Lending App Harassment and Privacy Violation in the Philippines (updated 15 May 2025)
1 Why the issue matters
The boom of “instant-cash” mobile lending apps has made small, short-term credit accessible to millions of Filipinos, but it also produced a flood of complaints: debt-shaming group chats, threats of arrest, and collectors blasting a borrower’s entire phonebook. Regulators now treat these tactics not only as abusive debt-collection but as data-privacy crimes and consumer-protection violations. (Credit Information Corporation, ABS-CBN)
2 What counts as harassment or a privacy breach?
Under SEC Memorandum Circular No. 18-2019 an unfair collection practice includes, among others:
- using obscenities, profanities or threats;
- publicly posting or broadcasting the debtor’s personal data;
- contacting any person in the borrower’s contact list other than named guarantors or co-makers, even if the borrower consented when installing the app;
- misrepresenting authority (e.g., pretending to be a lawyer, police or court). (ADB Law and Policy Reform, UnionBank GlobalLinker)
Harvesting an entire address-book just to chase a ₱3 000 payday loan violates the Data Privacy Act principles of transparency, legitimate purpose, and proportionality and can trigger cease-and-desist orders from the National Privacy Commission (NPC). (Lawphil, National Privacy Commission)
3 Statutory & regulatory framework
| Instrument | Key points for lending apps |
|---|---|
| Republic Act 9474 (Lending Company Regulation Act of 2007) | Requires a Certificate of Authority from the SEC and obedience to “ethical, transparent” practices, with fines or licence revocation for violators. (eLibrary) |
| SEC MC 18-2019 | Enumerates prohibited collection acts and sets a fine ladder (₱25 000 – ₱1 million) plus suspension or revocation at the 3rd offence. (Credit Information Corporation) |
| Republic Act 10173 (Data Privacy Act of 2012) | Criminalises unauthorised disclosure, malicious or negligent misuse of personal data (up to 7 years’ imprisonment / ₱5 million per act). NPC may ban processing and order takedown of an app. (Lawphil, National Privacy Commission) |
| NPC Decisions (e.g., JuanHand, Pesopop) | Confirm that mass texts to contacts and scraping of photos are unlawful; companies were ordered to stop processing and delete data. (National Privacy Commission, National Privacy Commission) |
| Republic Act 11765 (Financial Products and Services Consumer Protection Act 2022) | Elevates abusive collection to a consumer-protection breach; empowers SEC, BSP, IC & CDA to adjudicate and impose restitution, disgorgement, and fines up to 3 % of income. (Lawphil, Lawphil) |
| BSP Circular 1169 (2023) | Gives borrowers of banks & e-money lenders a one-stop complaints channel (BSP-CAM) and free adjudication; lenders must resolve within 15 days or face sanctions. (Bangko Sentral ng Pilipinas) |
| Republic Act 10175 (Cyber-crime) & Art. 355 RPC | “Cyber-libel” covers defamatory group-messages or posts by collectors. (Lawphil) |
| RA 11313 (Safe Spaces Act 2019) | Gender-based online harassment (e.g., sexualised threats) is punishable even when disguised as debt-collection. (Lawphil) |
| Civil Code, Arts. 19, 26, 32, 33 | Authorise suits for moral & exemplary damages for privacy intrusion, intimidation or humiliation. |
4 Administrative remedies
Securities and Exchange Commission (SEC)
- File a complaint (online or walk-in); include screenshots, call-logs, app name and Google Play link.
- SEC can issue a Cease-and-Desist Order (CDO), fine, suspend or revoke the Certificate of Authority, and request Google/Apple to delist the app (33 apps delisted in 2023; 19 firms shut down earlier). (ABS-CBN, Credit Information Corporation)
National Privacy Commission (NPC)
- File an Affidavit-Complaint within two years of discovery.
- NPC may order an immediate takedown, levy fines, or refer the case for criminal prosecution. (National Privacy Commission)
Bangko Sentral ng Pilipinas (BSP)
- For banks and EMI firms, lodge a ticket at BSP-CAM; unresolved cases go to mediation or adjudication under RA 11765 and Circular 1169. (Bangko Sentral ng Pilipinas, Credit Information Corporation)
Credit Information Corporation (CIC) – can correct false derogatory reports. (Credit Information Corporation)
5 Civil & criminal litigation
Civil suits: invasion of privacy, breach of contract, or damages under Art. 19 (abuse of rights) and Art. 26 (Civil Code).
Criminal complaints:
- Grave threats or unjust vexation (Revised Penal Code).
- Cyber-libel if defamatory blasts are via messaging apps or social media. (Lawphil)
- Data-privacy crimes under RA 10173.
Jurisdiction lies with the MTC/RTC where any element occurred or where the offended party resides (for libel).
6 Defences and compliance pointers for lenders
- Consent is not a shield: even if the borrower tapped “ALLOW contacts,” MC 18-2019 overrides that consent for non-guarantor contacts. (ADB Law and Policy Reform)
- Data collection must be proportionate; scraping location, photos or SMS for a small cash loan is excessive. (Lawphil)
- Provide a functional in-app complaints channel and resolve within the timelines of RA 11765/BSP rules. (Lawphil)
7 Recent enforcement highlights (2024-2025)
| Date | Action |
|---|---|
| Feb 2023 | Google removed 33 unregistered online lending platforms upon SEC request. (ABS-CBN) |
| Sep 2024 | SEC revoked the licences of 48 apps for APRs exceeding 800 % and repeated harassment. (Respicio & Co.) |
| Jan 2025 | NPC imposed ₱5 million fine on Easy Peso for contact-scraping and photo leakage. (National Privacy Commission) |
8 Pending reforms
- House Bill 3345 (“Anti-Debt Collection Harassment Act”) – seeks to codify MC 18, raise fines to ₱2 million and create a private right of action; pending in the 19th Congress.
- Full IRR of RA 11765 – BSP and SEC exposure drafts circulated; final rules expected mid-2025, including a cap on collection fees and standard borrower education modules. (Bangko Sentral ng Pilipinas)
9 Practical tips for borrowers
- Document everything – screenshots with time-stamps, call recordings, abusive SMS.
- Send a Data Privacy “stop processing” notice to the lender before filing with NPC; keep proof of delivery.
- Verify the lender’s licence via the SEC OLP list; unlicensed apps are automatically illegal.
- File administrative complaints first (quicker and cheaper) but keep the option of civil damages or criminal action if harm is serious.
10 Take-away
Philippine law treats collection harassment by lending apps as a tri-facto offence: a securities-law breach, a data-privacy breach, and a consumer-protection breach. Borrowers can combine administrative, civil, and criminal avenues, while regulators now coordinate to delist rogue apps swiftly. Knowing the layered remedies—and preserving digital evidence—shifts the power balance back to the consumer.