Legal Limits on the “Blacklist” Authority of Online Lending Apps in the Philippines (A doctrinal-cum-practical survey as of 9 June 2025)
1. What “blacklisting” means in Philippine lending practice
In consumer finance, blacklisting is any act by which a lender (a) flags a borrower’s account internally to deny future credit, and/or (b) shares that adverse mark with third parties so that the borrower is barred, shamed, or pressured. The second aspect—disclosure to people outside the lender’s organization—is where most legal problems arise.
2. Sources of law that govern, and limit, blacklisting
| Area | Key statutes / rules | Core limits on online lenders |
|---|---|---|
| Data privacy & confidentiality | • Republic Act (RA) 10173, Data Privacy Act of 2012 (DPA) • NPC Circular 20-01 (Guidelines on Data Sharing) • NPC decisions vs. rogue Online Lending Apps (OLAs)—e.g., “FDS Apps,” “Pondo Peso,” 2020–2024 |
• Processing must be proportionate and based on valid consent or another lawful basis. • It is unlawful to harvest phone contacts and blast them with collection messages. • Only entities listed in the borrower’s consent form, or specifically allowed by law, may receive credit-related personal data. |
| Credit reporting | • RA 9510, Credit Information System Act (CISA) • CIC Rules (Credit Information Corporation) |
• Reporting negative data to the CIC is legal if the lender is an accredited submitting entity and complies with quality and dispute-resolution standards. • Sharing to any private “industry blacklist” outside the CIC (e.g., consortium Google-Sheets) is not authorized. |
| Lending-company licensing | • RA 9474, Lending Company Regulation Act of 2007 (LCRA) • SEC Memorandum Circular (MC) 18-2019 (Registration & Reporting of OLAs) • SEC MC 28-2021 (Enhanced Disclosure & Data Use Rules) |
• Only SEC-licensed lenders may operate apps and must state—in-app—exactly how default data will be used. • SEC can revoke a certificate for “unfair collection or unfair disclosure.” |
| Financial-consumer protection | • RA 11765, Financial Products and Services Consumer Protection Act (FCPA) 2022 • BSP Circular 1160-2023 (FCP Regulations) |
• “Harassing or humiliating debtors” and “disclosing debts to persons other than the borrower” are per se unfair conduct. • BSP/SEC may fine up to PHP 2 million per transaction and impose restitution. |
| Civil & criminal exposure | • Art. 26 and Art. 32, Civil Code (privacy & damages) • Art. 365, Revised Penal Code (criminal negligence in data leaks) • RA 8792 (E-Commerce Act) §33(a) (unauthorized access) • RA 10175 (Cybercrime Prevention Act) – libel/harassment online |
• A borrower may sue for actual, moral, and exemplary damages. • Officers may face cyber-libel charges for “shame posts” or forced social-media disclosures. |
3. What an online lender can lawfully do
- Internal risk flagging – Mark a borrower’s account as “no further credit,” provided the information stays inside the company or is reported only to the CIC.
- Report to the Credit Information Corporation – This is expressly allowed by RA 9510. Borrowers are entitled to see and dispute their report within 30 days.
- Pursue civil collection – File a case or refer the account to a duly registered collection agency. Agencies must observe the same privacy rules.
4. What an online lender cannot do (and cases showing the line)**
| Prohibited act | Why illegal | Illustrative enforcement (year) |
|---|---|---|
| Uploading a “delinquent list” to a public Facebook page (“name-and-shame”) | No lawful basis under DPA; criminal libel | NPC CCO-21-056 (2021): PHP 750 k fine + cease-and-desist order |
| Sending group SMS to all numbers in borrower’s phonebook (“Tell X to pay”) | Absence of informed, specific consent; excessive data processing | NPC CCO-22-014 (2022): OLA ordered to delete entire contact database |
| Sharing a private “industry blacklist” spreadsheet among five sister apps | Not among CIC-sanctioned exchanges; possible anti-competitive collusion | SEC Show-Cause letters, January 2024; three apps delisted |
| Refusing to delete adverse data long after the loan is paid | DPA “storage limitation” principle; CIC’s 3-year retention cap for fully settled debt | NPC opinion, March 2023 – data must be purged or anonymized after lawful retention period |
Note: NPC dispositions are administrative; criminal prosecution may still proceed.
5. Interaction with the Philippine Competition Act (PCA)
A cartel-type shared blacklist may constitute an agreement that prevents, restricts, or lessens competition under RA 10667. The Philippine Competition Commission has not yet imposed fines specific to OLAs, but it has issued Compliance Advisories (2024) warning fintech clusters that collaborative refusal to lend is “concerted refusal to deal.”
6. Due-process expectations when reporting to the Credit Information Corp.
Under CISA and the CIC’s 2023 Revised Implementing Rules:
- Pre-report notice – A lender must inform the borrower that the negative data will be sent to the CIC not less than 30 days before submission.
- Right to dispute – The borrower may file a dispute with the CIC; the lender must resolve within 15 working days (or it becomes a “no-fault” correction).
- Escalation – Unresolved disputes go to the CIC Adjudication Office; decisions are appealable to the SEC, then the Court of Appeals.
Failure to give due-process notice can void the report and expose the lender to up to PHP 1 million per violation plus suspension of CIC accreditation.
7. Remedies for aggrieved borrowers
| Remedy | Forum | Prescriptive period |
|---|---|---|
| Data Privacy Complaint | National Privacy Commission | 1 year from discovery of violation |
| FCPA administrative complaint | BSP (if the lender is a bank or EMI) or SEC (if lending company) | 2 years |
| Civil suit for damages | RTB/MTC depending on amount | 4 years (quasi-delict) |
| Criminal complaint (e.g., cyber-libel, DPA offenses) | Office of the City/Provincial Prosecutor | 10 years (cyber-libel), 3 years (libel) |
A successful DPA complaint may award damages in the same NPC decision.
8. Compliance checklist for online lending apps
- Map data flows – Identify every point where default information exits the app.
- Use a layered privacy notice – A concise in-app banner plus a full PDF.
- Obtain separate, granular consent for contact scraping (if at all needed)—and be prepared to operate even if the borrower refuses.
- Limit disclosure channels to the CIC, accredited collection agencies, and lawyers under privilege.
- Adopt a documented deletion schedule (e.g., purge seven years after loan closure or three years after full payment, whichever is earlier).
- Run a “blast test” – Simulate collection templates; anything that could embarrass a borrower if seen by a third party likely violates the FCPA.
- Train staff and third-party collectors annually; keep proof of completion.
9. Emerging policy debates (2025-onward)
- Central Digital Debt Registry – Bills in the 19th Congress propose folding OLA data into a real-time registry at the BSP, which may supersede private blacklists altogether.
- Right to be Forgotten – Advocates argue that once a small-ticket loan (≤ PHP 15 k) is paid, the data should auto-expire after one year.
- AI-driven risk pooling – Start-ups offer probabilistic scoring derived from telco metadata. Regulators warn that opaque AI models may re-create de-facto blacklists without explicit borrower identification, sidestepping current rules.
10. Conclusion
An online lender may mark a borrower as risky internally and may report legitimate defaults to the Credit Information Corporation—and nowhere else. Any broader “blacklist” that publicly or semi-privately tags a person as delinquent without due process, lawful basis, and proportionality runs afoul of the Data Privacy Act, the Financial-Consumer Protection Act, SEC and BSP circulars, and even the Competition Act.
With fines now topping PHP 2 million per breach—and personal criminal liability for directors—compliance is no longer optional. The safest (and most commercially rational) path is to treat blacklisting not as a publicity weapon but as a narrow, regulated credit-reporting function, with clear notice, an avenue to contest, and strict data-retention limits.
This article is for informational purposes only and does not constitute legal advice. For case-specific guidance, consult Philippine counsel.