A practitioner-ready guide for borrowers, compliance teams, and HR on how to vet an online lending app (OLA) in the Philippines—what “legitimate” means, how to confirm SEC registration and authority to operate, what red flags to avoid, and what remedies exist when apps go rogue.
This is general legal information. Align with your regulator, auditor, or counsel where needed.
1) What “legitimate” means (legal backbone)
A legitimate consumer lender operating through an app must:
Be a juridical entity registered with the SEC (corporation/partnership), with:
- SEC Company Registration No. (company’s legal existence), and
- Certificate of Authority (CA) to operate as a Lending Company (under R.A. 9474) or as a Financing Company (under R.A. 8556), whichever applies. (No CA = cannot engage in lending/financing to the public.)
Disclose, in-app and on its website:
- Registered corporate name (not just a brand), principal office address, SEC Registration No., and CA No., plus contact details for complaints.
Comply with financial-consumer protection norms (e.g., R.A. 11765), Truth in Lending Act (R.A. 3765—clear disclosure of total cost of credit), Data Privacy Act (R.A. 10173), and anti-harassment/fair collection rules.
Use BSP-supervised channels only if it is a bank/e-money issuer (banks are licensed by BSP, not SEC, but their lending partner/affiliate still needs proper authority depending on structure).
2) The legitimacy checklist (before you install or borrow)
A) Corporate identity & authority
- Exact corporate name (as shown on 2303/SEC papers) is visible in the app/website.
- SEC Registration No. and CA No. explicitly stated.
- Physical office address in the Philippines (not just a P.O. box or vague “Makati/Taguig”).
- Corporate email/landline for complaints (not only a chat bot or social page).
B) Cost-of-credit transparency
- Loan amount, term, interest rate, and all fees (processing, service, disbursement) shown before you commit.
- APR or Effective Interest Rate disclosed; no “mystery math.”
- Amortization schedule or a calculator visible.
- No mandatory add-ons (insurance, tips) unless you can opt out.
C) Privacy & permissions
- Privacy Notice names the data controller (the company), lawful basis for processing, retention period, and complaint channels.
- App does not require access to contacts, gallery, messages, or file storage to approve the loan. (Contact-harvesting is a red flag.)
- No blanket consent for public disclosure of your data.
D) Collections & conduct
- Terms ban: public shaming, contacting your employer/contacts, threats of arrest, fake legal letters.
- They have a written complaint/appeal process and commit to reasonable call hours.
E) Payments & receipts
- Traceable payment channels (bank, e-wallet with receipt).
- Official statement/receipt issued after each payment.
Rule of thumb: If the app cannot show who they are (legal entity), where they are (address), and under what license (CA No.), don’t borrow.
3) How to confirm SEC registration and authority—step by step
Get the legal name (not just the app brand). Look in:
- App About/Company page or footer, loan contract, privacy policy, or email signature.
Ask for copies (via email/chat):
- SEC Certificate of Incorporation/Registration
- SEC Certificate of Authority (Lending/Financing), showing CA No. and date
- Articles/By-Laws (first page with name & purpose is usually enough)
- DTI/Trade name if they use a brand different from the corporate name
Cross-check the documents with what appears in the app/contract:
- Corporate name, address, and CA No. must match.
- The lender in the contract should be the same entity that holds the CA.
If they refuse to provide CA details or give only a brand name → treat as unlicensed and disengage.
4) Sorting the ecosystem (who supervises whom)
| Provider Type | Primary License | Primary Supervisor | Notes |
|---|---|---|---|
| Bank (digital/branch) | BSP banking license | BSP | Can lend without SEC CA; still must follow FCP, TILA, DPA, fair collection. App should say it is a bank. |
| Financing Co. | SEC Registration + CA (Financing) | SEC | Typically larger-ticket, purchase-finance; may operate an app. |
| Lending Co. | SEC Registration + CA (Lending) | SEC | Consumer micro-lending/short-term loans. |
| Marketplace/Broker App | Platform registration (no lending) | Depends | If they grant loans in their name, they need a CA. If only brokering, they must clearly identify the licensed lender. |
5) Red flags (treat as high risk or illegal)
- No corporate name or SEC/CA numbers anywhere; uses only a brand.
- Requires access to contacts/photos; creates group chats with your family/colleagues.
- Threats of arrest, deportation, blotter, or “padlocking” your house; fake lawyer/sheriff letters.
- Upfront cash deposit or “processing fee” before loan approval/funding.
- Interest/fees unclear or change after you click “accept.”
- Payment only via untraceable channels (personal accounts, OTC to a person).
- No receipts, no amortization table, no hotline for complaints.
6) Borrower protection in practice (what to keep on file)
- Screenshots/PDFs of: app disclosures, license details, privacy policy, pricing page, loan contract, and payment receipts.
- Loan computation sheet (principal, interest, fees, total) before you accept.
- All communications (emails, chats) and a timeline of events.
This file will defend your consumer rights and tax/expense records and supports complaints if needed.
7) If you’re a company/HR vetting a payroll partner or staff lender
- Require: SEC Certificate of Registration, Certificate of Authority, BIR 2303, Data Privacy compliance (privacy notice, DPO contact), and sample loan contract.
- Put into the MOU: lawful collection commitments (no workplace harassment), no scraping of employee contacts, clear pricing, and regulator cooperation.
- Shut off onboarding if names/CA No. don’t match or if the app demands phonebook access.
8) What interest/fees are lawful?
- The old Usury Law ceilings are not presently in force; reasonableness and disclosure govern.
- Special caps apply to credit cards (BSP-set per month); OLAs that are non-banks generally have no fixed statutory cap, but unconscionable rates/fees can be struck down by courts and regulators—especially if undisclosed or misleading.
Your shield is disclosure: demand a full itemization and APR. If they refuse, walk away.
9) When an app turns abusive—your remedies
- Financial Consumer Protection (FCP): Demand validation (creditor identity, contract, itemized computation) and stop harassment; set call windows in writing.
- Data Privacy: Object to contact scraping/public shaming; demand deletion of unlawfully processed data; prepare an evidence pack (screens, links, call logs).
- Criminal/Civil: Grave threats/coercion, libel/slander (including online), unjust vexation; civil damages and injunction.
- Workplace: HR can issue a no-contact memo to protect the office and refuse disclosure.
(File with the appropriate agencies; keep your evidence chronological and indexed.)
10) Templates you can use
A) Vendor due-diligence request (email/chat)
Subject: Request for SEC Licensing Details
Kindly provide the following for compliance:
1) SEC Certificate of Registration (company name & reg. no.);
2) SEC Certificate of Authority as [Lending/Financing] Company (CA No. & date);
3) Principal office address and complaint channels;
4) Sample loan contract and pricing disclosure (APR/fees).
We only transact with licensed entities. Thank you.B) Pre-borrowing confirmation (message inside the app)
Before I proceed, please confirm:
• Legal corporate name and SEC Registration No.;
• Certificate of Authority No. and date issued;
• Full disclosure of interest, fees, total amount payable, and APR;
• Privacy policy link and list of device permissions required.
If unavailable, I will discontinue the application.C) Cease harassment & validation (if already borrowed)
Subject: Validation Request & Cease of Unlawful Collection
Please send within 7 days: (1) creditor’s legal name and authority to collect,
(2) loan contract reference, (3) itemized computation of principal/interest/fees,
and (4) payment history to date. Contact me only at [number/email], Mon–Fri
[hours]. Do not contact my relatives/employer or disclose my data. Public
shaming, threats, or fake legal notices are unlawful and will be reported.11) Frequently asked questions
Q1: The app says it’s a “platform,” not the lender. How do I check? Ask: Who is the lender of record? You must see the licensed company’s name and CA No. on the loan contract and receipts.
Q2: Can a sole proprietor legally operate an OLA? Consumer lending to the public generally requires a corporation/partnership with a CA. A sole proprietor cannot hold an SEC CA.
Q3: The app is operated by a bank—do I still look for an SEC CA? Banks lend under BSP authority, not SEC CA. The app must clearly identify the bank and provide complaint channels. If a non-bank affiliate is the lender, that entity must have an SEC CA.
Q4: They asked for an “approval fee” upfront. Treat as a scam. Legitimate lenders net off disclosed fees at disbursement or bill them—not demand cash first.
Q5: They refuse to show licenses, saying “confidential.” Licenses are public facts. Refusal is a deal-breaker.
12) Bottom line
- Legitimacy = identifiable company + SEC/BSP license + Certificate of Authority (if non-bank) + lawful disclosures + privacy-safe conduct.
- No license, no deal. If the app can’t show who they are and under what authority they lend, disengage.
- Keep a document trail before you borrow; it’s your shield against abuse and disallowances.
- If harassment occurs, assert your rights in writing, preserve evidence, and pursue regulatory/criminal remedies.
If you share the app’s brand, any company name/CA No. they gave, and a screenshot of their disclosures/permissions, I can map a quick go/no-go verdict and draft the exact due-diligence email or cease letter you need.