This article explains how to confirm whether a lender is legally allowed to operate under Philippine law, how to evaluate loan offers (especially online), and what to do if you encounter—or fall victim to—an illegal lender or loan scam. It focuses on lending and financing companies under the Securities and Exchange Commission (SEC). It also notes when other regulators (BSP, CDA, etc.) apply. This is general information, not legal advice.

1) Regulatory map: who supervises whom?

Understanding the regulator tells you which registry to check and which rules apply.

SEC (Securities and Exchange Commission) – Oversees lending companies (R.A. 9474, Lending Company Regulation Act) and financing companies (Financing Company Act). These entities must be corporations and must secure both:
1. a Certificate of Incorporation (primary registration), and
2. a Certificate of Authority (CA) to Operate as a Lending/Financing Company (the license).
BSP (Bangko Sentral ng Pilipinas) – Regulates banks, non-bank financial institutions, pawnshops, EMIs, and payment service providers. If the lender is a bank/pawnshop, you verify under BSP, not the SEC.
CDA (Cooperative Development Authority) – Regulates cooperatives; a credit/consumer cooperative that lends only to its members is not an SEC-licensed lending company.
Microfinance NGOs – Governed by the Microfinance NGOs Act, accredited by the Microfinance NGO Regulatory Council (not the SEC list of lending companies).

Key takeaway: If a “lender” claims to be SEC-registered, it should be a corporation with an SEC Certificate of Authority specifically for lending/financing. Sole proprietorships and partnerships cannot hold an SEC CA to operate as a lending company.

2) The legal baseline for SEC-licensed lenders

Lending Company Regulation Act (R.A. 9474) and Financing Company Act require:
- Incorporation under the Corporation Code;
- Paid-in capital minimums (vary by company type and rules);
- A valid SEC Certificate of Authority before starting operations;
- Ongoing compliance (reports, disclosure, fit and proper requirements for directors/officers).
Truth in Lending Act (R.A. 3765): Requires clear disclosure of the finance charge, fees, and effective interest rate before a borrower becomes obligated.
Financial Products and Services Consumer Protection Act (R.A. 11765, “FCPA”): Lays down fair treatment, transparency, data privacy, complaint-handling, cool-off/withdrawal rights as may be set by regulators, and prohibitions against abusive collection for financial service providers within the SEC/BSP/IC perimeter.
Data Privacy Act (R.A. 10173): Borrowers’ personal data must be processed fairly, with consent, purpose limitation, and security safeguards. “Contact-harvesting” and public shaming are significant red flags.

There is no general usury cap in the Philippines (the Usury Law ceilings were effectively lifted). However, interest and penalties must be expressly agreed, properly disclosed, and not unconscionable; abusive practices can be sanctioned under consumer protection, unfair collection, and other laws.

3) How to verify if a lender is SEC-registered (step-by-step)

Identify the true legal name. Ask for:
- Full corporate name (not just a trade name or app name)
- SEC Registration Number
- SEC Certificate of Authority (CA) Number (explicitly for “Lending Company” or “Financing Company”)
- Principal office address and fixed landline
- Names of directors/officers
Match the pieces.
- The corporate name on the SEC CA must match the name on the contract/receipt.
- A company may market via a different brand/app name, but the CA belongs to the corporate entity, not the brand.
Check the license itself.
- A Certificate of Incorporation is not enough. The company needs a Certificate of Authority to Operate as a lending or financing company.
- Verify if the CA is valid and current (CAs can be revoked, suspended, or expired if not renewed or if a company is penalized).
Confirm geographic presence & contact lines.
- A legitimate lender has a physical principal office in the Philippines that matches corporate records and receipts.
- Use the official email/landline found in corporate documents—not numbers inside unverified social-media posts or messages.
Cross-check regulatory scope.
- If the entity says it is a bank or pawnshop, confirm under BSP, not SEC.
- If it’s a cooperative lending solely to members, verify under CDA.
Inspect disclosures before you sign.
- Look for total loan proceeds vs. net proceeds, all fees, interest/penalties, collection process, complaint channels, and data-privacy notice.
- If disclosures are missing, unclear, or not provided until after you consent, walk away.

4) Online lending platforms and apps: what “good” looks like

A compliant SEC-licensed lender that uses an app or website should provide:

Corporate identity (exact corporate name), SEC Registration No., and SEC CA No. on the site/app and in the loan agreement.
Clear data-privacy statement (what data are collected, why, retention, third-party sharing, your rights, complaint channels).
Truth-in-lending disclosures (APR/effective interest rate, fees, computation examples).
Accessible customer service (PH address, hotline, email).
Reasonable app permissions (no blanket access to contacts, photos, microphone, SMS unless strictly necessary and consented).
Fair collection policies (no harassment, threats, doxxing, or “shaming” tactics).

Red flags unique to apps:

The app name or logo doesn’t reveal the corporate owner and there’s no SEC CA number anywhere.
Forced permissions unrelated to the service (e.g., contact scraping to threaten your friends).
“Fast pre-approval” but demands advance fees (processing, insurance) before disbursement.
The “contract” appears only after you upload IDs/OTP and is non-downloadable.
Pushing you to share OTP/PIN or to install remote-control/screen-mirroring apps.
Funds disbursed without your clear agreement to terms (a setup used to justify aggressive collection later).

5) Common loan-scam patterns (and how to respond)

Fake “SEC-registered” claims
- Scammers paste random SEC numbers or display only a Certificate of Incorporation.
- Response: Ask for the SEC Certificate of Authority number tied to the exact corporate name; demand a copy.
Advance-fee / processing-fee scams
- You’re told to pay a fee or buy “insurance” before loan release.
- Response: Legitimate fees are typically netted from proceeds or charged only after the loan is finalized. Do not send money to personal e-wallets.
Phishing & impersonation (bank officer/SEC staff “approving” your loan)
- Response: Never share OTP/PIN; verify via official hotlines; inspect sender domains and grammar; avoid links from unsolicited messages.
App shaming & data blackmail
- Unlicensed apps harvest contacts and threaten public shaming to force payment.
- Response: Document everything; revoke permissions; file complaints (see Section 9). These practices are sanctionable under consumer protection and data privacy rules.
Loan flipping/stacking traps
- “Refinance” every few days with more fees deducted from proceeds.
- Response: Calculate total cost; demand a payoff statement; compare alternatives (banks/coops/EMIs).
ATM/ID collateral
- Seizing your ATM card, ID, or passbook as “collateral” is a glaring red flag.
- Response: Refuse; such practices can breach criminal/consumer/data-privacy laws and employer/government benefit rules.

6) Due-diligence checklist (use before you apply)

Identity & Authority ☐ Full corporate name (exact spelling) ☐ SEC Registration Number (primary) ☐ SEC Certificate of Authority Number (lending/financing) ☐ Principal office address (Philippines) and landline ☐ Names of directors/officers

Disclosures & Documents ☐ Draft loan agreement before giving OTP/ID selfies ☐ Truth-in-Lending breakdown (interest, fees, APR/effective rate) ☐ Amortization schedule and net proceeds computation ☐ Penalties, default interest, collection process, right to prepay ☐ Complaint-handling and escalation paths (company → regulator)

Data & Tech ☐ App/website lists the corporate entity and CA number ☐ Only necessary app permissions (no contact scraping) ☐ Data-privacy notice & consent form (downloadable) ☐ Secure channels (avoid random DMs; verify emails/domains)

Sanity checks ☐ No advance fee to personal accounts ☐ No pressure to share OTP/PIN or install remote-control apps ☐ No demand to surrender ATM/ID ☐ Offer terms are comparable with market norms for your profile

7) Contract terms to watch (and how to negotiate)

Interest & fees: Ensure all charges are enumerated; avoid “to be determined” blanks. Ask for APR/effective interest and a total cost over the full term.
Payment method: Confirm payment channels (bank transfer, e-wallet, over-the-counter) and posting timelines; late posting can trigger penalties.
Penalties & default interest: Make sure caps and triggers are clear; contest unconscionable rates or compounding structures.
Prepayment: Ask for prepayment and restructuring options, and whether there are fees.
Data use & third-party sharing: Limit use to loan servicing; restrict marketing; prohibit contact-harvesting; require deletion after legal retention periods.
Consent and e-signatures: Ensure you receive a downloadable copy of the signed agreement and the audit trail (for e-sign).

8) If you’re dealing with a bank, cooperative, pawnshop, or EMI instead

Banks / EMIs / Pawnshops: Verify under BSP registries and rules (they won’t appear as SEC-licensed lending companies).
Cooperatives: Verify with the CDA and confirm the membership requirement; lending to non-members may be unlawful.
Employers or SSS/GSIS benefit loans: Verify directly with the agency/employer; beware of intermediaries collecting “facilitation fees”.

9) What to do if you suspect an illegal lender or abusive collection

Stop sharing more data. Revoke app permissions; change passwords; secure your SIM/e-wallet.
Preserve evidence. Keep screenshots, messages, voice notes, payment receipts, app version, and dates/times.
Engage in writing only. Ask for a statement of account and computation.
File complaints with the right bodies:
- SEC – For unlicensed lenders or licensed lenders using abusive practices; the SEC can issue cease-and-desist orders, revoke CAs, and refer for prosecution.
- National Privacy Commission (NPC) – For data-privacy violations (contact scraping, doxxing, shaming).
- BSP – If the entity is a bank/pawnshop/EMI.
- PNP-ACG / NBI-Cybercrime – For harassment, threats, phishing, identity theft.
- DTI / LGU Business Permits – For deceptive trade practices and local enforcement support.
- App Stores & Telcos – Report abusive apps/shortcodes for takedown or blocking.
Consider civil/criminal remedies. Depending on facts: unjust vexation, grave threats, libel/defamation, extortion, anti-wiretapping (if calls recorded without consent), and violations of FCPA/Data Privacy Act.

10) Practical scripts & templates

A. Verification request (email/message to the lender)

Subject: Request for SEC CA and corporate details Dear [Lender], Before proceeding, please provide: (1) your exact corporate name; (2) SEC Registration No.; (3) SEC Certificate of Authority No. to operate as a [Lending/Financing] Company; (4) principal office address and landline; (5) a PDF of your loan agreement and Truth-in-Lending disclosures. Thank you.

B. Cease abusive collection (to the lender/collector)

Subject: Cease and desist from abusive collection Dear [Company/Collector], Your agents have engaged in harassment/defamation/contact-harvesting on [dates]. These acts violate consumer protection and data-privacy laws. Cease immediately. All future communications must be in writing to this email. Provide a statement of account and lawful computation of any amount due. Regards, [Name]

C. Complaint outline (for regulators)

Your full name and contact details
Lender’s corporate name (as claimed) and brand/app names used
Dates and channels of contact; copies of ads/screenshots
Loan terms shown (or lack thereof), fees, interest, net proceeds
Abusive acts (who, when, how), evidence attached
Relief sought: investigation, takedown, sanctions, data-erasure

11) Frequently asked questions

Q: Is a screenshot of a “SEC registration” enough? A: No. You need the SEC Certificate of Authority (CA) to operate as a lending/financing company, tied to the exact corporate name.

Q: The lender is a cooperative. Should it appear on the SEC list? A: No. Cooperatives are under CDA and generally lend to members only.

Q: Can a legitimate lender require my phone contacts? A: Collecting contacts is rarely necessary for lending and raises data-privacy concerns. Treat it as a red flag.

Q: They deposited money without my consent and demand repayment. A: Dispute in writing; request the contract and consent evidence. If they cannot show a valid agreement and disclosure, escalate to regulators.

Q: Are “5-6” loans illegal? A: Many “5-6” operators are unregistered and use abusive practices; they commonly violate registration and consumer-protection laws. Report them.

12) Borrowing safely: practical alternatives

Your bank (salary/personal loan) – regulated by BSP, usually clearer pricing.
Salary-deduction loans via employer credit cooperatives – CDA regulated.
Government programs (e.g., SSS/GSIS member loans) – avoid third-party “facilitators.”
Reputable EMIs and installment programs – BSP-regulated; compare effective rates and fees.

13) Quick borrower toolkit

A calculator (to compute APR/effective rate and total cost).
A secure PDF copy of your contract, disclosure statement, and privacy notice.
A folder of evidence (screenshots, call logs).
A simple decision rule: If there’s no verifiable SEC CA (or wrong regulator), or if they ask for OTP / advance fees → walk away.

Final word

Verifying an SEC-registered lender boils down to matching the company’s identity to a valid SEC Certificate of Authority and ensuring clear, lawful disclosures with fair collection and privacy practices. If any link in that chain is missing—don’t sign, don’t send IDs, don’t pay fees. Document everything and report bad actors to the proper authorities.