Illegal Collection Practices by Lending Apps in the Philippines A practitioner-oriented legal overview (June 2025)
Executive summary
The surge of mobile “salary-loan” and “quick-cash” applications in the Philippines has been accompanied by a spike in abusive collection tactics—threats, doxxing, social-media shaming, and unauthorized scraping of a borrower’s contact list. Philippine law already prohibits these practices, but enforcement is spread across several regulators (SEC, BSP, NPC, DTI, PNP-ACG) and a patchwork of statutes. This article pieces those rules together and explains:
- what exactly counts as an illegal collection act;
- which laws, circulars, and regulators apply;
- the civil, administrative, and criminal penalties now being imposed; and
- concrete defensive steps open to borrowers and compliance measures required of lenders.
(This material is for education only; always obtain formal legal advice on a live case.)
1. Regulatory map
| Regulator | Core mandate | Key issuances covering online lending & collection |
|---|---|---|
| Securities and Exchange Commission (SEC) | Licensing of lending/financing companies; unfair debt-collection policing | Lending Company Regulation Act (RA 9474); SEC Memorandum Circular (MC) No. 18-2019 (registration of online lending platforms); MC 19-2019 (minimum capital & fines); MC 10-2021 (complaint handling & reporting); cease-and-desist orders (CDOs) 2020-2025 |
| Bangko Sentral ng Pilipinas (BSP) | Prudential supervision of banks/EMIs; consumer protection over “credit-granting entities” | Financial Products and Services Consumer Protection Act (RA 11765, 2022) + BSP Circular 1160-2023 (FCP rules); interest-rate cap under BSP Memorandum M-2010-010 (as amended) |
| National Privacy Commission (NPC) | Enforcement of Data Privacy Act (RA 10173) | NPC Circular 20-01 (Guidelines on Processing Personal Data for Loan-Related Transactions); various orders vs. doxxing/shaming 2019-2024 |
| Department of Trade and Industry (DTI) | Deceptive sales practices | Consumer Act (RA 7394) |
| Philippine National Police – Anti-Cybercrime Group (PNP-ACG) | Criminal investigation | Cybercrime Prevention Act (RA 10175); Revised Penal Code (RPC) |
| Courts | Civil/criminal jurisdiction | Civil Code Art. 19-21 (abuse of rights), Art. 32 (constitutional rights), Art. 2176 (quasi-delict) |
2. Statutory anchors
- RA 9474 (Lending Company Regulation Act, 2007) Section 7 outlaws “unfair collection practices such as, but not limited to, harassment or abuse, falsification, or misleading representations.” Violations trigger fines (₱10,000-50,000 per act) and imprisonment (6 months-10 years).
- RA 11765 (Financial Products and Services Consumer Protection Act, 2022) Codifies fair treatment as a right and empowers BSP/SEC to issue Administrative Sanctions up to ₱2 million per day for continuing violations, plus restitution and disgorgement.
- Data Privacy Act (RA 10173, 2012) Unauthorized scraping or disclosure of contacts/photos is processing without consent (Sections 11 & 12) and may amount to unauthorized disclosure (Section 32) punishable by up to 3 years’ imprisonment and ₱1 million fine.
- Truth in Lending Act (RA 3765, 1963) & BSP Circular 730-2001 Mandate clear disclosure of effective interest; hidden “penalty handling fees” are deceptive and void.
- Cybercrime Prevention Act (RA 10175, 2012) + RPC arts. 355, 282, 287 • Online shaming = libel; • Threatening bodily harm = grave threats; • Persistent harassment texts/calls = unjust vexation.
3. What counts as illegal collection?
Philippine rules borrow heavily from U.S. FDCPA principles but add data-privacy elements. Below are the most litigated acts (all presumptively illegal when done by a lending app or its third-party collector):
| Category | Typical conduct seen in PH apps | Legal hooks violated |
|---|---|---|
| Harassment & intimidation | Repeated profane calls, midnight SMS, death threats, use of police badges in profile photos | RA 9474 §7; RA 11765 §§4-6; RPC arts. 282, 287 |
| Shaming / “doxxing” | Mass-texting debtor’s contacts (“Si Ana balasubas!”), posting pictures on Facebook “wanted” pages | DPA §32; Cyber-libel (RA 10175 §4(c)(4)); SEC MC 10-2021 Part IV |
| Contacting third parties without consent | Calling employer HR to demand salary deduction; messaging parents | DPA §12; NPC Circular 20-01 §4(b); possible unfair labor practice |
| False representation | Saying “case filed” when none exists; impersonating a field sheriff | RPC art. 177 (usurpation of authority); SEC MC 10-2021 §5(b) |
| Unreasonable disclosure requests | Forcing access to photo gallery, real-time GPS, or social-media log-ins | DPA §§11-13 (data minimization, proportionality) |
| Excessive interest / undisclosed charges | Stating 0% in ads, then compounding 1.5% per day + ₱300 “processing” on collection day | Truth-in-Lending (RA 3765); BSP Memo on interest caps |
| Collection after 10 p.m. / on Sundays | Auto-dialer bursts at 11:30 p.m. | While no statute fixes hours, SEC and NPC treat it as harassment under RA 9474 / DPA |
4. Enforcement snapshot (2019-2025)
| Year | Regulator action | Highlight |
|---|---|---|
| 2019 | SEC CDO vs. “Cashlend,” “Pautang Peso,” 38 others | First crackdown—apps delisted from Play Store; directors black-listed |
| 2020 | NPC order vs. Fynamics Lending | ₱4 million fine for scraping 18,000 contact lists; ordered to delete data |
| 2021 | SEC MC 10 | Mandatory in-app “Complaint” button; 72-hour reply rule |
| 2022 | RA 11765 signed | Gave SEC/BSP power to slap daily penalties & issue asset freezes |
| 2023 | BSP Circular 1160 | Explicitly extends FCP rules to “non-bank credit providers making digital loans” |
| 2024 | Joint SEC-NPC task force | “Ops Harabas” raid on a Makati call-center–style collector; 53 laptops seized, 12 arrests for grave threats |
(Actual cases are public record; details simplified for brevity.)
5. Borrower remedies and strategy
- Document everything – screenshots, call logs, recordings (allowed under the “one-party consent” rule in PH if you are party to the call).
- Send a Data Privacy Demand to the app invoking NPC Circular 20-01; request: cessation of processing, erasure, and accounting of disclosures.
- File administrative complaints: SEC – unfair collection and unregistered operations (use Form OLP-1 + ₱1k filing fee); NPC – data-privacy breaches (online portal “CMS”); BSP (if the lender is a supervised entity) – within 15 days from lapse of internal mediation.
- Criminal avenues – Swear a complaint-affidavit before the PNP-ACG or NBI-CCD; include digital evidence hash-sealed.
- Civil suit for damages – Art. 32 or 19-21 (abuse of rights) lets you seek: ₱50k nominal; ₱100k+ moral (psych stress); plus exemplary if malice proven.
- Debt restructuring or conciliation – Through barangay Lupon only if parties reside in same city/municipality (Katarungang Pambarangay Law).
6. Compliance checklist for lending-app operators
| Area | Minimum requirements (2025 baseline) |
|---|---|
| Corporate license | SEC primary license (financing/lending) + secondary “OLP Certificate” renewed annually |
| Disclosure | Full APR, tenor, fees on first screen (SEC MC 10 Annex B) |
| Data privacy | Privacy notice in Filipino & English; collect only: name, ID, selfie, proof of income; no phone-book scraping unless separate opt-in that meets DPA §12(c) “consent must be freely given, specific, informed” |
| Third-party collectors | Written service-level agreement; collectors must use official email/domain; joint liability under RA 11765 §61 |
| Collection conduct SOP | No profanity, threats, or contact with third parties; calls only 7 a.m.–9 p.m.; maintain call logs; monthly compliance report to SEC |
| Record retention & deletion | Retain only 3 years after loan closure; automatic wipe of contact lists once paid off |
| Interest & charges | Keep effective interest ≤ 6% per month (BSP memo cap for loans ≤ ₱10k/≤4 months); clearly separate penalties from interest |
7. Emerging issues
- AI-driven credit scoring – SEC is drafting a circular to require explainability for algorithmic denials by 2026.
- Cross-border collectors – Increasing use of call centers in Shenzhen and Cambodia raises jurisdictional problems; DOJ-ICPO “red-notice” route has been tested only once (2024).
- Regulatory harmonization – Senate Bill 2360 seeks to consolidate SEC and BSP consumer-protection desks into a single Financial Consumer Ombudsman with subpoena powers.
- Digital rehabilitation – Draft House Bill proposes a “Micro-debtor Rescue Act” allowing debt relief for aggregate digital loans ≤ ₱250k via court-approved plan.
8. Conclusion
Abusive in-app collectors now face a constellation of liabilities: SEC revocation, NPC privacy fines, BSP daily penalties, and even jail time for harassment-based crimes. Borrowers are no longer powerless—digital evidence is admissible, and regulators actively coordinate raids and take-downs. Still, prevention is best accomplished through compliance-by-design: transparent pricing, data minimization, and a strictly professional collector script. Lenders who embed these principles early avoid both reputational ruin and the rapidly escalating penalty regime of RA 11765.
Prepared by: [Your Name], Philippine lawyer/consultant. Updated: 9 June 2025 – Manila.