Online Lending Harassment in the Philippines: How to File Complaints with the NPC, SEC, and NBI

This practical legal guide explains what “online lending harassment” is under Philippine law, the remedies available, and exactly how to file complaints with the National Privacy Commission (NPC), Securities and Exchange Commission (SEC), and National Bureau of Investigation (NBI). It is general information, not a substitute for legal advice about your specific facts.

1) What “online lending harassment” typically looks like

Online lending harassment refers to abusive or unlawful collection tactics commonly used by online lending apps (OLAs) or their third-party collectors, including:

Doxxing/shaming: sending texts, chats, emails, or social media posts to a borrower’s contacts, officemates, or family to “expose” the borrower.
Threats and intimidation: threats of arrest, public humiliation, criminal charges for mere non-payment, or violence.
Harassing communications: repeated calls or messages at unreasonable hours; obscene, degrading, or sexist remarks; use of fake legal notices.
Overcollection/misuse of data: scraping the device’s Contacts, Photos, SMS, Location, etc., without a valid legal basis, then using that data to harass.
False representations: pretending to be from the courts, law enforcement, or a law office when they are not.
Unfair collection: contacting people who are not the borrower, co-maker, guarantor, or authorized representative; workplace harassment.

Key principle: You can be sued for a debt, but you cannot be jailed for mere non-payment of civil debt (1987 Constitution, Art. III, Sec. 20). Jail becomes a risk only for separate crimes (e.g., estafa for fraud, B.P. 22 for bouncing checks, etc.), not for the simple fact of owing money.

2) Which laws and agencies apply

A. Data Privacy Act (DPA) — NPC jurisdiction

Core violations: excessive collection (e.g., scraping all contacts), processing without valid consent/legal basis, unauthorized disclosure to third parties (your contacts), lack of privacy notice, failure to honor data subject rights (DSRs), poor security.
Remedies: NPC can order cease-and-desist, require deletion/erasure or restricted processing, direct companies to honor DSRs, and impose administrative penalties. Civil damages are pursued in regular courts.

B. Unfair Debt Collection by Lending/Financing Companies — SEC jurisdiction

Lending and financing companies are regulated by the SEC (not BSP), and unfair debt collection practices are prohibited. Typical bans cover threats, use of profane/obscene language, contacting persons other than the borrower/co-maker/guarantor/authorized representative, harassment at work, and misleading or false representations.
Remedies: SEC may fine, suspend, or revoke a company’s Certificate of Authority and order corrective measures. It can also refer criminal angles to law enforcement.

C. Crimes that may be committed — NBI (and/or PNP-ACG) investigation; DOJ prosecution

Depending on facts, collectors may commit:

Grave threats / light threats; grave coercion; unjust vexation (Revised Penal Code).
Libel/slander and cyber libel if shaming posts or messages impute a crime or defect with malice.
Violations of the Cybercrime Prevention Act for offenses done through ICT.
Gender-based online sexual harassment (Safe Spaces Act) if sexist or sexualized abuse is involved.
Anti-Wiretapping: do not secretly record private phone calls without consent; your own screenshots, call logs, and text/chat records are fine.

D. Other potentially relevant frameworks

Financial Products and Services Consumer Protection Act (RA 11765) enhances enforcement powers of financial regulators (including SEC) against abusive practices.
Civil Code (Abuse of rights; tort) for damages claims in court.
Small Claims (for eligible money disputes) can provide quick civil remedies without a lawyer.

3) Evidence you should gather (before you file anything)

Screenshots of abusive messages, shaming posts, collector IDs/handles, phone numbers used, timestamps.
Call logs (dates/times). Do not record calls without consent.
Proof of account: loan agreement, app profile, payment records, receipts, ledger screenshots.
Privacy angle: app permissions granted (Contacts/SMS/Files), screenshots of the app asking for or using those permissions, privacy notice/terms.
Third-party harassment: screenshots or sworn statements from contacts who were messaged.
Your efforts to resolve: emails or messages to the lender’s Data Protection Officer (DPO) or customer support asking them to stop harassment or honor DSRs.
Valid ID and Affidavit/Complaint-Affidavit narrating facts chronologically (who, what, when, where, how, with exhibits).

Tip: Preserve the phone before uninstalling the app. After capturing evidence, revoke the app’s permissions (Contacts/Storage/SMS) and uninstall if safe to do so.

4) Where to file — quick decision map

Your contacts were messaged or your data was scraped/misused → NPC (Data Privacy Act).
Collector used threats/obscenities or contacted non-authorized persons and the lender is a lending/financing company → SEC (unfair collection).
There are criminal acts (threats, libel/cyber libel, coercion, extortion, stalking) → NBI Cybercrime Division (and/or PNP-ACG).
If the lender is a bank/e-money issuer → complaints go to BSP (not SEC), but you can still file criminal and privacy complaints separately.

You may file in parallel with NPC, SEC, and NBI when the same facts implicate different laws.

5) How to file with the National Privacy Commission (NPC)

When to choose NPC

The app scraped your Contacts/SMS/Photos or disclosed your personal data to others without a valid basis.
The company refused to honor your data subject rights, e.g., to erasure/blocking, to object to processing for collection harassment, or to access your data.

Pre-filing step (recommended)

Write to the company’s DPO first, demand: (a) stop processing for harassment, (b) delete unlawfully collected data (e.g., contacts), (c) stop contacting third parties, and (d) give you copies of your data and a copy of their privacy notice/legal basis. Keep proof of delivery.
This shows good faith and often is required or favored by NPC.

What to file

Verified Complaint or Complaint-Affidavit (narrate facts; identify personal data involved; specify rights violated and unlawful bases/processing).
Annexes: screenshots, app permission screenshots, privacy notice, messages to DPO, IDs, sworn statements from contacts harassed.
Relief sought: cease-and-desist; deletion/erasure; order to stop contacting third parties; order to honor DSRs; administrative penalties.

Where/how

File through NPC’s online complaints portal or by email/physical filing (check the NPC website for the current channel and forms).

After filing

NPC may require clarifications or additional evidence.
Possible outcomes: Order to cease and desist, directives to delete or restrict processing, and administrative fines.
For damages, file a separate civil case relying on the DPA and Civil Code.

6) How to file with the Securities and Exchange Commission (SEC) (for lending/financing companies)

When to choose SEC

The collector/lender engaged in unfair debt collection: threats, profane language, shaming, contacting people who are not your co-maker/guarantor/authorized representative, workplace harassment, repeated calls at odd hours, false legal claims.
The entity may be unregistered or operating without a Certificate of Authority as a lending/financing company.

What to file

Complaint or Complaint-Affidavit addressed to the SEC’s enforcement arm (commonly the Enforcement and Investor Protection Department).
Identify the company/app name(s), phone numbers used, dates, specific acts constituting unfair collection.
Annexes: evidence of the abusive acts (screenshots/recordings of public posts), loan documents, proof of payments, proof of identity, witness statements (e.g., officemates or relatives who were contacted).

Relief you can ask for

Investigation of unfair collection violations.
Suspension or revocation of the company’s registration/Certificate of Authority.
Directives to cease abusive practices and to correct data handling.
Referral to NPC (privacy aspects) or law enforcement (criminal aspects) when appropriate.

Where/how

Submit to the SEC (online portals and email addresses change; check the SEC website for current filing channels and forms).
You may also verify if the company is legitimately registered and if the app/platform is duly recorded with the SEC.

After filing

SEC may issue show-cause, cease-and-desist, or administrative orders. They may also coordinate with platforms or other authorities. Parallel privacy and criminal complaints can proceed.

7) How to file with the National Bureau of Investigation (NBI) (Cybercrime Division)

When to choose NBI

There are criminal acts: threats of harm, extortion, coercion, identity-based abuse, libel/cyber libel, stalking, or data-related crimes.
Harassment occurred via SMS, chats, social media, emails, or calls (ICT-enabled).

What to file/bring

Complaint-Affidavit narrating facts with dates, handles/usernames, phone numbers, and the specific criminal acts (e.g., grave threats, cyber libel).
Evidence: screenshots (include full headers/URLs when possible), call logs, public posts, witness statements; valid ID.
If minors were harassed, highlight this; enhanced child-protection laws apply.

What the NBI can do

Investigate, preserve and analyze digital evidence, trace perpetrators (when feasible), and file a case with the Prosecutor’s Office.
You may be called to execute a supplemental affidavit and later to subscribe your affidavit before a prosecutor.

Practical notes

Do not delete original messages; export or back up chats where possible.
Do not pay “fixers” or share OTPs/one-time links with anyone claiming to be from the NBI.

8) Cease-and-desist and data-rights letters you can send now

You can often reduce harm by sending short, focused notices to the lender’s DPO and the collector:

(A) Data Privacy / DPO notice (email/message)

Subject: Exercise of Data Subject Rights; Unlawful Collection & Disclosure

I am exercising my rights under the Data Privacy Act to object to processing of my personal data for debt collection harassment, to demand erasure/deletion of unlawfully collected data (including Contacts/Photos/SMS), and to demand that you cease and desist from contacting any person other than me, my co-maker/guarantor, or my authorized representative.

Please: (1) confirm in writing within 10 days that you have stopped the unlawful processing and third-party contacts; (2) provide a copy of my personal data you hold and your legal basis for processing; and (3) identify all third parties with whom my data was shared.

Failure to comply will be elevated to the National Privacy Commission and other authorities.

(B) Anti-harassment notice to the collector

Your collection tactics violate Philippine law (including prohibitions on unfair debt collection, threats, and harassment). Stop contacting my employer/relatives/friends and refrain from threats or false representations. Further violations will be reported to the SEC, NPC, and NBI.

Keep proof of sending and any replies.

9) Frequently asked legal questions

Can they have me arrested for not paying? No. Non-payment of civil debt is not a crime. Only a court can issue warrants of arrest, and only for criminal cases based on probable cause.
They say they will post my photo and call me a criminal. Is that libel/cyber libel? It can be, if a defamatory imputation is made publicly with malice. Preserve evidence and consider an NBI complaint.
They messaged my officemates and clients. Is that allowed? Generally no for lending/financing companies; contacting non-authorized third parties and workplace shaming are typical unfair collection and privacy violations.
They demand that I allow full access to Contacts to use the app. Is that consent valid? Consent under the DPA must be freely given, specific, informed, and evidenced. Bundled, unnecessary permissions (e.g., to read all Contacts for a small loan) are likely excessive and challengeable.
Should I pay just to stop the harassment? That is a personal and financial decision. If you owe a legitimate debt, you remain civilly liable, but you do not have to tolerate illegal tactics. Consider negotiating restructuring through official channels only (no fixers).

10) Practical safety checklist

Capture evidence first; then revoke app permissions (Contacts/SMS/Storage/Location) and consider uninstalling.
Change passwords/enable MFA for email, social, and e-wallets.
Warn close contacts: tell them collectors must not be entertained; do not share your info.
Inform HR if workplace harassment occurs; provide a short memo citing privacy and unfair collection prohibitions.
Block and document: block abusive numbers/handles but keep screenshots and logs.
Never share OTPs or IDs with anyone claiming to “settle” the case.

11) Templates you can adapt

A. Complaint-Affidavit (skeleton)

Complainant: [Name, age, address, contact details] Respondent(s): [Lender/Collector names, app name, known numbers/handles]

Facts:

I obtained a loan from [app/company] on [date]; terms attached as Annex “A.”

Beginning [date], respondent(s) sent the following harassing communications: [describe chronologically, with Annexes “B,” “C,” …].

Without my valid consent or lawful basis, the app collected my [Contacts/SMS/etc.] and messaged [names], causing humiliation and distress (Annexes).

Violations: Data Privacy Act (unlawful processing/unauthorized disclosure); Unfair debt collection practices; [Threats/coercion/cyber libel] under the Revised Penal Code/Cybercrime law.

Reliefs Sought: [For NPC: cease-and-desist; erasure; DSR compliance. For SEC: sanction/suspension/revocation; cease abusive collection. For NBI: criminal investigation and filing of appropriate charges.]

Verification & Certification Against Forum Shopping: [standard language]

Signature; ID; Jurat (subscribe before a notary/public officer).

B. Third-party witness statement (if your contact was harassed)

I, [Name], received messages/calls from [number/account] on [dates] claiming [content]. Screenshots attached as Annex “[ ]”. I do not owe money to [company]; the messages concern [Borrower]. I was alarmed/embarrassed. I have no authority to discuss [Borrower]’s debt.

12) What outcomes to expect

NPC: orders to stop processing for harassment, delete unlawfully collected data, honor DSRs, and administrative penalties.
SEC: fines; cease-and-desist; suspension/revocation of authority to operate; referrals to other agencies.
NBI/Prosecutor/Courts: criminal cases (e.g., cyber libel, threats, coercion) may be filed; outcomes depend on evidence and prosecutorial/court findings.
Civil courts: damages for abuse of rights, privacy harms, or defamation; small claims may be available for qualified money disputes.

13) Common pitfalls to avoid

Secret call recording without consent (risk under Anti-Wiretapping). Use screenshots, logs, and witness statements instead.
Paying “fixers” or giving OTPs/IDs to strangers claiming they can “clean” your record.
Deleting the app before collecting evidence.
Assuming the entity is a bank (different regulator). Check the nature of the lender.
Not writing the DPO: a short email asserting your DSRs often reduces harm and strengthens your NPC case.

14) Getting help

Public Attorney’s Office (PAO) if you qualify financially.
IBP legal aid clinics or private counsel for strategic filing and possible civil damages.
Victim support: If harassment includes gender-based abuse, reach out to local VAWC desks or barangay officials for immediate assistance.

Bottom line

You do not have to tolerate shaming, threats, or data misuse from online lending apps. Document everything, assert your data privacy rights, and file targeted complaints: NPC for privacy violations, SEC for unfair collection by lending/financing companies, and NBI for crimes. Parallel remedies are allowed and often the most effective path to stopping abuse.