victim may later receive threats, shaming messages, harassment, or contact-blasting from collectors even though the victim never received the proceeds.

B. Forged paper-based loan applications

A fraudster submits a loan form using the victim’s name and forged signature. This may happen with salary loans, cooperative loans, employee loans, microfinance loans, appliance financing, motorcycle financing, pawnshop loans, or small business loans.

C. Insider-assisted unauthorized loans

An employee, agent, loan officer, broker, barangay intermediary, HR staff member, cooperative officer, or company insider may misuse information already available in records to process a loan.

This is especially serious because the lending institution may have participated, tolerated irregularities, or failed to perform basic verification.

D. Use of stolen government IDs

Fraudsters may use stolen or copied UMID, PhilSys ID, driver’s license, passport, PRC ID, voter’s ID, postal ID, company ID, or other identification documents to pass Know Your Customer checks.

E. SIM and mobile number misuse

A loan may be opened through a SIM or mobile number associated with the victim. This can happen through SIM theft, SIM swap, unauthorized SIM registration, compromised OTPs, or fraudulent use of a number previously linked to the victim.

F. E-wallet and bank-linked loan fraud

Some digital credit products are connected to e-wallets, bank apps, payroll accounts, or online marketplaces. If the account is compromised, a fraudster may draw a loan, cash advance, credit line, or “buy now, pay later” transaction.

G. Employment or payroll loan fraud

Employees may discover deductions from salary for a loan they never applied for. This may involve payroll loan providers, company cooperatives, internal HR processing, or forged authorization forms.

H. “Agent-assisted” fraud

Loan agents may submit applications using personal data collected from people who only inquired about a loan, joined a raffle, applied for a job, submitted IDs for another purpose, or were induced to provide documents through deception.

---

IV. Legal Framework

Identity theft through unauthorized loan processing may violate several Philippine laws, depending on how the fraud was committed.

The main legal sources include:

1. Revised Penal Code;
2. Cybercrime Prevention Act of 2012;
3. Data Privacy Act of 2012;
4. Access Devices Regulation Act;
5. Consumer protection laws and regulations;
6. Lending and financing company regulations;
7. Credit Information System Act;
8. Electronic Commerce Act and rules on electronic evidence;
9. SIM Registration Act-related obligations;
10. Civil Code provisions on damages, abuse of rights, negligence, and quasi-delict;
11. Banking and financial regulations, where applicable; and
12. Rules governing collection practices, especially for banks, financing companies, lending companies, and online lending platforms.

---

V. Criminal Liability of the Fraudster

A. Estafa

Unauthorized loan processing may constitute estafa when deceit, fraud, false pretenses, or misappropriation is used to obtain money or credit.

For example, a person may commit estafa by pretending to be the victim, submitting false documents, misrepresenting authority, or causing a lender to release funds based on fraudulent representations.

The offended party may be the lender, the victim whose identity was used, or both, depending on the facts. The lender may have lost money, while the victim may have suffered reputational, financial, and privacy harm.

B. Falsification of documents

If the fraudster forged signatures, altered IDs, fabricated payslips, created fake certificates of employment, falsified proof of billing, or submitted fake authorization forms, falsification may be involved.

Falsification may apply to:

1. Public documents;
2. Official documents;
3. Commercial documents;
4. Private documents; and
5. Electronic documents, depending on the method and evidence.

A forged loan agreement, fake promissory note, false authorization, or fabricated digital application can become central evidence.

C. Use of falsified documents

Even if the fraudster did not personally create the fake document, knowingly using a falsified document to secure a loan may create criminal liability.

D. Identity theft under cybercrime law

If the offender used information and communications technology to acquire, use, misuse, transfer, possess, or process identifying information without authority, the conduct may fall under identity theft-related cybercrime provisions.

This is particularly relevant where the loan was processed through an app, website, online portal, email, electronic signature system, mobile number, e-wallet, OTP, digital ID upload, or messaging platform.

E. Computer-related fraud

If the fraud involved unauthorized digital transactions, manipulation of computer systems, account takeover, false electronic inputs, or fraudulent use of online lending platforms, computer-related fraud may be considered.

F. Illegal access

If the offender accessed the victim’s email, phone, bank account, e-wallet, online lending app, social media account, or employment portal without permission, illegal access may also arise.

G. Misuse of access devices

Where the fraud involves credit cards, debit cards, account numbers, e-wallet credentials, payment instruments, OTPs, card details, or similar access devices, access-device-related offenses may apply.

H. Unjust vexation, grave coercion, threats, or libel-related offenses

If the victim is harassed, threatened, shamed, or falsely accused after the unauthorized loan, separate offenses may arise. This is especially common in online lending situations where collectors contact relatives, employers, friends, or social media connections.

---

VI. Liability of the Lending Company, Financing Company, Bank, or Platform

The fraudster is not always the only legally responsible party. A lender, platform, app operator, financing company, bank, cooperative, or loan processor may also be liable if it failed to comply with verification, consumer protection, privacy, and fair collection duties.

A. Failure to verify identity

A lender that approves a loan without adequate identity verification may be exposed to liability. The level of required diligence depends on the nature of the lender, the loan product, the risk, and applicable regulations.

A lender should generally verify:

1. The applicant’s identity;
2. The authenticity of submitted documents;
3. The applicant’s authority to borrow;
4. The applicant’s contact details;
5. The destination account for loan proceeds;
6. The consistency of application data;
7. Red flags of impersonation;
8. The validity of consent; and
9. Whether the transaction is unusually suspicious.

B. Negligent processing

If a lender accepted obviously inconsistent documents, ignored mismatched signatures, failed to confirm with the supposed borrower, released proceeds to a third party, or relied on weak verification procedures, the lender may be civilly or administratively liable.

C. Data privacy violations

If a lender processed the victim’s personal information without valid consent or lawful basis, retained excessive data, disclosed information to collectors, or contacted the victim’s phonebook contacts without authority, it may violate data privacy principles.

D. Unfair or abusive collection practices

Even if the lender claims the loan exists, collection must still be lawful. Threats, insults, public shaming, false legal threats, contact-blasting, disclosure of debt to third parties, repeated harassment, obscene language, and misleading notices may violate collection rules and privacy laws.

E. Unauthorized credit reporting

Reporting a fraudulent loan as the victim’s unpaid debt may create additional liability if the lender failed to investigate a dispute or correct inaccurate information.

F. Vicarious liability

A company may be liable for acts of its employees, agents, collectors, processors, or accredited representatives when the wrongful conduct was connected to their assigned functions or enabled by the company’s systems.

---

VII. Data Privacy Issues

Identity theft through unauthorized loan processing almost always involves personal information. It may include:

1. Full name;
2. Date of birth;
3. Address;
4. Mobile number;
5. Email address;
6. Government ID number;
7. Photo or selfie;
8. Signature;
9. Employment details;
10. Income information;
11. Bank or e-wallet details;
12. Contact list;
13. Credit history;
14. Biometric data;
15. Location data; and
16. Device information.

Some of these may be sensitive personal information, especially government-issued identifiers and financial information.

A. Lawful basis

A lender must have a lawful basis to collect and process personal information. In an identity theft case, the victim did not truly consent. A forged or unauthorized application should not be treated as valid consent from the victim.

B. Transparency

The person whose data is being processed should know who is processing the data, why it is being processed, how it will be used, how long it will be retained, and to whom it will be disclosed.

C. Proportionality

A lending platform should collect only what is necessary. Excessive access to phone contacts, photos, messages, location, social media accounts, or device files can be disproportionate.

D. Security

Companies must protect personal data against unauthorized access, disclosure, alteration, loss, misuse, and fraud. Weak systems that allow unauthorized loans may indicate poor security controls.

E. Data subject rights

A victim may invoke rights such as access, correction, objection, erasure or blocking, and damages, subject to legal limitations. The victim may demand information on how the loan was processed, what documents were used, what account received the proceeds, and to whom the data was disclosed.

F. Data breach implications

If the unauthorized loan resulted from a company’s data breach, the company may have breach notification obligations and may face investigation by the National Privacy Commission.

---

VIII. Consumer Protection and Financial Regulation

Unauthorized loans implicate consumer protection because the victim is being treated as a borrower without valid consent.

A regulated lender should not merely insist that the victim pay. It should investigate the dispute, suspend collection where appropriate, preserve records, provide copies of disputed documents, correct inaccurate reports, and cooperate with regulators and law enforcement.

A. Duties of lenders and financing companies

Lenders and financing companies should maintain proper records, verify borrowers, disclose loan terms, avoid deceptive practices, and follow fair collection standards.

B. Online lending platforms

Online lending platforms have additional risks because processing is fast, remote, and document-light. They should have stronger fraud detection, consent verification, identity checks, and complaint mechanisms.

C. Banks and supervised financial institutions

Banks and similar institutions are expected to follow Know Your Customer, anti-fraud, consumer protection, cybersecurity, and data governance standards.

D. Cooperatives and employee loan programs

Cooperatives and employer-linked lenders must also ensure that loan applications and payroll deduction authorizations are genuine. Unauthorized salary deductions can create labor, civil, and administrative issues.

---

IX. Credit Reporting Consequences

A fraudulent loan may harm the victim’s credit standing. The victim may be listed as delinquent, defaulting, or blacklisted even though they never borrowed the money.

The victim should dispute inaccurate credit information and request correction or removal. The lender should not continue reporting the account as valid after receiving credible notice of identity theft without conducting a proper investigation.

Credit reporting harm may support claims for damages, especially if the victim was denied a legitimate loan, job, lease, credit card, or business opportunity because of the fraudulent account.

---

X. Collection Harassment After an Unauthorized Loan

Many victims first learn of the fraud through collectors. Collection harassment may include:

1. Repeated calls and messages;
2. Threats of arrest or imprisonment;
3. False claims that police or courts are already involved;
4. Public shaming;
5. Contacting relatives, coworkers, employers, or friends;
6. Posting the victim’s photo online;
7. Sending edited images or defamatory messages;
8. Using profanity or intimidation;
9. Demanding payment despite a pending dispute;
10. Refusing to provide loan documents;
11. Sending fake subpoenas or warrants;
12. Threatening to visit the workplace or home; and
13. Misrepresenting themselves as lawyers, police, court staff, or government officers.

These acts may violate collection rules, data privacy law, cybercrime law, criminal law, and civil law.

A victim should avoid admitting liability or making payment merely to stop harassment unless advised by counsel. Payment may later be misinterpreted as acknowledgment of the debt, although the legal effect depends on circumstances.

---

XI. Is the Victim Required to Pay?

Generally, a person should not be liable for a loan they did not apply for, authorize, receive, or ratify.

For a loan obligation to bind a person, there must generally be valid consent, object, and cause. If the victim’s consent was forged, stolen, simulated, or never given, the alleged contract may be void, voidable, unenforceable, or otherwise not binding on the victim, depending on the facts.

However, disputes can become complicated if:

1. The proceeds entered an account under the victim’s control;
2. The victim benefited from the loan;
3. The victim allowed another person to use their IDs;
4. The victim shared OTPs or credentials;
5. The victim later made payments;
6. The victim signed related documents without reading them;
7. The victim authorized an agent but disputes the scope of authority;
8. The loan was connected to a family member or coworker; or
9. The victim delayed reporting after discovering the fraud.

The core question is whether there was genuine consent, authority, benefit, or ratification.

---

XII. What the Victim Should Do Immediately

A victim of unauthorized loan processing should act quickly and preserve evidence.

A. Preserve all evidence

Save:

1. Demand letters;
2. Text messages;
3. Call logs;
4. Screenshots;
5. Emails;
6. App notifications;
7. Loan account numbers;
8. Collection messages;
9. Names and numbers of collectors;
10. Copies of alleged loan documents;
11. Credit reports;
12. Bank or e-wallet transaction histories;
13. Police blotter or complaint records;
14. Regulator complaint references; and
15. Any proof that the victim was elsewhere, did not receive funds, or did not sign documents.

B. Demand documents from the lender

Request copies of:

1. Loan application;
2. Promissory note;
3. Disclosure statement;
4. Terms and conditions;
5. ID submitted;
6. Selfie or biometric capture;
7. Signature or e-signature records;
8. IP address, device ID, timestamp, and audit logs;
9. Mobile number and email used;
10. Bank or e-wallet account where proceeds were released;
11. Consent records;
12. Call recordings, if any;
13. Verification notes; and
14. Collection history.

C. Send a written dispute

The victim should send a written dispute stating that the loan is unauthorized, demanding suspension of collection, correction of records, preservation of evidence, and investigation.

D. File reports or complaints

Depending on the facts, the victim may report to:

1. The lender’s complaint unit;
2. The National Privacy Commission;
3. The Securities and Exchange Commission, for lending or financing companies and online lending platforms under its jurisdiction;
4. The Bangko Sentral ng Pilipinas, for banks, e-money issuers, and supervised financial institutions;
5. The Philippine National Police Anti-Cybercrime Group;
6. The National Bureau of Investigation Cybercrime Division;
7. The prosecutor’s office;
8. The barangay, where appropriate for documentation or conciliation;
9. The Credit Information Corporation or relevant credit reporting entities, for credit record disputes;
10. The employer or cooperative, for salary deductions or employment-linked loans; and
11. The court, where civil or criminal action becomes necessary.

E. Secure accounts

The victim should immediately secure email, phone, e-wallet, bank, and lending app accounts. This includes changing passwords, enabling multi-factor authentication, checking linked devices, contacting the telco for SIM issues, and monitoring bank/e-wallet activity.

---

XIII. Legal Remedies Available to the Victim

A. Criminal complaint

The victim may file a criminal complaint against the person who used their identity and any accomplices. Possible charges may include estafa, falsification, use of falsified documents, identity theft, computer-related fraud, illegal access, misuse of access devices, threats, coercion, cyber libel, or other offenses.

B. Complaint against the lender or platform

The victim may file an administrative or regulatory complaint if the lender failed to verify identity, processed data unlawfully, used abusive collection methods, or refused to correct records.

C. Data privacy complaint

A complaint before the National Privacy Commission may be appropriate where there was unauthorized processing, excessive data collection, unlawful disclosure, data breach, harassment through contact lists, or refusal to honor data subject rights.

D. Civil action for damages

The victim may seek damages for:

1. Injury to reputation;
2. Mental anguish;
3. Anxiety and humiliation;
4. Lost opportunities;
5. Wrongful salary deductions;
6. Credit damage;
7. Costs of clearing the record;
8. Attorney’s fees;
9. Exemplary damages in proper cases; and
10. Other actual losses.

E. Injunction or protective relief

Where harassment or wrongful collection continues, the victim may seek legal remedies to stop collection, prevent disclosure, correct records, or restrain further use of personal data.

F. Credit correction

The victim may demand correction, blocking, or deletion of inaccurate credit information and require the lender to notify relevant credit reporting entities.

---

XIV. Liability of Relatives, Friends, or Coworkers Who Used the Victim’s Identity

Identity theft through unauthorized loans is often committed by someone close to the victim. A family relationship does not automatically erase criminal or civil liability.

A relative, partner, friend, coworker, or housemate may be liable if they:

1. Took or copied the victim’s ID;
2. Used the victim’s phone or SIM;
3. Submitted a loan application in the victim’s name;
4. Forged the victim’s signature;
5. Used the victim’s selfie or photo;
6. Received the loan proceeds;
7. Represented themselves as authorized;
8. Caused salary deductions;
9. Hid collection notices from the victim; or
10. Benefited from the unauthorized loan.

Family considerations may affect strategy, settlement, or willingness to prosecute, but they do not automatically validate the loan.

---

XV. Employer-Linked Unauthorized Loans and Salary Deductions

Unauthorized payroll or salary loans are especially serious because they can directly affect the victim’s wages.

The employee should demand:

1. A copy of the loan documents;
2. A copy of the salary deduction authorization;
3. Proof of identity verification;
4. Proof of release of loan proceeds;
5. A stop to deductions pending investigation;
6. Reversal or refund of unauthorized deductions;
7. Preservation of CCTV, HR records, email logs, and payroll records; and
8. Written findings after investigation.

An employer should not deduct wages based on a disputed loan without verifying valid authorization. If an HR employee, cooperative officer, or payroll partner was involved, administrative and legal liability may arise.

---

XVI. Electronic Signatures and Digital Consent

A lender may claim that the victim electronically signed or clicked consent. But an electronic signature is not automatically valid just because a system recorded a click.

Important questions include:

1. Who controlled the device used?
2. Was the account compromised?
3. Was an OTP used, and who received it?
4. Was the email address actually the victim’s?
5. Was the phone number registered to the victim?
6. Was biometric verification performed?
7. Was liveness detection used?
8. Were the ID and selfie genuine?
9. Did the IP address or location match the victim?
10. Was the loan released to an account owned by the victim?
11. Did the victim receive the loan proceeds?
12. Was there a reliable audit trail?
13. Were there suspicious changes in account details?
14. Was the consent specific and informed?

Electronic records must still be authenticated. A weak audit trail may not prove valid consent.

---

XVII. Loan Proceeds: Why the Destination Account Matters

A key issue is where the loan proceeds went.

If proceeds went to an account clearly controlled by the fraudster, this supports the victim’s denial. If proceeds went to an account in the victim’s name, further investigation is needed because the account may itself have been opened fraudulently, compromised, or controlled by someone else.

Relevant evidence includes:

1. Bank or e-wallet account name;
2. Account opening documents;
3. Transaction records;
4. Withdrawal history;
5. Device logs;
6. IP addresses;
7. CCTV at cash-out points;
8. Linked mobile numbers;
9. Transfer recipients;
10. Merchant records; and
11. KYC documents for the receiving account.

---

XVIII. Red Flags of Unauthorized Loan Processing

Lenders and victims should watch for the following red flags:

1. Mismatched signatures;
2. Different phone number or email from previous records;
3. Newly created e-wallet or bank account;
4. Loan proceeds sent to a third party;
5. ID photo that appears edited or reused;
6. Poor selfie match;
7. No live verification;
8. Unusual device or IP address;
9. Application submitted at odd hours;
10. Multiple applications using the same device;
11. Sudden change in address or employer;
12. Borrower denies knowledge immediately;
13. Contact numbers belong to unrelated persons;
14. Agent insists on rushing approval;
15. Borrower cannot be reached through verified channels;
16. Salary deduction form lacks independent confirmation; and
17. Repeated use of the same documents across multiple accounts.

Failure to act on these red flags may support a negligence claim.

---

XIX. Evidence Needed to Prove Identity Theft

The victim should try to establish:

1. Lack of consent;
2. Lack of signature or forged signature;
3. Lack of receipt of proceeds;
4. Lack of control over the receiving account;
5. Lack of access to the device, SIM, or email used;
6. Inconsistencies in the loan documents;
7. Timeline showing impossibility or improbability;
8. Prior reports of lost ID, stolen phone, compromised account, or data breach;
9. Immediate dispute after discovery;
10. Harassment or unlawful collection;
11. Credit damage;
12. Failure of the lender to verify identity;
13. Excessive or unauthorized processing of personal data;
14. Identity of the likely fraudster, if known; and
15. Actual damages suffered.

---

XX. Defenses Commonly Raised by Lenders

A lender may argue:

1. The loan application used the victim’s ID;
2. The victim’s phone number received the OTP;
3. The victim’s selfie or photo was uploaded;
4. The victim’s e-signature appears in the records;
5. The proceeds were released to an account in the victim’s name;
6. The victim previously borrowed from the same platform;
7. The victim delayed disputing the loan;
8. Partial payment was made;
9. The victim shared credentials or documents voluntarily;
10. The transaction passed automated checks; or
11. The lender acted in good faith.

These defenses are not automatically conclusive. The lender must still show valid consent, proper verification, lawful processing, and fair treatment after the dispute.

---

XXI. Defenses Available to the Victim

The victim may argue:

1. No loan application was made;
2. No valid consent was given;
3. The signature was forged;
4. The electronic consent was not made by the victim;
5. The phone, SIM, email, or app account was compromised;
6. The ID was stolen, copied, or misused;
7. The proceeds were not received or enjoyed by the victim;
8. The lender failed to verify identity;
9. The lender ignored red flags;
10. The lender unlawfully processed personal information;
11. Collection was abusive or unlawful;
12. Credit reporting was inaccurate;
13. Any alleged payment was made under pressure or protest;
14. The loan documents are unreliable or unauthenticated; and
15. The supposed contract is not binding.

---

XXII. Unauthorized Loan Processing and Consent

Consent is central. A loan is not valid against a person merely because their name appears on the documents. Consent must be real, voluntary, informed, and attributable to the person.

There is no valid consent when:

1. A signature is forged;
2. An electronic signature is created by another person;
3. The victim’s ID is used without authority;
4. The victim’s phone receives an OTP but another person controls it;
5. The victim is deceived into providing documents for another purpose;
6. The victim is coerced;
7. The victim is incapable of understanding the transaction;
8. The agent exceeded authority;
9. The victim’s data was reused for a different loan; or
10. Consent was bundled, hidden, or unrelated to the actual transaction.

---

XXIII. Use of Personal Data Collected for Another Purpose

A common pattern is “purpose-switching.” A person submits an ID for employment, delivery, SIM registration, school enrollment, membership, raffle participation, remittance, rental, or a previous loan inquiry. Later, the same information is used to process a loan.

This may violate data privacy principles because personal data collected for one purpose should not be used for a completely different purpose without lawful basis and proper notice.

For example, an ID submitted for employment screening should not be used to create a loan account. A selfie sent for verification in one platform should not be reused in another lending application. A contact list accessed for app functionality should not be used for public shaming or debt collection.

---

XXIV. Harassment of Contacts and “Contact-Blasting”

Some online lenders access the borrower’s phone contacts and message relatives, friends, coworkers, or employers. In identity theft cases, this is especially harmful because the alleged borrower never consented to the loan.

Contact-blasting may involve:

1. Disclosure of alleged debt;
2. Accusations of fraud;
3. Edited photos;
4. Threatening messages;
5. Group chats;
6. Calls to employer or HR;
7. Public social media posts;
8. False legal claims;
9. Shaming language; and
10. Pressure on third parties to pay.

This may violate privacy, collection, cybercrime, and civil law principles. Even a genuine debt does not justify unlawful disclosure or harassment.

---

XXV. Demand Letters, Fake Warrants, and Threats of Arrest

Debt is generally a civil obligation. A person should be cautious when collectors claim immediate arrest, barangay pickup, police action, immigration hold, or automatic imprisonment.

However, fraudulent loan processing may involve criminal issues against the impostor. That does not mean the victim can be arrested merely because a collector says so.

Collectors who issue fake warrants, fake subpoenas, fake court notices, or false threats may expose themselves and their principals to liability.

---

XXVI. Barangay Proceedings

Barangay proceedings may help document the dispute, especially when the suspected fraudster is known and lives in the same city or municipality. However, cybercrime, offenses punishable beyond barangay conciliation limits, and disputes involving juridical entities or parties from different localities may fall outside ordinary barangay conciliation.

A barangay blotter or certificate may help show that the victim promptly denied the loan, but it does not by itself erase the loan record. The victim should still notify the lender and relevant regulators.

---

XXVII. Police and Cybercrime Reporting

Police or cybercrime reporting is useful when:

1. A phone, SIM, email, or account was hacked;
2. Online lending apps were used;
3. Fraudsters used fake accounts;
4. Electronic documents were submitted;
5. Threats or harassment occurred online;
6. Funds were transferred through e-wallets or bank apps;
7. Personal information was unlawfully processed; or
8. The identity of the fraudster is unknown.

The victim should bring printed and digital copies of evidence, including screenshots with timestamps, phone numbers, URLs, account names, transaction references, and lender details.

---

XXVIII. Complaints Before Regulators

A. National Privacy Commission

A complaint may be appropriate for unauthorized processing, unlawful disclosure, excessive data collection, contact-blasting, refusal to give access to personal data, or failure to secure information.

B. Securities and Exchange Commission

The SEC may be relevant for lending companies, financing companies, and online lending platforms under its jurisdiction. Complaints may involve abusive collection, unauthorized lending, unfair practices, or violations by registered or unregistered lenders.

C. Bangko Sentral ng Pilipinas

The BSP may be relevant when the institution involved is a bank, e-money issuer, payment operator, or BSP-supervised financial institution.

D. Credit Information System channels

If the fraudulent loan affected credit records, the victim should dispute inaccurate information through the relevant credit reporting or credit information channels.

E. Department of Trade and Industry

The DTI may be relevant for consumer transactions, depending on the type of credit product and seller-financing arrangement.

---

XXIX. Civil Code Principles

Several Civil Code principles may support a victim’s claim.

A. Abuse of rights

A lender or collector may be liable if it exercises a supposed right in a manner contrary to justice, honesty, or good faith.

B. Acts contrary to morals, good customs, or public policy

Harassing a victim, shaming them publicly, or refusing to investigate credible identity theft may give rise to damages.

C. Negligence or quasi-delict

A company that fails to implement reasonable verification and data security measures may be liable for damage caused by negligence.

D. Breach of contract or lack of contract

If no valid contract exists, the victim may seek a declaration that the alleged loan is not binding, along with damages and correction of records.

---

XXX. The Role of Banks, E-Wallets, and Payment Channels

When proceeds are released to a bank or e-wallet account, payment channels become important sources of evidence.

A victim may request investigation into:

1. Account ownership;
2. KYC documents;
3. Cash-out location;
4. Transfer destination;
5. Linked devices;
6. Login history;
7. Transaction timestamps;
8. Recipient accounts;
9. Fraud flags; and
10. Account freezing or preservation where legally available.

Banks and e-wallet providers may require formal requests, law enforcement involvement, or legal process before disclosing detailed account information.

---

XXXI. Lost IDs and Preventive Measures

Victims whose IDs were lost, stolen, copied, or compromised should:

1. Execute an affidavit of loss, where appropriate;
2. Report the loss to relevant issuers;
3. Monitor credit activity;
4. Avoid sending ID photos casually;
5. Watermark ID copies with the purpose and date;
6. Cover unnecessary ID numbers where allowed;
7. Avoid sharing OTPs;
8. Secure SIM and email accounts;
9. Use strong passwords and multi-factor authentication;
10. Regularly check e-wallet and bank loan features;
11. Be cautious with job posts and loan agents asking for IDs;
12. Avoid installing suspicious lending apps; and
13. Revoke permissions for apps that do not need contacts, photos, or location.

A useful practice is to mark ID copies with: “For [specific purpose] only, submitted on [date].” This may discourage reuse and help prove misuse.

---

XXXII. What Lenders Should Do to Prevent Unauthorized Loans

A responsible lender should implement:

1. Strong KYC procedures;
2. Liveness checks for digital onboarding;
3. Independent verification of mobile numbers and emails;
4. Fraud detection for repeated devices or suspicious IP addresses;
5. Confirmation before releasing proceeds;
6. Destination-account matching;
7. Limits on agent-submitted applications;
8. Audit trails for electronic consent;
9. Secure storage of IDs and selfies;
10. Complaint and dispute mechanisms;
11. Suspension of collection during credible identity theft disputes;
12. Data minimization;
13. Fair collection policies;
14. Training for agents and collectors;
15. Vendor and third-party oversight;
16. Credit report correction procedures;
17. Incident response for data breaches; and
18. Documentation sufficient for regulatory review.

---

XXXIII. Unauthorized Loan Processing by Agents

Loan agents can be a major source of fraud. They may collect IDs from prospective borrowers and later use them to submit unauthorized applications.

A lender may be liable for agent misconduct if the agent acted within apparent authority, used company systems, had access to company forms, or was insufficiently supervised.

Lenders should not treat agent fraud as purely a private matter if the fraud was enabled by their business model.

---

XXXIV. Settlement Issues

Sometimes the lender offers to “settle” by waiving interest, reducing the balance, or asking the victim to pay a portion. Victims should be careful.

Before settlement, consider:

1. Whether payment could be treated as admission;
2. Whether the lender will issue a written clearance;
3. Whether the lender will delete or correct credit reports;
4. Whether collection will permanently stop;
5. Whether data will be blocked or erased where appropriate;
6. Whether the lender admits the loan was fraudulent;
7. Whether the victim reserves rights against the fraudster;
8. Whether there is a confidentiality clause;
9. Whether the settlement affects complaints before regulators; and
10. Whether legal advice is needed.

A victim should avoid informal verbal settlements with collectors.

---

XXXV. Prescription and Timeliness

Legal remedies may be subject to prescriptive periods. These vary depending on the offense or cause of action. Victims should act promptly because delay may make evidence harder to obtain, logs may be deleted, phone numbers may be abandoned, and funds may be transferred.

Timely reporting also strengthens the victim’s credibility.

---

XXXVI. Sample Structure of a Written Dispute

A written dispute to a lender should generally contain:

1. Victim’s full name and contact details;
2. Loan account number, if known;
3. Clear statement that the loan is unauthorized;
4. Demand to suspend collection;
5. Demand to stop contacting third parties;
6. Demand for copies of loan documents and audit logs;
7. Demand to preserve all evidence;
8. Demand to correct credit records;
9. Request for investigation results in writing;
10. Reservation of rights; and
11. Attachments showing identity theft or non-receipt of proceeds.

The tone should be firm, factual, and non-admitting.

---

XXXVII. Practical Checklist for Victims

A victim should consider the following steps:

1. Do not panic-pay without documentation;
2. Do not admit the debt in calls or chats;
3. Ask for proof of the loan;
4. Save all collection messages;
5. Take screenshots with dates and sender details;
6. Send a written dispute;
7. Demand suspension of collection;
8. Demand deletion or correction of inaccurate credit records;
9. Request investigation logs and documents;
10. Report harassment;
11. Secure accounts and SIM;
12. Check bank and e-wallet histories;
13. File police or cybercrime reports when appropriate;
14. File regulatory complaints where appropriate;
15. Notify employer if salary deductions are involved;
16. Monitor credit standing;
17. Keep a timeline of events; and
18. Consult a lawyer for major amounts, repeated harassment, or litigation threats.

---

XXXVIII. Practical Checklist for Lenders

A lender receiving an identity theft complaint should:

1. Acknowledge the dispute promptly;
2. Suspend aggressive collection while investigating;
3. Verify the identity of the complainant;
4. Preserve all records and logs;
5. Review the application trail;
6. Check the receiving account;
7. Review agent involvement;
8. Check device and IP history;
9. Provide legally appropriate documents to the complainant;
10. Stop unlawful contact with third parties;
11. Correct credit records if fraud is confirmed;
12. Report internal fraud where appropriate;
13. Discipline employees or agents involved;
14. Improve KYC controls;
15. Notify regulators where required; and
16. Document the resolution.

---

XXXIX. Key Legal Questions in Every Case

The following questions usually determine the outcome:

1. Who submitted the loan application?
2. What documents were used?
3. Was the signature genuine?
4. Was the electronic consent attributable to the victim?
5. What phone number, email, IP address, and device were used?
6. Who received the loan proceeds?
7. Did the victim benefit from the loan?
8. Did the lender verify the applicant properly?
9. Were there red flags?
10. Was the victim’s personal data lawfully processed?
11. Did the lender continue collection after notice of fraud?
12. Was the loan reported to credit databases?
13. Were third parties contacted?
14. Was the victim harassed or defamed?
15. What actual damage was suffered?

---

XL. Conclusion

Identity theft through unauthorized loan processing is not merely a private inconvenience or ordinary debt dispute. It can involve fraud, falsification, cybercrime, unlawful data processing, negligent lending, abusive collection, and serious reputational harm.

In the Philippines, a person generally should not be bound by a loan they did not authorize, sign, receive, benefit from, or ratify. But the victim must act quickly to dispute the loan, preserve evidence, demand documents, report the fraud, secure accounts, and correct credit records.

Lenders and platforms must also take responsibility. Fast digital lending does not excuse weak verification, excessive data collection, unlawful disclosure, or harassment. When personal information is used to create a loan, the lender must be able to prove genuine consent, proper identity verification, lawful data processing, and fair collection.

The most important rule for victims is to respond in writing, preserve proof, avoid admissions, and escalate to the proper authorities when the lender or collector refuses to correct the situation. For lenders, the most important rule is to treat identity theft claims seriously, suspend harmful collection activity, investigate thoroughly, and correct records when fraud is established.