Corporate and Individual Due Diligence in the Philippines: Background Checks and Compliance
Practical guide for lawyers, compliance officers, HR and risk teams. Philippine law–focused; not legal advice.
1) Why due diligence matters (and when it’s required)
Due diligence in the Philippines serves three overlapping goals:
Legal compliance
- Anti-Money Laundering/Counter-Terrorism Financing (AML/CTF): banks, securities firms, insurers, money service businesses, casinos, real-estate professionals, virtual asset service providers (VASPs), and other “covered persons” must apply risk-based customer due diligence (CDD), report covered/suspicious transactions, identify beneficial owners, and screen against sanctions/terrorist lists.
- Data Privacy: collecting and verifying personal data (background checks) must comply with the Data Privacy Act (DPA), its IRR, and National Privacy Commission (NPC) guidance.
- Corporate/Regulatory: companies must maintain accurate corporate records (e.g., General Information Sheet with beneficial ownership), hold the right licenses, pay taxes, and follow sector rules (BSP/SEC/IC/PAGCOR, etc.).
- Labor: employers may screen candidates, but must respect labor standards, anti-discrimination rules, and privacy constraints.
Risk management
- Prevent fraud, bribery, sanctions exposure, reputational damage, and supply-chain risk.
Transactional assurance
- In M&A, lending, joint ventures, vendor onboarding, and large procurement, diligence confirms who you are dealing with, what they own/owe, and which liabilities you could inherit.
2) Core legal framework (Philippine context)
Data Privacy Act of 2012 (Republic Act 10173) & IRR Governs collection, processing, storage, sharing, and cross-border transfer of personal data. Requires a lawful basis (e.g., consent, legal obligation, contract necessity, or legitimate interests), proportionality, transparency, security measures, and breach reporting to the NPC/affected individuals when thresholds are met. Extra protection applies to sensitive personal information (e.g., health, government IDs, criminal proceedings).
Anti-Money Laundering Act (RA 9160) as amended (incl. RA 9194, 10167, 10365, 10927, 11521) Creates obligations for covered persons to implement CDD/EDD, keep records (typically at least 5 years), and file covered/suspicious transaction reports with the AMLC. Extends coverage to casinos and VASPs; real-estate professionals and other sectors are also governed by specific rules.
Terrorism Financing Prevention & Suppression Act (RA 10168) and Anti-Terrorism Act (RA 11479) Support targeted financial sanctions: screen customers, beneficial owners, directors, counterparties, and transactions against UN and local Anti-Terrorism Council designations; freeze assets as required.
Revised Corporation Code (RA 11232) & SEC rules Beneficial ownership transparency (e.g., GIS reporting), corporate governance, and record-keeping. The SEC also issues advisories on investment scams—useful in reputational checks.
Credit Information System Act (RA 9510) Establishes the Credit Information Corporation (CIC) for credit data; lenders access reports through accredited bureaus for credit due diligence.
Personal Property Security Act (RA 11057) Creates the Personal Property Security Registry (PPSR) where security interests over movables are registered—relevant for asset/lien checks.
Labor & sectoral laws DOLE rules (hiring, data handling in HR), BSP/SEC/Insurance Commission (IC)/PAGCOR circulars for sector-specific KYC/outsourcing/e-KYC; professional licensure via PRC; industry-specific permits (e.g., PCAB for contractors, FDA for regulated products), and environmental compliance (DENR).
Note on FATF monitoring: The Philippines was placed under FATF increased monitoring (the “grey list”) in June 2021 and remained there as of mid-2024; the FATF removed it from the list in February 2025. Status can change, so compliance programs should be aligned with the latest national/sectoral guidance and FATF action plans rather than a fixed snapshot.
3) Types of due diligence
A. Corporate due diligence (companies, NGOs, partnerships, sole proprietors)
Typical objectives and checks:
Identity & legal existence
- SEC records for corporations/partnerships; DTI for business names (sole proprietors); cooperative authority for co-ops.
- Constitutional documents: Articles, By-Laws/Partnership Agreement, Certificates of Registration, GIS (directors/officers/owners).
- Business permits & tax: Mayor’s/business permits; BIR registration (Certificate of Registration/TIN), VAT/excise status.
Ownership & control
- Shareholding structure up to beneficial owners (natural persons who ultimately own/control). Identify nominees/trusts, control via voting agreements, and key decision-makers.
Licenses/registrations
- Sectoral licenses: BSP-supervised financial institutions, SEC-licensed entities (brokers, fund managers), IC-regulated insurers/intermediaries, PAGCOR for casinos/POGOs, DOE/ERC for energy, etc.
Financial position
- Audited financial statements, management accounts, bank/loan facilities, covenants, liens (PPSR and chattel/mortgage registries), real property titles and encumbrances.
Litigation, regulatory & sanctions
- Court decisions, administrative orders, show-cause/penalty history; AML/CTF sanctions screening on the entity, directors/officers, shareholders, and beneficial owners.
Tax
- BIR assessments, tax rulings/exemptions, local business tax/real property tax status.
Contracts & IP
- Material contracts (change-of-control, assignment, exclusivity, non-compete), franchise/distribution, IP registrations (IPO), software licenses, data-processing agreements.
ESG & compliance
- Environmental compliance certificates, social/community obligations, health & safety; supply-chain risk (forced labor/trafficking), whistleblowing procedures, anti-bribery controls.
Reputation & media
- Adverse media, SEC/BSP/IC advisories, investment scam listings, public consumer complaints.
Operational
- Governance, internal controls, AML program (if covered person), data privacy program (privacy notice, DPO appointment, breach response, DSAs/outsourcing contracts), cybersecurity posture.
B. Individual due diligence (natural persons—customers, directors, UBOs, employees, high-risk counterparties)
Identity verification
- Acceptable IDs: passport, driver’s license, UMID, PhilID (PhilSys), PRC license, etc. Verify authenticity and liveness if doing remote onboarding.
KYC & risk profiling
- Establish purpose/nature of relationship, expected activity/wealth source, country/sector risk, and determine if PEP (domestic/foreign/international org) or close associate/family.
Sanctions/terrorist & adverse media screening
- UN and domestic lists; international sanctions (e.g., OFAC/EU/UK) if risk-relevant.
Criminal/case history
- NBI Clearance (national index of records) and police clearance (local). Interpret “hits” carefully—confirm if pending, dismissed, or convicted. Respect presumption of innocence and privacy.
Employment & education verification
- Prior employers (position, tenure), degree verification with schools; check PRC licenses for regulated professions.
Financial/credit checks (when lawful & proportionate)
- CIC reports via accredited bureaus (for lending roles or credit relationships).
Conflicts & integrity
- Outside directorships/shareholdings, related-party ties, gift/hospitality history, prior regulatory sanctions.
4) AML/CTF: risk-based CDD in practice
When to conduct CDD
- At onboarding, for occasional transactions above thresholds, when suspicion arises, or when you doubt prior data.
CDD steps
- Identify the customer and verify identity using reliable, independent sources.
- Identify beneficial owners and verify to a reasonable level.
- Understand purpose/nature of the relationship.
- Ongoing monitoring of transactions and screening (initial and periodic).
Enhanced Due Diligence (EDD) triggers
- PEPs/associates, complex/opaque ownership, high-risk countries/sectors, cash-intensive businesses, adverse media, unusual transaction patterns, correspondent banking, cross-border private banking, VASP exposures.
Record-keeping
- Keep CDD/transaction records for the minimum period prescribed by AML rules (commonly at least five years from transaction/closure) or longer if investigations/litigation are ongoing.
Reporting
- File Covered Transaction Reports (CTRs: single transactions in cash or equivalent monetary instrument above PHP 500,000 within one banking day; PHP 5,000,000 for casinos) and Suspicious Transaction Reports (STRs) with the AMLC within the prescribed deadlines (the AMLA’s statutory default is five working days from occurrence; current AMLC reporting guidelines may set shorter windows for STRs). Have escalation playbooks and legal review gates.
5) Data Privacy for background checks (how to do it right)
Lawful basis
- Employment checks: typically consent + legitimate interests; ensure voluntariness for applicants and avoid coercive bundling.
- Customer/vendor checks: legal obligation (for AML-covered persons) or legitimate interests (fraud prevention) with appropriate safeguards.
Transparency
- Clear privacy notices stating purposes (screening/KYC), data categories, sources (e.g., public records, references), retention, sharing (screening vendors), rights, and contact details of your Data Protection Officer (DPO).
Proportionality/minimization
- Collect only what’s necessary for the risk and role. Avoid irrelevant or intrusive data (e.g., family medical history). Treat sensitive and privileged information with heightened safeguards.
Data sharing & outsourcing
- Put in place Data Sharing Agreements (DSAs) for controller-to-controller sharing and outsourcing/processing agreements for vendor processors (security, purpose limitation, breach notification, sub-processor control, cross-border clauses).
Cross-border transfers
- Allowed if you ensure comparable protection and contractual safeguards. Keep data maps and transfer registers.
Security
- Risk-based controls: access governance, encryption, audit logs, vendor assessments, employee confidentiality undertakings, and secure disposal (media sanitization certificates).
Breach response
- Have incident playbooks; assess reportability; if thresholds are met, notify the NPC and affected individuals within the prescribed timeline (NPC rules require notification within 72 hours of knowledge of, or reasonable belief in, a notifiable breach) with the required content (nature of breach, data involved, measures taken, contact point, etc.).
6) Employment background checks (HR specifics)
Scope that’s usually appropriate
- Identity and credentials; NBI or police clearance; professional/driver’s licenses; employment/education history; job-related credit checks for sensitive roles (cash handling, finance).
Be careful with…
- Medical information (limit to fitness-to-work and lawful occupational checks).
- Pregnancy status, religion, sexual orientation, political beliefs—avoid; risk of discrimination claims.
- Criminal history: consider job relevance and rehabilitation; where possible, request clearances only after a conditional job offer; give candidates a chance to explain hits before any adverse decision.
Retention
- Keep only as long as needed for hiring decisions and legal defense windows; then securely delete/anonymize.
7) Practical sources & how to use them (lawfully)
Always confirm you have a lawful basis, provide notice, and keep a record of sources searched.
Government & registries (examples) SEC/DTI records; LGU business permits; BIR COR; PRC license verification; PPSR for movable liens; LRA/Registry of Deeds for land titles/encumbrances; court decisions (Supreme Court/CA/Sandiganbayan); regulatory advisories (SEC/BSP/IC); PAGCOR listings; DENR/EMB environmental permits; PEZA/BOI registrations.
Identity & integrity NBI and local police; PhilID/PhilSys verification (where available); watchlists (UN/local), sanctions lists; adverse-media databases.
Credit/finance CIC reports via accredited bureaus; bank and trade references; audited FS.
Operational Company policies, AML/Privacy manuals, org charts; major contracts; IP filings; insurance coverage; litigation dockets; vendor and customer master files (to sample for sanctions/PEP exposure).
8) Building a compliant program (for companies in PH)
Governance & risk assessment
- Board-approved Compliance/AML/Privacy policies; appoint Compliance Officer and DPO.
- Enterprise Risk Assessment: map inherent risks (customer types, products, geographies, delivery channels), define risk appetite, and set KYC tiers.
Standard operating procedures
- KYC/CDD & EDD playbooks (what to collect, acceptable documents, verification steps, sanctions screening cadence, triggers for refresh, handling false positives).
- HR screening SOPs (consent, timing, relevance criteria, adverse action protocol).
- Third-party due diligence (risk-tiered onboarding, questionnaire, documentary checks, anti-bribery undertakings, ongoing monitoring).
Contracts & forms
- Customer agreements: reps/warranties on lawful funds/ownership, audit rights, termination for sanctions violations.
- Vendor contracts: data-processing clauses, confidentiality, audit, breach notice, sub-processor rules, localization/transfer terms.
- HR: consent forms, privacy notice acknowledgments, background check disclosures.
Technology & data
- Screening platforms (sanctions/PEP/adverse media) with audit trails; KYC workflow tools; secure document vault; identity verification with liveness; ticketing for escalations.
Training & awareness
- Role-based AML and privacy training (frontliners, investigators, HR, procurement, IT). Simulate scenarios (false hits, data subject requests, wire “travel rule” deficiencies).
Monitoring, testing & reporting
- QA on KYC files, sanctions alert handling, periodic KYC refresh (risk-based), internal audit, regulatory reporting tests, and metrics (approval times, hit rates, false-positive rates, backlog, breach/STR stats).
Recordkeeping & retention
- AML minimums (often 5 years); privacy retention schedules by purpose; defensible destruction.
9) Red flags (Philippines-oriented)
Corporate: newly formed entity with complex offshore owners; nominee directors; inconsistent SEC/DTI/BIR/permit information; frequent changes of address or bank; unusual cash flows; dealings with sanctioned or high-risk jurisdictions; repeated SEC advisories; unpaid statutory contributions; missing ECC/permits for regulated activities.
Individual: reluctance to provide valid ID; unverifiable employment/education; contradictory source-of-funds story; PEP with unexplained wealth; heavy use of cash or convertible virtual currency; adverse media about fraud/corruption; multiple NBI/police “hits” without plausible context.
10) Execution checklists (copy-paste ready)
A. Corporate KYC/Onboarding (baseline)
- Registration (SEC/DTI) + current GIS
- Business permits + BIR COR/TIN
- Ownership chart to UBO (incl. nominees/trusts)
- IDs + proof of authority of signatories
- Sector licenses/approvals
- Sanctions/terrorist/PEP screening (entity, directors, UBOs)
- Purpose/nature of relationship; expected activity
- Adverse media sweep
- AML risk rating + EDD (if triggered)
- Data privacy: notice, lawful basis, DSA/processing clauses
- Retention plan and review/refresh date
B. Individual KYC/Background Check (baseline)
- Government ID (1–2) + liveness (remote)
- Address & contact verification
- NBI/police clearance (as appropriate)
- Employment & education verification (role-relevant)
- PRC license (if professional role)
- Sanctions/terrorist/PEP & adverse media screening
- Credit check (only when lawful/necessary)
- Risk rating; EDD if PEP/other triggers
- Privacy consent & notices; retention plan
C. M&A/Vendor/Counterparty DD (expanded)
- Corporate pack + beneficial ownership
- Financials, bank/loan and PPSR lien searches
- Litigation/regulatory review; key contracts; IP
- Tax compliance and assessments
- ESG/environmental permits; labor compliance
- Information security/privacy program maturity
- Site visit/interviews; reference checks
- Integration/exit clauses; reps/warranties; indemnities
11) Common pitfalls (and how to avoid them)
- Treating “publicly available” data as free-for-all. DPA still applies; respect purpose limitation and proportionality.
- Over-collection. Limit checks to role/risk; avoid sensitive data unless truly necessary and lawful.
- One-time screening. Re-screen periodically and on triggers (e.g., ownership change, adverse news, sanctions updates).
- Ignoring beneficial ownership. Go beyond the first corporate layer—“who ultimately owns/controls?”
- False positives in sanctions/PEP hits. Use secondary identifiers (DOB, address) and a documented clearing workflow.
- No paper trail. Keep decision logs: why you approved/declined, how you resolved alerts, what documents you relied on.
- Vendor risk blind spots. Diligence your diligence provider: data security, subcontractors, cross-border processing, breach history.
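The false-positive pitfall above (and the "handling false positives" step in the KYC/CDD playbooks of section 8) is easiest to get right when the clearing rule is written down and every decision is logged. The following is an added illustration, not code from the original page: it normalizes names (accents, punctuation, "Surname, Given" order, corporate suffixes), scores them against a watchlist, and then applies a secondary-identifier rule on date of birth before recording a decision with its reason. The watchlist entries, the 0.85 threshold, and the DOB clearing policy are all assumptions for illustration; the names are fictional and correspond to no real designation.

```python
"""Name screening with secondary-identifier corroboration and a decision log.

Added example (not from the original page). The watchlist below is
constructed for illustration only and contains no real designations.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Constructed, fictional watchlist. A real program loads UN, ATC and other
# designation lists from their official sources and refreshes them on a schedule.
WATCHLIST = [
    {"id": "WL-0001", "name": "Pedro Penduko", "dob": "1975-03-14", "list": "LOCAL-ATC"},
    {"id": "WL-0002", "name": "Maria Makiling", "dob": None, "list": "UN"},
    {"id": "WL-0003", "name": "Example Trading Corporation", "dob": None, "list": "OFAC-SDN"},
]

# Corporate suffixes that add noise to matching. Generational suffixes
# (Jr., Sr.) are kept because they discriminate between family members.
NOISE_TOKENS = {"inc", "corp", "corporation", "co", "company", "ltd", "the"}


def normalize(name: str) -> str:
    """Lower-case, strip accents and punctuation, reorder 'Surname, Given',
    drop corporate suffixes, and sort tokens so word order is ignored."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    if "," in s:  # "PENDUKO, Pedro" -> "pedro penduko"
        last, first = s.split(",", 1)
        s = f"{first} {last}"
    s = re.sub(r"[^a-z0-9 ]+", " ", s)
    tokens = [t for t in s.split() if t not in NOISE_TOKENS]
    return " ".join(sorted(tokens))


def name_score(a: str, b: str) -> float:
    """Similarity in [0, 1] between two names after normalization."""
    return round(SequenceMatcher(None, normalize(a), normalize(b)).ratio(), 3)


@dataclass
class Decision:
    """One audit-trail record per candidate hit: what matched, and why it was resolved as it was."""
    subject: str
    candidate_id: str
    list_name: str
    score: float
    outcome: str  # "true_match", "possible_match" or "cleared"
    reason: str


def screen(subject: str, dob: Optional[str] = None, threshold: float = 0.85) -> list:
    """Return one logged Decision per watchlist candidate scoring at or above threshold.

    Assumed secondary-identifier policy (adjust to your own SOP):
    - both sides carry a full DOB and they agree  -> true_match
    - both sides carry a full DOB and they differ -> cleared (logged, never silent)
    - either DOB missing                          -> possible_match for analyst review
    """
    decisions = []
    for entry in WATCHLIST:
        score = name_score(subject, entry["name"])
        if score < threshold:
            continue  # below threshold: no alert, nothing to clear
        if dob and entry["dob"]:
            if dob == entry["dob"]:
                outcome, reason = "true_match", "name and date of birth both match"
            else:
                outcome, reason = "cleared", f"name matches but DOB {dob} differs from listed {entry['dob']}"
        else:
            outcome, reason = "possible_match", "name matches; DOB missing on one side, analyst review required"
        decisions.append(Decision(subject, entry["id"], entry["list"], score, outcome, reason))
    return decisions


if __name__ == "__main__":
    samples = [("PENDUKO, Pedro", "1975-03-14"), ("Pedro Pendoko", "1980-01-01"),
               ("Example Trading Corp.", None), ("Jose Rizal", None)]
    for name, birth in samples:
        print(name, "->", screen(name, birth) or "no hit")
```

The point of the `Decision` record is the "no paper trail" pitfall: an alert that is auto-cleared on a DOB mismatch is still written to the log with its score and reason, so an auditor can see why a near-miss on a designated name was closed. In a production screening platform the threshold, the auto-clear rule, and the list sources would be configuration approved under the KYC/CDD playbook rather than constants in code.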
12) Templates (short forms you can adapt)
A. Applicant/Counterparty Privacy Notice (excerpt)
We collect and process your personal data to (i) verify identity and credentials, (ii) conduct background checks and sanctions screening, and (iii) comply with AML, sanctions, and other legal obligations. We may share your data with screening vendors and regulators as required. We retain data only as long as necessary for these purposes or as required by law. You may exercise your data privacy rights by contacting our DPO at [email].
B. Background-Check Consent (employment)
I voluntarily authorize [Company] and its agents to verify my identity, credentials, and records relevant to the position applied for, including NBI/police clearances and professional licenses. I understand my data will be processed under the Data Privacy Act and applicable labor laws. I may withdraw consent subject to legal/contractual restrictions.
C. Vendor Anti-Bribery & Sanctions Warranty
Counterparty represents that it (and its owners, directors, officers) are not owned or controlled by, or acting on behalf of, any sanctioned person or jurisdiction; funds are from lawful sources; it will maintain adequate books/controls and notify [Company] of any sanctions designation. Breach is grounds for immediate termination.
13) Putting it all together: a right-sized approach
1) Map your risks → 2) Pick your checks (tiered by risk/role) → 3) Automate the workflow (ID&V, screening, audit trail) → 4) Train people → 5) Monitor & improve (metrics, audits, regulator feedback).
With this, Philippine businesses can meet AML/CTF and Data Privacy obligations, make better decisions in transactions and hiring, and reduce exposure to sanctions, fraud, and reputational harm—all while respecting the rights of individuals and treating data responsibly.