How to Check the Legitimacy of Online Lending Platforms in the Philippines

This practical legal guide explains how Philippine borrowers can verify whether an online lender is legitimate, what the law requires, how pricing and collection should work, and what to do if things go wrong. It is written for consumers, employees, and micro-entrepreneurs.


The quick checklist (do these before you borrow)

  1. Identify the regulator.

    • Banks/e-money issuers (EMIs) → regulated by Bangko Sentral ng Pilipinas (BSP).
    • Lending companies (LCs) and Financing companies (FCs) → supervised by the Securities and Exchange Commission (SEC).
    • Crowdfunding/P2P operators → licensed by SEC under the Crowdfunding Rules.
  2. Ask for two numbers—always: the SEC Registration Number and the Certificate of Authority (CA) number to operate as a lending/financing company. (For banks/EMIs, ask for BSP license details.) A business name or DTI certificate is not enough.

  3. Match names exactly. The company name on the app/website, in the contract, and in the receipt should match the SEC/BSP-licensed entity character-for-character (no “doing business as” tricks).

  4. App hygiene. Download only from official app stores. Avoid APK side-loads. Check the developer name, company website, and privacy policy; permissions should be proportionate (a loan app doesn’t need your photo gallery or entire contacts).

  5. Pre-contract disclosures. Before you accept, you must see a clear cost breakdown: principal, interest rate, all fees (processing, service, disbursement, convenience), payment schedule, and effective interest rate (EIR) under the Truth in Lending Act (TILA).

  6. Debt collection promise. The lender should state it follows SEC’s unfair collection rules (no harassment, no public shaming, no contacting your phone contacts) and the Data Privacy Act (DPA).

  7. Customer support and DPO. There should be a working hotline/email, postal address in the Philippines, and the name/email of the Data Protection Officer (DPO).

  8. No upfront “approval fees.” Legit lenders do not ask you to pay before disbursing the loan and never ask for your OTP/PIN.

  9. Compare total cost, not just the headline rate. Fees withheld at disbursement make loans much more expensive than the advertised “monthly rate.”


Who regulates what (and why it matters)

  • SEC (Lending & Financing Companies). Under the Lending Company Regulation Act of 2007 (RA 9474) and the Financing Company Act (RA 8556), LCs/FCs must (a) register with the SEC, and (b) secure a Certificate of Authority before operating—offline or online. The SEC also issues rules for online lending platforms (OLPs), requires registration/reporting of the specific apps/websites used, mandates disclosures, and enforces unfair debt collection prohibitions.

  • BSP (Banks/EMIs/Credit Cards/Some BNPLs). Banks and EMIs (e.g., wallet apps) fall under BSP’s consumer protection and disclosure rules. If an app claims it “partners with a bank,” verify the actual bank and the product type (a bank loan, credit card cash advance, BNPL, etc.).

  • NPC (Data Privacy). The Data Privacy Act of 2012 (RA 10173) requires lawful, proportional, and transparent data processing. Scraping your contacts and threatening to message them is generally inconsistent with purpose limitation and proportionality principles.

  • Financial Consumer Protection Act (RA 11765, 2022). Gives SEC/BSP broader powers to set market conduct standards, require redress, penalize unfair, deceptive, abusive acts or practices (UDAAP), and order restitution. Lenders must have a consumer assistance mechanism.

  • Truth in Lending Act (RA 3765). Requires lenders to disclose full finance charges and EIR before you’re bound.

  • Other applicable laws. E-Commerce Act (RA 8792) (validity of e-signatures and e-contracts), Cybercrime Prevention Act (RA 10175) (threats, harassment online), and relevant provisions of the Revised Penal Code (grave threats, unjust vexation) may apply to abusive collection tactics.


Step-by-step: Verify the lender and the app

  1. Get the legal name and CA. Ask for:

    • Exact corporate name (as registered with SEC/BSP)
    • SEC Registration Number
    • SEC CA Number (for LCs/FCs) or BSP license details (for banks/EMIs)

    Red flag: evasive answers like “We’re SEC-registered” without numbers, or numbers in another company’s name.
  2. Confirm the role. Some apps are just lead generators or collectors for a licensed lender. If you borrow through an intermediary, your loan contract should still be with a licensed LC/FC/bank, and the intermediary must be authorized to act for that lender.

  3. Scrutinize the app listing.

    • Developer name should match or clearly connect to the licensed entity.
    • Privacy policy link should identify the Philippine entity and DPO contact.
    • Permissions: access to contacts, photos, mic, camera, location is typically unnecessary for underwriting. Requiring them is a red flag.
  4. Contracting & disclosures. Before you e-sign, insist on:

    • Key Facts Statement or Disclosure Statement with the EIR and total amount to pay.
    • All fees (processing, convenience, late, collection/field visit fees) enumerated.
    • Repayment schedule and grace periods.
    • Complaint channels (email/phone, response times).
    • Confirmation they follow SEC debt collection rules and the DPA.
  5. Pricing sense-check (EIR)

    • If a lender says “4% monthly interest + 5% processing fee (withheld)” on a ₱10,000, 30-day loan:

      • You receive ₱9,500 but repay ₱10,400.
      • Cost = ₱10,400 − ₱9,500 = ₱900.
      • EIR for 30 days = 900 / 9,500 = 9.4737% (much higher than the “4%” headline).
    • Always compute against cash received, not the nominal principal.

  6. Debt collection promises. A legitimate lender commits in writing to:

    • No harassment or public shaming, no contacting people from your phonebook, no threats.
    • Communicating only at reasonable hours, using civil language, and discussing accurate amounts.
    • Providing receipts, accurate statements, and a path to dispute errors.
  7. Data privacy compliance. Look for a Privacy Notice that states: purposes of data use (credit scoring, servicing), legal basis (consent/legitimate interests), sharing with processors/affiliates, retention period, and your rights (access, correction, deletion, objection). There must be a DPO email and a way to withdraw consent (noting that withdrawal doesn’t cancel lawful processing already done).
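
The permission check from step 3, as an added example that is not part of the original guide: it reads an Android manifest that has already been decoded to text XML and flags permissions in the categories the guide calls unnecessary for underwriting. The sample manifest and package name are constructed, and the mapping from the guide's categories to Android permission names is this example's own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: this mapping of the guide's categories (contacts, photos,
# mic, camera, location) to Android permission names is the example's own.
RED_FLAGS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# Constructed sample manifest (hypothetical package), not from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


def flag_permissions(manifest_xml):
    """Return sorted (permission, category) pairs the guide treats as red flags."""
    root = ET.fromstring(manifest_xml)
    requested = set()  # a set, so repeated declarations are reported once
    # Both tags declare permissions; the -sdk-23 form applies on Android 6.0+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                requested.add(name.strip())
    return sorted((p, RED_FLAGS[p]) for p in requested if p in RED_FLAGS)


if __name__ == "__main__":
    for perm, category in flag_permissions(SAMPLE_MANIFEST):
        print(f"RED FLAG ({category}): {perm}")
```
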


Red flags (treat as high-risk or walk away)

  • No SEC CA (for LC/FC) or no BSP license (for banks/EMIs), or numbers that don’t match the entity on the app/contract.
  • The app requires your contacts/photo gallery and threatens to message them.
  • Upfront “approval” or “unlock” fees before loan release.
  • Requests for OTP/PIN, your ATM card, or to sideload an APK.
  • “Guaranteed approval in minutes,” 0% interest but large “processing” or “service” fees, or vague “system charges.”
  • Contract includes blanket waivers (e.g., permission to post your debt on social media, or to lock/erase your device).
  • Collections use threats, obscenities, fake legal notices, or contact you at odd hours repeatedly.

What legitimate collection should look like

  • Contacts you, not your family, employer, or phonebook.
  • Communicates during reasonable hours and uses civil language.
  • States accurate amounts and cites the agreement you signed.
  • Offers payment options, official receipts, and a way to dispute errors.
  • Stops using your data beyond the stated purposes once your loan is settled, subject to lawful retention.

If you face harassment, document everything (screenshots, call logs, messages, names, dates, amounts) and keep your loan contract and disclosures.


Special product types (how to tell them apart)

  • Lending vs Financing companies. Neither can accept deposits; both extend credit. Financing companies often fund installment purchases and business credit; lending companies focus on consumer loans. Both need SEC CA.
  • BNPL (Buy Now, Pay Later). May be offered by an LC/FC or in partnership with a bank/EMI. The provider still needs the proper license and must give TILA disclosures.
  • Crowdfunding/P2P lending. If investors fund your loan via a platform, the platform operator must be licensed by the SEC as a crowdfunding intermediary/portal. Your loan contract should name the real counterparties.

Pricing, caps, and disclosures (what to expect)

  • Truth in Lending requires a Disclosure Statement showing the EIR and all finance charges before you are bound.
  • Philippine regulators have imposed interest/fee caps for certain small-value, short-term loans and limited penalty/late fees. Because these caps can change, don’t rely on a headline rate—check the current EIR and the total peso amount to pay in your disclosure.
  • Withheld fees dramatically increase the EIR. Always compare loans using EIR (or total peso cost), not nominal rates.

Rule of thumb: If fees are withheld from the principal, compute EIR as

$$ \text{EIR for the period} = \frac{\text{Total Repayment} - \text{Cash Received}}{\text{Cash Received}} $$

Then compare across lenders on the same time period (e.g., monthly).


Data privacy: your rights with loan apps

Under the Data Privacy Act, you have the right to:

  • Be informed: clear privacy notice, identity of the personal information controller, DPO contact, purposes, sharing, and retention.
  • Access & correct your data.
  • Object to processing that’s not necessary or lacks a lawful basis.
  • Withdraw consent (subject to consequences spelled out in the contract).
  • Erasure (when appropriate, e.g., when data is no longer necessary or was unlawfully obtained).
  • Complain to the National Privacy Commission (NPC) for privacy violations (e.g., scraping/using your contacts, public shaming).

If you’re already in trouble (harassment or illegal charges)

  1. Preserve evidence. Screenshots, call recordings (if lawful), messages, app pages, receipts, and bank statements.

  2. Write a demand to the lender’s DPO and complaints office:

    • Identify the account and disputed conduct.
    • Invoke SEC unfair collection rules and the DPA.
    • Demand deletion of unlawfully obtained contacts and to cease contacting third parties.
    • Ask for an itemized statement and how charges were computed (including EIR).
  3. File complaints with regulators (parallel tracks are okay):

    • SEC (for unlicensed lenders, abusive collection, unlawful fees).
    • NPC (for privacy violations).
    • BSP (if the lender is a bank/EMI).
    • PNP-ACG/DOJ (for threats, extortion, doxxing, cyber harassment).
  4. Pay only what is lawful and documented. Ask for an updated statement showing principal, interest, and authorized fees; dispute junk fees.

  5. Consider legal counsel if the amounts or harm are significant—especially for harassment, defamation, or unauthorized data use.


Practical due diligence pack (before you click “Accept”)

  • Company legal name, SEC Reg No., SEC CA No. (or BSP license), corporate address.
  • Screenshots of app listing, permissions, privacy policy.
  • Disclosure Statement/Key Facts Statement with EIR and a full fee table.
  • Loan agreement (save a copy).
  • Customer service and DPO contacts.
  • Statement on debt collection standards followed.
  • Repayment calendar and official payment channels.

Frequently asked questions

1) Is a DTI Business Name Certificate enough? No. A DTI certificate only registers a business name. Lending/financing needs an SEC CA; banking/EMI needs BSP authority.

2) The app says “SEC-registered,” but the numbers are for another company. That’s a common tactic. The entity on your contract must be the same one that holds the SEC CA/BSP license.

3) Can they message my employer or family? Legitimate collection targets you, not third parties (unless a lawful guarantor/co-maker is involved). Public shaming and mass-messaging contacts are prohibited conduct in regulatory guidance.

4) What if I already gave contact permissions? You can revoke permissions in your phone settings and assert your DPA rights (object/erasure) in writing. Keep proof.

5) Will my loan be reported to a credit bureau? The Credit Information Corporation (CIC) framework allows reporting of credit data to accredited bureaus. Reputable lenders usually disclose if they report; they shouldn’t threaten to “blacklist” you outside lawful reporting channels.


Templates you can use

A. “Know-Your-Lender” questions (send by email/chat):

  1. Please provide your SEC Registration No. and Certificate of Authority No. (or BSP license details) and the exact corporate name that will appear in my loan contract.
  2. Is your app/website owned and operated by the same entity? If not, what is the relationship?
  3. Kindly send the Disclosure Statement (principal, all fees, total amount to pay, EIR) before I e-sign.
  4. Confirm that your collection practices comply with SEC rules and the Data Privacy Act and that you do not contact third parties.
  5. Provide the name and email of your Data Protection Officer and your consumer assistance channels.

B. “Cease illegal collection/processing” notice (if harassed):

I am invoking my rights under the Financial Consumer Protection Act, SEC rules on unfair debt collection, and the Data Privacy Act. Cease contacting third parties, stop threats or public shaming, and limit communications to reasonable hours using civil language. Provide an itemized statement (principal, interest, authorized fees, EIR) and delete unlawfully obtained personal data (e.g., my contacts). Please confirm compliance within 5 business days.


Bottom line

A legitimate online lending platform in the Philippines (a) holds the right license (SEC CA or BSP authority), (b) provides clear pre-contract disclosures with EIR, (c) respects data privacy and fair collection standards, and (d) offers real customer support. If any one of those pillars is missing—walk away or report it.

Pro tip: Compare loans using the effective peso cost and EIR, never the headline monthly rate. Fees withheld at disbursement can double or triple the true cost.


Note: Specific fee/interest caps and administrative practices can be updated by regulators from time to time. When in doubt, verify the current requirements directly with SEC, BSP, or the NPC, and keep copies of everything you’re shown before you proceed.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.