How to Verify the Legitimacy of an Online Lending Company in the Philippines
(A practitioner-oriented legal guide as of 7 May 2025)
1. Why verification matters
Online lending apps (“OLAs”) can deliver life-saving liquidity, but the sector has also become a breeding ground for scams, privacy violations, and loan-shark tactics. Under Philippine law, lending to the public is a regulated activity: no one may do it without a specific authority from the government. Verifying legitimacy is therefore both a consumer safety step and a quick legal triage—only companies that pass the tests below are allowed to lend money in the first place.
2. Regulatory architecture
| Regulator | What it supervises | Key issuances affecting OLAs |
|---|---|---|
| Securities and Exchange Commission (SEC) | All lending companies and financing companies (whether their services are delivered through an app or a branch) | • Republic Act (RA) 9474 – Lending Company Regulation Act of 2007 and its 2010 IRR • SEC Memorandum Circular (MC) 18-2019 – Registration and Reporting of Online Lending Platforms • MC 19-2019 – Prohibition on Unfair Collection Practices • MC 28-2021 – Mandatory Email & Cellphone Disclosure |
| Bangko Sentral ng Pilipinas (BSP) | Banks, e-money issuers and other deposit-taking or payments entities that may also offer loans | • RA 7653 (New Central Bank Act, as amended) • RA 11765 – Financial Products and Services Consumer Protection Act (jointly implemented with SEC, IC & CDA) |
| National Privacy Commission (NPC) | Processing of personal and contact data by apps | • RA 10173 – Data Privacy Act of 2012 • NPC Circular 16-01 – Data-Protection Officer Registration |
| Inter-agency enforcers | Criminal acts (estafa, cyber-harassment, libel, etc.) | • NBI Cybercrime Division, PNP-ACG, CIDG, DOJ-OOC |
Bottom-line: For a standalone OLA that is not a bank, authority must come from the SEC. Neither a Department of Trade and Industry (DTI) business-name certificate nor local mayor’s permit is enough.
3. Legal “papers” a genuine lender must hold
- SEC Certificate of Registration (COR) – proves the entity exists as a corporation or OPC.
- SEC Certificate of Authority (CA) – the crucial licence to operate as a lending or financing company under RA 9474/RA 8556. No CA, no lending—period.
- Approved Articles & By-laws stating lending as the primary purpose.
- Secondary Licence for the OLP/App under MC 18-2019 (one OLP = one licence; must be renewed upon version change).
- Privacy Notice & NPC Confirmation that a Data-Protection Officer is registered.
- BSP registration – only if the same entity also issues e-money or touchpoints regulated by BSP (e.g., card-based cash-outs).
4. Step-by-step verification checklist
| Step | How to do it | What you should see |
|---|---|---|
| 1. Look for the SEC Registration Number & CA No. on the app’s splash screen, website footer, in-store listing, or promo materials. | Required by MC 18-2019. | Two distinct numbers; the CA often states “valid until revoked.” |
| 2. Validate in SEC’s public database* (e.g., CRS Search or Lending Investor Financing Division e-list). | Enter the company name or SEC Reg. No. | The record must show “Active,” “Lending Company,” and list the CA. |
| 3. Check SEC Advisories (Investor Protection page) for companies flagged or ordered to stop. | PDF list is updated frequently. | A legitimate company should not appear in the “Unregistered/Revoked” or “Cease-and-Desist” columns. |
| 4. Inspect the Privacy Notice inside the app. | Must identify the Personal Information Controller, DPO email, processing purpose, and retention period. | Vague “as needed” or no DPO = red flag. |
| 5. Confirm contactability. | MC 28-2021 obliges lenders to publish a working phone line and e-mail. Dial/send a test inquiry. | Unreachable or automated loops suggest a fly-by-night outfit. |
| 6. Scrutinise cost disclosures. | RA 3765 (Truth in Lending Act) requires the Annual Percentage Rate (APR) and total charges to be shown before you press “accept.” | Hidden fees, daily interest quotes without an APR, or “processing” deductions withheld upfront violate the law. |
| 7. Assess collection practices. | MC 19-2019 prohibits threats, profanity, dissemination of your debt to contacts, and use of fake legal summons. | Reports or app-store reviews citing these indicate non-compliance. |
*You can do steps 2 & 3 on a mobile browser; no account is required.
5. Telltale red flags of an illegal lender
| Red Flag | Why it suggests illegality |
|---|---|
| “We operate under DTI only” | DTI does not license lending. |
| No physical or virtual office address | SEC requires a principal office stated in the Articles. |
| Solicits processing fees or membership fees before releasing a loan | SEC has repeatedly warned that this is a classic advance-fee scam. |
| Asks for full contact list access as a pre-condition | NPC has ruled that blanket contact-scraping is unnecessary and excessive processing. |
| Uses threats of “subpoena,” “NBI warrant,” or public shaming | Explicitly banned by MC 19-2019; can be criminal harassment. |
| Promises 0% interest forever or guaranteed approval | Violates the Material Disclosure rule under RA 3765 and may indicate a phishing ploy. |
6. Applicable statutes & regulations (quick digest)
| Measure | Core requirement / protection |
|---|---|
| RA 9474 (Lending Company Regulation Act) | SEC CA mandatory; ≥ ₱1 million paid-in capital; annual reports. |
| RA 8556 (Financing Company Act) | For entities financing purchases/installments; ≥ ₱10 million capital (NCR). |
| RA 3765 (Truth in Lending Act) + BSP Circular 730-2011 | Full cost disclosure in peso and APR terms. |
| RA 10173 (Data Privacy Act) | Lawful, fair, transparent processing; consent may be withdrawn. |
| RA 11765 (Financial Consumer Protection Act, 2022) | Gives SEC/BSP administrative front-line consumer redress power; allows restitution and fines up to ₱2 million plus daily penalties. |
| SEC MC 18-2019 | Per-platform licence; UI must display regulatory IDs prominently. |
| SEC MC 19-2019 | Enumerates unfair collection practices; authorises SEC to suspend or revoke CA for violations. |
| SEC MC 28-2021 | Mandates official e-mail & mobile; failure to comply within 30 days = automatic revocation. |
7. What to do if you discover a fake or abusive lender
- Document everything (screenshots, e-mails, call recordings).
- File a sworn complaint with the SEC Enforcement and Investor Protection Department (EIPD). Forms are downloadable; submission may be by e-mail.
- Report privacy breaches to the NPC (complaints portal).
- Escalate harassment (doxing, death threats) to the NBI Cybercrime Division or PNP Anti-Cybercrime Group; attach SEC advisory if available.
- Consult a lawyer for possible civil or criminal suits (estafa under Art. 315 Revised Penal Code, or RA 10175 cyber-libel).
8. Borrower rights you can assert
Under RA 11765 & SEC MC 19-2019 you have the right to:
- Receive clear, comprehensible loan terms before acceptance.
- Cancel within a reasonable “cool-off” period if no funds have been disbursed.
- Be treated with dignity—no public humiliation, profanity, or threats.
- Recover excess interest or charges if proven illegal.
- Demand deletion of unnecessary personal data once the loan is repaid or if you withdraw your application.
9. Practical borrower tips (beyond the law)
- Use official app stores (Google Play, Apple App Store); the SEC now coordinates with platform owners to delist rogue apps quickly.
- Compare APR, not daily interest. A 1% per day rate balloons to >360% APR.
- Read peer reviews—but focus on detailed stories, not generic five-star posts that may be planted.
- Keep copies of the e-contract and payment receipts; cloud-store them in case the app vanishes.
- Never share OTPs or passwords; legitimate lenders will not ask.
10. Emerging issues to watch (2025 onwards)
- Open Finance Framework (BSP Circular 1250-2024) will soon allow licensed lenders to pull verified bank data with your consent, potentially lowering rates for borrowers with good banking histories.
- E-KYC via PhilSys: expect SEC-registered OLAs to adopt national-ID-based verification; reject any lender asking you to send selfies by unsecured chat.
- AI-driven credit scoring: permissible, but must not be discriminatory and the logic must be explainable under RA 11765’s “right to explanation.”
Conclusion
Verifying an online lending company in the Philippines is essentially a paper chase backed by well-defined statutes. The touchstones are simple:
- SEC Certificate of Authority (plus SEC registration)
- Per-app licence under MC 18-2019
- Transparent pricing & lawful data handling
Anything less, walk away. By insisting on these non-negotiables, you protect your finances, your privacy, and help regulators drain the swamp of predatory digital lenders.
This article is for informational purposes and does not constitute formal legal advice. For specific situations, consult Philippine counsel.