Online Lending App Harassment in the Philippines: Your Rights and How to File SEC and Data Privacy Complaints

Online Lending App Harassment in the Philippines: Your Rights and How to File SEC and Data Privacy Complaints

This article is general information for the Philippines as of August 23, 2025 (Asia/Manila). It isn’t a substitute for legal advice. If you’re in danger or facing criminal threats, contact law enforcement immediately.

What counts as “online lending app harassment”?

Typical patterns include:

  • Floods of calls, texts, Viber/FB Messenger messages, or in-app pop-ups pressuring payment.
  • Shaming tactics: contacting your relatives, co-workers, clients, or employer; group chats naming you a “delinquent”; posting your photos.
  • Threats and misrepresentation: “we’ll have you arrested,” “NBI will raid your office,” pretending to be a lawyer, police, or court staff.
  • Doxxing: sharing your photo, ID, home/work address, or debt details to third parties.
  • Data overreach: apps that scrape your contacts, photos, SMS, or location without a lawful basis.

These behaviors are not normal collection. Ethical collection means the provider reaches out to you, in a professional tone, within reasonable hours, through official channels you provided, and without humiliating you or involving unrelated third parties.

The legal framework at a glance

  • Financial Products and Services Consumer Protection Act (RA 11765) Establishes your rights as a financial consumer and prohibits abusive collection and harassment by financial service providers.

  • Lending Company Regulation Act (RA 9474) and Financing Company Act (RA 8556) Lending/financing companies (including many loan apps) are regulated by the Securities and Exchange Commission (SEC). Operating without SEC registration/authority is illegal.

  • Data Privacy Act of 2012 (RA 10173) + IRR Enforced by the National Privacy Commission (NPC). Protects your personal data; grants you data subject rights; prohibits unlawful processing, unauthorized disclosure, and privacy-intrusive practices.

  • Other laws that may apply Revised Penal Code (grave threats, coercion, libel), Cybercrime Prevention Act (RA 10175) for online/cyber-libel and related offenses, Truth in Lending Act (RA 3765) and Consumer Act (RA 7394) for disclosures. (If you issued checks, BP 22 risks are separate and fact-specific.)

If the lender is a bank/e-money issuer or a BSP-supervised entity, primary escalation is to the Bangko Sentral ng Pilipinas. If it’s a non-bank lending/financing company/app, escalate to SEC. Data privacy issues go to NPC regardless.

Your core rights (plain-English)

As a financial consumer (RA 11765)

  • Fair, ethical, professional treatment — no harassment, intimidation, or shaming.
  • Clear information on fees, interest, due dates, and collection process.
  • Appropriate channels for complaints and timely resolution.
  • Redress — providers must have internal dispute mechanisms; regulators can sanction.

As a data subject (RA 10173)

  • Be informed how your data are collected/used, and object to processing not necessary for your loan.
  • Access your data; rectify inaccuracies.
  • Erasure/Blocking of data unlawfully processed or no longer needed.
  • Data portability (where applicable).
  • Damages and the right to file a complaint with the NPC.

Key point: Scraping your phone contacts is rarely “necessary to perform the loan contract.” Using those contacts to harass or shame you is typically unlawful processing and unauthorized disclosure.

SEC’s position on unfair collection

SEC has long prohibited unfair debt collection practices by lending/financing companies. Prohibited behaviors include, in substance:

  • Threats, obscenities, or humiliating language.
  • Public shaming and contacting people in your phonebook (unless they are co-makers/guarantors you named for the loan).
  • Misrepresenting as law enforcement, court officials, or lawyers.
  • False legal threats (e.g., “instant arrest,” “search warrant tomorrow” without a real case).
  • Disclosing your debt to your employer or unrelated third parties.

Immediate steps to protect yourself

  1. Secure your device

    • Revoke the loan app’s permissions (Contacts, SMS, Photos, Location, Microphone, Accessibility).
    • Update OS; run a reputable mobile security scan.
    • Change passwords for email, social media, and banking; enable 2FA.

  2. Control communications

    • Block abusive numbers/accounts; keep everything recorded (don’t delete).
    • Tell family/co-workers to block/report harassing messages.

  3. Stop oversharing

    • Avoid sending new IDs/selfies through chat unless through verified official channels and necessary.
    • Never pay to personal accounts; insist on official pay-in channels and receipts.

  4. Document everything (see checklist below).

  5. Send a formal “Cease Harassment / Privacy Notice” (template below) via email and in-app support, and to their Data Protection Officer (DPO).

Evidence checklist (build a clean case file)

  • Identity of the lender/app: app name(s), company name, trade name, platform links, Certificate of Authority/Registration numbers if available.
  • Your loan documents: e-contracts, screenshots, statements, receipts.
  • Harassment proof: call logs, audio (if lawful), messages, group chats, posts, and the phone numbers, email addresses, and usernames used.
  • Third-party contacts: statements or screenshots showing they were contacted, including timestamps.
  • Your actions: copies of your complaints to the company, DPO, SEC, NPC; courier receipts; ticket numbers.
  • Impact: work memos, HR notes, medical consults (if distress led to treatment), expense receipts (SIM change, etc.).

Organize by date in a simple timeline.

When to go to which regulator

  • Go to SEC if:

    • The app/company is unregistered or appears to operate without SEC authority.
    • You faced unfair debt collection (threats, shaming, contacting your contacts/employer).
    • The firm refuses to identify its registered entity or provide formal receipts.

  • Go to NPC if:

    • The app scraped or misused your contacts, photos, or other data.
    • Your personal data were disclosed to third parties or posted publicly.
    • The provider ignored your Data Subject Requests (DSR) for access, erasure, or objection.

You can (and often should) complain to both SEC and NPC when harassment involves collection abuse and privacy violations.

How to file a complaint with the SEC

Goal: Stop unfair collection; sanction/close violators; protect other consumers.

What to prepare

  1. Your full name and contact details.
  2. Name of the lending/financing company (and app names/aliases).
  3. A concise narration of facts (dates, what happened, who contacted you).
  4. Evidences: screenshots, recordings, call logs, receipts, IDs (redact sensitive info where sensible).
  5. Relief sought: stop harassment; investigate; sanction; confirm registration status.

Where/how to file

  • Use the SEC’s consumer/complaints channels (online portal, email, or in-person filing at SEC offices).
  • If you suspect the entity is unregistered, highlight this; SEC can issue advisories, cease-and-desist orders, suspend/revoke authority, and refer cases for prosecution.

After filing

  • You should receive an acknowledgment/docket or ticket.
  • SEC may require a counter-affidavit from the company, ask for clarifications/evidence, or schedule conferences.
  • Keep responding on time; submit additional evidence promptly.

How to file a data privacy complaint with the NPC

Prerequisite (usually): First write to the company’s DPO asserting your data rights (access/erasure/objection) and give reasonable time (e.g., 15 days) to act. Keep proof. NPC can waive this in urgent cases (e.g., ongoing large-scale disclosure or imminent harm).

What to prepare

  1. Completed NPC complaint form (or written complaint with your details).
  2. Narrative of facts + timeline.
  3. Proof you invoked your rights with the company/DPO and their response (or lack of it).
  4. Evidence of unlawful processing/disclosure (messages to your contacts, group chats, screenshots).
  5. Relief sought: stop processing; delete unlawfully obtained data; sanction; damages (as applicable).

Where/how to file

  • Submit via NPC’s official complaint channels (online or by filing at NPC’s office).
  • If third parties received your data (relatives, employer), attach their affidavits/screenshots.

After filing

  • NPC may conduct mediation or formal investigation, issue compliance orders/cease-and-desist, direct erasure, and impose administrative fines or recommend criminal action to prosecutors.

Practical payment and restructuring tips (to avoid new problems)

  • Communicate in writing via official channels; ask for a Statement of Account and full breakdown (principal, interest, penalties).
  • Propose a written payment plan if needed; avoid verbal arrangements only.
  • Pay only through official accounts and keep ORs/e-receipts.
  • Never send IDs/selfies to random collectors’ personal accounts.

If they threaten arrest, “NBI cases,” or home/office “raids”

  • Debt is generally a civil matter. There is no instant arrest for unpaid loans.
  • False threats and pretending to be police/lawyers are unfair collection and can be criminal (e.g., coercion, threats, or cyber-libel if defamatory).
  • If you issued checks or there’s alleged fraud, get legal counsel; facts matter.

Templates you can copy-paste (edit to fit)

1) Cease Harassment / Fair Collection Notice (to the lender)

Subject: Cease Harassment; Use of Lawful Collection Practices Only

Dear [Company/Lender],

I am [Full Name], borrower for Account/Ref No. [_____]. Your representatives have engaged in collection practices that are abusive and unlawful, including [briefly describe].

I demand that you:
1) Cease contacting third parties (including my contacts/employer) and stop any form of shaming or threats;
2) Communicate only with me, through [your number/email], during reasonable hours, in professional language;
3) Provide a Statement of Account itemizing principal, interest, penalties, and official payment channels.

Failure to comply will leave me no choice but to escalate to the SEC and other authorities. I am preserving all evidence.

Sincerely,
[Name]
[Mobile/Email]
[Date]

2) Data Subject Rights + Erasure/Objection (to the DPO)

Subject: Data Privacy Act – Exercise of Rights; Erasure and Objection

Dear Data Protection Officer of [Company],

I am [Full Name]. Your app/company processed my personal data beyond what is necessary for my loan by [e.g., scraping my contacts; disclosing my photo/debt to third parties]. This violates the Data Privacy Act.

I hereby:
• Request full information on all personal data you hold about me and all disclosures made;
• Object to further processing for collection harassment, shaming, or third-party contacts;
• Demand immediate erasure of unlawfully obtained data (e.g., my contact list; shared photos);
• Request your breach/incident report if my data were disclosed.

Please reply within [15] calendar days. Non-compliance will be escalated to the National Privacy Commission.

Sincerely,
[Name]
[Mobile/Email]
[Date]

3) SEC Complaint Narrative (skeleton)

Complainant: [Name, Address, Contact]
Respondent: [Company name, App name(s), known numbers/emails]

Facts: (Chronology with dates; attach screenshots)
Violations: Unfair collection (threats, shaming, contacting third parties, misrepresentation)
Relief: Investigate; order cease of unfair practices; impose sanctions; confirm registration/authority.
Attachments: [List of evidence]

4) NPC Privacy Complaint Narrative (skeleton)

Complainant: [Name, Address, Contact]
Respondent: [Company/DPO details]

Facts: (Chronology; how data were collected and misused; who received them)
Data rights invoked: [Access, objection, erasure] sent on [date]; [no reply/inadequate reply]
Relief: Stop unlawful processing; erase data; sanction; damages (if applicable)
Attachments: [Evidence; copy of your DPO notice and proof of service]

Frequently asked questions

1) I tapped “Allow Contacts” when I installed the app. Am I stuck? No. Consent must be informed, freely given, specific, and necessary. Blanket access to your phonebook is typically not necessary to enforce a loan and does not authorize disclosure to your contacts.

2) Can they message my employer or the HR hotline? Not unless your employer is a co-maker/guarantor you named or there’s a lawful basis. Otherwise it’s generally unfair collection and a privacy violation.

3) Can I pay while I’m complaining? Yes. Paying doesn’t waive your rights. Keep receipts and continue with SEC/NPC complaints for the harassment/privacy issues.

4) Will a complaint affect my credit score? A legitimate delinquency can be reported to credit bureaus, but harassment and unlawful disclosures are separate violations and can be sanctioned.

5) Can I also report to app stores or telcos? Yes. Report abusive apps to Google Play/App Store and request number blocking or spam tagging from your telco.

Smart next steps (one-page action plan)

  1. Lock down your device & accounts; revoke app permissions.
  2. Write the Cease Harassment + DPO letters (send today); keep proof.
  3. Assemble a dated timeline + evidence folder.
  4. File complaints with SEC (unfair collection/unregistered activity) and NPC (privacy violations).
  5. Pay/Restructure safely through official channels; keep receipts.
  6. Follow up using ticket numbers; respond to regulator requests on time.
  7. Consider counsel if there are criminal-sounding threats, posted defamation, or unique facts (e.g., checks, alleged fraud).

If you’d like, tell me the app name(s) and what’s been happening, and I’ll tailor the exact violation list and your complaint wording.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login