Where to File a Complaint Against an Online Lending App for “Public Shaming” in the Philippines
Executive summary
“Public shaming” by online lending apps (e.g., blasting debt reminders to your contacts, posting defamatory statements on social media, or threatening to expose private information) is unlawful under multiple Philippine laws. The proper venue depends on what was done and who the lender is. In most cases you will complain to the Securities and Exchange Commission (SEC) and/or the National Privacy Commission (NPC); you may also pursue criminal and civil remedies and, if the lender is a bank or e-money issuer, complain to the Bangko Sentral ng Pilipinas (BSP). This article explains the legal basis, the right regulators, and a step-by-step playbook for building a strong case.
What counts as “public shaming” by lending apps?
Typical misconduct includes:
- Accessing your phone contacts or gallery, then messaging your relatives, co-workers, employer, or friends about your debt.
- Group chats, social media posts, or SMS blasts portraying you as a “scammer” or “delinquent.”
- Threats to publish personal data or to contact your employer unless you pay immediately.
- Harassing or obscene language, repeated calls beyond reasonable hours, and false representations by collectors.
These acts can simultaneously violate data privacy, consumer protection, unfair debt collection rules, and criminal laws (libel, grave threats, grave coercion, unjust vexation), among others.
Core legal framework
Data Privacy Act of 2012 (DPA; R.A. 10173): Protects personal information. Unlawful processing, unauthorized disclosure, and failure to implement security measures are punishable. Using scraped contact lists to shame a borrower is a classic DPA issue.
SEC rules on unfair debt collection (applicable to lending companies and financing companies): SEC issuances prohibit abusive collection practices such as contacting persons not listed as references, threats, use of profane or insulting language, and false representations. Many app-based lenders fall here.
Financial Products and Services Consumer Protection Act (FCPA; R.A. 11765): Establishes abusive collection practice prohibitions across financial service providers and strengthens the complaint and enforcement powers of the BSP, SEC, and Insurance Commission (IC).
Revised Penal Code & special penal laws: Potential crimes include libel (including cyber libel), grave threats, grave coercion, unjust vexation, and violation of the Anti-Photo and Video Voyeurism Act (if images are misused). You may file criminal complaints with law enforcement and prosecutors.
Civil Code: Allows recovery of moral, exemplary, and actual damages for tortious acts that injure reputation, privacy, and peace of mind.
Who supervises whom? (Choose the right regulator)
SEC — lending apps operated by lending companies or financing companies (non-bank). Most “payday” and small-ticket lending apps are here.
BSP — banks, e-money issuers, and other BSP-supervised financial institutions. If the app is from a bank, digital bank, or e-wallet that extended credit (e.g., credit lines), complain to BSP.
NPC — any entity mishandling personal data (regardless of whether it’s SEC- or BSP-supervised). NPC is the venue when your contacts were scraped, when private information was disclosed, or when consent/privacy notices were defective.
Insurance Commission (IC) — if the “lender” is an insurer or HMO extending credit-like products.
You can file with more than one office: e.g., NPC for the privacy breach and SEC or BSP for abusive collection. Parallel criminal and civil actions may also proceed.
Where and how to file your complaint
1) National Privacy Commission (NPC) — for privacy violations
When to go: The app accessed your contacts/photos without proper consent; sent messages to third parties; disclosed sensitive data; or threatened disclosure.
What to file:
- Sworn Complaint (include your full name, address, facts, reliefs sought).
- Evidence: screenshots of messages or posts, call logs, app permissions page, privacy notice/terms of the app, copies of IDs only if necessary, and a chronology of events.
- Data Subject Action: Briefly note if you tried to exercise your data subject rights (e.g., demanded deletion, withdrawal of consent, or access to your data) and attach the company’s reply or non-reply.
What NPC can do: Investigate, order cease and desist, direct erasure/blocking of unlawfully processed data, impose administrative fines, and refer criminal aspects to prosecutors.
2) Securities and Exchange Commission (SEC) — for abusive debt collection (lenders/financers)
When to go: The collector used threats, humiliation, or contacted people not your stated references; used profane or demeaning language; misrepresented identity; or the app is unlicensed.
What to file:
- Complaint or tip to the SEC’s enforcement/investor protection arm identifying the lending company, app name, and links to store listings.
- Evidence: the app’s screenshots, collection messages (SMS, chat, in-app), audio recordings if lawfully obtained, and identities/numbers of collectors.
- If you suspect the lender is unregistered or is already subject to a cease-and-desist order (CDO), include that.
What SEC can do: Order take-downs/cease-and-desist, revoke licenses, fine the company, and coordinate with app stores and law enforcement.
3) Bangko Sentral ng Pilipinas (BSP) — if the lender is a bank or e-money issuer
When to go: The credit is from a BSP-supervised institution (e.g., bank credit card/instalment, e-wallet credit line).
What to file: A consumer assistance complaint detailing the abusive collection acts and attaching evidence.
What BSP can do: Enforce the FCPA and its rules against abusive collection, require remediation, and sanction the supervised institution.
4) Police/Prosecutor/NBI — for criminal acts (libel, threats, coercion)
When to go: Messages include criminal threats, extortion, or defamatory posts; or there’s stalking/harassment beyond mere reminders.
Where to go:
- PNP Anti-Cybercrime Group (ACG) or NBI Cybercrime Division for e-evidence collection and investigation.
- Office of the City/Provincial Prosecutor to file a criminal complaint with your affidavits and attachments.
What to prepare: Affidavits (yours and witnesses’), screenshots with timestamps/URLs, phone extraction reports if available, and device preservation steps (see “evidence” below).
5) Civil action for damages
When to go: If you suffered mental anguish, reputational harm, or job consequences due to shaming.
Remedies: Moral and exemplary damages, plus injunction to restrain continued harassment. Consult counsel; civil and administrative/criminal cases can run in parallel.
Evidence: build a prosecution-ready package
Preserve everything
- Full-screen screenshots that show sender, date, and time.
- Export chat histories (WhatsApp/Viber/Messenger/Telegram), call logs, and voicemails.
- Keep copies of the app’s permissions (phone Settings → App → Permissions) at the time of install/use.
Document consent and notices
- Save the app’s Privacy Notice/Terms as PDFs. Note any lack of specific, informed consent for contact scraping.
Collect third-party statements
- Ask family/co-workers who received shaming messages to issue brief affidavits and provide screenshots.
Create a timeline
- Date-ordered log of installs, disbursements, due dates, collection messages, threats, and your responses.
Metadata where possible
- If feasible, retain original files (not just screenshots) so headers/metadata can be examined.
Practical, step-by-step playbook
Stop the data leak
- Revoke the app’s permissions (Contacts, SMS, Phone, Storage, Photos).
- Change passwords if the app had broader access; consider a factory reset only after evidence backup.
Send a short legal demand (email/support ticket/in-app):
- State that you are withdrawing consent to process and disclose your personal data; demand erasure of contacts/photos and cessation of third-party contacts; and request a copy of all data they hold about you.
- Give a reasonable deadline to comply and note you will escalate to NPC/SEC/BSP and file criminal charges for threats/libel.
File with the right regulator(s)
- NPC for privacy violations; SEC or BSP for abusive collection depending on supervision; police/NBI + prosecutor for crimes.
Consider payment safety
- If you settle, do not send money to collectors' personal accounts; pay only through official channels that generate a receipt, and keep proof of every payment.
If your employer was contacted
- Ask HR to preserve the messages and to refrain from distributing them; their affidavit will be key to damages.
Frequently asked questions
Q1: What if the app is not registered with the SEC?
File with the SEC anyway. Operating a lending business without required authorization is sanctionable. Unlicensed apps commonly use the public-shaming tactic; SEC can issue take-downs and coordinate with platforms.
Q2: The app says I “consented” when I installed it. Is that a defense?
Not if consent was forced, bundled, or overly broad, or if the use (e.g., texting your boss) is disproportionate to loan collection. The DPA requires specific, informed, time-bound, and freely given consent and legitimate purpose. Harassment and humiliation are not legitimate.
Q3: Can I sue for damages even if I still owe money?
Yes. Debt does not excuse unlawful processing of data or abusive practices. Liability for harassment/privacy violations is separate from your repayment obligations.
Q4: Are screenshots enough?
They are often sufficient to start. For stronger cases, keep native exports and witness affidavits. Law enforcement can assist with forensic preservation.
Q5: Can I make them delete my data and stop contacting my contacts?
Yes. Under the DPA you can assert erasure/blocking and object to processing. Regulators may order cease and desist and deletion if violations are found.
Template: short demand-and-withdrawal letter (adapt as needed)
Subject: Unlawful Collection & Data Privacy Violations — Immediate Cease and Desist
I am a borrower under your app [App Name], Account No. [xxxx]. Your agents have accessed and used my phone contacts and disclosed my personal data to third parties to compel payment, including [brief examples with dates].
I hereby withdraw consent to the processing and disclosure of my personal data beyond what is strictly necessary and lawful for account servicing. I demand that you cease all third-party contacts, erase any data harvested from my device (e.g., contacts/photos), and provide me, within [x] days, a copy of all personal data you hold about me and a list of recipients to whom my data was disclosed.
Continued harassment constitutes violations of the Data Privacy Act, the Financial Consumer Protection Act, and SEC/BSP rules on abusive collection, and may amount to libel, threats, and coercion. I will escalate to the NPC and [SEC or BSP], and pursue criminal and civil remedies.
Sincerely,
[Name]
[Contact details]
Checklist before filing
- Screenshots & exports arranged chronologically
- App permissions and privacy notice saved
- Your demand letter sent; proof of sending kept
- Identification of regulator (SEC/BSP) based on lender type
- NPC complaint package drafted (for privacy issues)
- Criminal complaint outline prepared (if threats/libel occurred)
- Considered civil damages and venue with counsel
Key takeaways
- NPC: privacy breaches (contact scraping, disclosure, threats to disclose).
- SEC: abusive collection by lending/financing companies; unlicensed apps.
- BSP: abusive collection by banks/e-money issuers.
- Police/NBI/Prosecutor: criminal conduct (libel, threats, coercion).
Act quickly, preserve evidence, and do not let the existence of a debt deter you from enforcing your rights.
This article is general information for the Philippine context and not a substitute for legal advice. A lawyer can tailor strategy, especially where criminal and civil actions should be coordinated with regulator complaints.