Online Lending Apps Charging Excessive Interest and Harassing Borrowers: Legal Remedies with NPC, SEC, NBI

Online Lending Apps Charging Excessive Interest and Harassing Borrowers: Legal Remedies with the NPC, SEC, and NBI (Philippine Context)

Last updated: 29 September 2025 (PH time). This article is for general information only and is not a substitute for legal advice.

1) Why this matters

Mobile “instant cash” apps have made borrowing fast—but some operate illegally or use abusive tactics: sky-high interest, opaque fees, incessant calls, public shaming, and mass-messaging your contacts. Philippine law provides administrative, civil, and criminal remedies. Three agencies are central:

  • National Privacy Commission (NPC): privacy and data-abuse (contact harvesting; “debt-shaming” messages; doxxing).
  • Securities and Exchange Commission (SEC): registration and conduct of lending/financing companies, including unfair collection practices.
  • National Bureau of Investigation (NBI): criminal offenses (e.g., grave threats, cyber libel, unjust vexation, extortion).

2) The legal framework at a glance

Core statutes and rules

  • Data Privacy Act of 2012 (RA 10173) and its IRR — protects personal data; prohibits unauthorized or excessive processing and unlawful disclosure.

  • Lending Company Regulation Act (LCRA, RA 9474) and Financing Company Act (RA 8556) — require SEC registration and a Certificate of Authority; regulate operations.

  • SEC rules on online lending (e.g., registration/Disclosure obligations) and SEC Memorandum Circular on Prohibition of Unfair Debt Collection Practices (commonly cited as SEC MC 19-2019) — bars threats, obscene language, and publication/shaming, among others.

  • Revised Penal Code (RPC):

    • Grave threats (Art. 282), grave/coercion (Art. 286), unjust vexation (Art. 287), slander/libel (Arts. 353–355).

  • Cybercrime Prevention Act (RA 10175): elevates liability when the foregoing are done through ICT (e.g., cyber libel, computer-related offenses).

  • Safe Spaces Act (RA 11313): gender-based online sexual harassment (if messages are sexualized/obscene).

  • Anti-Photo and Video Voyeurism Act (RA 9995): if intimate images are shared.

  • BSP rules mainly cover banks and credit cards; most pure OLAs fall under SEC, not BSP.

3) “Excessive interest” under Philippine law

  • No fixed legal interest ceiling for most private loans since Central Bank Circular No. 905 (1982) suspended Usury Law ceilings.

  • But courts police unconscionable rates. The Supreme Court has repeatedly struck down interest rates deemed “iniquitous or unconscionable” (often monthly rates of 3%–10%+ or totals that balloon through layered “fees”), reducing them to a reasonable rate and voiding penalty provisions.

  • Takeaways for borrowers:

    • Extremely high monthly rates, stacked processing fees, and compounding penalties are challengeable in civil court.
    • Even if you signed digitally, courts can reform or void unconscionable stipulations.
    • Keep all screens/receipts: stated APR/charges, in-app schedules, SMS reminders.

4) Harassment and “debt-shaming”

Typical abusive patterns (often illegal):

  • Mass-texting/calling your contacts found through the app’s permissions (“contact scraping”) → unlawful processing under the DPA.
  • Posting your name/photo/ID on social media or group chats labeling you a “scammer” → potential privacy breach (DPA), libel/cyber libel, SEC unfair collection.
  • Threats, profanity, or doxxing (e.g., “We will call your boss, we will post your selfie”) → possible RPC and cybercrime offenses.
  • Calling outside reasonable hours, repeated calls to work, or contacting unrelated persons → unfair collection under SEC rules; privacy breaches.

5) Which agency does what?

A) National Privacy Commission (NPC)

When to involve: the app accessed your contacts; sent messages to third parties; published your data; used more data than necessary; refused to honor your rights (access, erasure, objection).

Possible outcomes: Cease-and-Desist Orders, compliance orders, administrative fines, and referral for criminal prosecution for serious DPA violations. NPC can also require data breach notifications and corrective measures.

B) Securities and Exchange Commission (SEC)

When to involve:

  • The lender is unregistered (no SEC Company Registration/Certificate of Authority).
  • The lender (even if registered) used unfair debt collection (e.g., debt-shaming, threats).
  • The app name is different from the corporate registrant; or it operates via “borrower aggregators” without proper authority.

Possible outcomes: Show-Cause orders, fines, suspension/revocation of Certificate of Authority, app takedowns/blocks, public advisories against the entity, and referral to law enforcement.

C) National Bureau of Investigation (NBI)

When to involve: criminal behavior—threats, extortion (“pay or we blast your photos”), defamation, stalking, sextortion, or fraud. Possible outcomes: Criminal complaints filed with the DOJ/prosecutor (and potentially warrant applications for accounts/devices).

6) Evidence to gather (do this before confronting the lender)

  1. Identity of the lender/app: app store page, developer name, website, SEC registration/CA if any, emails/SMS headers.
  2. Loan documents: e-contracts, screenshots of terms/charges, amortization schedules, proof of disbursement and payments.
  3. Harassment record: call logs, voice recordings (if lawfully obtained), chat/SMS screenshots with timestamps, social-media posts/URLs.
  4. Privacy trail: permission prompts, screenshots proving access to Contacts, Photos, Location, SMS, etc.; proof that third parties were messaged.
  5. Witness statements: affected contacts, HR/supervisors, barangay officials.
  6. Your mitigation steps: cease-and-desist emails, revocation of consent, in-app requests, data-erasure requests.
  7. Device forensics (if needed): APK hash, app version, data flows (tech counsel can assist).

7) Step-by-step remedies and how to file

A) With the NPC (privacy/data-abuse)

Grounds: unlawful processing; unauthorized disclosure; processing disproportionate to the purpose; failure to implement security measures; non-compliance with data subject rights.

How to proceed:

  1. Assert your rights with the company first (short, written request): demand cessation of harassment, erasure of scraped contacts, and restriction of processing; request their privacy notice and lawful basis. Keep proof of sending.

  2. If unresolved or urgent (e.g., ongoing shaming), file a complaint with NPC. Include:

    • Sworn statement/complaint affidavit;
    • Evidence in Section 6;
    • Names/contact details of affected third parties;
    • Reliefs sought: cease-and-desist, deletion, administrative fines, breach notification.

  3. Cooperate with mediation or compliance proceedings if scheduled.

Practical tips:

  • Emphasize data minimization—scraping all contacts is almost never necessary to collect a debt.
  • Highlight harm to third parties (time, reputational damage).
  • Ask NPC to order deletion of scraped contacts and prohibit future outreach to anyone other than you and your counsel.

B) With the SEC (unregistered or abusive collection)

Grounds: operating without a Certificate of Authority; unfair debt collection practices (SEC MC on unfair collection); misrepresentations of fees/interest; predatory terms.

How to proceed:

  1. Prepare entity details: corporate name (if any), app names/aliases, website, payment channels (GCash, bank accounts), responsible officers if known.
  2. Submit a complaint with attachments (screenshots, messages, proof of payments, contract terms).
  3. Request urgent measures: directive to stop sending messages to your contacts; app takedown/block; show-cause against the entity.

Practical tips:

  • If the entity is not found in SEC records, say so and attach app store screenshots.
  • Cite specific unfair acts: threats, profanity, calls to employer, public posting, contacting unrelated persons, calls at odd hours.

C) With the NBI (criminal offenses)

Grounds:

  • Threats/extortion: “We will post your ID/selfie unless you pay by 5 pm.”
  • Defamation/cyber libel: public posts or mass messages branding you “scammer/thief.”
  • Unjust vexation/coercion/stalking: repeated harassing calls or visits.
  • Voyeurism/anti-photo law: if intimate images are shared.

How to proceed:

  1. Visit the NBI Cybercrime Division or nearest field office; bring your ID and evidence.
  2. Execute a sworn statement; provide device numbers, account handles, and payment trail.
  3. The NBI may preserve evidence, trace accounts, and coordinate with platforms for takedown and prosecution.

8) Civil remedies (courts)

  • Action for damages (Articles 19, 20, 21 Civil Code—abuse of rights, acts contrary to morals/good customs).
  • Annulment/reformation of loan stipulations that are unconscionable; injunctions against harassment; accounting of payments.
  • Attorney’s fees and moral/exemplary damages for public shaming and privacy invasion.

9) Payment, negotiation, and safety

  • You still owe the principal (minus illegal charges). Consider consigning or paying directly while reserving your rights against unlawful interest/penalties and abusive acts.
  • Use traceable channels (bank transfer, e-wallet with reference).
  • Do not hand over additional IDs/selfies. Revoke unnecessary app permissions; uninstall after securing evidence.
  • If you can, channel communications in writing only (email) and note you disallow contact with third parties.

10) Model documents you can adapt

A) Data-Subject Notice & Cease-and-Desist (to the lender)

Subject: Assertion of Data Privacy Rights; Cease-and-Desist from Unlawful Processing

I am the data subject for Account/Loan No. ______ under your app ______. You (and your agents) are ordered to immediately cease (a) accessing or using my device contacts; (b) messaging any third party about my account; and (c) publishing or threatening to publish my personal data.

Under RA 10173, you lack a lawful basis to process the personal data of my contacts. Your actions constitute unlawful processing and unauthorized disclosure.

I demand within 48 hours: (1) written confirmation of erasure of contact lists and any third-party data you obtained from my device; (2) your privacy notice, lawful basis, and data-sharing disclosures; (3) the name and contact details of your Data Protection Officer.

Continued harassment will be documented for NPC, SEC, and NBI complaints, and for civil and criminal action.

Sincerely, Name / Contact / Date

B) Complaint Outline (NPC)

  • Parties; app names; corporate identity (if any)
  • Facts: install date, permissions granted, harassment timeline
  • Legal violations: DPA provisions (unlawful processing; unauthorized disclosure; data minimization; security)
  • Evidence list (annexes)
  • Reliefs: cease-and-desist; deletion; fines; breach notification; referral for prosecution

C) Complaint Outline (SEC)

  • Entity details; registration/CA status (if known)
  • Acts: unfair collection (list specific acts); misrepresentation of charges
  • Reliefs: sanctions; suspension/revocation; orders to stop abusive collection; app takedown/block

D) Affidavit for NBI

  • Your identity; chronology; copies of threats/shaming posts; witnesses (contacts, HR)
  • Specific crimes alleged; prayer for investigation and prosecution

11) Red flags when choosing a lending app

  • No clear corporate name or SEC details; only a brand alias.
  • All-access permissions (Contacts, SMS, Photos) unrelated to credit scoring or servicing.
  • Interest quoted only per day or per 7/14 days, not APR; “processing fee” deducted upfront.
  • Disbursement via personal e-wallet or unknown accounts.
  • Support emails using free webmail and non-PH phone numbers.

12) Frequently asked questions

Q1: Can they legally contact my employer or my phone contacts? Generally no. It’s rarely necessary and typically violates data minimization under the DPA and unfair collection prohibitions. They may contact you and your named co-maker/guarantor (if any), but not blast unrelated third parties.

Q2: I signed the terms—am I stuck with the high interest? Not necessarily. Courts may strike down unconscionable interest/penalties and compute a reasonable rate, crediting your prior payments.

Q3: Can I be jailed for non-payment of a loan? No imprisonment for debt. Criminal exposure arises from fraud (e.g., identity theft, bouncing checks with deceit), not mere inability to pay. The criminal risk here is typically on the abusive collector, not the borrower.

Q4: They threatened to post my selfie/ID. What do I do now? Preserve evidence, demand cessation, and file with NPC and NBI immediately. If they already posted, add cyber libel and privacy breach grounds; request urgent takedown.

Q5: Should I keep paying while I complain? If you can, pay the principal (and any lawful interest you don’t dispute) to prevent ballooning balances—under protest—while you challenge illegal charges and harassment.

13) Practical playbook (one-page)

  1. Secure evidence (Section 6).
  2. Revoke app permissions; change passwords; keep the app only if you still need data, then uninstall.
  3. Send cease-and-desist + DPA rights assertion (Section 10A).
  4. File NPC complaint (privacy violations).
  5. File SEC complaint (unregistered/abusive collection).
  6. File NBI complaint (threats, libel, extortion).
  7. Consider civil action to reform/void unconscionable terms and claim damages.
  8. Pay principal under protest (if able) and keep receipts.

14) Key concepts to cite when writing your complaints

  • Unlawful processing and unauthorized disclosure (RA 10173).
  • Data minimization and proportionality principles.
  • Unfair debt collection (threats, obscenity, public shaming, contacting unrelated persons).
  • Unconscionable interest (jurisprudence allowing courts to reduce or void).
  • Civil Code: abuse of rights; acts contra bonos mores.
  • Cybercrime overlay for online conduct (RA 10175).

15) Final notes

  • Keep communications in writing; avoid verbal promises.
  • Do not provide extra IDs/selfies/contacts.
  • If the lender offers a “settlement,” insist on a written computation and confirmation of account closure upon payment.
  • Coordinate with counsel if harassment is severe or if you receive any court/process server documents.

If you’d like, I can turn this into fill-in-the-blank templates (NPC, SEC, NBI) tailored to your facts, or help you audit screenshots for the strongest angles.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login