Harassment from Online Lending App

Harassment by Online Lending Apps in the Philippines

A 2025 legal primer for lawyers, compliance officers, and aggrieved borrowers

1. Why the Issue Matters

Since 2018 the Securities and Exchange Commission (SEC) and the National Privacy Commission (NPC) have logged thousands of complaints alleging “debt-shaming,” threats, doxxing, contact-list blasting, and the posting of altered photos when borrowers fall behind on payments. The practice exploded with the pandemic-era shift to contact-less, app-based “salary loans.” By early 2025 more than 400 online lending platforms (OLPs) were operating, but roughly one-third had no licence or had already been the subject of SEC cease-and-desist orders. citeturn5view0turn6view0

2. Core Statutes, Rules and Circulars

Layer Instrument Key prohibitions / duties
Corporate licensing RA 9474 (Lending Company Regulation Act) & RA 8556 (Financing Company Act) Lending/financing companies must secure a Certificate of Authority; “unconscionable” charges are illegal.
Debt-collection conduct SEC Memorandum Circular (MC) 18-2019Prohibition on Unfair Debt-Collection Practices Bans obscenities, public shaming, threats, calls before 6 a.m./after 10 p.m., or contacting persons other than the borrower/guarantor. Penalties range from ₱25k to ₱1 M plus possible licence revocation. citeturn5view0
SEC MC 19-2019 (Complaint Handling) & MC 28-2021 (Mandatory Registration of Each OLP) Requires a dedicated complaints group, 15-day resolution window, and separate SEC authorisation for every app front-end. citeturn0search6
Financial-consumer protection RA 11765 (2022) – Financial Products and Services Consumer Protection Act (FPSCPA) & joint SEC/BSP IRR (2023) Makes “harassing or abusive collection practice” an unfair conduct actionable by regulators; empowers SEC/BSP to award restitution and impose fines up to ₱2 M per violation plus disgorgement of profits. citeturn7search0
Data privacy RA 10173 (Data Privacy Act) + NPC Circular 20-01 (Loan-Related Transactions) Lenders may collect only data that are necessary and proportional. Contact-list scraping or bulk disclosure without consent can trigger imprisonment (1–6 yrs) and fines up to ₱4 M per count. citeturn1search5turn6view0
Criminal law overlay Revised Penal Code arts. 282 (grave threats), 287 (unjust vexation), 353–355 (libel) as amended by RA 10951; RA 10175 (Cybercrime) Converts the same acts to cyber-offenses when done via SMS, chat, or social media; online libel may be punished by fine alone per the 2023 SC ruling. citeturn3search0
Consumer-disclosure rules RA 3765 (Truth in Lending Act) & BSP/SEC total-cost-cap regulations (2022) Non-disclosure of the full cost of credit voids penalty fees and can ground a civil action for damages. citeturn10search8
Emerging legislation HB 6776 / SB 1366 (“Online Lending Regulation & Penalties Act”) – House passed 2nd reading 13 Mar 2025; Senate hearings ongoing Would criminalise debt-shaming per se, treble actual damages, and raise maximum administrative fines to ₱10 M. citeturn10search2
Sen. Padilla’s SB 2456 (2024) Seeks prison terms for “systematic debtor intimidation” and imposes a black-listing scheme for repeat OLP offenders. citeturn10search4

3. Typical Harassing Tactics (+ applicable legal hooks)

Tactic Possible charges / sanctions
Repeated calls/SMS at odd hours Unjust vexation (Art 287 RPC); SEC MC 18-2019
Threats of physical harm or arrest Grave threats (Art 282 RPC); Cyber-threats (RA 10175); SEC/BSP unfair-conduct provisions
“Contact-list blasting” (messaging employer, relatives) NPC: unauthorised processing; SEC MC 18-2019 ban on third-party contact
Posting borrower’s photo with defamatory text Libel / cyber-libel; Anti-Photo-and-Video Voyeurism Act (RA 9995) if intimate images are used
False claims of criminal complaint or “NBI warrant” Deceit under SEC MC 18-2019; Estafa if money is extorted

4. How Regulators Have Been Enforcing

  • SEC cease-and-desist orders (CDOs). From 2019-2024 the SEC issued more than 70 CDOs shutting down unlicensed or abusive OLAs such as CashWhale, Pesomama, and HappyCredit, citing MC 18 violations. citeturn1search4
  • NPC investigations and bans. In In re Populus Lending (Pesopop) the NPC imposed a temporary ban on data processing after finding that the app forced users to surrender their entire contact list before they could even apply for a loan. citeturn6view0
  • Fines & licence revocations. First-offense MC 18 breaches draw fines of ₱25 k (lending co.) or ₱50 k (financing co.); third offenses may see licences revoked. citeturn5view0
  • Judicial trend. The 2023 Supreme Court ruling in People v. Soliman on online libel signalled willingness to impose fines rather than jail, but still affirmed cyber-libel as a serious offense, providing a practical route for harassed borrowers who are publicly defamed. citeturn3search0

5. Remedies for Borrowers

  1. Gather evidence early. Screenshot messages, record call logs (with date/time stamp), and save social-media URLs.
  2. Send a cease-and-desist letter. Cite MC 18-2019 and RA 11765; many collectors back off once shown the rules. citeturn0search8
  3. File administrative complaints (non-exclusive—parallel filing is allowed):
    • SEC Corporate Governance and Finance Dept. – MC 18 complaint form; attach proof of threats.
    • NPC Complaints and Investigation Division. Sworn complaint within 1 year from last harassing act; request an immediate stop-processing order. citeturn0search4
    • BSP Consumer Assistance Mechanism if the lender is a bank/e-wallet supervised by BSP; unresolved cases may proceed to adjudication under RA 11765.
  4. Criminal action. File with the Office of the Prosecutor for threats, unjust vexation, or cyber-libel; attach certified evidence.
  5. Civil suit (damages) or small-claims (≤ ₱1 M). Debt-collection harassment can form the basis for moral and exemplary damages under Articles 19–21 Civil Code.
  6. Barangay protection or safe-space laws. Continuous stalking or gender-based online harassment may justify Barangay Protection Orders under RA 11313 (Safe Spaces Act).

6. Compliance Imperatives for Lending Companies

  • Privacy-by-design. Collect minimum data; delete contact-list access from Android/iOS builds unless truly required.
  • Call-centre scripting & training. Explicitly prohibit profanity, threats, and contacting persons other than the borrower/guarantor.
  • Complaint-handling queue. RA 11765 and SEC MC 19-2019 require acknowledgment within 2 days and resolution within 15 days.
  • Audit trails. Maintain outbound-call logs and implement caller-ID masking; these may be subpoenaed.
  • Third-party collectors. Include MC 18 compliance clauses; a lender is solidarily liable for its agents’ acts.

7. Jurisprudence & Agency Rulings to Watch

Year Case / Ruling Take-away
2023 In re Populus Lending (NPC SS 21-008) Contact-list scraping before loan processing violates Sections 11, 16, 25 DPA; temporary data-processing ban upheld. citeturn6view0
2024 SEC v. Joywin Lending (CDO 23-048) “Blast texts” to 300 contacts deemed public disclosure under MC 18; licence revoked after 2nd offense.
2023 People v. Soliman (G.R. 260912) SC affirms that courts may impose fine only for cyber-libel but confirms online posts fall under RA 10175. citeturn3search0
2024 NPC Advisory No. 2024-02 Draft rules on automated decision-making require a “human-in-the-loop” for credit denials. citeturn10search2

8. Looking Ahead

  • Legislative momentum. HB 6776/SB 1366 could, for the first time, criminalise debt-shaming itself and raise fine ceilings to ₱10 M; the Senate Banks committee is expected to release a committee report by Q3 2025. citeturn10search2
  • Stronger fintech codes. The NPC’s draft Code of Conduct for FinTech Providers will tighten AI-credit-scoring rules and cross-border data transfers.
  • Regional cooperation. ASEAN’s Cross-Border Data-Flow Framework (effective late 2025) will allow Philippine regulators to request takedowns from app stores hosted abroad.

9. Practical Checklist for Victims

  1. Stop engaging by phone; require written correspondence.
  2. Document every interaction (screenshots, call-records).
  3. Compute lawful balances (verify interest cap & undisclosed fees).
  4. Send a demand for a detailed statement of account citing RA 3765.
  5. Escalate – SEC ▶ NPC ▶ BSP ▶ PNP-ACG / NBI-CCD as needed.
  6. Negotiate a settlement only in writing and insist on a quitclaim that includes deletion of your data from all databases.

Conclusion

Philippine law already supplies a multi-layered shield—corporate licensing, consumer-protection statutes, data-privacy rules, and criminal penalties—against harassment by online lending apps. While enforcement has become more robust since 2019, the sheer speed of fintech innovation means gaps remain. The pending Online Lending Regulation & Penalties Act is poised to hard-code higher fines and direct criminal liability. Until then, borrowers, lawyers, and compliance teams must deftly use the existing toolkit: SEC MC 18-2019 for unfair collection, RA 11765 for consumer compensation, and the Data Privacy Act for abusive data grabs.

When properly invoked—and documented—these remedies do work: dozens of apps have already been delisted, fined, or banned outright. The next frontier is ensuring that every borrower knows these rights and that every fintech firm builds compliance in from day one.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login