Online Lending Harassment in the Philippines: How to Complain to the SEC, NPC, and NBI

This article is practical guidance, not a substitute for specific legal advice. Philippine laws cited below include the Data Privacy Act of 2012 (RA 10173) and its rules, the Lending Company Regulation Act of 2007 (RA 9474) and financing company rules, the Cybercrime Prevention Act of 2012 (RA 10175), the Revised Penal Code (for threats, coercion, etc.), the Truth in Lending Act (RA 3765), and various SEC and NPC issuances addressing online lending and unfair collection practices.

1) What “online lending harassment” looks like

Common abusive tactics by some online lenders or third-party collectors include:

  • Contact-list harvesting and mass texting/calling your family, employer, and friends.
  • Public shaming: posting your photo/name with false claims of being a “scammer” or “delinquent.”
  • Threats: jail, deportation, workplace reports, or fabricated criminal complaints.
  • Doxxing: disclosure of personal data (photos, IDs, addresses) without lawful basis.
  • Offensive language and repeated calls at odd hours.
  • Misrepresentations: pretending to be law enforcement, a court, or a government agency.
  • Unfair charges and opaque fees.

These behaviors can violate data-privacy rules, SEC rules on unfair collection, and, in serious cases, criminal laws (e.g., grave threats, grave coercion, extortion, cyber-libel).

2) Your legal anchors (quick map)

  • Data Privacy Act (RA 10173): Protects personal information; prohibits unauthorized collection, use, and disclosure. Civil, administrative, and criminal consequences exist for unlawful processing, unauthorized disclosure, and malicious disclosure.
  • SEC jurisdiction: Regulates lending and financing companies and their collection practices; polices unregistered entities and abusive collectors; can suspend/close violators and issue cease-and-desist and penalty orders.
  • Cybercrime/Criminal laws: The NBI investigates crimes such as grave threats/coercion, extortion, identity theft, cyber-libel, illegal access, and related offenses.
  • Truth in Lending Act / Civil Code: Requires cost-of-credit disclosure; unconscionable interest/fees can be struck down; abuse of rights can ground damages.

Key idea: The same conduct can trigger all three tracks: SEC (regulatory), NPC (privacy), and NBI (criminal). You may pursue them in parallel.

3) Preserve evidence first (before you complain)

  1. Screenshots of messages, chat heads (with timestamps), caller IDs, in-app notices, and social-media posts.
  2. Audio recordings of calls (if available) and call logs.
  3. Copies of IDs/images the lender obtained or leaked.
  4. Loan documents: app screens showing loan terms, payment history, receipts, and email confirmations.
  5. Proof of impact: HR memos, witness statements from contacts who received harassment, mental-health reports, and any expenses incurred.
  6. Data map: list the phone numbers, email addresses, page links, and app names used against you.
  7. Timeline: a dated summary of what happened, by whom, and where posted.

Store these in cloud/USB. Do not edit original files; make working copies.

4) Immediate self-help options (that won’t harm your case)

  • Write a short “Cease and Desist + Data Erasure” notice to the lender and its collector:

    • Withdraw consent to access or process your contacts.
    • Demand deletion of contacts/screenshots/photos obtained without lawful basis.
    • Instruct them to stop contacting third parties about your debt.
    • Ask for their Data Protection Officer (DPO) details and privacy policy.

  • Inform third parties (HR/family) that any shaming text is under investigation; ask them to save the messages for you.

  • Do not pay under duress solely to stop unlawful harassment; paying does not legalize the violation. If you choose to settle, do it through traceable channels (no cash pick-ups) and keep receipts.

A model template is below (Section 8).

5) Filing with the Securities and Exchange Commission (SEC)

When to use this track:

  • The lender/collector is a lending or financing company, or operating an online lending platform/app.
  • You suspect the entity is unregistered, misrepresents fees, or uses unfair debt-collection practices (contacting your phonebook, shaming, impersonating officials, threats).

What to allege:

  • The entity’s name, app name(s), numbers/handles used.
  • Specific abusive acts (attach screenshots and timeline).
  • If you can’t confirm registration, say so—SEC can check.

How to prepare your SEC complaint package:

  • Complaint narrative/affidavit (see Section 8).
  • Evidence bundle (Section 3).
  • Valid ID; contact info (email/phone); proof of transactions (loan disbursement and payments).
  • If your employer/friends were harassed, include sworn statements or screenshots they received.

Possible SEC outcomes:

  • Cease and Desist orders against the app or company.
  • Fines, registration revocation/suspension, public advisories.
  • Coordination with other agencies (NPC/NBI) when conduct overlaps with privacy or criminal violations.

Tip: If you don’t know whether it’s a lending or financing company, include both the company name (if any) and the app developer/publisher name you see in the app store or in-app.

6) Filing with the National Privacy Commission (NPC)

When to use this track:

  • The lender/collector accessed your contacts, gallery, or location beyond what’s necessary for the loan.
  • Your photos/IDs were disclosed to others; your contacts got messages about your debt; shaming posts were made.
  • You requested erasure or restriction of processing and they ignored you.

Possible Data Privacy Act violations to cite (plain-language):

  • Unlawful processing: collecting/using data without a lawful basis or beyond the stated purpose.
  • Unauthorized disclosure: sending your data to your contacts or posting it online.
  • Processing for unauthorized purposes: using contact lists to pressure repayment.
  • Malicious disclosure: shaming with intent to malign.

NPC complaint essentials:

  • Complainant details and proof of identity.
  • Respondent details (company/app/collector; DPO if known).
  • Narrative: what data they took, how they used it, and the harm caused.
  • Reliefs requested: stop processing (C&D), delete unlawfully obtained data, notify your contacts of the breach, and penalize the respondent.
  • Evidence: your bundle (Section 3), plus any privacy policy/consent screens you captured.

NPC powers/outcomes:

  • Compliance orders, cease-and-desist, penalties and recommendation for prosecution.
  • Orders to delete unlawfully processed data and to notify affected persons.

Practical note: It helps to show you asserted your rights first (e.g., emailed the DPO) and they failed to act. Keep proof of those messages.

7) Filing with the National Bureau of Investigation (NBI)

When to use this track:

  • The conduct is criminal:

    • Grave threats / grave coercion (forcing payment by threats).
    • Extortion (threatening to leak photos or lies unless you pay).
    • Cyber-libel (public defamatory posts or mass messages).
    • Illegal access/identity theft (taking over accounts, hacking).
    • Voyeurism/obscene publications (if intimate images are used).

  • The harassers impersonated police, prosecutors, or courts.

What to bring to NBI:

  • Sworn affidavit and evidence bundle.
  • List of URLs/handles/phone numbers, and where the persons can be found (if known).
  • Copies of reports you filed with SEC/NPC (if already lodged).

Possible NBI actions/outcomes:

  • Investigation, preservation requests to platforms, subpoenas, and case referral for prosecution.
  • Coordination with PNP Anti-Cybercrime Group and other regulators.

If posts are ongoing, ask about takedown coordination and preserving digital evidence (hashing, headers, metadata) to keep it admissible.

8) Ready-to-use templates

A) Cease & Desist + Data Erasure (send to lender/collector/DPO)

Subject: Unlawful Debt Collection, Unauthorized Processing & Disclosure of Personal Data I am asserting my rights under the Data Privacy Act and applicable SEC rules on unfair collection. You (Company/App/Collector Name) must:

  1. Cease and desist from contacting my family, employer, and other third parties regarding my account;
  2. Delete all contact lists, photos, IDs, and other personal data not necessary for loan processing;
  3. Stop threats, shaming messages, impersonation of authorities, and repeated calls outside reasonable hours;
  4. Provide the name and contact details of your Data Protection Officer, your privacy policy, and your lawful basis for processing my contacts. Consider this a formal notice that I am filing complaints with the SEC, NPC, and NBI should the harassment continue. —[Your full name], [address/contact], [date]

B) Affidavit-Narrative (for SEC/NPC/NBI; adapt as needed)

  1. Affiant: name, age, civil status, address.
  2. Respondent(s): company/app name, collectors’ names/aliases, phone numbers, pages/handles.
  3. Background: date you downloaded the app/secured the loan; terms as shown in app; how funds were released and repaid (attach proof).
  4. Harassment timeline: dates/times; who called/texted; what was said; which contacts received messages; URLs of posts.
  5. Data privacy issues: what permissions the app requested; what data they took; how they disclosed or threatened to disclose it.
  6. Harm suffered: job impact, anxiety, reputation damage, expenses.
  7. Actions taken: cease-and-desist sent, requests to DPO, platform reports.
  8. Reliefs sought: (a) stop the harassment; (b) delete unlawfully processed data; (c) penalties; (d) takedown of posts; (e) damages/referral for prosecution.
  9. Verification/Jurat: sign and notarize as required for the forum.

9) Filing tips, timelines, and strategy

  • Parallel filing is fine. Mention in each complaint that you’re also filing with the other agencies and attach copies once available.
  • Prior resort: For NPC, it’s helpful (often expected) to first contact the company’s DPO and give a reasonable time to act.
  • Prescription: Criminal actions and privacy complaints have time limits. Don’t delay—file as soon as practicable.
  • Unknown identity: If collectors hide behind prepaid numbers or burner accounts, still file using their aliases/handles and numbers; agencies can subpoena telcos/platforms.
  • Platform takedowns: Report abusive posts to the platform’s report tools (defamation/harassment/unauthorized content). Keep the report receipt and original URLs.
  • Employment issues: If your HR received shaming messages, ask for a memo confirming no disciplinary action will be taken based on these third-party communications.

10) Frequently asked questions

Q: If I pay, will they stop? A: Not guaranteed. Harassment may continue or escalate. Focus on lawful channels and document everything.

Q: The app demanded access to my contacts to proceed. Is that consent? A: Consent must be freely given, specific, informed, and evidenced—and can be withdrawn. “Take-it-or-leave-it” access unrelated to the loan’s necessity is contestable.

Q: Can they tell my employer about my debt? A: Debt is generally personal. Contacting your employer or co-workers to shame or coerce payment is a red flag for unfair collection and privacy breaches.

Q: I used a different phone later; harassment continues. What now? A: They may have exported your data. Demand erasure and pursue NPC remedies, plus NBI if threats/defamation are involved.

Q: Interests/fees feel excessive. Can I challenge them? A: Philippine courts can strike down unconscionable charges and enforce disclosure rules. That is separate from—but often related to—harassment issues.

11) Checklist: what to submit where

Track Core Issue What to Submit Sample Reliefs
SEC Unfair collection, unregistered/abusive lending apps Affidavit, evidence bundle, IDs, loan proof C&D against app, penalties, suspension/closure
NPC Unauthorized data collection/disclosure Affidavit, evidence, privacy policy/consent screens, DPO correspondence Stop processing, deletion, penalties, notices to contacts
NBI Crimes (threats, coercion, libel, extortion, illegal access) Sworn complaint, evidence, list of numbers/handles, copies of SEC/NPC filings Investigation, subpoenas, case referral, takedowns

12) Final practical pointers

  • Be specific: name the numbers used, exact words threatened, and the dates.
  • Keep calm on the phone: say “please send any lawful notices in writing” and hang up.
  • Don’t share new data: avoid sending fresh selfies/IDs “to verify” when threatened.
  • Loop in allies: give your close contacts a one-liner on how to respond (“Kindly stop contacting me; I am not the borrower. I will preserve this message as evidence.”).
  • Follow through: after filing, keep an update log of all new incidents and agency responses.

One-page summary you can copy into your complaint cover sheet

  • I am a borrower being harassed by [App/Company] through [calls/texts/social posts].
  • They accessed/used my [contacts/photos/IDs] beyond legitimate loan purposes.
  • My contacts were messaged/shamed; I received [threats/coercion/misrepresentation].
  • I demand: (1) cease-and-desist; (2) deletion of unlawfully processed data; (3) penalties; (4) takedowns; (5) referral for prosecution if warranted.
  • Attached: timeline, screenshots, call logs, loan proof, DPO correspondence, and IDs.

If you want, I can turn this into filled-in complaint drafts and a neatly formatted evidence index you can print and submit.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login