Online Lending App Harassment: Legal Remedies and How to File Complaints (NPC, NBI, PNP)

Online Lending App Harassment in the Philippines: Legal Remedies and How to File Complaints (NPC, NBI, PNP)

Updated for Philippine law and regulators as of 2025. This is general information, not a substitute for legal advice.

At a glance

  • Harassment by online lending apps (OLAs)—e.g., public shaming, doxxing your contacts, threats, explicit language, or repeated calls—can violate the Data Privacy Act (DPA), the Financial Consumer Protection Act (FCPA), SEC rules on unfair debt collection, the Cybercrime Prevention Act, and provisions of the Revised Penal Code (grave threats, coercion, libel), among others.
  • You can pursue parallel tracks: (1) privacy enforcement before the National Privacy Commission (NPC), (2) criminal investigation with NBI Cybercrime or PNP Anti-Cybercrime Group, and (3) regulatory enforcement against the lender/collector before the Securities and Exchange Commission (SEC) (for most OLAs).
  • Document first, delete later: Capture evidence before changing phone settings or deleting the app.
  • Assert your data rights (object, erasure, access) to stop processing and demand deletion.
  • Never pay through third-party personal accounts or QR codes that don’t match the registered entity.

What counts as “harassment” by OLAs?

Common red flags (often unlawful or prohibited):

  • Messaging or calling your relatives, employer, co-workers, or other contacts to demand payment or shame you.
  • Group chats, social media posts, edited photos, or messages labeling you as a “scammer.”
  • Threats of arrest, “blotter,” criminal cases without basis, or threats to publish private data or photos.
  • Obscene, profane, or demeaning language; repeated calls at unreasonable hours; threats of physical harm.
  • Collecting and using contact lists, photos, SMS, location or other device data without valid consent and beyond the disclosed purpose.
  • False representations (e.g., pretending to be law enforcement/court staff).

These behaviors frequently breach: (a) DPA rights and lawful processing requirements; (b) SEC prohibitions on unfair debt collection practices for lending/financing companies; and may constitute criminal offenses (extortion/grave threats, coercion, cyber libel, identity theft, unjust vexation).

Know your rights

Under the Data Privacy Act (RA 10173), you have the right to:

  • Be informed about how your data is collected/used (purpose, legal basis, retention).
  • Object to processing (e.g., contacting your phone contacts), especially for secondary uses like “shaming.”
  • Access and correct your data.
  • Erasure/blocking when processing is unlawful, excessive, or no longer necessary.
  • Damages for violations, and to file a complaint with the NPC.

Under the Financial Consumer Protection Act (RA 11765) and sector rules:

  • You are protected from abusive collection practices, misrepresentation, and unfair treatment by supervised financial institutions (banks—BSP; lending/financing companies—SEC; insurers—IC).
  • You can complain to the proper regulator and seek administrative sanctions against violators.

Under criminal law and special laws:

  • Grave threats, coercion, unjust vexation, and libel may apply.
  • Cybercrime Prevention Act (RA 10175) penalizes online versions of these offenses and identity theft, illegal access, and other acts.
  • Anti-Photo and Video Voyeurism Act (RA 9995) and the Safe Spaces Act (RA 11313) may apply if sexual images or gender-based online harassment are involved.
  • Anti-Wiretapping Act (RA 4200) generally prohibits recording private conversations without the consent of all parties. Get legal advice before recording calls; prefer chat/SMS/e-mail evidence.

Immediate steps (prioritize evidence, safety, and containment)

  1. Preserve evidence

    • Screenshots/screen recordings of messages, caller IDs, in-app notices, and payment instructions.
    • Export chat logs and metadata (timestamps, URLs, profile IDs).
    • Keep proof of payments, loan agreements, and disclosure screens/permissions you saw when installing the app.

  2. Secure your device & accounts

    • Revoke app permissions (Contacts, Storage/Photos, SMS, Location).
    • Change passwords/PINs; enable multi-factor authentication.
    • Consider a malware scan or factory reset after you finish collecting evidence.

  3. Notify people who might be contacted

    • Brief family/HR that any shaming messages are part of an OLA’s unlawful collection tactic.
    • Ask them not to engage; forward any threats to you for evidence.

  4. Assert your data rights (send takedown demand)

    • Write the app’s Data Protection Officer (DPO) asserting your DPA rights (see template below).
    • Demand immediate cessation of harassment, deletion of unlawfully collected data, and disclosure of any third parties who received your data.

  5. Check the operator

    • Determine if the entity is a registered lending/financing company (SEC jurisdiction) or a bank/e-money issuer (BSP). Your approach to the regulator depends on this.

Where—and how—to file complaints

You can pursue several routes at the same time. Align your evidence packages to each agency’s mandate.

1) National Privacy Commission (NPC) — Data Privacy Act enforcement

Grounds: Unauthorized processing; processing beyond declared purpose; excessive collection (e.g., scraping contacts/photos); unauthorized disclosure to your contacts/employer; failure to implement safeguards; malicious disclosure; refusal to honor rights (object/erasure).

What to prepare:

  • Complaint-Affidavit (narrative of facts, timeline).
  • Government ID; proof you own the number/account.
  • Evidence bundle: screenshots, call logs, app permission screens, data-rights letters/emails and their responses (or non-responses).
  • DPO details (if available) and proof you first tried to exercise your rights (helpful in NPC evaluations).

Relief possible: NPC may order cease-and-desist, data deletion, corrective actions, and impose administrative fines.

Tips:

  • Organize evidence chronologically with filenames (e.g., 2025-09-12_1033_chat-threats.png).
  • Highlight instances where your contacts were messaged and attach their statements or forwarded messages.

2) NBI — Cybercrime Division

Offenses to allege (as applicable):

  • Grave threats/extortion (demands + threat to post/shame).
  • Cyber libel (false public accusations online).
  • Identity theft/illegal access (using your account, SIM swap, or accessing device data without authority).
  • Unjust vexation/coercion (intimidation tactics).

What to bring:

  • Complaint-Affidavit and government ID.
  • Digital evidence (on USB/drive): screenshots, full chats (export), call logs, audio only if lawfully obtained, and any links/URLs.
  • Names/numbers/accounts (GCash/ bank) used for payment instructions.

Relief possible:

  • Investigation, preservation requests to platforms, subpoenas to trace owners of numbers/wallets, and filing of criminal cases with the prosecutor.

3) PNP — Anti-Cybercrime Group (ACG)

Similar to NBI; either agency can take the lead. PNP-ACG is often more accessible in provincial/City offices.

What to bring & expect:

  • Same pack as NBI.
  • If threats are ongoing, ask for a blotter and request advice on immediate safety steps (e.g., SIM change, coordination with your barangay if in-person threats arise).

4) SEC — Enforcement (for lending/financing companies and online lending platforms)

Why file here as well:

  • The SEC regulates lending/financing companies and explicitly prohibits unfair debt collection practices (e.g., shaming, contacting persons not the borrower, threats/obscene language, misleading representations).
  • SEC can suspend or revoke licenses, take down illegal OLAs, and penalize entities and responsible officers.

What to submit:

  • Detailed complaint naming the company/app and any collectors, with evidence of harassment and proof of the lending relationship (or evidence that you never consented).
  • Payment instructions that use private accounts (a red flag) and any corporate details shown in the app.

You may file to all four (NPC, NBI, PNP, SEC) to cover privacy, criminal liability, and regulatory sanctions.

Civil remedies & defending yourself

  • Damages under the DPA for unlawful processing and breach of your privacy rights.

  • Torts under the Civil Code (Articles 19, 20, 21) for abuse of rights and acts contrary to morals/good customs.

  • Defamation if false statements harmed your reputation.

  • Small Claims (no lawyers required) for money disputes up to ₱1,000,000 (threshold subject to change by Supreme Court rules). Useful if you seek to recover unlawful charges/penalties or dispute amounts.

  • If you’re sued for collection:

    • Do not ignore summons. Explore small-claims defenses (e.g., illegal interest/charges, lack of proper documentation, misapplication of payments) and counterclaims for abusive practices.
    • Settlement is permissible, but insist on official receipts and a written quitclaim; pay only to the registered entity’s official channels.

Evidence checklist (use this as your table of contents)

  • Borrower identity proof; device/number ownership.
  • Loan documents, screenshots of consents/permissions granted.
  • Harassing messages/calls (date/time, numbers, platform handles).
  • Messages to your contacts (forwarded with headers).
  • Threats to post/publish; actual posts/links with timestamps.
  • Payment instructions (account names/numbers, wallet IDs).
  • Your data-rights demand and proof of receipt; any replies.
  • Any economic loss (missed work, therapy bills) for damages claims.

Templates you can adapt

Important: Personalize the facts; sign before a notary for affidavits. Do not include sensitive data in documents you’ll share widely.

A) Data-rights & Cease-and-Desist Letter to the App’s DPO

Subject: Exercise of Rights under the Data Privacy Act / Cease and Desist from Unlawful Processing

To: Data Protection Officer, [Company/App Name]
[Official address/email if available]

I am [Full Name], mobile number [number], user/borrower of [App]. I withdraw any purported consent to access/use my device data (including contacts, photos, SMS, location) beyond loan processing and servicing. I expressly OBJECT to any further processing for collection “shaming,” contacting my relatives/employer, or public disclosure.

Pursuant to the Data Privacy Act, I demand within 5 days:
1) Confirmation whether you process my personal data and a copy of all data and sources;
2) The specific legal basis and purposes for each data category collected (contacts, images, etc.);
3) The names of third parties to whom my data was disclosed (including any collection agencies);
4) Immediate ERASURE/BLOCKING of all data not strictly necessary and lawful;
5) CESSATION of all harassing communications to me and to persons in my contacts.

Take notice that contacting my contacts/employer, threats, or defamatory statements will be reported to the NPC, NBI/PNP, and the SEC. Please preserve all logs related to my account for legal proceedings.

Sincerely,
[Name]
[Address]
[ID No.]
[Date]

B) NPC Complaint-Affidavit (outline)

I, [Name], of legal age, state:

1. Parties. I am the complainant. Respondent is [Company/App], with address [if known].
2. Facts. (Timeline: installation date; permissions requested; loan terms; start of harassment; examples)
3. Violations. (Unauthorized processing; processing beyond declared purpose; unauthorized disclosure to contacts; refusal to honor rights; security lapses.)
4. Evidence. (List exhibits with descriptions and filenames.)
5. Relief. (Order to cease processing, delete data, notify third parties, administrative penalties, damages.)
6. Prior steps. (I wrote to the DPO on [date]; [no reply/inadequate reply].)

[Signature over printed name]
[ID details]
[Jurats/Notarization]

C) NBI/PNP Cybercrime Complaint-Affidavit (outline)

I, [Name], of legal age, state:

1. On [dates/times], I received harassing/threatening messages/calls from [numbers/handles] demanding payment and threatening to [publish images / message my contacts / file cases].
2. My relatives/employer [received messages] on [dates], accusing me falsely of [x]; see Exhibits __.
3. Respondents demanded payment to [bank/wallet details]; see Exhibit __.
4. I fear for my safety and reputation. I respectfully request investigation for [grave threats/extortion, coercion, cyber libel, identity theft/illegal access, unjust vexation], preservation of evidence, and subpoenas to identify account owners.

[Signature]
[Notary]

Practical do’s and don’ts

Do:

  • Keep communications in writing (email/app inbox) and avoid heated replies.
  • Use new contact numbers only after you finish collecting evidence and making reports.
  • Tell HR that collectors have no right to disclose your debt to your employer.

Don’t:

  • Don’t pay to personal accounts or unfamiliar QR codes.
  • Don’t send selfies/IDs through unsecured chat to collectors claiming to “update your file.”
  • Don’t record calls secretly without legal advice (risk under Anti-Wiretapping Act).
  • Don’t rely only on deleting the app—it doesn’t undo data already exfiltrated.

FAQs

Q: I repaid, but they still threaten to post my photos. What now? File with NPC (unlawful processing and malicious disclosure), and NBI/PNP for extortion/cyber libel. Attach proof of full payment.

Q: They messaged my boss. Can I sue? Yes. That’s often unauthorized disclosure under the DPA and may be defamation or unfair collection under SEC rules. Consider NPC + NBI/PNP + SEC.

Q: Can I stop them from calling my contacts? Assert your right to object and erasure in writing, then escalate to NPC and SEC with evidence. Ask your contacts to forward any messages to you for your case.

Q: Will I be arrested for unpaid app loans? Debt is generally a civil matter. Arrest requires a criminal case and a lawful warrant (or in-flagrante circumstances). Threats of immediate arrest for mere nonpayment are intimidation tactics.

Q: Can I still be liable for the loan if their methods were illegal? Yes, unlawful collection does not erase legitimate debt. But you can challenge illegal charges and seek damages/sanctions for the harassment.

How to structure your multi-agency filing (suggested order)

  1. Send DPA letter to the DPO (start the paper trail).
  2. NPC complaint (privacy violations; ask for cease-and-desist and deletion).
  3. NBI/PNP (criminal aspects; request subpoenas/preservation to trace numbers and wallets).
  4. SEC complaint (regulatory sanctions; unfair collection; unregistered OLPs).

Prepare one evidence folder and tailor cover letters for each agency.

When to get a lawyer

  • Persistent threats or reputational attacks;
  • High monetary exposure or if you’re served with a complaint;
  • You plan to claim damages or file a cyber libel/extortion case;
  • You need help navigating small claims or drafting affidavits.

Final reminders

  • Parallel complaints are allowed and strategic—privacy, criminal liability, and regulatory sanctions address different harms.
  • Keep everything organized and dated. Good documentation often decides outcomes.
  • Stay vigilant for follow-up scams pretending to “fix” your case for a fee. Coordinate only through official channels.

If you’d like, I can convert the templates into fillable Word/PDF forms and a checklist you can print and use for submissions.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login