Finding out that your name, mobile number, ID, photo, or contact details were used in an online lending app without your consent can be frightening. Sometimes the app claims you borrowed money. Sometimes you are only listed as a “reference,” but collectors message you or your family as if you are responsible for the debt. In the Philippines, this can involve several legal issues at once: data privacy, unfair debt collection, identity theft, fraud, cyber harassment, and possible civil damages.
The most important point is this: being named in an online lending app does not automatically make you liable for someone else’s loan. A lender must show a real legal basis for using your personal data, and a person cannot be treated as a guarantor unless they clearly agreed to be one. Philippine regulators have specifically warned online lending platforms against harassment, public shaming, unlawful use of personal data, and contacting people in a borrower’s phone contacts who are not guarantors.
What It Means When Your Name Is Used Without Consent
Your situation usually falls into one of these categories:
| Situation | What it usually means | Your main concern |
|---|---|---|
| You were listed as a character reference | Someone placed your name or number in the app to verify identity or background | The app may contact you only within lawful limits |
| You were treated as a guarantor | The app claims you are responsible if the borrower does not pay | This requires your separate, express consent |
| Someone used your name, ID, selfie, or number to apply for a loan | Possible impersonation or identity theft | Criminal complaint and data privacy action may be needed |
| Collectors are messaging your friends, employer, or relatives about you | Possible unfair debt collection and privacy violation | SEC/NPC complaint and evidence preservation |
| Your name or photo was posted online as a “scammer,” “estafador,” or delinquent borrower | Possible cyberlibel, data privacy violation, and civil damages | Cybercrime and civil remedies may apply |
The difference matters because your remedy depends on what actually happened. A person who is merely listed as a reference is not automatically a borrower, co-maker, surety, or guarantor. A guarantor is someone who expressly binds himself or herself to answer for another person’s debt if that person defaults. The NPC has emphasized that character references and guarantors must be treated separately, and a guarantor must give separate consent before being bound. (National Privacy Commission)
Your Rights Under Philippine Law
Data Privacy Act of 2012
Republic Act No. 10173, or the Data Privacy Act of 2012, protects personal information handled by private companies, including lending companies and online lending platforms. Its Implementing Rules and Regulations recognize that consent must be freely given, specific, and informed, and that data subjects have rights such as the right to be informed, object, access, correct, erase or block data, and claim damages for unauthorized use of personal data. (National Privacy Commission)
For online lending apps, the key privacy principles are:
- Transparency — you should know what data is being collected, why, how it will be used, and who will receive it.
- Legitimate purpose — the lender must have a lawful and specific reason for processing your data.
- Proportionality — the lender should collect and use only data necessary for that purpose.
The NPC’s rules on loan-related transactions apply to lending companies, financing companies, and even persons acting as such, whether or not they have the proper SEC authority. NPC Circular No. 20-01 covers processing of personal data for evaluating applications, granting loans, collecting loans, and closing accounts. (National Privacy Commission)
In 2026, the DICT, NPC, and SEC jointly reiterated that online lending platforms must not engage in unnecessary, unauthorized, excessive, or disproportionate processing of personal data, especially access to borrowers’ contact lists. They also stated that contacting people in the borrower’s contact list other than guarantors is prohibited for debt collection.
SEC Rules on Lending and Collection
Lending companies are regulated by the Securities and Exchange Commission under Republic Act No. 9474, the Lending Company Regulation Act of 2007. A lending company must be a corporation and cannot conduct business without authority from the SEC. The SEC also has power to regulate, examine, and sanction lending companies, including suspension or revocation of authority to operate. (Supreme Court E-Library)
The SEC’s Memorandum Circular No. 18, Series of 2019 prohibits unfair debt collection practices by financing and lending companies. The SEC’s own issuances list this circular under “Prohibition on Unfair Debt Collection Practices of Financing Companies and Lending Companies,” while the 2026 DICT-NPC-SEC advisory identifies prohibited practices such as threats, harassment, intimidation, public shaming, unlawful use of personal data, and contacting non-guarantor phone contacts for collection. (SEC Appointment System)
Republic Act No. 11765, the Financial Products and Services Consumer Protection Act, also protects financial consumers. It recognizes rights to fair treatment, disclosure and transparency, protection against fraud and misuse, data privacy, and timely handling of complaints. It gives regulators such as the SEC authority to impose enforcement actions, issue cease-and-desist orders, suspend operations, impose fines, and provide complaint-handling mechanisms. (Supreme Court E-Library)
Cybercrime and Identity Theft
If someone used your name, ID, selfie, mobile number, or other identifying information to obtain a loan, the issue may go beyond a privacy complaint. It may involve computer-related identity theft under Republic Act No. 10175, the Cybercrime Prevention Act of 2012. Section 4(b)(3) penalizes the intentional acquisition, use, misuse, transfer, possession, alteration, or deletion of identifying information belonging to another person without right. (Supreme Court E-Library)
If the lender or collector posts defamatory accusations online, such as calling you a scammer or criminal in a Facebook post, group chat, or public page, the same law also covers cyberlibel when libel under the Revised Penal Code is committed through a computer system. (Supreme Court E-Library)
The NBI and PNP are the law enforcement authorities responsible for cybercrime cases, and the NBI Cybercrime Division handles complaints from victims of computer crimes. (Supreme Court E-Library)
Civil Code Remedies for Damage to Reputation and Privacy
Even when a case is not purely criminal, the Civil Code may support a civil claim for damages. Articles 19, 20, and 21 require people to act with justice, honesty, good faith, and in a manner not contrary to law, morals, good customs, or public policy. Article 26 protects personal dignity, privacy, and peace of mind. Article 33 allows an independent civil action for damages in cases of defamation, fraud, and physical injuries. (Lawphil)
In practical terms, this matters when a person’s reputation, employment, business, family relationships, or mental well-being is harmed because an online lender used their name or personal information unlawfully.
What to Do Immediately
1. Do not pay a debt that is not yours
If you never borrowed money, do not pay simply to stop harassment. Payment can create confusion later because the lender may argue that you recognized the account.
Instead, say in writing:
“I did not apply for, receive, guarantee, or consent to this loan. Please provide the legal basis for processing my personal data, the source of the information, and proof of any alleged obligation.”
Keep the message short. Do not argue over the phone. Do not send more IDs, selfies, OTPs, signatures, or bank details unless you are certain you are dealing with a legitimate government office or verified institution.
2. Preserve evidence before blocking everyone
Blocking may stop stress, but evidence disappears quickly. Before blocking or reporting accounts, save:
- Screenshots of messages, including sender name, number, date, and time
- Call logs showing missed calls or repeated calls
- Voice recordings if available and lawfully obtained
- Screenshots of public posts, comments, group chats, or debt-shaming messages
- The app name, developer name, website, Google Play/App Store link, APK source, and logo
- Loan account number, reference number, or demand notice
- Payment instructions, e-wallet numbers, bank account names, QR codes, and collector names
- Messages sent to your family, friends, employer, or co-workers
- Copies of IDs or documents that may have been misused
- A written timeline of events
Ask relatives or friends who received messages to send you screenshots from their own phones. Screenshots from third parties are often important because they show the lender contacted people outside the borrower-lender relationship.
3. Find out whether you are being treated as borrower, reference, or guarantor
Send a written request to the lending app, company email, data protection officer, or customer service channel asking for:
- The exact role assigned to you: borrower, co-borrower, character reference, guarantor, or emergency contact.
- The source of your personal data.
- The legal basis for processing your data.
- A copy of any document, e-signature, consent form, or recording allegedly showing your consent.
- Deletion or blocking of your personal data if it was unlawfully obtained.
- Written confirmation that you are not liable for the loan if you did not sign or consent.
This written request is also important because the NPC complaint process generally requires exhaustion of remedies: you must show that you informed the respondent in writing and gave them an opportunity to address the privacy violation, and that they failed to act properly or did not respond within 15 calendar days. (National Privacy Commission)
4. Report the matter to the correct agency
Different agencies handle different parts of the problem.
| Problem | Where to report | Why |
|---|---|---|
| Harassment, threats, public shaming, unfair collection by lending app | SEC, especially through SEC iMessage | SEC regulates lending and financing companies |
| Unauthorized use of your name, number, contacts, ID, or photo | National Privacy Commission | NPC handles Data Privacy Act complaints |
| Identity theft, fake account, forged online loan, cyberlibel, online threats | NBI Cybercrime Division or PNP Anti-Cybercrime Group | These are law enforcement matters |
| Scam, phishing, online fraud, cyber incident | DICT/CICC hotline 1326 and cyber reporting channels | Government cyber incident reporting |
| Immediate physical danger | Local police station or emergency channels | Safety comes first |
The DICT-NPC-SEC advisory identifies the SEC Financing and Lending Companies Department for unfair debt collection complaints, the DICT Cyber Hotline 1326, the NBI Cybercrime Division, and the PNP Anti-Cybercrime Group as reporting channels for harassment, threats, frauds, and scams involving online lending platforms.
The SEC iMessage system is the SEC’s official web-based platform for public inquiries, complaints, incidents, and requests, and it generates a ticket that can be tracked. (iMessage)
5. File an NPC complaint if the privacy violation is not corrected
For a formal NPC complaint, the NPC requires the complaint to be in a specific format. The complainant must print and fill out the form, have it notarized, and submit it in person, by courier, or by scanned email. (National Privacy Commission)
Under the NPC complaint mechanics, a complaint should include supporting documents and affidavits. A complaint may be dismissed outright if it is insufficient in form or substance, if the respondent was not first given an opportunity to address the issue, if it does not involve a DPA violation or personal data breach, or if the evidence is insufficient. (National Privacy Commission)
A practical NPC packet usually includes:
- Notarized complaint form or verified complaint
- Copy of your valid ID
- Screenshots and call logs
- Your written demand or privacy request to the lender
- Proof that the lender received it, such as email sent status, courier receipt, or ticket number
- The lender’s reply, or proof of no reply after 15 calendar days
- Affidavits from people who received messages about you
- Timeline of events
- App details and company details, if known
6. Consider a criminal complaint if there was impersonation, threats, or cyberlibel
Go to the NBI Cybercrime Division or PNP Anti-Cybercrime Group if:
- Someone used your identity to obtain a loan.
- A fake account used your photo, ID, or name.
- You received threats of harm, arrest, public exposure, or violence.
- Your name or photo was posted online with defamatory accusations.
- The app used forged documents, fake e-signatures, or fabricated consent.
- Collectors are using multiple numbers, anonymous accounts, or overseas-looking contacts.
The NBI Citizen’s Charter for victims of computer crimes shows that complainants may proceed to the Cybercrime Division to file a complaint or request investigation, undergo preliminary interview, execute sworn statements, and submit supporting documents. It lists no fee for the initial steps and indicates an initial front-end process of about one hour and ten minutes, although the actual investigation can take longer depending on complexity. (National Bureau of Investigation)
Required Documents and Practical Timelines
| Step | Documents to prepare | Usual practical timeline |
|---|---|---|
| Evidence preservation | Screenshots, call logs, app details, messages to contacts, payment details | Same day |
| Written demand/privacy request | Letter or email asking for basis, source, proof of consent, deletion/blocking | Send immediately |
| Waiting period for NPC exhaustion | Proof respondent received your written notice | 15 calendar days from receipt |
| SEC complaint | Timeline, screenshots, company/app details, collection messages, loan notices | Ticket can be filed online; resolution depends on facts and follow-ups |
| NPC complaint | Notarized complaint, evidence, affidavits, proof of exhaustion | Filing after proper documentation; incomplete complaints risk dismissal |
| NBI/PNP cybercrime complaint | Complaint-affidavit, IDs, screenshots, device, URLs, account names, numbers | Initial intake may be quick; investigation varies |
| Civil damages case | Evidence of injury, defamatory posts, lost income, medical records if any, witnesses | Timeline depends on court docket and complexity |
Common Mistakes That Can Hurt Your Case
Ignoring the first written notice
Even if the claim is false, do not just delete everything. A short written denial helps create a record that you disputed the debt and objected to the use of your personal data.
Sending more IDs to “verify” yourself
Scammers often ask for another ID, selfie, OTP, or signature to “clear your name.” If the app is suspicious, this may worsen identity theft. Verify the company first through official SEC channels and use official complaint portals.
Mixing all lending apps in one messy complaint
Many victims receive messages from several apps at once. Organize evidence by app name, company name, phone number, date, and incident. Regulators process complaints more easily when the timeline is clean.
Relying only on phone calls
A phone call is hard to prove unless recorded and authenticated. Use email, official ticket systems, or written messages so there is a record.
Assuming barangay mediation is always required
Barangay conciliation is usually not the correct first step when the respondent is a corporation, an online lending platform, a person outside your city or municipality, or an unknown cyber offender. For online lending abuse, the more practical first offices are usually the SEC, NPC, NBI, PNP Anti-Cybercrime Group, or DICT/CICC channels, depending on the facts.
Paying just to stop harassment
If the debt is not yours, payment may encourage further demands. If you actually borrowed money, you can still complain about unlawful collection practices, hidden charges, public shaming, and unauthorized contact-list use. Owing money does not give collectors the right to violate privacy or harass third parties.
Special Notes for OFWs, Filipinos Abroad, and Foreigners
OFWs and Filipinos abroad can still prepare complaints if the online lending app operates in the Philippines or uses Philippine contacts, numbers, or companies. Save screenshots using Philippine time if possible, keep the SIM or number involved, and ask family members in the Philippines to preserve messages they received.
If someone in the Philippines will file documents or appear for you, agencies or lawyers may ask for a Special Power of Attorney. Documents executed abroad may need consular notarization or apostille, depending on where they were signed and where they will be used. The DFA Apostille system lists Special Powers of Attorney and affidavits among documents that may require authentication for use in the Philippines, while Philippine embassies may notarize private documents such as affidavits and SPAs when the signer personally appears. (Apostille Authority)
Foreigners in the Philippines may also invoke data privacy rights if their personal information is processed by a Philippine-based lender or by an online lending platform operating in the Philippines. The Data Privacy Act protects “data subjects,” not only Filipino citizens. Practical issues for foreigners include proving identity, preserving Philippine mobile records, translating foreign-language documents into English, and ensuring that affidavits executed abroad are properly notarized, consularized, or apostilled when required.
Frequently Asked Questions
Can an online lending app make me pay just because my name was used?
No. Your name appearing in an app does not automatically make you liable. The lender must prove that you applied for the loan, received the money, signed or electronically agreed to the loan, or validly agreed to be a guarantor or co-maker.
Am I liable if I was listed as a character reference?
Not automatically. A character reference is generally used to verify identity or information. A guarantor is different because a guarantor expressly agrees to answer for the debt if the borrower fails to pay. Philippine regulators have stated that guarantors must give separate consent.
Can online lending apps contact my relatives or friends?
For debt collection, lending and financing companies may contact the guarantor, but the 2026 DICT-NPC-SEC advisory states that contacting people in the borrower’s contact list other than guarantors is prohibited.
What if I really borrowed money but the app is shaming me online?
You may still complain. A real debt does not authorize threats, harassment, public shaming, defamatory posts, or excessive use of your personal data. The legal issue becomes both repayment and unlawful collection conduct.
Where should I file first: SEC, NPC, NBI, or PNP?
File with the SEC for unfair debt collection or abusive lending practices. File with the NPC for unauthorized processing or misuse of personal data. Go to NBI or PNP cybercrime units if there is identity theft, cyberlibel, hacking, fake accounts, threats, or fraud. Some cases require reports to more than one agency because the facts overlap.
Do I need a lawyer to file an SEC or NPC complaint?
Many people file initial complaints themselves if they have organized evidence and a clear timeline. A lawyer becomes more important when there is a large amount involved, identity theft, forged documents, court papers, criminal charges, settlement negotiations, or a civil damages case.
What if the app is not registered with the SEC?
Still document and report it. RA 9474 requires lending companies to have SEC authority to operate, and the SEC has regulatory power over lending companies. If the company is unregistered or hiding behind changing app names, include all available identifiers: app link, developer name, phone numbers, e-wallets, bank accounts, messages, and screenshots. (Supreme Court E-Library)
Can I ask the app to delete my data?
Yes, if your data was unlawfully obtained, is being used for an unauthorized purpose, is false, is no longer necessary, or is being processed unlawfully. The DPA IRR recognizes the right to erasure or blocking, subject to legal limitations. (National Privacy Commission)
Can I sue for damages?
Possibly. If the misuse of your name caused reputational harm, emotional distress, business loss, employment problems, or other damage, Civil Code provisions on abuse of rights, unlawful injury, privacy, dignity, defamation, and fraud may be relevant. The available remedy depends on evidence, the identity of the wrongdoer, and the exact acts committed. (Lawphil)
Key Takeaways
- Your name in an online lending app does not automatically make you liable for the loan.
- A character reference is not the same as a guarantor; guarantor liability requires separate consent.
- Philippine regulators prohibit online lending platforms from using excessive personal data, accessing contact lists without proper basis, harassing people, publicly shaming borrowers, and contacting non-guarantor contacts for collection.
- Preserve evidence before blocking numbers or deleting messages.
- Send a written denial and data privacy request asking for the source, basis, proof of consent, and deletion or blocking of your data.
- Report unfair collection to the SEC, privacy violations to the NPC, and identity theft, threats, cyberlibel, or fraud to the NBI or PNP cybercrime units.
- For NPC complaints, prepare a notarized complaint, evidence, affidavits, and proof that you first gave the respondent a chance to address the privacy violation.
- OFWs, Filipinos abroad, and foreigners can still pursue remedies when the personal data misuse or online lending activity is connected to the Philippines.