Why this matters

In the Philippines, “lending” is a regulated activity. A business can look real online (website, Facebook page, app, “agent”), but still be operating without authority, charging abusive fees, mishandling personal data, or running an outright scam. Verifying legitimacy is mainly about confirming two things:

the entity exists as a registered corporation, and
it has the regulatory authority to engage in lending (a “secondary license” / authority to operate), not just a corporate registration.

The legal and regulatory framework (Philippine context)

1) Corporate registration vs. authority to lend

A corporation may be registered with the SEC for many lawful purposes, but lending to the public is regulated. In practice, legitimacy requires both:

SEC registration (corporate existence), and
SEC authority/secondary license to operate as a lending company (or financing company), as applicable.

If a lender cannot show (or you cannot confirm) its authority to operate, treat it as high risk.

2) Key regulators (who supervises what)

Different “lenders” fall under different regulators. Knowing which regulator applies is part of verification.

SEC (Securities and Exchange Commission) Oversees lending companies and financing companies, including many non-bank lenders and many online lending platforms.
BSP (Bangko Sentral ng Pilipinas) Oversees banks, quasi-banks, many NBFIs under BSP supervision, and other entities the BSP regulates.
CDA (Cooperative Development Authority) Oversees cooperatives, including those that provide loans to members (and only within the cooperative’s legal scope).
DTI (Department of Trade and Industry) Oversees sole proprietorship name registration and certain consumer matters, but a DTI business name is not a license to operate as a lending company.

Practical takeaway: If an outfit claims it’s a “lending company” but only shows a DTI certificate, that’s a red flag.

3) Core laws you should know (high-level)

Lending Company Regulation Act of 2007 (Republic Act No. 9474) – governs lending companies and requires SEC authority to operate.
Financing Company Act of 1998 (Republic Act No. 8556), as amended by Republic Act No. 10881 – governs financing companies and SEC supervision.
Data Privacy Act of 2012 (Republic Act No. 10173) – regulates collection/processing of personal data; very relevant to online lenders and “contact access” abuse.
Truth in Lending Act (Republic Act No. 3765) – promotes disclosure of loan terms/true cost of credit (especially relevant to transparency of charges).
Financial Products and Services Consumer Protection Act (Republic Act No. 11765) – strengthens consumer protection rules across financial regulators (including SEC-supervised entities).
Civil Code principles + jurisprudence on unconscionable interest/penalties – even with the long-standing suspension of strict usury ceilings, courts may reduce rates/penalties that are excessive, iniquitous, or unconscionable based on the facts.

Step-by-step: how to verify a lending company is legitimate and SEC-registered

Step 1: Identify the “real” legal entity (not the brand/agent)

Ask for and write down:

Exact corporate name (not just the app/brand)
SEC registration number
Principal office address (not just “online”)
Landline and official email
Name and position of signatory on the contract
Copy/photo of the company’s SEC Certificate of Incorporation and authority/Certificate to Operate (secondary license)

Why: Scammers hide behind brand names and “agents.” Your contract must name the correct legal entity.

Step 2: Confirm SEC corporate existence and status

You want to confirm that the entity is:

Registered with the SEC as a corporation; and
In good standing or active (not dissolved/expired, not delinquent, not under suspension, as applicable).

How to do this in practice (without relying on marketing screenshots):

Use the SEC’s official verification channels (online facility or in-person request) to verify registration details; and/or
Request certified true copies or official SEC documents showing current status.

What to look for:

Exact name match (including punctuation like “Inc.”, “Corp.”, “Corporation”)
Registration number consistency across documents
The principal office address matches the SEC record
The company’s filings appear current (where relevant)

Step 3: Confirm SEC authority to operate as a lending/financing company (secondary license)

This is the most important step.

For a true “lending company” under RA 9474, SEC supervision typically includes an authority to operate as a lending company (often referred to as a secondary license). For a “financing company,” the same concept applies under the financing company law and SEC rules.

Ask for proof of authority/secondary license and verify it through SEC records/confirmation.

Red flag: “We are SEC registered” but can’t show authority to operate as a lending company, or they show only a generic SEC incorporation certificate.

Step 4: Verify that the entity you’re dealing with is the same entity on the paperwork

Fraud often happens when:

The app/brand is one name,
the contract is another,
the bank account receiving payment is a third party,
and “agents” are the ones communicating.

Match these items:

Contract party name = SEC registered entity name
Receipts/invoices = same entity
Collection/payment channels = same entity
The authorized signatory has corporate authority (board resolution/secretary’s certificate when appropriate)

Do not pay “processing,” “insurance,” “release,” “notarization,” or “membership” fees to personal accounts as a condition to release proceeds. Legitimate lenders may have fees, but payment flows should be traceable and consistent with the contracting entity.

Step 5: Check local and tax registrations (supporting signals, not substitutes)

These don’t prove SEC authority to lend, but they help you detect “fly-by-night” setups.

Mayor’s/Business Permit (LGU) for the stated office location
Barangay clearance (often part of business permitting)
BIR registration (COR) and official receipts/invoicing process

Important: An LGU permit or BIR COR alone does not make them a lawful lending company. It’s supportive evidence only.

Step 6: For online lending apps (OLAs), check compliance signals

Online lending is where most abusive practices show up. Use this checklist:

A. App identity

App developer/publisher name should match (or be clearly linked to) the SEC-registered entity.
The website domain, email, and privacy policy should identify the same legal entity.

B. Data privacy

Does the app request access to your contacts, photos, SMS, call logs, or social media? Excessive permissions can be a major risk.
There should be a clear privacy notice stating what data is collected, why, how long kept, and who it’s shared with.

C. Collection practices

Threats, public shaming, contacting your friends/contacts, doxxing, and harassment can indicate unlawful collection and potential Data Privacy Act violations.

Practical rule: If the lender’s process depends on extracting your phone contacts or threatening exposure, treat it as high-risk even if it looks “registered.”

Step 7: Search for SEC advisories / watchlists (if available through official channels)

Regulators sometimes issue public advisories against unregistered or abusive entities. If you can access official advisories through SEC channels, check whether the brand/company appears in warnings.

Even if a name isn’t on an advisory list, that does not prove legitimacy—advisories are not exhaustive.

Red flags that commonly indicate an illegitimate or abusive lender

Corporate/authority red flags

Only shows DTI registration (sole prop) while claiming to be a “lending company”
Cannot provide SEC registration number or gives inconsistent numbers
Cannot provide authority/secondary license to operate as a lending/financing company
Uses multiple entity names and refuses to clarify the contracting entity
Payment requested to personal e-wallets/bank accounts
“Approval guaranteed” without underwriting, but asks for fees first

Contract red flags

No written contract, or contract is “to follow”
Contract lacks clear disclosures: principal, effective interest, fees, penalties, due dates, total amount payable
Vague “service fees” that balloon the total cost
Requires you to sign blank forms or submit OTPs without explanation

Collection & privacy red flags

Harassment, threats, defamatory messaging
Contacting your employer, relatives, or contacts to shame you
Posting your info publicly
Collecting excessive device permissions unrelated to a loan

What legitimate lenders typically provide (baseline expectations)

A legitimate, properly authorized lender should be able to provide:

SEC Certificate of Incorporation (corporate existence)
Proof of SEC authority/secondary license to operate as a lending or financing company
Written contract with clear loan disclosures
Official receipt/invoice practices consistent with the entity
Transparent fee schedule and penalties
Lawful collection channels and a formal complaints process

If you suspect the lender is not legitimate: what you can do (Philippine remedies)

1) Stop and preserve evidence

Save screenshots of chats, texts, call logs, emails
Save copies of the app permissions screens
Keep payment receipts and bank/e-wallet details
Keep the contract and any disclosures

2) Report to the proper agency (based on who regulates them)

SEC – for lending/financing companies and many online lending platforms; report unregistered operation, deceptive practices, abusive collection tied to SEC-supervised entities
National Privacy Commission (NPC) – for Data Privacy Act violations (unauthorized disclosure, harassment via contacts, excessive data collection, improper processing)
PNP Anti-Cybercrime / NBI Cybercrime – for online scams, identity theft, extortion-like threats, and other cyber offenses
BSP – if the entity is a bank or BSP-supervised financial institution
CDA – if it’s a cooperative lending issue

3) Consider civil/criminal angles (fact-dependent)

Depending on conduct, possible issues may include:

Fraud/estafa-type schemes (if elements are present)
Grave threats/extortion-like behavior (if threats are used to compel payment)
Defamation/libel (if they publish false allegations)
Data Privacy Act violations (unauthorized processing/disclosure)

Exact liability depends on evidence and circumstances.

A practical verification checklist (quick use)

Before applying / accepting funds

I have the exact corporate name and SEC registration number
I confirmed SEC corporate existence and status through official channels
I confirmed SEC authority/secondary license to operate as a lending/financing company
Contract party name matches the SEC entity
Payment channel belongs to the same entity (not a personal account)
Full disclosure exists: principal, all fees, penalties, total payable, due dates
For apps: permissions are reasonable; privacy notice is clear
No “fee before release” to personal accounts
No threats/harassment indicators during pre-loan communication

If any key item fails—especially the authority to operate—treat it as a high risk lender.

Sample message you can send to a prospective lender (copy/paste)

Please provide: (1) your exact SEC-registered corporate name and SEC registration number; (2) proof of your SEC authority/secondary license to operate as a lending company/financing company; (3) your principal office address; and (4) a complete disclosure of the loan terms including principal, all fees, penalties, due dates, and total amount payable. I will proceed only after these are verified.

Final reminders

“SEC registered” is not the same as “authorized to lend.” Always verify the authority/secondary license.
For online loans, legitimacy is not only about registration; it’s also about lawful disclosure, fair dealing, and privacy-compliant collection.
If you’re already dealing with a lender and want a reality check, compare the entity name on your contract, the recipient name on payments, and the SEC records—mismatches are where problems often appear.