How to Verify If an Online Lending App Is Legit and SEC-Licensed (Philippines)
This guide is written for borrowers, compliance officers, and in-house counsel in the Philippines. It explains the legal landscape, what “licensed” actually means, the exact checks you can perform before borrowing, and the red flags that usually signal an illegal or abusive app. This is general information, not legal advice.
1) Why licensing matters
A “slick” mobile app does not make a lender legal. In the Philippines, any non-bank entity that offers loans to the public must (a) be properly organized as a corporation and registered with the Securities and Exchange Commission (SEC), and (b) hold a Certificate of Authority (CA) to operate as a Lending Company or Financing Company. Operating without a CA is a criminal offense. Licensing also determines which rules apply on disclosures, collection practices, data privacy, and anti-money laundering (AML).
2) Core legal framework (Philippine context)
- Lending Company Regulation Act (LCRA) – Republic Act No. 9474 and its IRR: requires SEC registration and a Certificate of Authority for lending companies (stock corporations only; sole proprietorships and partnerships cannot be lending companies).
- Financing Company Act – Republic Act No. 8556 and its IRR: similar CA requirement for financing companies (often larger-ticket, installment financing, leasing, factoring).
- Truth in Lending Act – Republic Act No. 3765: mandates clear disclosure of the true cost of credit (e.g., finance charges and effective interest).
- Data Privacy Act – Republic Act No. 10173 and NPC rules: governs consent, purpose limitation, data minimization, security, breach notification, and the appointment of a Data Protection Officer (DPO).
- Financial Products and Services Consumer Protection Act (FCPA) – Republic Act No. 11765: enhances the SEC’s consumer protection powers (market conduct, fair treatment, redress).
- Anti-Money Laundering Act (AMLA) – as amended: lending/financing companies supervised by the SEC are generally covered persons and must perform KYC, maintain records, and report covered/suspicious transactions.
- Unfair debt collection – The SEC has circulars prohibiting harassment, threats, public shaming, and contacting persons other than the borrower for collection.
- Usury – Statutory interest ceilings were suspended decades ago; there is no blanket “usury cap.” However, lenders must comply with disclosure rules, consumer protection standards, and any specific caps or limits issued by regulators for particular products. Excessive, misleading, or unconscionable pricing can still draw enforcement, especially when paired with abusive practices.
3) What “SEC-licensed” really means
A legitimate lender must have both of the following:
- SEC Company Registration – proof the entity exists as a corporation (e.g., SEC Registration No. CS2XXX-XXXXX).
- Certificate of Authority (CA) – explicit authority from the SEC to operate as a Lending Company or Financing Company (e.g., CA No. XXXX).
If an app shows only a DTI Business Name registration, mayor’s permit, or BIR documents, that is not enough. If the app says “BSP-licensed” but it is neither a bank nor a payment operator referring only to its payment services, that is a red flag for lending. Lending companies are SEC-licensed, not BSP-licensed.
4) Online Lending Platforms (OLPs): extra obligations
When lending is done through a website or mobile app, the corporate lender behind it must still be SEC-licensed. In addition, OLPs are expected to comply with rules on:
- Proper identification of the corporate entity behind the app (legal name, SEC Reg. No., CA No., principal office).
- App-specific registrations/notifications as may be required by the SEC (e.g., listing of the URLs/domains/apps used).
- Clear pre-loan disclosures (total cost of credit, fees, tenor, due dates, default/penalty calculations).
- Collection conduct (no harassment, no “debt shaming,” no contacting your entire phonebook).
- Data privacy (no indiscriminate harvesting of contacts, photos, or location; lawful purpose; granular consent; DPO contact).
5) Step-by-step: How to verify legitimacy before you borrow
Capture the app’s exact identity.
- Note the app name, developer name on the app store, the website/domain in the privacy policy, and any company details shown in-app (SEC Reg. No., CA No., office address, email, hotline). Screenshots help.
Match the brand to a real, licensed corporation.
- The brand/app name should map to a specific corporate name (e.g., “ABC Loans” operated by “ABC Lending Corporation”).
- If the app belongs to a bank, confirm it openly states the bank’s full legal name and BSP regulation; otherwise, it should state the SEC-licensed corporation and its CA number.
Confirm the SEC details.
A legitimate lender will publish its SEC Registration No. and CA No. prominently (in the app, website, and customer T&Cs).
Verify that:
- The corporate name exactly matches what the app claims;
- The CA is for a Lending Company or Financing Company (not just a corporate registration);
- The status is active (not revoked/suspended/expired).
Check disclosures before application.
- Look for a Key Facts Statement or equivalent pre-contract disclosure that shows: principal, term, effective interest/finance charge, fees, amortization schedule, due dates, default interest/penalties (with exact computation basis), and total amount payable.
- Absence of these is a red flag.
Assess data privacy posture.
- There should be a Privacy Notice in plain language, the DPO’s contact, data retention periods, who data is shared with, and your rights (access, correction, deletion).
- App permissions should be proportionate: camera for e-KYC is reasonable; contact list scraping, mass SMS access, and gallery harvesting are not.
- Coercive consent (e.g., “allow us to read your contacts or we won’t release your loan”) is suspect.
Evaluate collection practices.
- Legit lenders confirm your channels and call you—not your boss, relatives, or entire phonebook.
- Any threat of arrest, public posts, doxxing, profanity, or contacting third parties is forbidden.
Confirm payment channels and beneficiary.
- If you repay via bank transfer, e-wallet, or OTC, the account name should match the licensed corporation (or its disclosed payment processor). Random personal accounts are red flags.
Check pricing sanity and fee stacking.
- Even without a universal cap, daily interest claims, undisclosed “processing fees,” or mandatory “insurance” that is never documented are warning signs.
- Compare the amount disbursed vs. amount you must repay—not just the “headline” rate.
Look for working support channels.
- There should be a staffed hotline or email that replies with the licensed company signature block. Bounces or anonymous Gmail addresses are red flags.
Do a final mismatch sweep.
- App developer name ≠ corporate name, no CA, offshore address only, sideloaded APKs from Telegram/Drive, or “loan first, documents later” … treat as high-risk.
6) Red flags that commonly signal an illegal/abusive app
- No SEC CA number anywhere; or the CA number belongs to a different company.
- Says “DTI-registered” or “mayor’s permit only” but offers loans to the public.
- Claims “BSP-licensed” but is not a bank (and is clearly offering lending, not just payments).
- Requires you to upload contacts list or threatens to message your relatives/employer.
- Debt shaming: threats to post your photos/IDs online, mass texts to your contacts, or defamatory “wanted” posters.
- Sideloading: asks you to install an APK outside official app stores.
- Upfront fees before any disbursement, payable to a person’s e-wallet/bank account.
- Extreme tenors (e.g., 7-day loans rolled over weekly) with cascading “processing” and “renewal” fees.
- Anonymous ownership: no office address in the Philippines, no DPO, no responsible officers named.
7) If you’ve already used a suspicious app
- Preserve evidence – screenshots of the app listing, terms, disclosures (or lack), messages, call logs, payment receipts, and the app’s requested permissions.
- Lock down data – revoke app permissions in your phone settings; change passwords; enable 2FA on email/e-wallet.
- Dispute unauthorized debits – notify your bank/e-wallet immediately and follow their dispute timelines.
- File complaints – report to the SEC (lending/financing misconduct), the National Privacy Commission (NPC) for privacy violations (contact scraping, public shaming), and, for threats/extortion, the PNP Anti-Cybercrime Group/NBI.
- Do not engage with harassers – keep communication factual; refer to your rights; avoid paying to stop harassment when no lawful debt exists.
- Seek counsel – for serious harassment or large-value disputes, consult a lawyer. Evidence gathered early materially helps.
8) Special cases you may encounter
- “Peer-to-peer lending” apps: If the platform matches lenders and borrowers, check if it is operating under the SEC’s crowdfunding/intermediary framework or otherwise authorized. “P2P” is not a loophole to avoid SEC oversight.
- Marketplace & aggregator apps: Some apps simply refer you to lenders. The one extending credit must still be licensed; the aggregator must not misrepresent its role.
- Bank-affiliated apps: If the lender is a bank, it should clearly identify the bank and refer to BSP supervision for the lending activity; still expect Truth-in-Lending-quality disclosures.
- Employer or cooperative loans: Different rules may apply (e.g., co-op lending under the Cooperative Development Authority), but any third-party non-bank app doing public lending reverts to SEC rules.
9) Practical borrower’s checklist (print or save)
- Corporate legal name appears and matches the brand/app.
- SEC Registration No. shown.
- SEC Certificate of Authority (CA) No. shown and labeled for Lending or Financing Company.
- Office address in the Philippines, working hotline/email, and DPO contact.
- Key Facts/Disclosure before you apply: principal, tenor, effective interest/finance charge, all fees, penalties (with formula), total payable.
- No contact-list/gallery scraping; permissions limited to what is necessary (camera for e-KYC, etc.).
- No harassment terms; collection policy aligns with fair-debt rules.
- Payment account name matches the licensed corporation (or its disclosed processor).
- You understand exactly how much you will receive vs. how much you must repay and when.
- You have screenshots of all disclosures and identities.
10) Frequently asked questions
Q: Is a DTI Business Name enough for a lending app?
A: No. Public lending requires an SEC-licensed corporation with a CA. DTI BN registration does not authorize lending.
Q: The app shows an SEC Registration Number but no CA. Is that okay?
A: No. Corporate registration proves existence, but you still need a CA to legally lend to the public.
Q: The app says it is “BSP-approved.”
A: For lending, the relevant license is from the SEC, unless the lender is a bank. Treat non-bank “BSP-approved lender” claims with caution.
Q: Are lenders allowed to contact my employer or relatives?
A: As a rule, no. Harassment, public shaming, and contacting third parties in collection are prohibited practices and may trigger SEC/NPC enforcement.
Q: Is there a legal maximum interest rate?
A: There is no universal cap under the suspended Usury Law, but lenders must provide full, truthful disclosure and comply with consumer-protection standards. Abusive pricing coupled with unfair practices can still be sanctioned.
11) Compliance corner (for lenders and counsel)
- Maintain an active CA and keep the SEC apprised of any apps/URLs used for lending.
- Implement KYC/AML controls; document risk assessment; train frontliners.
- Provide pre-contract Key Facts and standardized disclosures; show effective interest/finance charge clearly.
- Build a privacy program: data inventory, DPIAs for the app, DPO appointment, breach response plan, and permission hygiene (no contact scraping).
- Enforce a collections code of conduct; audit third-party agencies; keep call recordings and logs.
- Maintain complaints handling with tracked turnaround times and escalation to compliance/legal.
- Keep marketing truthful; avoid “instant approval/no documents” claims that create unfair expectations.
- Periodically review app store listings and the privacy policy to ensure they mirror current practices.
12) One-page TL;DR
To be legit in the Philippines, an online lending app must be backed by a corporation with an active SEC Certificate of Authority to operate as a lending or financing company. Before borrowing, match the brand to the corporate name, verify the CA, read the Key Facts/Disclosure, check privacy/collection practices, and confirm the payee details. Walk away at the first sign of no CA, contact-list scraping, harassment threats, or upfront fees.