Designing Enforcement: The Philippine Advisory on Online Lending Platforms

On 18 March 2026, the Department of Information and Communications Technology (DICT), the National Privacy Commission (NPC), and the Securities and Exchange Commission (SEC) of the Philippines issued a joint public advisory addressing abusive practices by online lending platforms (OLPs).

The document is not novel in doctrinal terms. It reiterates existing legal frameworks: the Data Privacy Act, NPC circulars on loan-related data processing, and SEC memoranda on unfair debt collection practices. What makes it analytically interesting is not what it adds, but what it reveals.

The advisory describes a pattern that has become increasingly familiar in digital lending markets: mobile applications requiring excessive permissions, harvesting contact lists, contacting non-guarantors, and using intimidation or public shaming as a collection strategy. It explicitly prohibits unnecessary access to borrowers’ contact lists and restricts contact for collection purposes strictly to guarantors who have expressly consented.

Two structural observations follow:

First, the core regulatory concern is not simply data protection. It is the conversion of personal data into enforcement leverage. The contact list is not being accessed only for underwriting or risk modelling alone, but it also becomes an instrument of reputational coercion. The advisory attempts to disentangle identification from enforcement by requiring separate interfaces for character references and guarantors. This technical design requirement acknowledges an important fact: interface architecture is not neutral. On the contrary, it structures legal consequences.

Second, the state’s response remains reactive. The advisory reiterates prohibitions and reminds platforms of retention limits, consent requirements, and registration duties. It also warns consumers about deceptive design patterns and pre-ticked permissions. Yet the document implicitly concedes that much of the enforcement dynamic unfolds within the application environment itself, before formal legal remedies are triggered.

The closing line is telling: “Digital transformation must protect - not prey upon - the Filipino people.” This is a clear normative statement. It does not describe a regulatory technique, but expresses a boundary that the architecture of certain lending models is already testing.

For DICRI, this advisory illustrates a broader phenomenon. In platform-mediated credit systems, enforcement is no longer limited to courts or licensed debt collectors. It is partially embedded in interface permissions, automated notifications, and access to social data. Regulatory authority is therefore required to intervene not only at the level of conduct, but at the level of design.

The Philippine case is not unique. Comparable interventions have emerged in jurisdictions with similar lending architectures, and DICRI will address them in future posts. What is analytically significant here is the clarity with which the advisory identifies the interface itself as a regulatory object.

Digital lending platforms may operate within licensing regimes, yet their enforcement capacity is generated by technical affordances that precede and sometimes bypass traditional debt collection frameworks. The regulatory challenge, therefore, lies not only in sanctioning abusive conduct but in understanding how platform design reorganises enforcement power.

DICRI’s work proceeds from this premise. If credit governance is increasingly embedded in technical infrastructures, then regulatory analysis must engage those infrastructures directly. The task is not to restate prohibitions, but to examine how digital credit ecosystems are structured and how they might be structured differently.