SEC Registration, Operational Rules, Liabilities, and Penalties—What Borrowers and Founders Need to Know
Executive summary
No—unregistered online lending apps (OLAs/OLPs) are illegal in the Philippines. Philippine law requires any lending company or financing company to (1) be organized as a corporation; (2) register with the Securities and Exchange Commission (SEC); and (3) obtain a Certificate of Authority (CA) before engaging in lending or offering loans to the public—offline or through an app/website. Apart from corporate and licensing requirements, operators must comply with rules on disclosure, fair debt collection, data privacy, anti–money laundering, consumer protection, and truthful advertising. Violations expose companies (and responsible officers) to administrative sanctions, civil liability, criminal penalties, and app takedowns.
Core legal framework
Lending Company Regulation Act of 2007 (LCRA) – Republic Act (RA) No. 9474
- Governs lending companies primarily engaged in granting loans from their own funds.
- Requires SEC Certificate of Authority prior to operations.
- Penalizes operating without a CA and empowers the SEC to suspend/revoke a CA for violations of the law, rules, or conditions.
Financing Company Act (FCA) – RA No. 8556 (as amended)
- Covers financing companies (broader asset-based financing activities).
- Also requires SEC registration and CA; similar enforcement and penal provisions apply.
Revised Corporation Code (RCC)
- Sets corporate formation and governance requirements, director/officer duties, and administrative sanctions for corporate violations.
SEC rules on Online Lending Platforms/Apps (OLPs/OLAs)
- The SEC has issued memorandum circulars requiring separate OLP registration/notification and disclosure standards, including display of corporate name, CA number, contact details, interest/fees, complaint channels, and privacy notices in the app/website/ads.
Prohibition of Unfair Debt Collection Practices
- SEC circulars prohibit harassment, threats, public shaming, contacting the borrower’s phone contacts, use of profane/obscene language, and false representations. Sanctions include fines, suspension or revocation of CA, and referral for criminal prosecution.
Data Privacy Act of 2012 – RA No. 10173 (DPA)
- The National Privacy Commission (NPC) regulates the collection and processing of personal data. Common OLA violations: excessive permissions, scraping of contact lists/photos, processing without valid consent, and insecure data storage. Penalties include fines and imprisonment, plus orders to stop processing and delete unlawfully collected data.
Anti–Money Laundering Act (AMLA) – RA No. 9160 (as amended)
- Financing and lending companies are covered persons supervised by the SEC for AML purposes. Operators must implement KYC, recordkeeping, and reporting (CTR/STR). Breaches can result in administrative and criminal exposure.
Truth in Lending Act – RA No. 3765 & Consumer Act – RA No. 7394
- Require clear disclosure of finance charges, effective interest rates (EIR), and fees. Deceptive or unfair sales practices are actionable.
Key point: The Usury Law ceilings are no longer in force (interest caps were effectively removed decades ago), but courts can strike down unconscionable interest/penalty rates and abusive fees as contrary to law, morals, good customs, public order, or public policy.
What counts as an “unregistered” or “illegal” app?
An OLA/OLP is unregistered/illegal if it does any of the following:
- Offers or grants loans to the Philippine public without an SEC CA (even if the operator is a validly incorporated company).
- Operates a loan app/platform without the additional OLP registration/notification required by SEC rules.
- Misrepresents itself as registered (e.g., fake CA number, borrowing a sister company’s CA).
- Uses fronts (e.g., a marketing entity that actually processes/approves loans) to evade licensing.
- Is foreign-based but targets Philippine borrowers (local numbers, PH ads, PH bank/e-wallet disbursements/collections) without PH SEC authorization.
Registration and compliance checklist for a lawful online lender
- Incorporation under the RCC with the proper primary purpose (lending/financing).
- SEC Certificate of Authority (distinct from the SEC Certificate of Incorporation).
- OLP/App registration/notification with the SEC, including submission of app details, data flows, disclosure templates, and grievance processes.
- Local permits (mayor’s/business permits), DTI/BN registration if using a business name, and BIR registration for taxes/receipts.
- AML compliance program (Board-approved policies, Compliance Officer, KYC/CDD, CTR/STR reporting, training, and independent audit).
- DPA compliance (privacy notice, data processing agreements, lawful basis for processing, consent management, data minimization, security measures, breach response, and NPC registration/notifications when required).
- Fair debt collection policies; scripts and vendor agreements aligned with SEC rules.
- Marketing & disclosures: clear APR/EIR, all fees, repayment schedule, cooling-off or withdrawal rights if offered, and complaint channels.
- Technology & outsourcing: robust vendor due diligence, service level agreements with call centers/collectors, cloud providers, and payment gateways; incident reporting; secure software development practices and audit trails.
Penalties and consequences
A. Administrative (SEC)
- Cease-and-Desist Orders (CDOs) shutting down operations and app/website.
- Fines per violation/day; suspension or revocation of CA.
- Blacklisting and referrals to other regulators, app stores, payment processors, and law enforcement.
- Public advisories naming the app/company and responsible officers.
B. Criminal (LCRA/FCA, other laws)
- Operating without a CA and other willful violations can carry fines and imprisonment under the LCRA/FCA.
- Data Privacy crimes (unauthorized or malicious processing, illegal disclosure) can result in imprisonment and fines under the DPA, with higher penalties if sensitive personal information is involved.
- Cybercrime provisions may be implicated for online harassment, threats, or identity-related offenses.
C. Civil liability
- Borrowers may sue for damages arising from abusive collection, privacy breaches, and deceptive practices; unconscionable interest/penalties can be reduced or voided by courts.
- Class/representative actions and injunctions are possible in egregious cases.
D. Platform and ecosystem enforcement
- App store delisting, domain blocking/takedowns, and payment channel termination (banks/e-wallets) upon regulator or law-enforcement request.
- Vendor exposure: third-party collectors and marketers may face liability for participating in unlawful practices.
What counts as abusive collection and contact practices?
Prohibited acts commonly include:
- Threats, intimidation, profane or demeaning language; public shaming (posting on social media, group texts).
- Contacting the borrower’s phone contacts, employer, or relatives who are not co-makers/guarantors.
- False claims of criminal cases, arrest warrants, or law-enforcement affiliation.
- Calls or messages at unreasonable hours or with alarming frequency.
- Use of malware/spyware or excessive permissions to harvest data from devices.
Note: Even registered lenders can be sanctioned if they engage in these practices.
For borrowers: red flags and safe steps
Red flags
- No verifiable SEC CA number in the app/website/ads, or a number that doesn’t match the corporate name.
- App requires contact list/photo gallery access unrelated to credit risk.
- Vague or hidden fees, short repayment with high “processing” charges, or flat-rate quotes without full EIR.
- Harassing messages even before loan approval; threats of posting your photos.
- Offshore operator with PH branding but no local corporate details.
What to do
- Verify the lender/financing company and its CA directly with the SEC (company name must match the CA).
- Keep screenshots, call recordings, and payment proofs.
- File complaints with: SEC (enforcement/fair-collection), NPC (privacy abuses), and, where harassment or threats occur, law enforcement.
- If charged unconscionable interest/fees, consider disputing the amounts and seeking consumer assistance or legal counsel.
- Never grant blanket permissions; revoke app permissions and request data deletion under the DPA if you withdraw or settle.
For founders/operators: common compliance pitfalls
- Launching the app after corporate registration but before obtaining the CA (still illegal).
- Using a marketing entity as the app publisher while a separate company “owns” the CA—misalignment triggers liability.
- Copy-paste privacy notices without mapping actual data flows and third-party processors.
- Failure to register/report as an AMLA covered person and to conduct proper KYC.
- Incentivizing collectors on pure recovery rates without compliance guardrails, leading to harassment.
- Dark patterns in UI (pre-ticked consents, hidden fees, auto opt-ins).
- Not maintaining audit trails for approvals, rate computations, and consent logs.
- Outsourcing to call centers/field collectors without training, monitoring, and contractual compliance clauses.
Cross-border apps and jurisdiction
If an app targets Philippine residents (PH ads, peso disbursements, local payment rails, PH numbers), it is generally regarded as doing business in the Philippines and must comply with SEC licensing, DPA, and other local laws. Foreign incorporation does not shield an operator from PH enforcement; app stores, payment partners, and hosting providers may be engaged to enforce local orders.
Frequently asked questions
1) Is it ever lawful to lend online without an SEC CA?
No. If you lend to the public as a business—whether through a mobile app, website, or social media—you must have an SEC CA (as a lending or financing company) and comply with all related rules.
2) Are interest caps applicable to OLAs?
There is no general statutory cap for non–credit card loans; however, unconscionable rates and hidden charges can be struck down, and deceptive practices are sanctionable.
3) Can a registered lender contact my phone contacts when I’m late?
No. Third-party disclosure of your debt and contact-harassment are typically prohibited and may violate both SEC rules and the DPA.
4) What if the app says a different company owns the license?
The corporate name on the CA should match the operator identified in the app/website. Mismatches are a major red flag.
5) Who can be held liable?
The corporation, its directors and officers who authorized or tolerated violations, collectors, and even service providers may face administrative, civil, or criminal exposure.
Practical takeaways
- Borrowers: Use only apps that clearly disclose the corporate name and SEC CA and that present the full cost of credit. Keep evidence and report abuses promptly.
- Founders/Investors: Budget early for licensing, privacy/AML programs, and collection compliance. Noncompliance risks shutdowns, fines, criminal cases, and loss of distribution/payments access.
- Collectors/Marketers: Train teams and bake compliance into scripts, KPIs, and vendor contracts; otherwise the entire operation is exposed.
Disclaimer
This article provides general information on Philippine laws and regulations governing online lending apps and is not legal advice. Specific facts—such as corporate structure, product design, and enforcement history—can change outcomes. For a particular situation, consult a qualified Philippine counsel or engage directly with the SEC/NPC for formal guidance.