Check if Online Lending Company Is SEC Licensed Philippines

How to Verify Whether an Online Lending Company Is SEC-Licensed in the Philippines

(A comprehensive legal-practice explainer—updated to June 2025)

Quick take-away: A genuinely licensed online lending operator holds two separate authorizations from the Securities and Exchange Commission (SEC)—

  1. a Certificate of Incorporation and
  2. a Certificate of Authority (CA) to Operate as a Lending or Financing Company— plus a secondary registration for its online lending platform (OLP). Everything else is illegal.

1. Governing Laws & Key Regulations

Instrument Core purpose
Republic Act No. 9474 (Lending Company Regulation Act of 2007, “LCRA”) Requires SEC licensing for all lending companies and sets criminal penalties for unlicensed lending (₱10 000 – ₱50 000 fine and/or 6 months – 10 years’ imprisonment).
Republic Act No. 8556 (Financing Company Act of 1998) Parallel regime for financing companies; many fintech players incorporate under this law instead of the LCRA, but the compliance and verification steps are the same.
SEC Memorandum Circular (MC) No. 18-2019 Mandates secondary registration of every online lending platform, imposes disclosure rules (e.g., full corporate name, CA number, interest computation), and limits data that may be collected from borrowers’ phones.
SEC MC No. 19-2019 Requires prominent in-app posting of the CA, interest rates, total cost of credit, and a link to the SEC’s complaint channel.
SEC MC No. 28-2020 Requires corporations (including lenders) to designate a valid e-mail address and phone line for SEC notices—helpful when you need to serve demands.
Republic Act No. 11765 (Financial Products and Services Consumer Protection Act, 2022) Gives SEC explicit inspection, adjudicatory, and enforcement power over abusive collection conduct by online lenders.
Data Privacy Act of 2012 & NPC Circular 20-01 Overlay rules for data processing; many abusive lending apps have been taken down for unlawful “contact scraping.”

2. Licensing Anatomy: The Three Documents You Must Find

Document Who issues it Why it matters How to spot red flags
Certificate of Incorporation SEC Company Registration and Monitoring Department (CRMD) Shows that the entity legally exists as a corporation. Name mismatch with app developer or CA = probable clone.
Certificate of Authority to Operate as a Lending/Financing Company SEC Corporate Governance and Finance Department (CGFD) Statutory prerequisite under §4, RA 9474 / §4, RA 8556. “CA revoked” or “expired” notes in SEC list; “doing-business-as” names not covered by CA.
OLP Secondary Registration (sometimes called “OLP permit”) SEC Financing and Lending Division Required by MC 18-2019 before an app can go live in Google Play/App Store; given a distinct OLP registration number. If the app is not in the SEC’s List of Registered OLPs, it is operating illegally even if the mother company has a CA.

Takeaway: All three must exist and be current; failing any one = unlicensed.

3. Step-by-Step Verification Without Leaving Your Desk

  1. Gather correct identifiers. Exact corporate name, trade name, and, if you have it, the CA number. Harvest these from: the app store listing, the loan agreement, SMS/e-mails, or official receipts.

  2. Check the SEC’s master lists.

    • Active Lending/Financing Companies List.

      A PDF spreadsheet updated roughly every quarter; active entities show: SEC Reg. No., CA No., date issued, registered address, and status (e.g., Active, Revoked, Expired).

    • Registered OLPs List.

      Separate list that shows the platform name and the company that owns it—important because many scammers hijack common-sounding app names.

    • SEC Advisories Archive.

      If a name appears here, the SEC has publicly warned that it is not licensed or has engaged in abusive collection.

    Where to find them? — Navigate through https://www.sec.gov.phRegulated EntitiesFinancing & Lending; no log-in needed.

  3. Cross-match details.

    • The corporate name on the CA must be identical to the name in the master list.
    • Trade names or app names must be formally approved and shown on the CA’s reverse page or in a separate SEC certificate.

  4. Inspect the CA document, if you have a copy.

    • Genuine CAs bear a QR code (introduced 2021) or a raised SEC dry-seal (pre-2021).
    • Look for validity notes: CAs issued before 2011 were perpetual; those issued after the SEC’s 2011 rules revision require operational compliance or they lapse.

  5. Validate OLP compliance.

    • Google Play now requires a “SEC Permit No. ×××” line on the app page for Philippine users. Absence is a red flag.
    • The app’s developer e-mail should use the corporate domain (e.g., @xyzlending.ph), not a free Gmail account.

  6. Confirm absence of enforcement actions.

    • Search the SEC press-release page for any Show-Cause Order, Revocation Order, or Cease-and-Desist Order (CDO) against the company.
    • If found, treat the entity as effectively unlicensed unless a Lift Order exists.

  7. Cross-check with the National Privacy Commission (optional, but recommended). Unlawful data processing is itself a ground for SEC revocation (MC 18-2019, §6). NPC publishes its own “Top Violators” list.

  8. When in doubt, e-mail or call the SEC.

4. What If the Company Is Not Licensed?

Scenario Remedies & next steps
Illegal interest / fees File a complaint with SEC CGFD. The SEC can order disgorgement and refund.
Harassment or dox-style collection Invoke RA 11765 + SEC MC 18-2019. Attach screenshots or call recordings.
Identity theft or contact scraping File parallel complaint with NPC under Data Privacy Act; NPC can levy up to ₱5 million administrative fines.
Continued operations after CDO Report to SEC Enforcement and Investor Protection Department (EIPD). The EIPD coordinates with the PNP Anti-Cybercrime Group for criminal cases.
Civil damages Sue for actual and moral damages in regular courts (jurisdiction depends on amount). An SEC CDO or revocation is admissible evidence of illegality.

Tip: Always attach a certified true copy of the SEC advisory or revocation order to your court or NPC filing; it short-circuits the need to prove lack of authority.

5. Common Red Flags Revisited

  1. “Certificate of Registration” only – means the corporation exists, but no authority to lend.
  2. App name ≠ Corporate name with no disclosure of link.
  3. Very short CA number (e.g., CA 123) – likely fabricated; genuine CAs since 2014 use seven digits (e.g., 1201123).
  4. Interest > 360 % p.a. – still legal per se (usury law suspended), but MC 19-2019 requires full cost-of-credit disclosure; omitting it is an automatic violation.
  5. Lender demands access to photos or social-media accounts. This is banned under MC 18-2019 §4(b)(6).

6. Frequently Asked Questions

Question Short answer
Is BSP approval also required? Only if the lender simultaneously offers payment services (e-money, BNPL tied to wallets). Otherwise, SEC jurisdiction suffices.
Do sole proprietors need a CA? Yes. The LCRA says “no person shall engage in the business of lending without a CA,” regardless of form. Sole props apply as corporations to get a CA; otherwise they cannot legally lend beyond the “one-off” private loan exemption.
Are pawnshops covered? Pawnshops are overseen by BSP, not SEC, under RA 7653 & BSP Circular 938-2017. They do not need an SEC CA.
Can I personally verify on-site? Yes. The SEC’s main office in Mandaluyong and extension offices maintain public “company status terminals.” Bring an ID and pay ₱10 per print-out.

7. Practical Checklist (Print-friendly)

  1. ☐ Collect exact corporate and app names.
  2. ☐ Search SEC Active Lending/Financing Companies list for CA.
  3. ☐ Search SEC Registered OLP list for platform.
  4. ☐ Check SEC Advisories and Enforcement Orders for negative findings.
  5. ☐ Inspect CA document (QR code / dry-seal).
  6. ☐ Verify disclosed interest rates & contact-scraping practices.
  7. ☐ File complaints promptly if any element is missing.

8. Final Thoughts & Compliance Outlook

The SEC’s 2024–2025 fintech roadmap promises real-time API verification of CA numbers and mandatory e-Know-Your-Customer (e-KYC) logs. Expect on-the-spot suspension of apps once the API flags an expired CA. Google and Apple have separately pledged to auto-delist apps that lose SEC registration. Meanwhile, RA 11765’s Implementing Rules (effective January 10 2025) now empower the SEC to impose administrative fines up to ₱10 million per transaction for predatory or unlicensed lending, a quantum leap from the old ₱50 000 cap.

Disclaimer: This article is for informational purposes and does not constitute legal advice. Laws and regulations change; consult a Philippine lawyer or the SEC for advice on specific situations.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login