Reporting Threats from Online Lending Apps in the Philippines
A comprehensive legal guide (updated 25 July 2025)
Disclaimer: This article is for informational purposes only and does not create a lawyer‑client relationship. For advice on a specific case, consult a qualified Philippine attorney or accredited financial consumer service desk.
1. What Counts as a “Threat” from an Online Lending App?
| Kind of threat | Typical form | Possible legal violation |
|---|---|---|
| Harassment & intimidation | Repeated calls, profanity, threats of bodily harm | Art. 282–283 Revised Penal Code (Grave or Light Threats); Sec. 155, 2022 Financial Products and Services Consumer Protection Act (FPSCPA) |
| “Shaming” or public disclosure | Mass‐text blasts to contacts, social‑media posts with borrower’s photo | Art. 353 (Libel); Art. 26 Civil Code (privacy); Sec. 25 Data Privacy Act (Malicious Disclosure) |
| Blackmail or extortion | “Pay today or we post your nude photos / ruin your credit” | Art. 294 RPC (Robbery/Extortion); Cybercrime Prevention Act §6 (if online) |
| Contact‑scraping alerts | Messages to family/friends: “You are a guarantor—pay or be sued” | Art. 315 RPC (Estafa – deceit); NPC Circular 18‑01 (Data minimization) |
A single communication can violate multiple statutes, especially once information and communication technologies (ICT) are involved.
2. Regulatory & Legal Framework
2.1 Securities and Exchange Commission (SEC)
- SEC Memorandum Circular No. 18‑2019 – Registration of Online Lending Platforms (OLPs) and mandatory disclosure of app permissions.
- SEC MC No. 10‑2021 – Prohibited debt‑collection practices: harassment, threats, obscene language, contact‑scraping, and public shaming are explicitly banned.
- Penalties: PHP 10,000 – 1 million plus PHP 2,000/day for continuing violations; suspension or revocation of a Certificate of Authority (CoA); cease‑and‑desist orders (CDOs) blocking the app on the Play Store.
2.2 National Privacy Commission (NPC)
Republic Act (RA) 10173 – Data Privacy Act (DPA).
- Sec. 25–29: unauthorized processing, malicious disclosure, intentional breach.
Sample enforcement: NPC Cases 19‑004 & 19‑014 (Fast Cash, Fynamics Fast Pay) where apps were fined and ordered to delete harvested contacts.
2.3 Bangko Sentral ng Pilipinas (BSP) and Financial Products and Services Consumer Protection Act (RA 11765, 2022)
Although most OLPs are non‑bank financing companies supervised by the SEC, the BSP now holds concurrent jurisdiction when products blur into payments, e‑money or “Buy‑Now‑Pay‑Later” schemes. RA 11765 guarantees consumers the right to fair, respectful collection and empowers the BSP, SEC and Insurance Commission to adjudicate.
2.4 Criminal Laws
| Law | Relevance | Penalty range |
|---|---|---|
| Revised Penal Code Arts. 282‑283 (Threats), 287 (Light Coercions), 315 (Estafa), 353‑355 (Libel) | Core criminal offenses | Arresto mayor to prisión correccional; fines |
| RA 10175 Cybercrime Prevention Act §6 | Raises the penalty one degree when the above crimes are committed through ICT | E.g., Grave Threats online → prisión mayor |
| RA 10173 Data Privacy Act | 1–6 yrs imprisonment + PHP 500k–4 M | |
| RA 9262 Anti‑Violence Against Women & Children | If threats amount to psychological violence by an intimate partner | 6–20 yrs |
| RA 11422 Safe Spaces Act (if threats are sexual in nature) | Fine + community service or imprisonment |
3. Agencies You Can Approach
| Agency | Best for | How to file |
|---|---|---|
| SEC Corporate Governance & Finance Dept. | Unauthorized or abusive lending apps | Email scanned complaint form + evidence to cgfd_md@sec.gov.ph or via the SECEAP portal |
| NPC Complaints & Investigation Division | Contact scraping, data misuse | Online Complaints Portal (CP Form v.2) within 15 days from last violative act |
| PNP Anti‑Cybercrime Group (ACG) | Criminal threats, libel, extortion via ICT | Walk‑in (Camp Crame) or regional ACG desks; bring devices for forensic imaging |
| NBI Cybercrime Division | Same as PNP‑ACG; can issue Subpoena Duces Tecum to telcos/platforms | e‑mail nbi_cybercrime@nbi.gov.ph; schedule online |
| BSP Consumer Assistance Mechanism (CAM) & DTI Fair Trade Enforcement Bureau | If app is partnered with a bank/e‑money issuer; deceptive interest ads | CAM form via bsp.gov.ph; 15‑day resolution window |
4. Step‑by‑Step Reporting Guide
Preserve evidence immediately
- Take timestamped screenshots (include status bar).
- Use the phone’s Call & SMS Backup; export chat logs (WhatsApp, Viber).
- If calls are made, record them after verbally informing the caller (to avoid RA 4200 wiretapping liability).
Draft a Chronology
- Dates, sender numbers, app names, threatened consequences, any money already paid.
File an SEC Complaint
- Download “Complaint Form – Financing/Lending Companies” (SEC website).
- Attach proof of identity and evidence.
- SEC issues a reference number; keep for follow‑up.
- Expect mediation notice within 30 days or outright CDO if app is unregistered.
Parallel NPC Complaint (if contact scraping or exposure of personal data)
- Fill CP Form; cite Sec. 25 DPA. Include phone permission logs if available (Settings ▶ App ▶ Permissions ▶ History).
Criminal Affidavit (optional but powerful)
- Execute a “Complaint‑Affidavit” before the city/provincial prosecutor.
- Attach evidence and Police Blotter.
- Prosecutor conducts inquest (if suspect is arrested) or pre‑investigation; subpoena may issue to the company address in SEC records.
Civil Action for Damages (when reputational harm or mental anguish is severe)
- File before the RTC (amount > PHP 2 M) or MTC (≤ 2 M).
- Cite Arts. 19, 20, 21, 26 Civil Code and attach psychological assessment for moral damages.
Request App‑Store Takedown
- Google Play Developer Policy prohibits “harassment and bullying.” Forward SEC advisory plus screenshots; takedowns typically happen within 48 hrs.
5. Evidentiary Rules & Tips
| Rule | Key points |
|---|---|
| Rule on Cybercrime Warrants (A.M. No. 17‑11‑03‑SC, 2019) | Police must secure a cyber subpoena to get server logs; cooperation letters you file help establish probable cause. |
| Rules on Electronic Evidence (A.M. No. 01‑7‑01‑SC) | Affidavit of print‑out + your oath is prima facie authentication; preserve original digital copies on a write‑blocked drive. |
| Chain of custody | Seal devices in evidence bags, hash using SHA‑256; note hash in the receipt. |
| Privilege & privacy | You may forward conversations addressed to you without needing the sender’s consent; but avoid disclosing unrelated third‑party data to agencies. |
6. Notable Enforcement and Jurisprudence
| Year | Case / Action | Outcome |
|---|---|---|
| 2019 | NPC v. Fynamics Lending Inc. (Fast Cash) | App ordered deleted; PHP 3 M cumulative fines; first landmark DPA enforcement vs. OLA |
| 2020 | SEC CDO vs. Cash Whale et al. | 63 apps delisted from Play Store within 72 hrs |
| 2021 | People v. Montilla (RTC Manila) – threats via Messenger by collection agent | Conviction for Grave Threats as cybercrime; imprisonment 6 yrs 1 day–8 yrs |
| 2023 | NPC x Colourette “Share Contacts” Ads | NPC advisory clarified that requiring contact list access to qualify for a loan is excessive and unnecessary processing |
| 2024 | SEC MC 2‑2024 | Mandatory in‑app “Complaint” button linking to SEC form |
7. Common Defenses Raised by Collectors (and How to Counter Them)
- “It’s part of the loan contract.” Under Philippine law, contractual clauses cannot waive criminal liability or override statutes. Unconscionable provisions are void under Art. 1306 Civil Code and SEC MC 10‑2021.
- “We’re just exercising our right to collect.” The right ends where abuse begins (Art. 19 Civil Code). Harassment, threats, and contact scraping are never a legitimate exercise.
- “Only civil, not criminal.” Threats, libel, and extortion are mala in se. Criminal action is independent of civil collection (Art. 100 RPC; Rule 111 Rules of Court).
8. Practical Tips for Borrowers
- Communicate in writing only, so everything is logged.
- Do not delete the app until you have backed up evidence—some apps self‑wipe logs.
- Notify family & contacts that any harassing calls should be recorded and reported.
- Consider a cease‑and‑desist letter drafted by counsel; this sometimes triggers internal compliance desks that bypass rogue collection agencies.
- Seek psycho‑social support. Threats can trigger anxiety; medical certificates bolster moral‑damage claims.
9. Legislative & Policy Developments to Watch (2025‑onwards)
- House Bill 10798 – “Anti‑Online Lending Harassment Act.” Seeks to criminalize contact scraping per se; pending Second Reading in the Senate.
- BSP’s draft “Digital Credit Risk Management Guidelines.” Would impose fit‑and‑proper tests for third‑party collectors and require an “Ethical AI” assessment for automated approval engines.
- NPC “Code of Practice for FinTech” (Consultation Paper 2025‑01). Emphasizes data minimization and “privacy by design” for lending apps.
10. Summary Checklist
- Gather & preserve digital evidence.
- File parallel administrative complaints with SEC (lending violations) and NPC (privacy).
- Lodge a criminal complaint with PNP‑ACG or NBI if threats, libel, or extortion exist.
- Consider civil action for damages if reputational or psychological harm is substantial.
- Monitor agency actions (CDO, fines) and follow up; agencies must resolve within statutory periods (15–60 days).
- Seek professional help—public attorneys, Integrated Bar of the Philippines free legal aid, or BSP Financial Consumer Protection Desk.
11. Template: Basic SEC Complaint Affidavit (excerpt)
I, Juan Dela Cruz, of legal age, Filipino, after having been duly sworn, depose and state:
- On 12 June 2025 I installed the mobile application “QuickPeso.”
- From 5‑10 July 2025 I received 37 calls and 89 SMS from mobile numbers +63‑912‑* and +63‑945‑* containing threats of bodily harm and publication of my contact list…
- I attach Annex “A” (screenshots), Annex “B” (call log), Annex “C” (Google Play listing).
- I respectfully pray that the Commission order respondents to cease operations, delist the application, and impose administrative fines pursuant to SEC MC 10‑2021.
Final Word
Philippine law provides multiple, overlapping remedies—administrative, criminal, and civil—against abusive online lending apps. Swift documentation and simultaneous reporting to the SEC, NPC, and cyber‑crime law‑enforcement units maximize pressure on erring companies and protect borrowers’ rights. Stay vigilant, know your options, and do not hesitate to seek help.