Yes. In the Philippines, an online lending company, financing company, collection agency, or collector may be punished for using threatening, shaming, abusive, or harassing messages to collect a debt. The borrower may still owe a valid loan, but the lender does not gain the right to threaten arrest, shame the borrower in group chats, contact random phone contacts, post IDs or photos, use insults, or pretend to take legal action it cannot lawfully take. The legal remedy depends on what happened: SEC administrative complaint, NPC data privacy complaint, criminal complaint, civil action for damages, or a combination of these.
The basic rule: collecting a debt is allowed, harassment is not
A lender may remind a borrower about payment, send a statement of account, offer restructuring, endorse the account to a legitimate collection agency, or file a proper civil case.
What it cannot do is use collection methods that violate law, privacy, dignity, or public order.
Common abusive online lending practices include:
- Sending messages like “ipapakulong ka namin bukas” even when no criminal case exists
- Calling the borrower a “scammer,” “magnanakaw,” or “estafador” in a group chat
- Sending the borrower’s photo, government ID, or loan details to relatives, officemates, or Facebook friends
- Threatening to post the borrower online
- Calling or messaging the borrower’s employer to embarrass them
- Contacting people from the borrower’s phone contacts who are not guarantors or co-makers
- Using fake “law office,” “court,” “barangay,” or “police” notices
- Calling repeatedly at unreasonable hours
- Using profanity, sexual insults, or threats of violence
The Securities and Exchange Commission’s SEC Memorandum Circular No. 18, Series of 2019 expressly recognizes that financing companies, lending companies, and their third-party service providers may collect only through reasonable and legally permissible means, and must observe good faith and reasonable conduct. The same circular lists prohibited unfair debt collection practices, including threats of violence or criminal means, threats to take action that cannot legally be taken, insults or profane language, unauthorized disclosure of borrower information, deceptive means, unreasonable contact times, and contacting persons in the borrower’s contact list other than guarantors or co-makers.
Which Philippine laws may apply?
Several laws may apply at the same time. The same abusive message can be an SEC violation, a data privacy violation, and possibly a criminal offense.
| Conduct by lender or collector | Possible legal consequence |
|---|---|
| Threatening violence, harm, arrest, or illegal action | SEC unfair collection practice; possible Revised Penal Code offense |
| Posting borrower’s photo, ID, debt details, or insults online | Data Privacy Act violation; possible cyberlibel; possible civil damages |
| Messaging relatives, friends, officemates, or contacts who are not guarantors | SEC violation; Data Privacy Act violation |
| Calling the borrower “scammer” or “thief” in a group chat or public post | Possible libel or cyberlibel if the legal elements are present |
| Using fake court, police, NBI, barangay, or law office notices | SEC violation; possible criminal liability depending on facts |
| Repeated abusive calls or messages meant to disturb or shame | Possible unjust vexation or other criminal complaint |
| Accessing or harvesting phone contacts beyond what is necessary | Data Privacy Act violation; NPC complaint |
SEC rules on unfair debt collection by lending and financing companies
Online lending platforms in the Philippines are usually operated by lending companies or financing companies regulated by the SEC under laws such as the Lending Company Regulation Act of 2007, Republic Act No. 9474, and the Financing Company Act. RA 9474 declares a policy to regulate lending companies and prevent practices prejudicial to public interest. (Lawphil)
Under SEC Memorandum Circular No. 18, Series of 2019, the following are unfair collection practices when done by financing companies, lending companies, or their third-party collection service providers:
- Using or threatening violence or other criminal means to harm a person, reputation, or property
- Threatening to take an action that cannot legally be taken
- Using obscenities, insults, or profane language when the natural consequence is to abuse the borrower or when it amounts to a criminal act
- Disclosing or publishing the names and personal information of borrowers who allegedly refuse to pay, except in limited lawful situations
- Communicating or threatening to communicate false loan information, including failure to state that a debt is disputed
- Using false representation or deceptive means to collect
- Making contact at unreasonable or inconvenient times
- Contacting persons in the borrower’s contact list other than those named as guarantors or co-makers
The circular also states that the lending or financing company remains ultimately responsible even if it uses a third-party collection agency. In practice, this matters because many online lending apps try to blame “outside collectors.” SEC rules do not allow a company to avoid responsibility simply by outsourcing collection.
SEC penalties
For violations of SEC MC 18, the SEC may impose administrative penalties. The circular provides fines of ₱25,000 for the first offense and ₱50,000 for the second offense for lending companies; ₱50,000 for the first offense and ₱100,000 for the second offense for financing companies. For a third offense, depending on the facts and gravity, the SEC may impose a fine of up to ₱1,000,000, suspend lending or financing activities for up to 60 days, or revoke the company’s certificate of authority.
These SEC penalties are separate from criminal, civil, or data privacy penalties that may be imposed by courts or other agencies.
Data privacy violations: when online lending apps use your contacts, photo, ID, or loan details
Many online lending harassment cases are also privacy cases. The Data Privacy Act of 2012, Republic Act No. 10173, protects personal information in government and private information systems and created the National Privacy Commission. (National Privacy Commission)
The NPC issued specific rules for loan-related transactions. NPC Circular No. 20-01 provides that lending companies, financing companies, and similar persons must limit the personal data they collect to what is adequate, relevant, suitable, necessary, and not excessive. It also prohibits unnecessary app permissions involving personal and sensitive personal information.
For online lending apps, the NPC rules are especially important because abusive lenders often use phone permissions to pressure borrowers. NPC Circular No. 20-01 states that a borrower’s photo must not be used to harass or embarrass the borrower for collection, and that access to phone contacts, email lists, or social media contacts for debt collection or harassment is prohibited.
A 2026 public advisory by the DICT, NPC, and SEC reiterated that unnecessary processing of personal data through mobile apps is prohibited; unauthorized, excessive, or disproportionate processing of contact lists is prohibited; and contacting persons in the borrower’s contact list other than guarantors is prohibited. The advisory also states that for debt collection, lending companies and financing companies may only contact the guarantor, and that a person is a guarantor only if they consented to be one.
This means a lender cannot justify contacting your entire phonebook by saying, “You gave app permission.” Consent obtained through confusing screens, pre-ticked boxes, forced permissions, or deceptive app design may be questioned. The 2026 advisory warns that deceptive design patterns may undermine data privacy principles and may invalidate consent.
Criminal liability: when collection messages become a crime
Not every rude message is automatically a criminal case. But certain collection tactics may fall under the Revised Penal Code, Cybercrime Prevention Act, or special laws.
Grave threats, light threats, and unjust vexation
Under Article 282 of the Revised Penal Code, grave threats involve threatening another person with harm to the person, honor, or property of that person or their family, where the threatened harm amounts to a crime. Article 283 punishes light threats, and Article 287 covers unjust vexations and other coercive acts. (Supreme Court E-Library)
Examples that may justify a criminal complaint include:
- “Ipapapatay ka namin kapag hindi ka nagbayad.”
- “Pupuntahan ka namin sa bahay at sisirain namin gamit mo.”
- “Ipapahiya ka namin sa lahat ng contacts mo.”
- “Bayad ka ngayon or ipopost namin mukha mo as scammer.”
The exact charge depends on the words used, the surrounding facts, whether there was a demand or condition, whether the threat involved a crime, and whether the messages were repeated.
Cyberlibel and defamatory posts
If the lender or collector publicly posts or sends to a group chat statements that falsely impute a crime, vice, defect, or dishonorable act to the borrower, the conduct may amount to libel or cyberlibel, depending on the medium and facts.
The Supreme Court in Disini v. Secretary of Justice explained that online libel under RA 10175 is not a completely new crime; it applies the Revised Penal Code’s libel provisions to communications through a computer system or similar means. The Court also discussed the usual elements of libel: a defamatory imputation, publication, identification of the person defamed, and malice. (Supreme Court E-Library)
Examples that may raise cyberlibel issues include:
- Posting the borrower’s face on Facebook with “scammer ito”
- Sending a borrower’s ID to an office group chat with “magnanakaw”
- Creating a fake “wanted” poster and circulating it online
- Posting that the borrower committed estafa when no such case exists
A private one-on-one insult may not always be libel because libel requires publication to a third person. But it may still support other complaints, such as unjust vexation, threats, SEC unfair collection, or data privacy violations.
Cybercrime law may increase penalties
Republic Act No. 10175, the Cybercrime Prevention Act of 2012, covers cybercrime offenses and also treats crimes under the Revised Penal Code and special laws as cyber-related when committed through information and communication technologies. (Lawphil)
This matters because many online lending abuses happen through SMS, Messenger, Viber, WhatsApp, Telegram, email, Facebook posts, app notifications, or automated call systems.
Can you be jailed just because you cannot pay an online loan?
No person may be imprisoned for debt under Article III, Section 20 of the 1987 Philippine Constitution. (Supreme Court E-Library)
This is one of the most important points for borrowers. Failure to pay an ordinary loan is generally a civil matter. A lender may demand payment, charge lawful interest and penalties, report to proper credit channels if allowed by law, or file a civil collection case.
But the lender should not say “automatic jail,” “may warrant ka na,” or “pupulutin ka ng pulis bukas” simply because the loan is unpaid.
There are exceptions where criminal liability may arise from separate acts, not from mere inability to pay. Examples include using fake identity documents, committing fraud from the beginning, issuing bouncing checks, identity theft, or other criminal conduct. But a collector cannot invent a criminal case just to scare a borrower into paying.
What borrowers should do when they receive threatening or shaming messages
1. Preserve evidence immediately
Do this before blocking, uninstalling the app, or deleting messages.
Save:
- Screenshots showing the full message, sender name or number, date, and time
- Screen recordings showing the account profile and message thread
- URLs of posts, profiles, comments, or group chats
- Call logs showing repeated calls and times
- Copies of emails and SMS messages
- Photos or screenshots of fake notices, fake demand letters, or fake court documents
- Names and numbers of collectors
- App name, developer name, website, privacy policy, and loan contract
- Proof of payment, receipts, and statement of account
- Messages sent to your relatives, employer, references, or contacts
Avoid secretly recording phone calls without understanding the Anti-Wiretapping Act, Republic Act No. 4200. In many cases, screenshots, call logs, written messages, affidavits from witnesses, and the actual device are safer evidence.
2. Identify the lender, not just the app name
Many lending apps use brand names different from the SEC-registered company name.
Look for:
- SEC registration name
- Certificate of Authority number
- App developer name
- Website and privacy notice
- Disclosure statement
- Loan agreement
- Collection agency name
- Payment account name
The SEC maintains public services and an i-Message ticketing platform for complaints and inquiries. The SEC i-Message page describes the system as a platform for public inquiries, complaints, incidents, and requests, and provides a way to open and track tickets. (imessage.sec.gov.ph)
3. Send a written objection or privacy request when appropriate
For privacy complaints, it is often important to show that you informed the company in writing and gave it a chance to act.
A practical written message can say:
- You dispute the abusive collection method
- You demand that they stop contacting non-guarantor contacts
- You demand deletion or blocking of improperly collected contacts, photos, and personal data
- You request the company’s Data Protection Officer contact details
- You request a proper statement of account
- You reserve your right to file complaints with the SEC, NPC, and law enforcement
The NPC’s complaint rules require “exhaustion of remedies” in many cases, meaning the complainant must show that the respondent was informed in writing of the privacy violation or breach and failed to take timely or appropriate action, or did not respond within 15 calendar days from receipt. (National Privacy Commission)
4. File an SEC complaint for unfair debt collection
An SEC complaint is appropriate when the abusive party is a lending company, financing company, online lending platform, or collection service provider acting for them.
Attach:
- Complaint narrative
- Screenshots and links
- Loan documents
- Proof of payment, if any
- Details of the app and company
- Names and numbers of collectors
- Evidence that contacts, employer, relatives, or friends were contacted
- Affidavits or written statements from affected contacts, if available
The SEC route is especially useful when the goal is regulatory action: fines, suspension, revocation, or orders affecting the company’s authority to operate.
5. File an NPC complaint for misuse of personal data
An NPC complaint is appropriate when the lender used your personal information, contacts, photos, ID, employment details, social media profile, or loan information without lawful basis or beyond what was necessary.
The NPC says a complaint may be filed by the affected data subject, an authorized representative with a special power of attorney, or the NPC on its own initiative. A complaint is generally filed using a filled-out and notarized complaint-assisted form or verified complaint, with evidence and witness affidavits, submitted personally, by registered mail, by courier, or by electronic mail as authorized by the Commission. (National Privacy Commission)
The NPC states that its Complaints and Investigation Division has 30 calendar days from receipt to give due course to or dismiss a complaint without prejudice, and that the process up to final adjudication may take about 10 to 12 months. If there is an application for a temporary ban on processing personal data, that request may involve a faster summary process, often one to two weeks after filing the request. (National Privacy Commission)
6. File a criminal complaint for threats, cyberlibel, or harassment
For serious threats, public shaming, fake legal notices, or repeated abusive messages, a criminal complaint may be filed with law enforcement or the prosecutor’s office.
Possible offices include:
- Nearest police station for immediate threats or blotter
- PNP Anti-Cybercrime Group or regional cybercrime units
- NBI Cybercrime Division
- Office of the City or Provincial Prosecutor
The NBI Citizen’s Charter for victims of computer crimes identifies the Cybercrime Division as the relevant office, states that the general public may avail of investigative assistance, and lists steps such as filing a complaint, undergoing preliminary interview and investigation, executing sworn statements, submitting affidavits, and providing supporting documents. It also indicates no listed fee for the listed investigative assistance process and an initial processing time of about 1 hour and 10 minutes for the listed frontline steps. (National Bureau of Investigation)
In practice, criminal complaints often require:
- Valid government ID
- Complaint-affidavit
- Printed screenshots and digital copies
- Device used to receive messages, if requested
- URLs and account details
- Witness affidavits from contacts who received messages
- Proof that the account or number is connected to the lender or collector
- Loan agreement and payment records
After investigation, the matter may proceed to preliminary investigation before the prosecutor. If the prosecutor finds probable cause, an information may be filed in court.
Documents and evidence checklist
| Purpose | Useful documents |
|---|---|
| SEC complaint | Screenshots, app name, SEC company name, loan agreement, collection messages, proof that contacts were messaged |
| NPC complaint | Notarized complaint-assisted form or verified complaint, evidence, witness affidavits, written notice to company, proof of 15-day non-response or inadequate response |
| Criminal complaint | Complaint-affidavit, IDs, screenshots, URLs, sender numbers, device, witness affidavits, proof of publication or threats |
| Civil damages claim | Evidence of defamatory posts, emotional distress, reputational harm, lost work opportunity, medical records if relevant, witness statements |
| For OFWs or complainants abroad | Consularized or apostilled affidavits when required, special power of attorney for a representative, copies of passport/ID, overseas contact details |
Special issues for OFWs, foreigners, and people outside the Philippines
Foreigners and Filipinos abroad can still be affected by Philippine online lending harassment, especially if the app, lender, borrower, contacts, or data processing is connected to the Philippines.
Practical issues include:
- Notarization: Philippine agencies and prosecutors usually prefer notarized affidavits. If signed abroad, documents may need acknowledgment before a Philippine Embassy or Consulate, or notarization abroad followed by apostille if the country is part of the Apostille Convention.
- Representative filing: A trusted person in the Philippines may need a Special Power of Attorney, especially for NPC complaints or follow-ups.
- Personal appearance: Criminal complaints may require coordination with law enforcement or prosecutors, and the complainant may later be asked to affirm statements.
- Evidence from contacts in the Philippines: If relatives, coworkers, or friends in the Philippines received shaming messages, their affidavits can be very helpful.
- Data privacy rights: The focus is not nationality but whether personal data was processed unlawfully by covered persons or in a Philippine-connected transaction.
Common mistakes that weaken complaints
Deleting the app too early
Uninstalling the app may delete messages, permissions, loan details, or account records. Preserve evidence first.
Paying through unofficial channels
Some collectors pressure borrowers to send payment to personal GCash, Maya, or bank accounts. Ask for the registered company’s official payment channel and keep receipts.
Ignoring the debt completely
Harassment is unlawful, but the loan may still be valid. Ask for a statement of account, dispute unlawful charges in writing, and keep proof of all communications.
Posting back in anger
Borrowers sometimes respond by posting the collector’s photo, number, or insults online. This can create a separate defamation or privacy issue. Preserve evidence and use formal remedies instead.
Assuming every threat is automatically cyberlibel
Cyberlibel requires specific elements, including publication to a third person and a defamatory imputation. A private abusive message may be punishable under other rules, but not every insult is cyberlibel.
Forgetting the 15-day written notice for NPC complaints
For many NPC complaints, proof that you informed the respondent in writing and gave them a chance to address the violation is important. The NPC specifically mentions this exhaustion of remedies requirement. (National Privacy Commission)
Frequently Asked Questions
Is it illegal for an online lending company to threaten me through text or chat?
Yes, if the message contains threats of violence, illegal action, reputational harm, fake arrest, or other unlawful pressure. It may be an SEC unfair debt collection practice and may also support a criminal complaint depending on the wording and facts.
Can an online lending app contact my phone contacts?
Generally, it should not contact people from your phone contacts for debt collection unless they are proper guarantors or co-makers, and current government guidance says lending companies may only contact the guarantor for debt collection. Randomly contacting relatives, friends, coworkers, or phonebook entries can be an SEC and data privacy issue.
Can they post my picture or ID online if I do not pay?
No. Using a borrower’s photo, ID, or personal details to shame or pressure payment may violate SEC rules, the Data Privacy Act, and possibly criminal laws on cyberlibel or unjust vexation depending on how it was done. NPC rules specifically say a borrower’s photo must not be used to harass or embarrass the borrower to collect a delinquent loan.
Can I go to jail for not paying an online loan?
Not for mere nonpayment of debt. The Constitution says no person shall be imprisoned for debt. However, separate criminal acts such as fraud, identity theft, or issuing a bouncing check may create criminal liability. (Supreme Court E-Library)
Where should I report online lending harassment?
Use the SEC for unfair debt collection by lending or financing companies, the NPC for misuse of personal data, and law enforcement such as the PNP or NBI for threats, cyberlibel, fake legal notices, or serious harassment. Some cases justify filing with more than one office because the violations are different.
What evidence do I need before filing a complaint?
Keep screenshots, URLs, sender numbers, call logs, loan documents, receipts, proof of app permissions, company details, and witness statements from contacts who received messages. For public posts or group chats, capture the post, date, group name, URL, and comments showing publication.
What if the online lending company is not SEC-registered?
An unregistered lender may create additional regulatory issues. Still preserve evidence and report to the SEC. If there are threats, public shaming, or data misuse, the fact that the operator is unregistered does not prevent NPC or criminal remedies.
Can my relatives or officemates file a complaint if they were harassed?
Yes, especially for data privacy concerns. A person whose own personal information was misused or who received harassing messages may have a separate complaint. The NPC allows data subjects affected by a privacy violation or personal data breach to file complaints. (National Privacy Commission)
Can I file SEC, NPC, and criminal complaints at the same time?
Yes, when the facts support different violations. SEC handles unfair collection practices; NPC handles personal data misuse; law enforcement and prosecutors handle crimes. These remedies address different legal wrongs.
Key Takeaways
- Online lending companies may collect valid debts, but they cannot threaten, shame, harass, deceive, or misuse personal data.
- SEC Memorandum Circular No. 18, Series of 2019 prohibits unfair debt collection practices by lending and financing companies and their third-party collectors.
- Contacting random phone contacts, posting borrower information, or using photos and IDs for shaming can violate the Data Privacy Act and NPC rules.
- Serious threats, public defamatory posts, fake legal notices, or repeated abusive messages may support criminal complaints under the Revised Penal Code and Cybercrime Prevention Act.
- Nonpayment of an ordinary debt does not automatically mean jail; the Constitution prohibits imprisonment for debt.
- Preserve screenshots, URLs, call logs, loan documents, receipts, and witness statements before deleting messages or uninstalling the app.
- The proper remedy may involve the SEC, NPC, PNP, NBI, prosecutor’s office, or civil courts, depending on the facts.