NPC to bar online lenders from collecting borrowers’ personal information

The National Privacy Commission (NPC) on Monday announced that online lenders will be prohibited from getting personal information, such as phone and social media contact lists of their borrowers, starting in November.

“The National Privacy Commission is issuing this circular for the appropriate and respectable treatment of borrower’s personal information,’’ Privacy Commissioner Raymund Liboro said.

In Circular No. 20-01 published October 19, lenders operating online apps that can be installed in smartphones will not be allowed to collect phone and social media contact lists from their borrowers.

NPC: Complaints vs online lenders decline

NPC issues ‘work-from-home’ guidelines to safeguard personal data

“All lending and financing companies in possession of their borrowers’ contact lists in whatever form in violation of the guidelines shall dispose of the information in a secure manner that would prevent further unauthorized processing, access, or disclosure to any other party or the public,” the NPC said.

Liboro said online lending applications should design their business processes with privacy by design and default, and with complete adherence with the principles of the Data Privacy Act (DPA).

The NPC said this is in response to the numerous complaints that online lenders were illegally using personal data of clients and those of others on their contact lists.

“Once again we remind online lending operators and businesses to take their customers’ data privacy seriously and deploy adequate security measures,’’ Liboro added.


The circular will take effect 15 days after its publication in the Official Gazette or two newspapers of general circulation.

Dos and don’ts

The circular said the access to the phone camera of the borrower is allowed only for the purpose of know-your-customer (KYC) policies.

“In no way shall the borrower’s photo be used, the circular said, to harass or embarrass him or her in order to collect a delinquent loan,” the circular said.

To prevent fraud, app permissions are allowed “only under suitable, necessary and not excessive purpose of KYC.”

“When such purpose has already been achieved, such online apps shall prompt the data subject to turn off or disallow these permissions,’’ it said.

The circular also stipulates the following:

·       Personal information controllers, lending and financing companies in this case, must implement reasonable and appropriate organizational, physical, and technical security measures to protect personal data.

·       Details concerning the loan must be written in a clear language and in the most appropriate format.

·       Borrowers must be informed if the loan processing activity involves the use of profiling, automated processing, automated decision-making, or credit rating or scoring.

·       A separate lawful criterion must be in place pursuant to Sections 12 and/or 13 of the Data Privacy Act, should information be used for marketing, cross-selling, or sharing with third parties for purposes of offering other products or services not related to loans.

·       Reasonable policies on retention of data must be adopted and implemented for those with denied loan applications and borrowers who have fully settled their loans.

Accountability, penalties

The NPC reiterated that lending or financing companies and persons acting like these entities should not use any personal data to engage in unfair collection practices as defined under SEC Memorandum Circular No. 18 series of 2019.

It added that any lender found in violation of the circular will be liable under the applicable provisions of the DPA, which impose fines and imprisonment.