Loan App Harassment and Threats: How to File SEC and NPC Complaints in the Philippines

Practical legal guide for borrowers, employees, and data subjects affected by abusive online lending practices. Philippine context.

Disclaimer: This is general information, not a substitute for legal advice. For urgent safety issues (e.g., active threats, stalking, extortion), contact local law enforcement immediately.

1) Why this happens—and who regulates what

Many “loan apps” (online lending platforms or OLPs) operate as lending companies or financing companies. In the Philippines, two regulators primarily handle abuses:

  • Securities and Exchange Commission (SEC) – supervises lending and financing companies and their debt collection conduct. It can:

    • Shut down unregistered/illegal lenders and platforms;
    • Penalize unfair debt collection (harassment, threats, shaming);
    • Sanction directors/officers and revoke licenses.

  • National Privacy Commission (NPC) – enforces the Data Privacy Act of 2012 (DPA; R.A. 10173). It handles:

    • Unlawful data processing (e.g., contact harvesting, unauthorized access to photos/files);
    • Unauthorized disclosure and doxxing (messaging your contacts about your debt);
    • Security breaches and excessive permissions.

Other possible authorities (depending on facts):

  • PNP ACG / NBI Cybercrime Division – for threats, coercion, extortion, cyber libel, hacking.
  • Bangko Sentral ng Pilipinas (BSP) – if the actor is a bank, EMI/e-wallet, or payments provider (not typical for pure loan apps).
  • DTI – deceptive marketing, but debt collection abuses generally fall under SEC; data abuses under NPC.

2) Common violations to recognize

A. Unfair debt collection practices (SEC scope)

  • Threats of harm, arrest, or criminal cases for simple non-payment of civil debt;
  • Harassing calls/messages at unreasonable hours; repeated, profane, or degrading language;
  • Shaming tactics: contacting your employer, colleagues, family, or entire contact list;
  • False claims of court orders, warrants, or “NBI blotter” if you don’t pay today;
  • Misrepresentation (posing as a lawyer, police, court staff).

B. Data privacy violations (NPC scope)

  • Excessive permissions to access contacts, photos, SMS, or gallery not necessary for loan processing;
  • Harvesting and using contacts to shame or pressure repayment;
  • Unauthorized disclosure of personal information to third parties;
  • Retaining data beyond stated purpose or without a lawful basis;
  • Security lapses causing leaks/breaches.

Key Rights under the DPA: to be informed, to object, to access and rectify data, to erasure/blocking, to data portability, and to damages for violations.

3) Your immediate action plan

  1. Preserve evidence (don’t delete):

    • Screenshots of app pages, permissions requested, consent screens;
    • Copies of SMS, chat, emails, call logs, voicemails;
    • Photos of caller IDs; screen recordings if safe;
    • Names/numbers of collectors; dates/times/frequency;
    • Messages sent to your contacts (ask contacts to keep originals);
    • Proof of download (app store page), terms of service, privacy policy versions;
    • Proof of your identity and relationship to the issue (ID, employment letter—if relevant).

  2. Minimize ongoing harm:

    • Revoke app permissions in your phone settings; change passwords;
    • Inform close contacts that a lender may send false or shaming messages—ask them to preserve any messages;
    • If there are explicit threats or extortion, report to PNP/NBI immediately in parallel with regulatory complaints.

  3. Document impact:

    • Anxiety, reputational harm, missed work, security concerns;
    • Costs incurred (e.g., SIM change), HR memos, incident reports.

4) Filing a SEC complaint (unfair debt collection & illegal lending)

Who should file: Borrowers, their affected contacts/employers, or anyone directly harassed by a lending/financing company or its collectors/agents.

What the SEC looks for:

  • Legal status of the lender (registered vs. unregistered/illegal);
  • Collection behavior evidence showing harassment, threats, shaming, misrepresentation;
  • Involvement of specific officers/agents and the platform used (app name, company name).

Core contents of your complaint:

  • Complainant details: full name, address, contact info, ID copy;
  • Respondent details: company name (as shown in app/store), app name, any addresses, phone numbers, pages;
  • Narrative of facts: dates, times, nature of harassment; who was contacted; exact words used; any threats;
  • Legal grounds (plain language): unfair debt collection; operating without proper registration (if suspected); misrepresentation;
  • Annexes: screenshots, recordings/transcripts, call logs, app permissions, privacy notices, loan agreement/receipts, proof of payments.

Where/how to file:

  • SEC accepts complaints via its Enforcement/Investor Protection channels or public-facing complaint desks (online or in-person). Provide complete identification and attach evidence. (Avoid including sensitive data in the body of emails; use secure attachments where possible.)

What remedies the SEC can pursue:

  • Cease and desist orders against the app/company;
  • Administrative fines, suspension/revocation of lending licenses or revocation of corporate registration;
  • Referrals for criminal prosecution (e.g., illegal lending).

Practical tips:

  • Use concise timelines. Create a table listing date/time, the number that contacted you, channel used, and a short description of the abuse.
  • If your contacts/employer were messaged, include their sworn statements or at least copies of the messages and their contact details for verification.
  • If the company name is unclear, capture the app store developer name, in-app “About/Company” page, privacy policy footer entity, and payment recipient details.

5) Filing an NPC complaint (data privacy abuses)

Who should file: Any data subject whose personal data (or their contacts’ data) were unlawfully collected, processed, disclosed, or inadequately secured by a loan app or its agents.

Grounds to allege (choose those that fit):

  • Unlawful processing (no lawful basis, excessive data collection);
  • Unauthorized disclosure to your contacts/employer;
  • Insufficient security measures leading to breach/exposure;
  • Processing for purposes incompatible with consent (e.g., using contacts to shame you);
  • Failure to honor data subject rights (denying requests to delete/block data, etc.).

Before you file (good practice):

  • Exercise your rights in writing (email or in-app): request details of processing, object to further processing, demand deletion/blocking, and ask them to cease contacting third parties. Give a reasonable time to respond.
  • Keep copies of your request and any response (or lack thereof). This shows the NPC you tried to resolve it.

What to submit to the NPC:

  • Complaint-Affidavit (notarized if required), stating:

    • Your identity and contact details;
    • The respondent’s details (as complete as possible);
    • Clear facts and timeline of data collection and abusive disclosure;
    • Specific rights violated and reliefs sought (e.g., order to stop processing, deletion of data, penalties).

  • Annexes: privacy notice/terms, app permission screenshots, copies of shaming messages to contacts, your rights-exercise request and proof of sending, and any breach notifications.

  • If filing as a representative (e.g., for a minor), include proof of authority.

What the NPC can do:

  • Order respondents to cease unlawful processing, delete/rectify data;
  • Impose administrative fines and other corrective measures;
  • Refer matters for criminal prosecution under the DPA, where appropriate.

Tips for success:

  • Frame your story around purpose limitation and proportionality: the app collected or used data beyond what is necessary to underwrite/collect a loan.
  • Emphasize harm: reputational damage, workplace discipline, mental distress, security issues.

6) Parallel criminal/civil angles you may consider

These are optional parallel routes—useful when conduct escalates beyond regulatory violations.

  • Grave threats / coercion / unjust vexation (Revised Penal Code) – if messages include threats of harm or illegal acts.
  • Extortion / blackmail – threats to expose personal info unless you pay.
  • Cyber libel (Cybercrime Prevention Act) – if false, defamatory statements were posted or mass-sent.
  • Anti-Wiretapping / E-Commerce / Access device laws – if the app or agents accessed accounts or communications unlawfully.
  • Civil damages – for mental anguish, besmirched reputation, and other injuries.

File these with PNP/NBI and/or the City Prosecutor’s Office as appropriate. Bring the same evidence pack.

7) Evidence checklist (print-friendly)

  • Government-issued ID (for verification)
  • Loan app name, developer, version, app store page screenshots
  • Loan agreement, statements, receipts, payment proofs
  • Privacy policy and consent screens (date-stamped)
  • Permissions requested by the app (contacts, SMS, storage, etc.)
  • Complete timeline of harassment (date/time/channel/number/summary)
  • Screenshots/recordings of threats, shaming, misrepresentations
  • Messages to contacts/employer (with consent to use as evidence)
  • Your rights-exercise request to the company and their response (or none)
  • Any HR memos or third-party incident reports
  • Proof of mental/physical harm (medical consults, counseling) if any

8) Clean-room phone hygiene (to limit further misuse)

  • Revoke app permissions; uninstall the app after evidence is preserved.
  • Change device lock code, email, and cloud passwords; enable 2FA.
  • Review connected accounts/sessions; sign out of unknown devices.
  • Consider a new SIM if harassment is relentless, and keep the old SIM off but accessible for evidence.

9) Payment pressure vs. illegal collection—know the line

  • Debt is generally a civil obligation. Collection is allowed, abuse is not.

  • Legitimate collectors may:

    • Identify themselves and the creditor accurately;
    • Contact you during reasonable hours and on channels you provided;
    • State amounts due and lawful consequences (e.g., civil action).

  • They may not:

    • Threaten arrest or criminal cases for simple non-payment;
    • Contact third parties to shame you (barring lawful guarantor/co-borrower notices);
    • Use profane, demeaning, or coercive language;
    • Fabricate legal documents or affiliations.

10) Two ready-to-use complaint templates

Adapt to your facts. Keep attachments labeled as Annex “A”, “B”, … with short captions.

A. Template: SEC Complaint (Unfair Debt Collection / Illegal Lending)

Subject: Complaint vs. [Company/App Name] for Unfair Debt Collection and/or Illegal Lending

  1. Complainant: Name, Address, Contact No., Email, Government ID No.

  2. Respondent: Corporate Name (if known), Trade/App Name, App Store Developer, Known Addresses, Phone Numbers, Website/Pages.

  3. Material Facts:

    • I applied for a loan via [App] on [Date].
    • Starting [Date], I received [number] calls/messages daily from [numbers/accounts] using profane language and threats of arrest/case filing.
    • On [Date], Respondent messaged my [employer/family/contacts] disclosing my alleged debt and personal data.
    • Annexes A–F show the messages, call logs, and app permissions.

  4. Grounds:

    • Unfair debt collection practices (harassment, threats, shaming, misrepresentation);
    • Possible operation as an unregistered lending platform (subject to SEC verification).

  5. Relief Sought:

    • Investigation and administrative sanctions;
    • Cease-and-desist order against abusive collection;
    • Other appropriate measures.

Verification/Undertaking: I certify the truth of the foregoing and that attached copies are faithful reproductions of originals in my possession. Signature / Date

B. Template: NPC Complaint-Affidavit (Data Privacy Act)

Title: Complaint-Affidavit for Violations of the Data Privacy Act of 2012

  1. Complainant: Name, Address, Contact No., Email, ID

  2. Respondent (Personal Information Controller/Processor): Legal/Trade/App Name, App Developer, Addresses, Contact Details.

  3. Allegations:

    • Respondent collected excessive permissions (contacts, storage, SMS) not necessary for loan processing (Annex A).
    • Respondent disclosed my personal data to [contacts/employer] to shame/coerce payment (Annex B).
    • Respondent failed to honor my request to cease processing/delete data dated [Date] (Annex C).
    • These acts violate lawful basis, purpose limitation, data minimization, transparency, and data subject rights under the DPA and its IRR.

  4. Harm: Reputational damage, workplace disruption, mental distress, security concerns (Annex D – incident notes/HR memo/medical note, if any).

  5. Reliefs Sought:

    • Order to cease unlawful processing and delete/block my data;
    • Administrative penalties as warranted;
    • Other reliefs just and equitable.

Jurat/Notarization (if required) Signature / Date

11) Frequently asked questions

Q1: Do I have to keep paying while I complain? If the loan is valid, non-payment can still have civil consequences. Filing a complaint does not erase a lawful debt, but it does not permit harassment or data abuses. If charges/fees are unlawful or you were misled, raise that in your complaint and consider disputing the amount due.

Q2: The app contacted my boss. Can I include company records? Yes—attach the message your employer received and, if possible, a brief HR memo/incident note. Ask your employer to avoid replying to collectors and to preserve evidence.

Q3: A collector pretended to be from the police/court. Document this. Impersonation and false representation bolster your SEC complaint and may constitute criminal offenses. Consider a police blotter or NBI referral.

Q4: What if I already uninstalled the app? If possible, reinstall on a spare device without logging in to capture public-facing info (app store page, privacy policy). Never risk your data; prioritize safety.

Q5: How long will it take? Timelines vary. Provide complete, well-organized evidence to help regulators act more quickly.

12) Quick organization tips

  • Name files like: Annex_A_Permissions.png, Annex_B_ShameText_2025-10-03.jpg, Annex_C_RightsRequest.pdf.
  • Put a 1-page cover letter with a bullet summary and table of annexes.
  • Keep an incident log (date/time, who, channel, short description) updated daily.

13) When to seek counsel

  • High monetary exposure, complex chains of collectors/assignments, cross-border platforms, or if you intend to seek damages. A lawyer can help with demand letters, evidence custody, and coordinated filing with SEC, NPC, and law enforcement.

Bottom line

You have two powerful avenues: SEC for abusive/illegal lending and NPC for data privacy violations. Preserve evidence, file clear, focused complaints, and escalate criminal aspects when threats or extortion are involved. Harassment and shaming are not the price of borrowing—regulators can and do act when complaints are properly documented.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login