This practical legal guide explains how to verify a lender, what licenses to look for, how online lending apps should behave, what Philippine laws protect you, the red flags to avoid, and what to do if something goes wrong. It’s written for borrowers, HR/finance teams, and compliance officers.

---

1) Overview: Who regulates whom?

• Bangko Sentral ng Pilipinas (BSP) – Regulates banks and certain non-bank financial institutions.
• Securities and Exchange Commission (SEC) – Regulates lending companies (under the Lending Company Regulation Act) and financing companies. Also oversees online lending platforms (OLPs) operated by those companies.
• National Privacy Commission (NPC) – Enforces the Data Privacy Act over lenders and apps that process your personal data.
• Anti-Money Laundering Council (AMLC) – Monitors anti-money-laundering compliance; lending and financing companies are “covered persons.”
• Cooperative Development Authority (CDA) – Regulates credit cooperatives.
• Local Government Units (LGUs) – Issue mayor’s permits and business clearances.
• Bureau of Internal Revenue (BIR) – Issues the BIR Certificate of Registration (Form 2303).

Bottom line: A legitimate lending or financing company (non-bank) is primarily supervised by the SEC, not the BSP. Banks are supervised by the BSP. Credit cooperatives are supervised by the CDA.

---

2) Lending vs. Financing Companies (why it matters)

• Lending Company – Grants loans sourced from its own capital funds. Must be a Philippine corporation.
• Financing Company – Provides credit (e.g., consumer loans, auto loans, installment plans) and may engage in leasing and other financing activities. Also must be a corporation.

They require SEC primary registration and a Certificate of Authority (CA) to Operate. Without a CA, they cannot legally lend to the public—even if they have an SEC registration number as a corporation.

---

3) The core legal requirements a legitimate lender should meet

1. Corporate existence with the SEC

   • Articles of Incorporation & By-Laws
   • SEC Registration Number (primary registration)

2. SEC Certificate of Authority (CA) to Operate

   • Explicitly states it is authorized as a Lending Company or Financing Company.
   • If operating online/app-based, the SEC requires compliance with specific circulars on online lending platforms.

3. Local permits and tax registration

   • Mayor’s/Business Permit (LGU)
   • BIR Certificate of Registration (Form 2303) and official receipts

4. Data privacy compliance (NPC)

   • Privacy Notice and Privacy Policy that are clear and accessible
   • Lawful basis for processing, minimal data collection, and secure data handling
   • No unauthorized scraping of your phone contacts, photos, or files

5. Anti-Money Laundering (AMLA) compliance

   • Know-Your-Customer (KYC) procedures (valid IDs, verification)
   • Ongoing monitoring and reporting of suspicious transactions

6. Truth in Lending Act (R.A. 3765) disclosures

   • Effective interest rate (EIR) and Annual Percentage Rate (APR)
   • All fees and charges must be clearly disclosed before you borrow
   • A copy of the loan contract and the disclosure statement must be provided

7. Fair collection practices

   • No harassment, threats, public shaming, or doxxing
   • No texting/calling your contacts, employers, or relatives to shame you
   • Collection must be professional and limited to reasonable times/channels

---

4) Step-by-step: How to verify legitimacy (onsite or online)

A. Ask for documents (and read them):

• SEC Certificate of Authority (look for the type: Lending or Financing Company)
• SEC Primary Registration documents
• Mayor’s Permit and BIR 2303
• Privacy Notice and Disclosure Statement (Truth in Lending Act)
• For apps/online platforms: ask how their OLP is operated and under which SEC-registered company

B. Match the details:

• The company name, principal office, registration numbers, and branding on the office, website, and app must match exactly across documents.
• Check directors/officers listed in the company profile against what staff tell you.

C. Validate with public sources:

• Search the SEC’s public lists/advisories for (1) companies with Certificates of Authority, (2) suspended/revoked entities, and (3) illegal lenders and apps.
• For banks (if the entity claims to be one), verify on BSP’s supervised institutions list.
• For cooperatives, verify with the CDA.
• For data privacy, see if the operator publishes NPC registration details and maintains compliant privacy practices.

Tip: A company that refuses to show its SEC CA, or provides only a generic SEC registration (without a CA), is a major red flag.

---

5) What legitimate online lending apps must (and must not) do

Must:

• Identify the SEC-licensed company operating the app
• Provide contact information (office address, hotlines, email)
• Present clear pricing (EIR/APR), fees, repayment dates, and total amount payable before you tap “Agree”
• Obtain informed, specific consent for any personal data collected; follow data minimization (only what’s necessary)
• Give you a loan contract and disclosure statement

Must not:

• Demand blanket access to your contacts, galleries, or messages
• Harass you or your contacts for collection
• Hide or drip-feed fees (e.g., “processing” or “service” fees) that spike the EIR
• Use fake names or constantly switch app identities while using the same operator

---

6) Interest, fees, and “no usury” myths

• The Usury Law ceilings are no longer in force, so there is no universal interest cap for all loans.
• However, courts may strike “unconscionable” interest as void under the Civil Code (e.g., when the rates are shockingly excessive or hidden).
• BSP imposes specific caps for credit cards and sets consumer protection standards for BSP-supervised entities; those do not automatically apply to SEC-regulated lenders.
• Regardless of caps, the Truth in Lending Act requires full cost disclosure. If you can’t compute the total cost before borrowing, walk away.

---

7) Debt collection: What’s legal and what isn’t

Generally allowed:

• Professional reminders through the contact details you provided
• Calls/texts/emails during reasonable hours
• Accurate updates on your account status and lawful consequences of default

Prohibited/unfair practices (red flags):

• Threats, obscenity, or public shaming posts
• Contacting your employer/relatives or your phonebook to shame you
• False legal threats (e.g., “we already filed a case” when none exists)
• Fake “warrants,” “subpoenas,” or “NBI/PNP” letters sent via chat
• Excessive collection fees not agreed in the contract

If this happens, document everything (screenshots, call logs) and file complaints (see §11).

---

8) In-person lenders and “loan sharks”

A “pa-5-6”/“5-6” operator (loan shark) typically:

• Has no SEC CA, no official receipts, and no clear contract
• Uses daily collection and intimidation
• States a low “interest” but adds daily “service”/“penalty” fees that balloon costs
• Keeps your ATM card/IDs as collateral (unsafe and often unlawful)

Avoid them. Even if you’re in a bind, the legal and financial risk is high.

---

9) Special cases (don’t mis-classify the entity)

• Banks – Verify on BSP lists; they do not need an SEC CA as a lending or financing company because they are banks.
• Pawnshops/Money Service Businesses – BSP-supervised (not SEC lending companies).
• Cooperatives – CDA-supervised; they lend to their members (check your membership and cooperative by-laws).
• Microfinance NGOs – Registered with the SEC as NGOs, but operate under a separate law and certification framework; they are not lending/financing companies.

---

10) Practical red-flag checklist

Walk away if you see any of these:

• No SEC CA to operate as a lending/financing company
• Mismatch between app name, website, receipts, and the SEC-registered corporate name
• Demands phonebook/gallery access or installs spyware-like SDKs
• Won’t give you a copy of the loan contract/Truth-in-Lending disclosure before disbursement
• Hidden fees deducted upfront (e.g., high “processing” fees)
• Harassment or “we’ll text your boss/family” threats
• Anonymous staff, no physical office, disposable phone numbers only
• Payment through personal e-wallets/bank accounts (not the company’s account)
• Refuses to issue BIR-registered official receipts

---

11) If you suspect an illegal or abusive lender

1. Stop sharing data; uninstall the app (if safe), revoke permissions.

2. Preserve evidence: screenshots, recordings, receipts, IDs, chat exports.

3. Notify the lender in writing to cease unlawful collection/harassment and to communicate only through official channels.

4. File complaints with the appropriate bodies:

   • SEC (for unlicensed lending, illegal OLPs, unfair collection)
   • NPC (for privacy violations, unauthorized contact scraping, doxxing)
   • AMLC tipline (for suspicious transactions)
   • PNP Anti-Cybercrime Group / NBI Cybercrime (for threats, extortion, cyber-harassment)
   • CDA/BSP if the entity claims to be a cooperative/bank

5. Consider civil remedies:

   • Small Claims (no lawyer required) for money claims up to ₱1,000,000 (current threshold), e.g., to recover illegal charges
   • Injunctions or damages for privacy and harassment violations

6. For employees: coordinate with HR/Legal to filter harassing messages and protect workplace contacts.

---

12) Borrower’s due-diligence pack (use this before you sign)

Ask the lender to provide, in writing:

• SEC Certificate of Authority number and date issued
• SEC corporate registration details (exact corporate name, office address)
• All-in cost: EIR/APR, itemized fees, penalties, and total amount payable
• Repayment schedule and acceptable payment channels (in the company’s name)
• Privacy Policy and Data Sharing practices
• Collection policy (who may contact you, when, how)
• Contact information (hotline, email, office) and complaints escalation path

If any item is missing or unclear, don’t sign.

---

13) Frequently asked questions

Q: The company showed me an SEC number. Is that enough? A: No. You need their SEC Certificate of Authority (CA) as a lending or financing company. Generic SEC registration is not a license to lend to the public.

Q: Can they legally contact my employer or my phonebook? A: Generally no. That is an unfair collection practice and may also violate data privacy laws.

Q: The interest seems low, but fees are huge. Is that allowed? A: Hidden or excessive fees that distort the real cost can be unfair or unconscionable and may be struck down. The Truth in Lending Act requires full, pre-contract disclosure of the total cost.

Q: They want my ATM card or IDs as collateral. A: Treat this as a serious red flag. It exposes you to theft, fraud, and abuse, and can be evidence of illegal lending.

Q: What if they already posted my photos or private info? A: Collect evidence immediately and file complaints with the NPC, law enforcement, and the SEC. You can also seek civil remedies for damages.

---

14) One-page verification script (you can reuse this)

“Before we proceed, please send the following: (1) your SEC Certificate of Authority as a lending/financing company; (2) your SEC primary registration showing the exact corporate name and office; (3) your BIR 2303 and Mayor’s Permit; (4) your Truth-in-Lending disclosure showing APR/EIR, all fees, penalties, and the total amount payable; (5) your Privacy Policy and collection policy; and (6) confirmation that all payments are made to the company’s official bank/e-wallet accounts, with BIR-registered ORs issued. I’ll review and revert once matched against public records.”

---

15) Key takeaways

• License first: Look for SEC CA to Operate (not just SEC registration).
• Match names: App/website/receipts must match the SEC corporate name.
• See the price: Demand APR/EIR and total amount payable upfront.
• Protect your data: No contact scraping or harassment—ever.
• Keep records: Contracts, disclosures, receipts, and communications.
• Know your avenues: SEC, NPC, AMLC, law enforcement, and Small Claims.

---

This guide is for general information and does not constitute legal advice. For a specific situation, consult a Philippine lawyer or your compliance team.