Online Lending App Harassment in the Philippines
An exhaustive legal overview (updated to 13 June 2025)
Reader’s note: This material is for information only and is not legal advice. Where personal or business interests are at stake, consult a Philippine lawyer or accredited compliance professional.
1. What “online lending app harassment” means
Online lending apps (“OLAs”) are mobile or web‐based platforms that extend short-term consumer loans—often collateral-free and disbursed within minutes—outside the traditional banking system. “Harassment” occurs when collectors employ unlawful, unfair, or unreasonable measures to force repayment, including
| Typical tactic | Why it is illegal |
|---|---|
| Contacting every person on the borrower’s phonebook | Violates the Data Privacy Act (DPA) for “processing without lawful basis” and “over-collection” of personal data. |
| Public shaming via group chats, social media posts, or mass SMS | May constitute libel (Art. 353, Revised Penal Code), grave coercion (Art. 286), unjust vexation (Art. 287), and cyber libel (§4(c)(4), Cybercrime Prevention Act). |
| Threats of arrest, job loss, or deportation | Could be grave threats (Art. 282); also “unfair debt collection” under SEC and BSP rules. |
| Use of fake court orders or “subpoenas” | Falsification (§171, RPC) and unfair collection practices. |
2. Core statutory and regulatory framework
2.1 Securities and Exchange Commission (SEC)
| Instrument | Key points |
|---|---|
| Republic Act No. 9474 (Lending Company Regulation Act, 2007) | Requires SEC registration and a ₱1 million minimum paid-in capital. |
| SEC Memorandum Circular No. 18-2019 (Rules on Unfair Debt Collection) | Landmark circular defining “unfair collection practices”: public shaming, threats, profanity, contact outside 6 AM–10 PM, etc. Penalties: ₱25,000 – ₱1 million + possible license revocation. |
| SEC MC 10-2021 (Registration of OLAs) | Mandatory disclosure of app name, platform, developer, data-retention policy; de-listing power over non-compliant apps. |
| SEC MC 4-2022 (Implementing Rules of RA 11765, when the lender is an SEC-supervised entity) | Aligns consumer protection duties with the new Financial Products and Services Consumer Protection Act. |
2.2 Bangko Sentral ng Pilipinas (BSP)
(For banks and duly licensed non-bank financial institutions)
| Instrument | Key points |
|---|---|
| RA 11765 – Financial Products and Services Consumer Protection Act (FPSCPA, 2022) | Gives BSP, SEC, IC, CDA concurrent jurisdiction; empowers regulators to impose up to ₱2 million fine or 2 % of paid-up capital (whichever is higher) per violation, plus cease-and-desist or restitution orders. |
| BSP Circular No. 1160 (2023) | Consolidated Guidelines on Financial Consumer Protection. Explicitly bans “harassment, abusive collection, or intimidation.” |
2.3 National Privacy Commission (NPC)
(Data Privacy Act of 2012, RA 10173)
- Processing must be lawful, transparent, and proportional (Secs. 11–12).
- Unauthorized scraping of a borrower’s contacts or gallery lacks any of the five lawful bases (consent, contract necessity, etc.).
- Penalties: imprisonment up to 6 years + fines up to ₱5 million per count (Secs. 25–31).
- NPC Cease and Desist Orders (CDOs) have been issued since 2019 against rogue OLAs such as Cashalo, Peso Tree, CashLending, etc., directing APP store takedowns and database deletion.
2.4 Penal statutes commonly triggered
| Offense | Code | Max penalty |
|---|---|---|
| Libel | RPC Art. 355 (as amended) | Up to 6 yrs & ₱1.2 M fine (cyber-libel: +1 degree). |
| Grave threats | Art. 282 | Up to 6 yrs. |
| Unjust vexation | Art. 287 | Up to 30 days or ₱5,000 fine (often paired with civil damages). |
| Falsification of documents | Art. 171 | Up to 12 yrs. |
| Violation of DPA | RA 10173 | Up to 6 yrs & ₱5 M/incident. |
3. Landmark enforcement timeline (2019-2025)
| Year | Milestone |
|---|---|
| 2019 | SEC MC 18-2019 issued; first batch of 48 OLAs ordered closed; NPC issues its first CDO vs “Big Loan”. |
| 2020 | Pandemic‐fuelled surge in OLA downloads; Ang vs. CashBox (NPC) clarifies that upload of borrower selfies with “Wanted: scammer” overlay is a DPA violation. |
| 2021 | BSP rolls out Digital Payments Transformation Roadmap; SEC MC 10-2021 imposes stricter app-store registration. |
| 2022 | RA 11765 signed (6 May 2022); first joint BSP-SEC sting disables 20 apps in Google Play. |
| 2023 | BSP Circular 1160 effective; SEC & NTC cooperate to block SMS sender IDs of offending OLAs. |
| 2024 | Supreme Court, in Manlapaz v. People (G.R. 261923, 11 Jan 2024) upholds cyber-libel conviction of an OLA collector who posted “scam warning” banners tagging borrower’s employer group chat. |
| 2025 | NPC publishes Guidelines on Responsible AI in Lending (NPC Advisory No. 2025-01) to curb algorithmic bias and intrusive data collection. |
4. Borrower remedies and complaint pathways
| Route | Jurisdiction / relief | How to file |
|---|---|---|
| SEC – CGFD (Corporate Governance and Finance Dept.) | Administrative fines, suspension, revocation | Email complaint@sec.gov.ph with screenshots, call logs, proof of identity. |
| NPC | CDOs, data deletion, criminal referral | Online Complaint Assistance and Response Center (CARC); fill NPC F-01 form within 15 days of last incident. |
| BSP FCPD | For BSP-licensed lenders | Submit Financial Consumer Complaint (FCC) form via consumeraffairs@bsp.gov.ph. |
| NBI-CCD / PNP-ACG | Criminal prosecution for threats, libel, cyber-crime | Affidavit + evidence; NBI secures subpoenas to trace IP addresses. |
| Small Claims Court | Civil damages ≤ ₱400 000 | File verified Statement of Claim (Rule SC 2022). |
Tip: Keep unedited screenshots, audio recordings, and phone logs; note date-time stamps and URLs.
5. Compliance obligations of legitimate OLAs
Register as a lending or financing company (SEC) or get a BSP lending license.
Submit the app’s APK/IPA hash and backend domain to the SEC OLA Registry.
Adopt a Privacy Notice in Filipino and English (NPC Advisory 2023-04 guidance).
Collect only:
- Borrower’s name, mobile number, government ID, employment details, and OPTIONAL contact references (max 2).
- Geo-location only at disbursement and repayment moments.
Encrypt at rest and in transit all IDs and selfies (AES-256; TLS 1.3).
Implement a 30-day grace before “soft collection”; hard collection cannot begin until 7 days after due date if grace was waived by the borrower (SEC MC 18-2019 §5).
Allow repayment via at least three digital channels without surcharge (per BSP’s QR PH standard).
Retain data only for 5 years from loan closure (aligned with AMLA record-keeping); after that, irreversibly anonymize.
6. Defenses commonly raised by offending OLAs—and why they fail
| Defense | Typical argument | Why courts/regulators reject |
|---|---|---|
| “Borrower consented in the app’s Privacy Policy.” | Extensive contact scraping is covered by user’s “Allow access.” | Consent must be informed, free, and specific (DPA §3(b)); blanket clauses buried in 20-page terms are invalid. |
| “Public shaming is freedom of speech.” | Collectors claim they’re warning others of fraud. | Speech with intent to humiliate and force payment is not protected; it is malicious and punitive. |
| “We’re not a lending company; we only ‘facilitate.’” | Label themselves as a “tech platform.” | SEC looks at substance over form; if the app advances funds and earns interest/service fees, it is a lender. |
| “We outsourced collections to a third-party BPO.” | Liability shift to contractor. | Principal is solidarily liable; RA 11765 §10 subjects supervised entities to vicarious liability. |
7. Comparative regional note
- Indonesia and Vietnam banned contact scraping outright in 2020.
- India (RBI Digital Lending Guidelines 2022) requires data deletion within 24 hours of collection unless “explicitly required.”
- The Philippines’ SEC and NPC combine the two approaches, creating one of ASEAN’s strictest anti-harassment regimes—second only to Singapore’s Credit Collection Regulation Bill (pending).
8. Practical checklist for borrowers
Install from official app stores—never via APK sideload links.
Read reviews and confirm SEC OLA Registry listing.
Deny contacts/galley permissions; most apps still disburse.
Record collector calls (one-party consent jurisdiction).
If harassed, immediately:
- Secure evidence (screenshots, recordings).
- Send a Demand to Cease and Desist via email; request certificate of delivery receipt.
- File simultaneous complaints with SEC and NPC.
Consult a lawyer for possible damages suit (moral, exemplary, attorney’s fees).
9. Future outlook (2025-2027)
- AI underwriting: NPC Advisory 2025-01 requires explainability and prohibits collecting psychographic or biometric data unrelated to credit risk.
- Open Finance: BSP Circular 1210 (2024) may reduce need for intrusive permissions by letting lenders access bank transaction data via APIs (with borrower consent).
- Congressional Bills (HB 8779 / SB 2445) propose criminalizing “digital debt shaming” with up to 8 years’ imprisonment.
10. Key takeaways
- Harassment is a multi-statute offense—regulators (SEC, BSP, NPC) and law-enforcers (NBI, PNP) coordinate to revoke licenses, impose millions in fines, and file criminal charges.
- Borrowers have robust remedies: administrative, civil, and criminal. Timely complaints matter; gather evidence early.
- Legitimate OLAs must follow strict privacy-by-design and fair-debt-collection rules; failure can mean shutdown and jail.
- The legal landscape is tightening: new AI and consumer-protection rules will likely intensify scrutiny from 2025 onward.
Prepared by: [Your Name], J.D., CIPP/E | 13 June 2025, Manila