1 April 2026
Joint DICT‑NPC‑SEC advisory reinforces data privacy and fair collection requirements for operators of online lending platforms in the Philippines
In brief
In response to rising complaints against online lending platforms (OLPs), the Department of Information and Communications Technology (DICT), National Privacy Commission (NPC), and Securities and Exchange Commission (SEC) issued a joint Advisory on 18 March 2026 reaffirming existing regulatory requirements applicable to OLPs, including data minimization, valid consent, app design, and debt collection practices. Although the Advisory introduces no new legal obligations, it clearly signals heightened enforcement risk, with potential sanctions ranging from fines to the suspension or revocation of authority to operate, among others.
Key takeaways
Clients operating OLPs in the Philippines should reassess their current operating and compliance frameworks in light of the Advisory. In particular, OLP operators should review data collection and app permission practices to ensure strict adherence to data minimization principles, revisit consent flows and interface design to confirm that consent is valid and defensible, and confirm that debt collection activities are limited to duly designated and expressly consented guarantors. Clients should also ensure that NPC registration, automated decision‑making notifications, and data retention practices remain current, as regulators have clearly signaled increased enforcement focus in this area.
In more detail
The Advisory reinforces regulators’ expectations that operators of OLPs must ensure that personal data processing is strictly limited to what is necessary and proportionate for legitimate loan‑related purposes. The use of mobile applications to collect personal data beyond what is required, particularly through excessive or unnecessary app permissions, is expressly prohibited, with regulators identifying unrestricted access to borrowers’ contact lists as a key risk area.
OLP operators are reminded that debt collection activities must be narrowly confined to duly designated guarantors who have expressly consented to assume loan obligations. Contacting individuals on a borrower’s contact list other than named guarantors, including character references, is prohibited. To support this distinction, platforms are expected to maintain separate interfaces for character references provided solely for identification or verification purposes and for guarantors who may be contacted in the event of default.
The Advisory also reinforces the importance of valid consent and compliant app design. Deceptive interface practices that undermine a borrower’s ability to give or withdraw consent may invalidate consent and expose operators to regulatory action. Application permissions must be limited to specified and legitimate purposes and should be revoked once those purposes have been fulfilled.
From an operational standpoint, OLP operators must continue to comply with NPC registration requirements and notifications relating to automated decision‑making. The Advisory also reminds OLP operators that personal data may be retained only for as long as necessary to fulfill its stated purpose, to establish or defend legal claims, or as otherwise required by law, after which secure disposal is required. Violations of applicable laws and issuances may result in administrative sanctions imposed by the relevant regulator, including fines and the suspension or revocation of authority to operate, among others.
Finally, the Advisory reminds borrowers to exercise caution when using OLPs, including downloading applications only from verified sources, carefully reviewing privacy notices and consent terms, limiting permissions to legitimate purposes, and reporting abusive collection practices or cyber‑related misconduct to the appropriate authorities (e.g., SEC, DICT, National Bureau of Investigation, Philippine National Police).