How to Check if a Lending App or Company Is Legit in the Philippines

For consumers, employees handling vendor due diligence, and founders planning to launch a lending product. Philippine law-focused.


1) The short answer (what to check first)

  1. SEC status:

    • The entity must have a SEC Registration Number and a Certificate of Authority (CA) to operate as a Lending Company (under the Lending Company Regulation Act) or a Financing Company (under the Financing Company Act).
    • A mere SEC Registration (of a corporation) ≠ permission to lend to the public. The CA is separate and essential.
  2. Right regulator:

    • Banks, e-money issuers, and pawnshops are regulated by the Bangko Sentral ng Pilipinas (BSP) (not the SEC).
    • Cooperatives are regulated by the Cooperative Development Authority (CDA) and may extend credit to members.
    • Insurance and pre-need entities are under the Insurance Commission (IC).
    • Microfinance NGOs are governed by the Microfinance NGOs Act and its council.
    • If an app says it’s any of the above, it should name the correct regulator.
  3. App conduct & privacy:

    • No contact scraping, shaming, threats, or harassment.
    • No excessive device permissions unrelated to lending (e.g., requiring contacts/photos for basic use).
    • Clear privacy notice and consent under the Data Privacy Act (DPA).
  4. Disclosure & terms:

    • Transparent total cost of credit (interest + fees), computation examples, repayment schedule, late fees, and cooling-off/cancellation or early settlement rules if offered.

If any of those are missing, treat the app or company as high risk.


2) Legal framework (why these checks matter)

  • Corporations & authority to lend:

    • Lending to the public as a business requires incorporation and specific authority:

      • Lending Company Regulation Act (often referred to with its implementing rules) for “lending companies.”
      • Financing Company Act for “financing companies.”
    • The SEC issues a Certificate of Authority after capital, fit-and-proper, and documentary checks.

  • Regulatory carve-outs:

    • Banks, quasi-banks, trust entities, and pawnshops (BSP); cooperatives (CDA); insurers/pre-need (IC); and microfinance NGOs (their council) are outside the lending-company regime because they are regulated elsewhere, but they must still follow their own sector rules.
  • Privacy & collections:

    • Data Privacy Act of 2012 + NPC rules: lawful processing, consent, purpose limitation, data minimization, security safeguards, and data subject rights.
    • Unfair/abusive collection can trigger administrative penalties (SEC or NPC) and even criminal liability (e.g., grave threats, libel/cyber-libel, unjust vexation) under the Revised Penal Code and related laws.
  • Interest & fees:

    • The Usury Law ceilings are effectively suspended, but unconscionable rates/fees can be struck down by courts. Specific caps may apply in particular sectors (e.g., credit cards) via regulator circulars; always read the latest terms disclosed by the lender and compare with current rules.

3) Step-by-step due diligence (for consumers and businesses)

A. Confirm which regulator has authority over them

  1. What they claim to be: bank, lending company, financing company, cooperative, pawnshop, insurer, EMI, or NGO.
  2. Cross-check: the name, exact corporate entity, and brand/app name match across the app, website, receipts, and contract.

B. Verify authorization

  • SEC-regulated lenders (lending/financing companies):

    • Must show SEC Registration Number and CA Number (Certificate of Authority).
    • Contracts/receipts should bear the legal entity name (not only a brand).
  • BSP-regulated entities (banks/EMIs/pawnshops):

    • Should display their BSP license type and official name.
  • CDA cooperatives:

    • Credit offered primarily to members; documents show CDA registration and cooperative details.
  • Insurance/Pre-need:

    • Insurance Commission registration for the relevant products.

Tip: A Facebook page, Play Store listing, or a generic “DTI Certificate” is not enough. DTI business name registration does not authorize lending to the public.

C. Inspect the app’s behavior

  • Permissions: Does it demand contacts, photos, or mic access without a clear lending purpose? Red flag.
  • Onboarding: Are KYC steps and consent screens readable and specific?
  • Privacy notice: Names the data controller, purposes, retention periods, third-party sharing, and contact details for data subject requests.
  • Security posture: Is OTP/2FA offered? Are passwords handled in plain text? A lack of OTP/2FA, or plain-text passwords, is a visible red flag.

D. Read the economic terms

  • Total Cost of Credit (TCC): Annualized interest (if disclosed), processing/convenience fees, disbursement charges, late fees, collection fees, penalties.
  • Disbursement net-of-fees: Are fees deducted upfront (so the effective rate spikes)?
  • Repayment: frequency, due dates, grace periods, early repayment or pretermination treatment.
  • Collateral/assignments: any wage assignment or automatic debit agreements; revocation terms.
  • Default & collections: when default occurs; cure periods; where disputes are heard; whether arbitration applies and with what rules.

E. Evaluate collection practices

  • Legit lenders do not:

    • Threaten violence, public shaming, or contact your employer/family/phonebook to coerce payment.
    • Post defamatory content or send mass texts to your contacts.
  • They do:

    • Use lawful reminders, demand letters, and (if needed) file civil actions or use accredited collection agencies that follow conduct standards.

4) Red flags that usually mean “walk away”

  • No CA number (SEC) or wrong regulator named.
  • Entity name on the contract does not match the app/receipt or is missing entirely.
  • Excessive device permissions; the app won’t function unless you grant contacts/gallery access.
  • Withholding principal via large “processing” or “service” fees, especially for very short tenors.
  • “Government-endorsed” or “DTI-approved” claims for lending authority (misleading).
  • Anonymous customer support (no legal entity, no address, only chat handles).
  • Threats or shaming during collections.

5) If you’re already dealing with a shady app: practical remedies

A. Preserve evidence

  • Keep screenshots of the app listing, permissions prompts, disclosures, chats/SMS, call logs, receipts, and transaction IDs.
  • Save copies of the loan contract and payment proofs.

B. Exercise your Data Privacy Act rights

  • Send a data subject request (DSR): ask for information they hold, withdraw consent for non-essential processing, or demand deletion when legally appropriate.
  • If the app contacted your phonebook or posted defamatory notices, note dates, numbers used, and recipients.

C. Report to the right body

  • SEC (for lending/financing companies operating without CA or violating conduct rules).
  • BSP (for banks/EMIs/pawnshops).
  • CDA (for cooperatives).
  • Insurance Commission (if an insurance-type product is involved).
  • National Privacy Commission (NPC) for privacy violations (contact scraping, shaming, unlawful processing).
  • PNP-ACG / NBI for criminal harassment, threats, or fraud.
  • Small Claims Court for monetary disputes within jurisdictional limits; no lawyer required.

D. Debt-collection boundaries

  • You must pay valid debts, but you can set terms for safe communication (channels/hours).
  • Reply with a written notice: “Communicate only via [email/number], between [times].”
  • If harassment continues, document and escalate to regulators/law enforcement.

6) For founders & compliance officers (building a legit lending app)

  • Choose the right charter: lending company vs. financing company vs. bank/EMI partnership/cooperative tie-ups.
  • Get the CA (or sector license) before launch.
  • Product disclosures: show TCC clearly, provide amortization tables, and avoid junk fees.
  • Privacy-by-design: limit permissions to what’s necessary; implement KYC with lawful basis, DPIAs, breach procedures, and a working DPO email.
  • Collections governance: in-house policy + training + vetted third-party agencies; ban harassment; retain call recordings; complaint turnaround times.
  • Vendor oversight: credit scoring providers, payment gateways, SMS senders—ensure DPAs, data sharing agreements, and cross-border safeguards.
  • Complaints desk: responsive help center, escalation ladders, and regulator-facing logs.

7) FAQs

Q: Is a high interest rate automatically illegal?
A: Not automatically. But unconscionable interest/fees can be reduced or voided by courts. Sector rules may impose caps (e.g., certain products), and misleading or opaque pricing can be penalized.

Q: The app says it’s “partnered with” a licensed entity. Is that enough?
A: No. The entity extending credit must itself be authorized for that activity, or be clearly operating as an agent under an allowed model with proper disclosures.

Q: Can a lender message my contacts?
A: Generally no—you didn’t (and can’t) validly consent on behalf of other people. Contacting them for shaming/pressure is a major red flag and likely violates the DPA and other laws.

Q: They threatened to post my photos. What now?
A: Preserve evidence; file with NPC and law enforcement. Threats, extortion, or defamation can be criminal. Seek counsel if immediate harm is likely.


8) One-page checklist (print/save)

Entity & License

  • The company’s full legal name matches across app, contract, and receipts
  • SEC Registration Number and Certificate of Authority (or correct sector license) are shown
  • Regulator named correctly (SEC/BSP/CDA/IC/MF NGO Council)

Disclosures & Pricing

  • Clear total cost of credit (interest + all fees)
  • Sample computations and repayment schedule
  • Late fees/penalties explained; early repayment policy stated

Privacy & Conduct

  • Minimal app permissions; no forced access to contacts/gallery
  • Privacy notice with DPO contact; consent screens are specific
  • No harassment or shaming tactics in collections

Operations

  • Working hotline/email and physical address
  • Receipts show legal entity and CA/license
  • Complaint and escalation process stated

Red Flags (any one = avoid)

  • No CA/license number
  • Entity name mismatch or hidden ownership
  • Huge upfront “processing” deductions
  • Threats, shaming, contact scraping

9) Simple templates

A. Data Subject Request (DPA)

Subject: Data Subject Request – [Your Full Name]

To: [DPO Email of Lender]

I am asserting my rights under the Data Privacy Act. Please (1) confirm whether you process my personal data; (2) provide a copy of all personal data, sources, purposes, recipients, and retention periods; (3) cease processing for non-essential purposes and delete data not necessary to perform my loan contract; and (4) confirm actions taken within 15 days.

— [Name], [Mobile], [Reference/Loan No.]

B. Cease Harassment / Channel Restriction

Subject: Communications Concerning Loan [No.]

Effective immediately, please limit all communications to [email/number] between [time window]. Do not contact my employer, family, or contacts. Continued harassment will be documented and reported to regulators and law enforcement.

— [Name], [Date]

C. Complaint Cover Note (SEC/NPC/BSP/CDA/IC as applicable)

I am reporting [Entity/App Name] for [unlicensed lending / abusive collection / privacy violations]. Attached are screenshots, contracts, IDs, and payment proofs. Please acknowledge and advise next steps.

— [Name], [Address], [Contact]


10) Final notes

  • A legit Philippine lender pairs the right license with clear disclosures, lawful data handling, and professional collections.
  • When in doubt, don’t share contacts or grant unnecessary permissions. Get the legal entity name, ask for the license/CA number, and read the fine print.
  • If you spot violations, document and report promptly; it protects you and helps clean up the market.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.