Check Legitimacy and SEC Registration of Online Lending Apps Philippines

For borrowers, compliance officers, and founders. Philippine laws and regulator practice summarized in one place.

1) What “legitimate” means in the Philippines

An online lending app (OLA) is legitimate when all of the following are true:

  1. The operating corporation exists (registered with the SEC).
  2. It holds a Certificate of Authority (CA) to Operate as a Lending Company (under the Lending Company Regulation Act, RA 9474) or as a Financing Company (under the Financing Company Act).
  3. Every digital channel used for lending—mobile app(s), website(s), and brand/trade name(s)—has been declared to and cleared by the SEC (often referred to as online lending platform (OLP) reporting).
  4. It complies with consumer protection and data privacy laws (Financial Consumer Protection Act, Data Privacy Act), and fair collection rules.
  5. Its advertising and in-app disclosures are truthful, complete, and consistent with filings.

Banks and BSP-supervised non-banks do not need an SEC CA (they are under BSP), but they also don’t pose as “SEC-licensed lending companies.”

2) The two licenses you must see (and how to interpret them)

A) SEC Corporate Registration

  • Proves the corporation exists.
  • Look for: Exact corporate name, registration number, incorporation date, and current status (active vs. dissolved/revoked).
  • Not enough on its own to lend money to the public.

B) Certificate of Authority (CA) to Operate

  • This is the permission to lend as a lending or financing company.
  • Check: Corporate name must match exactly; CA number; issue date; status (active/suspended/revoked).
  • If the app is branded differently (e.g., “CashBee”), there must be a traceable link to the corporate owner (e.g., “XYZ Lending Corp. doing business under the name and style of ‘CashBee’”).

3) App/website declarations (OLP reporting)

A compliant company declares to the SEC each of the following before use and updates the SEC when they change:

  • App name (as it appears in app stores), developer/publisher, and bundle/package ID.
  • Website(s)/URL(s) used to market/originate loans.
  • Trade name(s)/brand(s) used publicly.

If the app on your phone does not appear among the company’s declared OLPs, treat it as a red flag, even if the company itself has a CA.

4) “How to verify” — a practical, lawyerly checklist

Use the company’s legal/corporate name, not the app name, for checks.

Step 1 — Identify the legal entity

  • Open the app/website. Find About/Company/Legal pages and privacy policy.
  • Record: Corporate name, SEC registration number, CA number, address, e-mail, hotline.

Step 2 — Match trade name ↔ corporate name

  • The app’s brand must map to the corporate owner.
  • Look for “doing business under the name and style (D/B/A)” disclosures or app-store “Offered by” details matching the corporation.

Step 3 — Validate the CA

  • Confirm that the entity is listed as a Lending Company or Financing Company, and that the CA is active (not suspended/revoked).
  • Dates matter: a recently revoked CA means the company must stop lending; apps often linger—don’t rely on the listing alone.

Step 4 — Confirm the declared OLPs

  • Cross-check that this exact app name (and package ID) and website are declared by that company.
  • Re-skins/mirror sites with slightly altered names are a common evasion tactic.

Step 5 — Review required disclosures in-app

  • Show the corporate name, SEC Reg. No., CA No., physical address, complaints channel, and a Key Information Statement (KIS) before you commit—stating principal, all fees, effective rate/APR method, due dates, and total cost of credit.

Step 6 — Data privacy sanity check

  • Privacy Notice must state lawful basis, purposes, retention, sharing, and data subject rights.
  • Permissions: No contact-list scraping; no camera/mic/geolocation access unless justified and explained.
  • Third-party processors (KYC vendors, cloud) should be identified or at least categorized.

Step 7 — Collections code

  • The company (and any collection agency) must not: harass, shame, threaten, impersonate officials, or contact third parties about your debt.
  • Check for a written complaints policy and timelines for resolution.

5) Red flags (treat as non-legit until disproved)

  • No CA (has SEC registration but no CA).
  • Brand mismatch: app name cannot be linked to a specific corporate owner.
  • Multiple app names claiming the same CA but undisclosed in filings.
  • Revoked/suspended CA; app still operating.
  • Absence of corporate address and complaints contact.
  • Unclear fees (“0% interest” but heavy “processing/service” charges).
  • Phonebook scraping / threats to message your contacts.
  • Fake certificates (fonts wrong, wrong SEC logo, mismatched dates/QR codes).
  • Payment to personal e-wallets or unrelated accounts.
  • Aggressive same-day rollovers pushing repeated “renewals” with stacked fees.

6) Distinguish Lending vs Financing vs BSP-supervised

  • Lending Company: lends from its own capital to individuals/businesses; SEC + CA required.
  • Financing Company: broader financing/credit activities (installments, factoring, direct loans); SEC + CA required.
  • Banks/NBFIs (e.g., thrift/rural banks, e-money issuers under BSP): BSP license; no SEC CA—but they don’t call themselves “lending companies.”

If an app claims to be a bank but has only an SEC CA, something is off.

7) Legal consequences for non-legit OLAs (why you should care)

  • Cease and Desist Orders; app takedowns; fines; revocation of CA.
  • Criminal exposure for unlicensed lending, false statements, and privacy violations.
  • Civil damages for unfair collection, deceptive advertising, and unconscionable interest/penalties (courts can recompute to reasonable levels).
  • Data privacy penalties (NPC) for unlawful data processing and shaming practices.

8) If you’re a borrower: safe-use protocol

  1. Verify corporate identity + CA + declared OLPs before installing.
  2. Screenshot all disclosures (KIS, fees, privacy notice) before accepting.
  3. Borrow only what you can repay; short tenors + high fees compound quickly.
  4. If harassed, pause engagement, keep records (messages, call logs), and route all communications to official channels.
  5. Pay only through official channels (named corporate accounts) and keep receipts.

9) If you’re a founder/compliance officer: build-right checklist

  • Incorporate and secure SEC CA (lending or financing).
  • Report each app name, package ID, website, and trade name to SEC before launch and upon any change.
  • Publish KIS and complete fee disclosures; show CA number in-app and on the website.
  • Appoint Compliance Officer and Data Protection Officer; maintain a Privacy Management Program and PIAs.
  • Put in place a collections code (call windows, frequency caps, identity disclosure, prohibited conduct).
  • Maintain complaints desk with SLA and audit trails.
  • Vet and contract third-party processors/collectors with DPAs; monitor them.

10) What to do if you suspect an app is illegitimate

  • Stop using the app; do not grant more device permissions.
  • Document everything (screens, payment proofs, messages, caller IDs).
  • Notify the company in writing that you require proof of corporate name, SEC Reg. No., CA No., and declared OLP status; give a short deadline.
  • Report abusive collection and privacy violations to the proper authorities.
  • If you already borrowed: you remain liable for legitimate principal less invalid/unconscionable charges; negotiate a clean payoff through traceable corporate channels and keep final settlement documents.

11) Template request to the lender (to force transparency)

Subject: Request for Corporate and Licensing Details (Online Lending App)

Please provide within five (5) days: (1) Exact corporate name; (2) SEC Registration No.; (3) Certificate of Authority No. and status; (4) list of declared online platforms (app name, package ID, website); (5) physical office address; (6) complaints e-mail; and (7) your collections code and privacy notice. Kindly confirm that the app “[App Name]” is an officially declared OLP of your company. Failure to provide these will be treated as a red flag and may be reported to regulators.

12) Frequently Asked Questions

Q1: The app shows a company name and CA number in its “About” page. Is that enough? No. You must still ensure the app/website itself is declared to the SEC for that company.

Q2: The company has a CA but uses multiple brand names. Is that okay? Yes if each brand/app/URL is properly declared and disclosures map them back to the corporate owner.

Q3: Can a legitimate OLA access my phonebook to collect? No. Data minimization and fair collection principles bar shaming and mass contact. You can complain and seek damages.

Q4: Rates seem sky-high but disclosed. Legal? Courts may strike down unconscionable rates/penalties even if disclosed. Disclosures are necessary, not a free pass.

Q5: The app asks me to pay via a personal e-wallet. Safe? Risky. Payments should go to corporate accounts traceable to the licensed entity.

13) Evidence pack you should keep (borrowers)

  • Screenshots of KIS, About/Legal, privacy notice, and CA/SEC details.
  • Version & package ID of the installed app; date/time installed.
  • Payment receipts (reference nos., account names).
  • All communications (SMS, chat, call logs/recordings where lawful).
  • Copies of threatening/harassing messages (for complaints).

14) Bottom line

A legitimate Philippine online lending app is operated by a corporation with an active SEC Certificate of Authority, and each app/website/brand is declared to the SEC, with clear, truthful disclosures, privacy-by-design, and fair collection. Anything less is a red flag. Verify the entity, the CA, and the exact app you’re using; keep records; and don’t hesitate to escalate abusive practices.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login