Before you borrow from a loan app, do not rely only on app-store ratings, Facebook ads, influencer posts, or a screenshot of an “SEC certificate.” In the Philippines, a legitimate online lending company usually has to pass three checks: the company must legally exist, it must have authority from the Securities and Exchange Commission (SEC) to operate as a lending or financing company, and the specific app, website, or online lending platform must be properly recorded or identifiable as connected to that authorized company. This guide explains how to check those details, what red flags to watch for, and what to do if an app is registered but still uses harassment, public shaming, or illegal data collection. (Supreme Court E-Library)
What “Legitimate Online Lending Company” Means in the Philippines
A loan app can look professional and still be risky. A company may also be registered with the SEC as a corporation but still not be authorized to lend money to the public.
For ordinary borrowers, “legit” should mean all of the following:
- The company is a real corporation registered with the SEC.
- The company has a Certificate of Authority to operate as a lending company or financing company.
- The online lending platform, app, or website is recorded, disclosed, or verifiable as connected to that authorized company.
- The loan terms are disclosed before you accept the loan.
- The company follows data privacy, fair collection, and financial consumer protection rules.
This distinction matters because many abusive loan apps use the name of one company, the logo of another, and a different app name in Google Play, the App Store, Facebook, TikTok, or SMS ads. Some also show an SEC registration number but hide the more important question: Do they have authority to operate as a lender, and is this specific online platform recorded with the SEC?
Legal Basis: Who Regulates Online Lending in the Philippines?
Lending companies are regulated by the SEC under RA 9474
Republic Act No. 9474, or the Lending Company Regulation Act of 2007, regulates companies that lend money from their own capital funds or from funds sourced from not more than 19 persons. Under RA 9474, a lending company must be a corporation, and it cannot conduct lending business unless it has been granted authority to operate by the SEC. (Supreme Court E-Library)
RA 9474 also gives the SEC power to regulate lending companies, require reports, examine records, and impose administrative sanctions such as fines, suspension, or revocation of authority. Operating or holding oneself out as a lending company without valid SEC authority can lead to penalties. (Supreme Court E-Library)
Financing companies are regulated under RA 8556
Some online lenders are not “lending companies” but financing companies. Republic Act No. 8556, or the Financing Company Act of 1998, covers companies primarily organized to extend credit through methods such as direct lending, discounting, factoring, installment contracts, chattel mortgages, and financial leasing. These companies are also regulated by the SEC, and they cannot hold themselves out as financing companies without proper authority. (Lawphil)
For borrowers, the practical point is simple: whether the app claims to be a lending company, financing company, fintech platform, or loan marketplace, you should still verify the company’s SEC authority and the status of the specific online platform.
Online lending platforms must be identifiable and compliant
The SEC, National Privacy Commission (NPC), and Department of Information and Communications Technology (DICT) have treated online lending platforms seriously because of repeated complaints involving harassment, public shaming, excessive app permissions, and misuse of personal data. A 2026 joint advisory reminded lending companies, financing companies, and online lending platforms that unnecessary app permissions and unauthorized, excessive, or disproportionate processing of personal data are prohibited.
An online lending platform may be a mobile app, website, or fintech-enabled system through which loan products are offered. The app name should be traceable to a real, authorized company. If the app name, developer name, website name, and corporate name do not match or cannot be explained clearly, treat that as a serious warning sign.
SEC Registration Is Not Enough
Many borrowers ask: “May SEC registration naman, legit na ba?”
Not necessarily.
An SEC Certificate of Incorporation only means the company exists as a corporation. It does not automatically mean the company can legally operate as a lending company or financing company. For lending companies under RA 9474, the important document is the SEC authority to operate as a lending company. For financing companies under RA 8556, the company must also meet the legal requirements and be authorized under the financing company rules. (Supreme Court E-Library)
A suspicious loan app may show:
- an SEC registration number,
- a business permit,
- a BIR certificate of registration,
- a mayor’s permit,
- a DTI registration for a trade name,
- a screenshot of a certificate,
- or a “partner company” name.
These can help identify the operator, but they do not replace the need to verify the company’s lending or financing authority and the status of the online lending platform.
Step-by-Step Guide: How to Check If an Online Lending Company Is Legitimate
1. Get the exact company name behind the app
Before installing the app or submitting personal information, look for the following:
- the exact app name;
- the developer name in the app store;
- the website or domain name;
- the corporate name in the privacy policy and terms of service;
- the SEC registration number;
- the Certificate of Authority number, if shown;
- the physical office address;
- the customer support email or hotline;
- the Data Protection Officer or privacy contact;
- the collection agency, if any;
- the payment account name for repayments.
Do not accept vague answers like “SEC registered po kami” or “partner po namin ang lending company.” Ask: What is the exact SEC-registered corporate name, and under what authority does it operate?
If the app does not disclose the actual lending or financing company, that is already a red flag.
2. Check the SEC’s official verification channels
The SEC maintains official online services where the public can check company records and submit inquiries. The SEC’s iMessage portal includes online services such as eSEARCH and “Check with SEC,” which are useful starting points for verifying corporate information. (iMessage)
The SEC has also confirmed through its official public information response that it maintains lists of lending companies with Certificates of Authority, financing companies, and recorded online lending platforms. These lists are the better reference points when checking whether a loan app is actually authorized, not just incorporated. (www.foi.gov.ph)
When checking, use the exact corporate name, not only the brand name. For example, an app may be called “FastPeso,” but the operator may be “ABC Lending Corporation.” You need to check the operator.
3. Look for the Certificate of Authority
For lending companies, the key question is:
Does this company have a valid Certificate of Authority to operate as a lending company?
For financing companies, ask:
Is this company authorized as a financing company under SEC rules?
A company that only shows a Certificate of Incorporation but no authority to operate as a lender should not be treated as verified.
4. Match the app name with the SEC-recorded online lending platform
This is where many borrowers get misled.
Even if the company is authorized, the specific app or platform should still be checked. Look for the exact app name, website, or online lending platform in the SEC’s relevant list or advisory. The SEC’s public materials distinguish between lending or financing companies and recorded online lending platforms, so both layers matter. (www.foi.gov.ph)
Be careful when:
- the app name is different from the corporate name;
- the app uses a foreign developer name;
- the privacy policy names a different company;
- the payment account is under a person’s name;
- the app says it is “powered by” or “under” another company without proof;
- the app recently changed names;
- the app disappeared and reappeared under a new logo.
A legitimate operator should be able to explain the relationship between the app, the website, and the SEC-authorized company.
5. Search for SEC advisories, suspension orders, or revocations
After checking the official list, search whether the company or app has been mentioned in SEC advisories involving:
- unregistered or unrecorded online lending platforms;
- revocation of Certificate of Authority;
- suspension;
- cease-and-desist orders;
- unfair debt collection practices;
- unauthorized loan apps;
- misleading advertisements.
This is important because a company may have been authorized before but later suspended, revoked, or sanctioned.
6. Read the loan disclosure before tapping “Accept”
Republic Act No. 3765, the Truth in Lending Act, requires creditors to disclose the true cost of credit before the transaction is consummated. The disclosure should include key items such as the amount financed, itemized charges, the finance charge in pesos and centavos, and the finance charge expressed as a simple annual rate. (Lawphil)
For online loans, this means you should clearly see the important numbers before you accept:
| Item to check | What you should see |
|---|---|
| Principal amount | The actual amount borrowed |
| Net proceeds | The amount you will actually receive after deductions |
| Interest | The rate and how it is computed |
| Service fees | Processing, platform, or other charges |
| Finance charge | Total cost of credit in pesos |
| Annual rate | Simple annual rate, not only daily or weekly rate |
| Due date | Exact repayment date |
| Penalties | Late fees and how they are computed |
| Total amount due | Full amount payable on the due date |
If the app only shows the full cost after disbursement, hides deductions, or makes the borrower guess the annualized cost, that is a serious warning sign.
Also remember Article 1956 of the Civil Code: no interest is due unless it has been expressly stipulated in writing. Philippine courts have repeatedly applied this rule in loan disputes. (Lawphil)
7. Review the privacy notice and app permissions
A legitimate online lender may collect personal information for identity verification, credit evaluation, and loan servicing. But it cannot collect everything just because you installed the app.
The 2026 DICT-NPC-SEC advisory specifically warned against unnecessary app permissions and unrestrained processing of contact lists. It also emphasized that permissions such as camera or gallery access must be tied to a legitimate purpose like know-your-customer verification, and that contact list access cannot be used freely for debt collection or harassment.
Before installing or using a loan app, check whether it asks for access to:
- your full contact list;
- SMS messages;
- call logs;
- photos and gallery;
- microphone;
- social media accounts;
- location data;
- employer details;
- phone storage.
A request for information is not automatically illegal, but it must be necessary, proportionate, and connected to a lawful purpose. If the app refuses to work unless you give broad access to contacts, gallery, SMS, and storage, that is a major red flag.
8. Check the payment account before sending money
Repayments should normally be made through traceable channels connected to the company or its authorized payment processor. Be careful if the collector asks you to pay to:
- a personal GCash or Maya account;
- an individual bank account;
- a changing list of account names;
- a QR code without company identification;
- a “collector’s account” with no official receipt.
Always save proof of payment. Keep screenshots of the payment instructions, receipt, reference number, date, amount, and account name.
Quick Checklist: Legitimate vs. Risky Online Lending App
| What to check | Good sign | Red flag |
|---|---|---|
| Corporate identity | Clear SEC-registered company name | App hides the operator or uses only a brand name |
| SEC authority | Has lending or financing authority | Shows only incorporation papers |
| App/platform status | App name is traceable to SEC records | App name is not listed or does not match the operator |
| Loan disclosure | Full cost shown before acceptance | Fees and deductions appear only after release |
| Privacy notice | Explains data use clearly | Generic, missing, copied, or unreadable policy |
| App permissions | Limited to necessary functions | Demands contacts, gallery, SMS, and storage access |
| Collection behavior | Professional written reminders | Threats, insults, public shaming, contact-list blasting |
| Payment method | Company or official payment channel | Personal wallet or individual bank account |
| Complaints history | No major adverse SEC/NPC advisory found | App appears in warnings, suspension, or revocation orders |
Common Red Flags of Illegal or Abusive Online Lending Apps
They say “SEC registered” but cannot show lending authority
This is one of the most common tricks. A corporation may exist, but that does not prove it can legally operate as a lender. Look for authority to operate as a lending or financing company, not just incorporation.
The app name does not match the company name
Some operators use multiple app names under one company. Others use new names after negative reviews or enforcement action. If the app name is different, the company should clearly disclose the connection.
They ask for an advance fee before releasing the loan
Be suspicious if the app asks for an “unlocking fee,” “insurance fee,” “verification fee,” “tax,” or “processing fee” before releasing the loan, especially if payment is to a personal account. Legitimate charges should be disclosed as part of the loan terms, not demanded through suspicious side payments.
They require broad contact-list access
The 2026 DICT-NPC-SEC advisory is clear that contacting people in a borrower’s contact list, other than guarantors, is prohibited for debt collection. It also requires a separate interface for character references and guarantors, because a character reference is not the same as a guarantor.
They threaten to shame you online
SEC Memorandum Circular No. 18, Series of 2019, treats several abusive practices as unfair debt collection, including threats, insults, use of profane language, false representations, and disclosure or publication of a borrower’s personal information in improper ways. It also treats contacting people in the borrower’s contact list, except guarantors or co-makers, as an unfair collection practice.
They call before 6:00 a.m. or after 10:00 p.m.
SEC rules on unfair debt collection identify unreasonable contact times as a problematic practice, subject to limited exceptions. Repeated calls at odd hours, especially when combined with threats or insults, should be documented carefully.
The collector refuses to identify themselves
Debt collectors should not hide behind fake names, random numbers, or anonymous accounts. SEC rules require collectors to disclose their full name and true identity when collecting.
They claim you will be jailed for not paying a loan
Nonpayment of a loan is generally a civil matter. A lender may pursue lawful collection and, in proper cases, file a civil case. But collectors should not fabricate criminal cases, fake warrants, fake barangay blotters, or threats of immediate arrest just to pressure payment.
If there is fraud, identity theft, falsified documents, or cyber harassment, different legal issues may arise. But a collector cannot simply convert ordinary inability to pay into a threat of jail.
What If the Company Is Registered but the Collection Is Abusive?
A company can be registered and still violate collection, privacy, or consumer protection rules.
Registration is not a license to:
- post your face or ID online;
- message your family, office, customers, or classmates;
- tell people you are a scammer;
- use insults or sexual language;
- threaten fake criminal cases;
- access your contacts without proper basis;
- shame you in group chats;
- call your employer repeatedly;
- use your photos for intimidation.
The Financial Products and Services Consumer Protection Act, Republic Act No. 11765, recognizes financial consumer rights such as fair treatment, disclosure and transparency, protection against fraud and misuse, data privacy, and timely complaint handling. It also gives regulators, including the SEC for SEC-regulated entities, authority to impose sanctions and address certain consumer complaints. (Supreme Court E-Library)
RA 11765 also makes financial service providers responsible for the acts and omissions of their directors, officers, employees, agents, and accredited third-party service providers, including debt collectors. This is important because lenders sometimes blame “outside collectors” when harassment happens. (Supreme Court E-Library)
What to Do If You Already Borrowed From a Suspicious Loan App
1. Stop giving additional unnecessary data
Do not send extra selfies, IDs, payslips, contact lists, social media accounts, or employer details unless you have verified the company and understand why the information is legally needed.
2. Save all evidence immediately
Take screenshots or screen recordings of:
- the app name and app-store page;
- the developer name;
- the loan offer;
- the disclosure statement;
- the loan agreement;
- fees and deductions;
- repayment instructions;
- payment receipts;
- privacy policy;
- app permissions;
- collector messages;
- call logs;
- threats;
- posts or group chats;
- messages sent to your contacts;
- emails or SMS from the company.
Do not edit screenshots. Keep original files when possible.
3. Revoke unnecessary app permissions
On your phone, review the app permissions and remove access to contacts, photos, SMS, location, camera, microphone, and storage if they are no longer needed. The 2026 joint advisory specifically encourages users to check and revoke permissions that are unnecessary or excessive.
4. Pay only through traceable channels
If you owe a valid debt, keep the issue separate from the harassment. Pay only through verifiable channels and keep proof. If the amount is disputed because of hidden charges, excessive penalties, or unexplained deductions, document the dispute in writing.
5. File the appropriate complaint
Depending on the problem, the proper office may be different:
| Problem | Where to report |
|---|---|
| Unregistered or unrecorded lending app | SEC, especially FINLEND |
| Unfair debt collection by lending or financing company | SEC |
| Misuse of personal data, contact-list blasting, unauthorized processing | National Privacy Commission |
| Cyber harassment, threats, doxxing, fake accounts, fraud | NBI Cybercrime Division or PNP Anti-Cybercrime Group |
| App security, suspicious digital platform concerns | DICT-related channels where applicable |
The 2026 DICT-NPC-SEC advisory specifically identifies the SEC Financing and Lending Companies Department, DICT, NBI Cybercrime Division, and PNP Anti-Cybercrime Group as reporting channels for abusive online lending behavior.
Filing a Complaint With the SEC
For lending or financing company issues, the SEC is usually the first agency to check because it regulates lending companies and financing companies.
Prepare:
- your full name and contact details;
- the exact app name;
- the corporate name, if known;
- screenshots of the app, website, and privacy policy;
- loan agreement or disclosure statement;
- proof of disbursement;
- payment receipts;
- screenshots of threats or abusive messages;
- call logs;
- names and numbers of collectors;
- names of people contacted by the app;
- a short timeline of what happened.
The SEC’s iMessage portal allows users to create tickets and choose services, including complaints involving financing and lending companies. (iMessage)
A useful complaint timeline is:
- Date you installed the app.
- Date you applied for the loan.
- Amount requested.
- Amount actually received.
- Charges deducted.
- Due date and amount demanded.
- Date harassment or abusive collection started.
- Names or numbers used by collectors.
- Whether your contacts were messaged.
- What you want the regulator to investigate.
Filing a Complaint With the National Privacy Commission
If the issue involves misuse of your personal data, the NPC may be the proper agency. Common privacy issues include:
- unauthorized access to your contacts;
- sending messages to your contact list;
- posting your photo or ID;
- using your employer details for harassment;
- processing personal data beyond what you consented to;
- refusing to delete unnecessary data;
- using deceptive consent screens.
Under the Data Privacy Act framework, personal data processing must follow principles such as transparency, legitimate purpose, and proportionality. The NPC rules also recognize rights of data subjects, including rights connected to unlawful, unauthorized, or no-longer-necessary processing. (National Privacy Commission)
For an NPC complaint, the process usually requires a formal complaint using the prescribed form or a verified complaint, supporting evidence, and notarization. NPC rules also generally require the complainant to first inform the respondent in writing and attach proof that the respondent failed to act or failed to respond within 15 calendar days. (National Privacy Commission)
If you are abroad, notarization can be a practical bottleneck. For Filipinos overseas or foreigners filing from outside the Philippines, documents such as a complaint affidavit or Special Power of Attorney may need proper notarization, consular acknowledgment, or apostille depending on how and where the document will be used. Keep scanned copies ready, but also preserve the original signed documents.
Special Notes for OFWs and Foreigners
OFWs are often targeted through Facebook, Viber, WhatsApp, and SMS
Many overseas Filipino workers borrow for family emergencies, tuition, medical bills, visa costs, or travel expenses. Some loan apps exploit urgency by offering fast approval but hiding high fees or abusive permissions.
If you are abroad, be extra careful with:
- Philippine SIM-based loan offers;
- apps requiring access to Philippine contacts;
- collectors threatening your relatives in the Philippines;
- payment instructions to personal e-wallets;
- fake “legal department” messages;
- threats to contact your employer overseas.
Keep evidence from both your overseas phone and your Philippine contacts’ phones.
Foreigners should check whether the lender is operating in the Philippines
A foreign-owned app is not automatically illegal, but if it lends to Philippine borrowers or operates through a Philippine lending or financing company, it must still comply with Philippine rules. RA 9474 and RA 8556 also contain ownership and reciprocity rules for foreign participation in lending or financing companies. (Supreme Court E-Library)
Foreigners living in the Philippines should also be cautious about apps asking for passports, visa pages, ACR I-Card details, work permits, or employer information. These are sensitive documents. The app should clearly explain why the documents are needed, how long they will be kept, who can access them, and how they will be protected.
Documents, Fees, Timelines, and Practical Bottlenecks
| Task | Documents or details needed | Usual cost | Practical timing |
|---|---|---|---|
| Basic app verification | App name, developer, corporate name, SEC number, website | Free | Same day if records are easy to find |
| SEC list checking | Corporate name and app/platform name | Free | Same day, but names may be confusing |
| SEC complaint | Complaint narrative, screenshots, loan documents, payment proof, collector messages | Usually no filing fee for complaint submission | Initial review may take time depending on completeness and docket load |
| NPC complaint | Notarized complaint form or verified complaint, evidence, proof of prior written notice to respondent | Notarization cost may apply | Delays often happen because evidence or notarization is incomplete |
| Cybercrime report | Screenshots, links, numbers, account names, threat messages, device details | Usually no filing fee | Urgent threats should be reported promptly |
| Evidence preservation | Screenshots, screen recordings, original files, call logs | Free | Do immediately before app, posts, or accounts disappear |
The most common bottlenecks are incomplete screenshots, missing app details, deleted messages, lack of notarization for privacy complaints, and confusion between the app name and the corporate operator.
Frequently Asked Questions
Is an online lending app legitimate if it is SEC registered?
Not automatically. SEC incorporation only proves that a corporation exists. For lending, you should check whether the company has authority to operate as a lending or financing company and whether the specific online lending platform is recorded or verifiable. (Supreme Court E-Library)
How do I check if a loan app is registered with the SEC Philippines?
Get the exact corporate name behind the app, then check SEC online services and the SEC’s public lists for lending companies, financing companies, and recorded online lending platforms. Do not search only the app nickname or marketing brand. (iMessage)
Can a lending app access my contacts?
A lending app should not freely or unnecessarily access your entire contact list. The 2026 DICT-NPC-SEC advisory warns against unnecessary permissions and prohibits contacting people in a borrower’s contact list for debt collection except guarantors. Character references are different from guarantors.
Can online lenders message my family, friends, or employer?
They should not harass or shame you through your contacts. SEC rules on unfair debt collection treat improper contact-list messaging, threats, insults, and public disclosure of borrower information as problematic collection practices.
Are high interest rates illegal in online loans?
High interest is not automatically illegal just because it feels expensive, but the lender must properly disclose the cost of credit. Under the Truth in Lending Act, the finance charge and annual rate must be disclosed before the transaction is completed. Under the Civil Code, interest must also be expressly stipulated in writing. (Lawphil)
What if the app releases less money than the amount I borrowed?
Check the disclosure statement. Some apps deduct processing fees or service charges upfront, but these charges should be clearly disclosed before you accept the loan. If the app advertised one amount but released much less without clear disclosure, save screenshots and consider reporting the issue to the SEC.
Can I complain even if I really owe money?
Yes. Owing money does not give a lender the right to harass, shame, threaten, or misuse your personal data. Keep the debt issue separate from the abusive conduct. Document the amount you received, the amount demanded, payments made, and the specific collection acts you are complaining about.
Where do I report abusive online lending apps in the Philippines?
For lending or financing violations, report to the SEC, especially FINLEND. For data privacy violations, report to the NPC. For cyber harassment, threats, fake accounts, or online fraud, report to the NBI Cybercrime Division or PNP Anti-Cybercrime Group. The 2026 joint advisory identifies these agencies as proper reporting channels for abusive online lending behavior.
What if a collector says they will file a barangay case or send police to my house?
A creditor may pursue lawful remedies, but collectors should not use fake legal threats, intimidation, or false claims of immediate arrest. Nonpayment of an ordinary loan is generally a civil matter. Save the messages, names, numbers, and call logs, especially if the collector uses threats, insults, or fake legal documents.
Is it safe to borrow from an app just because it is in Google Play or the App Store?
No. App-store availability is not the same as Philippine regulatory approval. Still check the SEC authority of the company, the status of the specific online lending platform, the loan disclosure, privacy policy, app permissions, and complaint history.
Key Takeaways
- SEC registration alone is not enough. Check for authority to operate as a lending or financing company.
- Verify the app itself, not only the company. The online lending platform name should be traceable to the authorized operator.
- Read the full loan disclosure before accepting. The Truth in Lending Act requires disclosure of the true cost of credit.
- Do not ignore app permissions. Excessive access to contacts, gallery, SMS, or storage is a major warning sign.
- Collectors cannot use harassment or public shaming. SEC rules prohibit unfair debt collection practices.
- A character reference is not automatically a guarantor. Guarantors must give separate, express consent.
- Save evidence early. Screenshots, call logs, loan terms, receipts, and messages are often the most important documents.
- Report to the correct agency. SEC handles lending and financing company issues, NPC handles privacy violations, and NBI or PNP cybercrime units handle serious online threats or cyber harassment.