Reporting Online Lending Harassment in the Philippines: SEC, NBI, and Data Privacy Remedies

Reporting Online Lending Harassment in the Philippines: SEC, NBI, and Data Privacy Remedies

Philippine legal context • Practical, step-by-step guidance. This is general information, not legal advice.

1) What counts as “online lending harassment”?

Typical abusive tactics

  • Mass texting/calling you, your family, employer, or people in your phone’s contacts (“contact-shaming”).
  • Threats of arrest, public shaming, or workplace reports; doxxing; defamatory posts.
  • Use of profane/obscene language; repeated calls at unreasonable times; impersonating a lawyer, police, or government officer.
  • Coercive demands for selfies/IDs beyond what was agreed; forcing access to your contacts/gallery; public disclosure of your debt.

Why it’s unlawful (key legal hooks)

  • Securities and Exchange Commission (SEC): Lending/financing companies and their agents must not use unfair debt-collection practices. (See SEC Memorandum Circular No. 18, s. 2019 and related rules under the Lending Company Regulation Act RA 9474 and the Financing Company Act RA 8556.)
  • Data Privacy: The Data Privacy Act of 2012 (RA 10173) forbids unauthorized processing, excessive collection (e.g., harvesting your entire contact list without a proper legal basis), and malicious/unauthorized disclosure of personal data.
  • Criminal law: Depending on the facts, harassment may constitute grave threats (Art. 282), grave coercion (Art. 286), libel/online libel (Art. 353; RA 10175), unjust vexation (Art. 287), or related offenses under the Cybercrime Prevention Act (RA 10175).

Important: Non-payment of a loan, by itself, is not a crime. Threatening arrest or “NBI cases” for mere non-payment is an unfair practice. (Criminal liability may arise in different scenarios, e.g., BP 22 for knowingly issuing a worthless check, or estafa when there is fraud.)

2) Who regulates what? (Jurisdiction map)

Problem you’re facing Primary avenue
Abusive collection by a lending/financing company or its collectors (calls, threats, shaming) SEC (administrative sanctions; cease-and-desist; license suspension/revocation)
Contact-shaming, scraping contacts, public posting of your data/photos, leaks National Privacy Commission (NPC) under RA 10173 (compliance orders; penalties; stoppage of processing)
Criminal conduct (threats, libel, doxxing, extortion, hacking) NBI-Cybercrime Division (or PNP-ACG) → DOJ for prosecution
Banks, credit cards, e-money issuers Often BSP-supervised; use BSP consumer channels. (SEC covers lending/financing companies, not banks.)

3) Before you report: preserve evidence (safely)

Do

  • Keep a timeline (dates, numbers used, channels).
  • Save screenshots of texts/chats/app screens; export call logs.
  • Capture URLs of public shaming posts and take screenshots.
  • Keep the loan agreement, e-receipts, and the app’s privacy policy/terms if available.
  • Record how the app requested permissions (contacts, storage, camera).

Avoid illegal recordings

  • The Anti-Wiretapping Law (RA 4200) generally prohibits recording private conversations without consent of all parties. Prefer screenshots and written communications. If you will record calls, get express consent on the record.

Immediate device hygiene

  • Revoke the app’s permissions (Contacts/Phone/Storage), change passwords, enable 2FA, and uninstall the app after preserving evidence.

4) How to report to the SEC (unfair debt collection)

When to use the SEC route

  • The collector is tied to a lending company or financing company (not a bank).
  • You experience threats, shaming, impersonation, profanity, or other unfair collection practices.
  • The app/platform looks like an Online Lending Platform (OLP) run by, or for, a lending/financing company.

What to prepare

  1. Affidavit/Complaint letter (facts in chronological order; identify company/app; describe abusive acts).
  2. Evidence bundle (screenshots, numbers used, call logs, app pages, receipts).
  3. Your ID and contact details.
  4. Relief sought (e.g., investigate; issue cease-and-desist; penalize; direct the company to stop contacting third parties and to correct/delete data shared).

Where/How

  • File with the SEC Enforcement and Investor Protection Department (EIPD) and/or the division handling Lending/Financing Companies. Attach your evidence. (If you can, note the company’s SEC registration number; if unknown, say so.)
  • The SEC can: order cessation of abusive practices, fine/suspend/revoke licenses, and refer matters to law enforcement.

Template—SEC complaint opening

Subject: Complaint for Unfair Debt-Collection Practices (SEC MC 18, s. 2019) – [Name of App/Company] Complainant: [Your Name], [Address], [Contact] Respondent: [Company/Lending App] (SEC Reg. No. unknown/known: [xxx]) Facts: On [date], I obtained a loan of [amount] via [app]… Beginning [date], respondents repeatedly [threatened/shamed/contacted my employer/contacts]. Screenshots attached as Annexes “A-__”. Prayer: Investigate and sanction the respondents for violations of SEC MC 18, s. 2019 and related regulations; issue a cease-and-desist order; direct deletion of unlawfully obtained personal data; and other just relief.

5) Data Privacy remedies (NPC)

When to go to NPC

  • The lender/collector scraped your contacts, publicly posted/disclosed your personal data, or contacted third parties without a valid basis.
  • They refuse to honor your data-subject rights (to be informed, to object, to erasure/blocking, to damages, etc.).

Practical path

  1. Exercise your Data-Subject Rights (DSR) in writing first (email/letter to the company’s Data Protection Officer, if known). Demand:

    • Stop contacting third parties;
    • Identify sources, legal basis, and recipients of your data;
    • Delete/Block unlawfully collected data (e.g., contact list copies);
    • Limit processing to what’s necessary to collect the debt without harassment;
    • Respond within a reasonable period (e.g., 15 days).

  2. Escalate to NPC if ignored or denied. File a complaint with your affidavit, proof of the DSR request, and evidence of violations.

What NPC can do

  • Issue compliance or enforcement orders (e.g., stop processing; delete data), require corrective actions, and recommend criminal prosecution under RA 10173 for serious violations (e.g., unauthorized processing, unauthorized disclosure, malicious disclosure, access due to negligence).

Template—Data-subject rights letter (send to the company)

Subject: Exercise of Data-Subject Rights under RA 10173 – [Your Name] I object to your processing of my personal data for contact-shaming and harassment. Cease contacting my relatives, employer, and other third parties. Disclose within 15 days: (a) your legal basis for processing; (b) all recipients of my data; (c) data sources; and (d) measures to delete/block unlawfully obtained data (including copies of my contact list). Pending resolution, restrict processing to lawful, proportionate collection. Failure to comply will lead to a complaint with the NPC.

6) Criminal remedies (NBI / PNP-ACG)

When to use the NBI route

  • You received threats of harm, extortion, doxxing, or suffered defamation posts, or systems were hacked.

How to proceed

  1. Prepare an Affidavit-Complaint narrating the facts.
  2. Attach evidence: screenshots (include URLs, timestamps), call/SMS logs, links to posts, and any witness statements.
  3. Bring a valid government ID.
  4. File with NBI-Cybercrime Division (or your local PNP Anti-Cybercrime Group).
  5. Cooperate in digital forensics; the case may be referred to the DOJ for inquest or preliminary investigation under the Revised Penal Code and/or RA 10175.

Template—Affidavit opening

I, [Name], Filipino, of legal age, state: On [date], numbers [+63…] and accounts [@handle] threatened to [describe] unless I paid [amount]. They also posted [defamatory/doxxing content] at [URL], viewed [x] times. Annexes “A-__” consist of screenshots with visible timestamps and URLs.

7) Civil remedies (optional but powerful)

  • You may file a civil action for damages based on Civil Code provisions (Arts. 19, 20, 21 on abuse of rights/acts contra bonos mores; Art. 26 on privacy and peace of mind; defamation), and/or to enjoin further harassment.
  • Courts may reduce unconscionable interest/penalties and strike down unfair terms; interest must be in writing (Art. 1956 Civil Code; jurisprudence allows striking down unconscionable rates).

8) Practical do’s and don’ts while you assert your rights

Do

  • Continue paying legitimate amounts you admit are due, but only through official channels you can document. Ask for a statement of account.
  • Tell your references/contacts briefly that any lender contacting them about you is not authorized; ask them to screenshot any messages for your case.
  • If the harassment is intense, file a barangay blotter for documentation.

Don’t

  • Don’t pay to personal e-wallets/bank accounts of collectors.
  • Don’t share more personal data than necessary (selfies with IDs, contact lists, work IDs).
  • Don’t threaten back or post retaliatory content that could expose you to liability.

9) Quick decision guide

  1. Are you dealing with a lending/financing company (not a bank)?SEC complaint for unfair collection.
  2. Were your contacts scraped / data disclosed or misused?NPC complaint (after sending a DSR letter).
  3. Were there threats, libel, doxxing, or extortion?NBI-Cybercrime (or PNP-ACG) criminal case. (You can pursue all three in parallel.)

10) Checklists

Evidence pack

  • IDs; loan contract; app pages (About/Company/Privacy Policy).
  • Screenshots of threats, shaming texts, group chats, posts (with timestamps/URLs).
  • Call/SMS logs; list of numbers/handles used.
  • Your DSR letter & proof of sending; company’s reply (or lack thereof).
  • Timeline of events; list of affected third parties (employer, family, friends).

What to put in every complaint

  • Your identity and contacts (email/phone).
  • Exact name of app/company (as shown in the app/receipts).
  • Specific acts (who did what, when, where, how).
  • Laws/policies invoked (SEC unfair practices; RA 10173; RPC/RA 10175).
  • Relief sought (stop harassment; delete data; penalize; prosecute).

11) Frequently asked questions

Q: Can they jail me for not paying? A: No—mere non-payment is a civil matter. Threats of arrest for debt are abusive. Different facts (e.g., knowingly issuing a bounced check) can be criminal; seek counsel if in doubt.

Q: They messaged my boss and family. Is that allowed? A: Typically no. Contact-shaming and contacting people who are not guarantors/references are classic unfair practices and likely data-privacy violations.

Q: The loan terms are outrageous. What can I do? A: Pay what you acknowledge as due; dispute unconscionable interest/charges, and keep records. Courts can reduce unconscionable rates and penalties.

Q: Can I record their calls as proof? A: Be careful: RA 4200 generally requires all-party consent to record private conversations. Prefer texts/chats and screenshots as evidence.

12) Clean, reusable templates (copy-paste and adapt)

A) SEC complaint (short form)

[Date]

The Enforcement and Investor Protection Department
Securities and Exchange Commission

Re: Complaint for Unfair Debt-Collection Practices – [App/Company]

I am [Name], [Address], [Contact]. On [date], I obtained a loan of [amount] via [app]. Since [date], respondents have [threatened/contact-shamed/impersonated officials/used profane language], as shown in Annexes A-__.
These acts violate SEC rules (e.g., MC 18, s. 2019) and related regulations under RA 9474/RA 8556.

PRAYER: Please investigate and sanction respondents; issue a cease-and-desist order; direct deletion/blocking of unlawfully obtained data; and impose other appropriate remedies.

[Signature]

B) Data-Subject Rights letter (NPC path)

[Date]

Data Protection Officer
[Company]

Subject: Exercise of Rights under RA 10173 (Object, Access, Erasure/Blocking)

I object to your processing of my personal data for harassment and contact-shaming. Cease contacting third parties immediately. Within 15 days, please (1) identify your legal basis and data sources; (2) list all recipients of my data; (3) delete/block copies of my contact list and other unlawfully obtained data; and (4) confirm restrictions to proportionate, lawful collection.

Absent compliance, I will file a complaint with the NPC.

[Signature]

C) NBI affidavit (skeleton)

I, [Name], Filipino, of legal age, state:
1. On [date/time], from numbers [list] and accounts [list], respondents sent threats/defamatory posts re my loan (Annexes A-__).
2. They contacted my [relative/employer] and disclosed my personal data without consent (Annexes B-__).
3. I fear for my safety/reputation.

I request investigation for violations of the Revised Penal Code and RA 10175.

[Signature over printed name]

13) Final pointers

  • You can simultaneously: (a) file with SEC, (b) assert data-privacy rights and escalate to NPC, and (c) pursue criminal remedies through NBI/PNP-ACG.
  • Keep communications calm and factual. Your credibility—and your paper trail—win cases.
  • If the harassment is severe or you face safety risks, consult a Philippine lawyer promptly.

If you want, tell me your situation in brief (no personal identifiers needed), and I’ll adapt the templates to your facts and list the exact annexes from your evidence.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login