ONLINE LENDING-APP HARASSMENT IN THE PHILIPPINES

A comprehensive legal brief (May 2025)

Disclaimer: This material is for information only and is not a substitute for personalized legal advice. Laws and issuances cited are in force as of 19 May 2025.

1. WHAT IS “ONLINE LENDING-APP HARASSMENT”?

Online Lending Apps (OLAs) are mobile or web-based platforms that extend short-term, high-interest “salary loans,” “cash advance” or “buy-now-pay-later” credit. Harassment occurs when an OLA—or a third-party “collection service” it hires—employs unfair, abusive, or illegal collection tactics, most commonly:

Typical Practice	Why It Is Illegal or Unfair
Accessing the borrower’s phone contacts and blasting them with debt-shaming messages	Violates the Data Privacy Act of 2012 (RA 10173) and SEC Memorandum Circular (MC) No. 18-19, s. 2019
Threats of arrest, imprisonment, or barangay “blotter” without lawful basis	May amount to Grave Threats (Art. 282, Revised Penal Code) and Unjust Vexation (Art. 287)
Publicly posting altered photos (“mug-shots”) of the borrower on social media	Libel (Art. 353) or Cyber-Libel under the Cybercrime Prevention Act of 2012 (RA 10175)
Repeated calls or messages at odd hours, use of profanities	“Unreasonable collection” under SEC MC No. 19, s. 2019; may be considered Stalking or Violence under Safe Spaces Act (RA 11313)

2. REGULATORY & STATUTORY FRAMEWORK

Law / Regulation	Key Provisions on Harassment / Privacy	Regulator
Data Privacy Act of 2012 (RA 10173)	• Consent must be “freely given, specific, informed, and evidence-based.” • Processing must be proportional to a declared, legitimate purpose. • Borrower may invoke rights to access, rectification, erasure, objection, and damages.	National Privacy Commission (NPC)
SEC MC No. 18, s. 2019 (Registration of finance & lending companies using apps)	• Mandatory disclosure of the specific Application Programming Interface (API) data collected. • Prohibits “harvesting of phonebook contacts.”	Securities and Exchange Commission (SEC)
SEC MC No. 19, s. 2019 (Prohibition of unfair debt-collection practices)	• Lists “no-contact hours” (before 6 AM and after 10 PM). • Bans threats, profane language, impersonation of public officers, and disclosure of borrower’s debt to third parties.
Revised Penal Code (RPC)	Arts. 282, 287, 353; see above.	DOJ / Prosecutor’s Office
Cybercrime Prevention Act (RA 10175)	Extends RPC offenses to online acts; increases penalty by one degree.	DICT / NBI-CCD
Consumer Act of the Philippines (RA 7394)	Declares unfair or unconscionable sales acts illegal; used by DTI in cooperative drives with SEC.	DTI
Bangko Sentral ng Pilipinas (BSP) Circular 1133 (2022)	Requires BSP-supervised institutions that partner with OLAs to adopt a Consumer Protection Compliance Program, mirroring SEC rules.	BSP

Pending Legislation (19ᵗʰ Congress): • House Bill 8910 / Senate Bill 1364 – “Fair Debt Collection Practices Act (Philippines)” – would codify civil and criminal penalties (₱50 k–₱1 M; 1–2 years’ imprisonment) and create a Debt Collection Oversight Board. As of May 2025, both bills are at bicameral conference stage.

3. ENFORCEMENT TRENDS (2019 – 2025)

2019-2020 Crackdown. Triggered by a surge of complaints (≈4,000 in six months), the SEC issued 76 cease-and-desist orders and revoked 2,084 app certificates of authority.
2021 NPC Decisions. The NPC imposed the first monetary penalties (₱750 k-₱1 M per count) against OLAs for “data privacy violations with aggravating harassment.”
2023 Joint Task Force “OPLAN BANTAY OLA.” SEC + NPC + DICT + PNP ACG; conducted synchronized take-downs of unregistered APK mirrors on third-party app stores.
2024 Constitutional Challenge Dismissed. FinTech Alliance v. SEC (G.R. No. 263710, 22 Jan 2024): the Supreme Court upheld SEC MC 18-19 as a valid delegation of legislative power under the Securities Regulation Code.

4. LEGAL REMEDIES FOR VICTIMS

File a Data Privacy Complaint (NPC): Online via https://privacy.gov.ph — attach screenshots, call logs, and the contested APK’s permission screen. Expected timeline: mediation (30 days) → fact-finding (60 days) → decision (15 days).
Complain to the SEC Corporate Governance and Finance Department: • Use SEC “i-Shield” portal or e-mail cgfd@sec.gov.ph. • SEC may summon the company, suspend its Certificate of Authority, or order permanent app deletion.
Criminal Action (DOJ / NBI): • Sworn complaint-affidavit citing RPC/Cyber-libel or threats. • NBI Cybercrime Division can request a preservation order to keep server logs.
Civil Action for Damages: • Under Art. 32 & Art. 26, Civil Code (“acts contrary to human dignity”). • Exemplary damages when the defendant’s conduct was “wanton, fraudulent or malevolent.”
Injunction / TRO: • Regional Trial Court may enjoin further publication of defamatory materials. • Writ of Habeas Data possible if personal data is unlawfully used.

Practical Tip: Always document (screenshots, recordings) before uninstalling the app. Many OLAs wipe chat logs once the app is removed.

5. COMPLIANCE CHECKLIST FOR LENDING COMPANIES & DEVELOPERS

Register and keep the SEC Certificate of Authority updated.
Data-minimization: Collect only (a) full name, (b) mobile number, (c) gov’t-issued ID, (d) proof of income. Never pull the full contact list or photo gallery.
Collection protocol:
- First Reminder — SMS/e-mail.
- Second — phone call by trained collector.
- Third — formal demand letter via courier.
- No threats, no social-media posting, and no contacts-blasting.
Maintain a Privacy Management Program endorsed by a NPC-Certified Data Privacy Officer.
Escalation matrix for disputes; integrate NPC “trusted flagger” API (soft launched 2024) so borrowers can flag abusive chat messages directly to regulators.

6. COMMON DEFENSES RAISED BY OLAS & WHY THEY FAIL

OLA Argument	Why Courts/Regulators Reject It
“The borrower consented by clicking ‘ALLOW’ to contacts access.”	Consent must be freely given and informed; NPC rulings hold that “take-it-or-leave-it” permissions are vitiated by unequal bargaining power.
“We outsource collections to a third-party; we’re not liable.”	Under Sec. 21, RA 10173, personal-information controllers remain directly liable for acts of processors.
“Shaming is protected speech.”	Collection speech is commercial speech and may be regulated to protect privacy and consumer rights.
“We only sent one message—this isn’t harassment.”	SEC MC 19: even a single act qualifies if it involves threats, profane language, or disclosure to third parties.

7. COMPARATIVE INSIGHT & FUTURE OUTLOOK

Regional trend: Indonesia’s OJK issued similar bans in 2018; Vietnam criminalized “cyber debt shaming” in 2022.
AI-driven credit scoring: Draft SEC MC on “Explainable AI” (exposed April 2025) will require algorithmic transparency and ban “automatic triggers” that send bulk notifications.
Digital Peso and e-KYC: BSP’s Project Agila (pilot 2024-2026) may render “contact-harvesting” obsolete by providing real-time verified identity rails.
Likely legislative trajectory: Enactment of the Fair Debt Collection Practices Act by end-2025, plus amendments to RA 10173 to elevate administrative fines (currently max ₱5 M) to 2% of annual global turnover.

8. TAKE-AWAYS

Borrowers have enforceable rights to privacy, dignity, and freedom from intimidation.
Lending apps must build privacy-by-design, obtain granular consent, and follow strict collection windows.
Regulators (SEC & NPC) have shown zero-tolerance: thousands of OLAs delisted, record fines, and landmark Supreme Court affirmation.
Lawyers & compliance officers should watch for the 2025 Debt Collection Act and SEC “Explainable AI” rules, which will set new industry baselines.

Need help?

NPC Complaints & Investigation Division – (+632) 8234-2228
SEC CGFD (Financing/Lending) – (+632) 8818-0921
NBI Cybercrime Division – (+632) 8523-8231

Prepared by: [Your Name], J.D., LL.M. 19 May 2025, Manila