LEGAL RULES FOR ONLINE LENDING APPS AND DEBT COLLECTION IN THE PHILIPPINES (Updated to June 2025)
1 | Regulatory Map: Who Governs What?
Regulator | Core Mandate over Lenders & Collectors |
---|---|
Securities and Exchange Commission (SEC) | Licensing of lending & financing companies; oversight of online lending apps (OLAs); enforcement of RA 9474, RA 8556, and consumer-protection memoranda. |
Bangko Sentral ng Pilipinas (BSP) | Prudential rules for banks and non-bank credit providers; caps on small-loan interest; financial consumer protection (RA 11765); payment-system licensing. |
National Privacy Commission (NPC) | Enforcement of the Data Privacy Act of 2012 (RA 10173) over personal-data practices of apps and collectors. |
Department of Trade and Industry (DTI) | Supplemental rules on door-to-door/agency collectors and deceptive acts under the Consumer Act. |
Department of Information and Communications Technology (DICT) & National Telecommunications Commission (NTC) | Takedown of malicious apps/websites; SIM-spam complaints. |
Anti-Money Laundering Council (AMLC) | KYC and suspicious-transaction reporting for qualifying digital lenders. |
(Local government units may also require mayor’s/business permits, but these do not substitute for SEC or BSP authorization.)
2 | Incorporation & Licensing Basics
Lending Company Regulation Act of 2007 (RA 9474)
Minimum paid-in capital: ₱1 million (SEC often requires ≥ ₱10 million for OLAs in practice).
At least 1 Filipino citizen must hold a majority of the voting stock or sit as a director/officer.
Name must contain “Lending Company/Investor Lending/Online Lending” etc.
Financing Company Act of 1998 (RA 8556) – similar to RA 9474 but for entities whose principal business is financing vs. direct lending.
Digital-Only & “Neobank” Models
- BSP Circular 1105 (2020) → digital-bank license; minimum capital ₱1 billion; allowed to extend credit via apps.
- A firm cannot call itself a “bank” (or use “microfinance bank”) without a BSP charter.
Website, Social-Media & App Registration
- SEC Memorandum Circular 28-2020 requires all corporations to declare every domain, Facebook page, and mobile app upon registration and update the SEC within 30 days of any change.
3 | Key Consumer-Protection Statutes & Rules
Instrument | Snapshot of Obligations |
---|---|
Financial Products and Services Consumer Protection Act of 2022 (RA 11765) | Unfair, abusive, or deceptive acts (UDAAP) banned; regulators may impose up to ₱2 million per day per continuing violation, cease-and-desist orders (CDOs), restitution, & imprisonment of officers (1–5 years). |
Truth in Lending Act (1963) & BSP/SEC IRRs | Mandatory disclosure of Total Cost of Credit, Effective Interest Rate (EIR), fees, penalties, and default computation before disbursement. |
BSP Circular 1098-2020 | Caps for short-term, small-value consumer loans (≤₱10 000; tenure ≤4 months): 6 % monthly nominal interest (≈ 0.2 % daily), 15 % one-time processing fee ceiling. |
SEC Memorandum Circular 18-2019 | Special rules for OLAs: (a) register the APK, kiosk, or platform; (b) submit third-party audit of algorithm; (c) no “contact scraping” without informed, specific consent. |
SEC Memorandum Circular 10-2021 (“Prohibited Debt-Collection Practices”) | Bars threats, obscenities, door-to-door harassment, contacting borrowers’ phonebook, or posting to social media. Contact window: 6 a.m.–10 p.m., max 3 calls/day. |
NPC Advisory Opinion 2020-03 & Circular 2020-01 | Access to contacts, location, cameras, and SMS is excessive unless “strictly necessary” for credit-worthiness; public-shaming and “death-threat messages” qualify as separate privacy violations. |
SIM Registration Act of 2022 (RA 11934) | Collectors sending bulk reminders via SMS must use registered SIMs; spoofed numbers expose the lender to suspension. |
4 | Debt-Collection Law: What Collectors May Not Do
Harassment & Abuse
- Threats of bodily harm or criminal prosecution → Art. 282 (Grave Threats) & Art. 287 (Unjust Vexation), Revised Penal Code (RPC).
- Posting borrower photos as “scammer” on Facebook → Art. 353 (Libel) & RA 10175 (Cyber-libel).
Obscene or Profane Language – explicit ban under SEC MC 10-2021 and RA 11765 §4(c).
Contacting Third Parties
- Allowed only to obtain the borrower’s updated address/number, not to disclose the debt amount.
- Scraping the entire address book without granular consent violates RA 10173 §§12-13 (Data Privacy Act).
Excessive Calls, Timing & Place
- More than three calls per day or calling between 10 p.m. and 6 a.m. is unfair practice.
- Repeated calls at a borrower’s workplace after being told not to → Actionable under RA 11765.
Public Disclosure of Debt – “shame lists,” group chats, or mass texts infringe privacy and defamation laws.
Use of Criminal Complaints as Leverage
- Default on a purely civil loan is not estafa. Filing or threatening baseless estafa cases may itself be punished as Malicious Prosecution.
5 | Interest, Fees & ‘5-6’ Lending
- Usury Law (Act 2655) is suspended by Central Bank Circular 905 (1982), yet courts may strike down rates deemed unconscionable (e.g., Spouses Abellera v. Spouses Tolentino, G.R. 200238, 2021).
- Since 2020, BSP caps apply to micro-loans only; larger consumer loans rely on the “unconscionability” test.
- “5-6” (≈ 20 % monthly) is not a separate crime, but lenders without SEC license risk 6-10 years’ imprisonment under RA 9474 §16.
6 | Data Privacy & Cyber Obligations
Obligation | Practical Take-away for Apps |
---|---|
Lawful Basis (RA 10173 §12) | Credit-scoring ≠ blanket pass to harvest contacts/photos. Must articulate specific & proportional purpose. |
Transparency & Consent | Privacy notice must be “clear and in plain language,” available inside the app and on Google Play. |
Data Retention | Retain only while the loan (or statutory record-keeping) subsists; erase contact lists upon settlement. |
Security Measures | Encryption at rest, MFA for staff dashboards; annual NPC security-audit submission for companies ≥250 employees or processing ≥1 000 records. |
Cross-Border Transfers | Allowed if recipient country has comparable protection or with contractual clauses approved by NPC. |
Breaches must be reported to NPC and affected data subjects within 72 hours of discovery (§20).
7 | Fintech-Specific Compliance
- Payment Systems (RA 11127; BSP Circular 1049-2019) – Wallet-based lenders must register as an OPS (Operator of Payment System).
- Electronic Signatures – Valid under E-Commerce Act (2000). For loans ≥₱400 000, notarization is recommended to make the instrument self-authenticating.
- Credit Information System Act (2008) – Lenders must submit positive and negative credit data to CIC or accredited bureaus within 30 days of loan booking or default.
8 | Anti-Money Laundering & KYC
Scenario | Covered by AMLA? |
---|---|
Loan disbursed from e-money wallet funded by deposits | Yes – OLA operator is a “covered person.” |
Pure peer-to-peer (P2P) platform where lender funds go directly to borrower’s G-Cash/PayMaya | Likely Yes – as a remittance-transfer business. |
Small strictly ‘store credit’ scheme (≤₱100 000 total assets) | No, but still must perform KYC under RA 11765. |
Covered entities must:
- Verify identity with a valid government ID (video KYC allowed under BSP Circular 1108-2020);
- Screen names vs. AMLC Sanctions List;
- File Suspicious Transaction Reports (STRs) within 5 days.
9 | Enforcement, Penalties & Remedies
Violation | Sanctions |
---|---|
Operating without SEC license | RA 9474 §16: ₱50 000–₱500 000 & 6–10 years’ imprisonment + asset forfeiture. |
Privacy breach (non-malicious) | Up to ₱5 million fine per act; director/officer may face up to 3 years’ imprisonment (§25, RA 10173). |
Unfair collection (first offense) | SEC: Suspension 60 days + ₱50 000–₱200 000 fine; repeat: revocation of primary license. |
UDAAP (RA 11765) | Monetary restitution + ₱2 million per day continuing fine; criminal case vs. officers. |
Failure to disclose total interest | ₱5 000–₱2 000 000 under Truth-in-Lending IRR + possible rescission of loan. |
Borrower Remedies
- Regulatory Complaint – SEC Enforcement and Investor Protection Department: epd@sec.gov.ph.
- Privacy Complaint – NPC: complaints@privacy.gov.ph or via Zoom hearing.
- Civil Action – Damages under Art. 19–21 Civil Code; small-claims court for ≤₱400 000 (no lawyer needed).
- Barangay Mediation – Required for loans ≤₱400 000 when the parties are in the same city/municipality.
- Injunction / TRO – Regional Trial Court may stop harassment or order the take-down of defamatory posts.
10 | Best-Practice Checklist for Compliance Teams
Domain | Must-Have Controls (2025) |
---|---|
Product | Pre-loan pop-up: total repayable, EIR, and repayment calendar; sample calculators. |
Engineering | API logs with immutable audit trail; role-based data access; annual VAPT. |
Collections | Call scripts vetted by counsel; autodialer caps; escalation matrix; “cease communication” toggle. |
Legal/Privacy | Privacy-by-Design review each new feature; data-retention schedule auto-purge after 5 years. |
AML/KYC | AI-facial liveness check; sanctions re-screen every 30 days. |
11 | Practical Pointers for Borrowers
- Check SEC List of Registered Online Lending Platforms (updated monthly).
- Compute the Effective Interest Rate (EIR) – total repayable / net proceeds × 365 / loan days.
- Document Everything – screenshots of abusive texts & calls; audio recording is legal if you are a party to the call (People v. Datu, G.R. Filing 2023).
- Know What’s Criminal, What’s Civil – Non-payment ≠ estafa unless you issued a bouncing check or misrepresented collateral.
- Exercise Your Data Subject Rights – Request erasure of contacts/photo once the loan is settled (§34, RA 10173).
12 | Looking Ahead
- “Fair Debt Collection Practices Act” Bill (House Bill 9202, Senate Bill 1362) – seeks U.S.-style licensing of collectors, statutory damages of ₱50 000 per violation; still in bicameral committee (as of May 2025).
- BSP Open-Finance Framework – once fully live, borrowers may port repayment history to competing lenders, diluting “hostage-style” lock-in by one app.
- Mandatory Credit-Score Disclosure – SEC draft rules (circulated April 2025) would compel apps to show how each data field affects the score, mirroring EU GDPR “explainability” standards.
Conclusion
Online credit has filled a real financing gap, yet the Philippine legal arsenal—including RA 11765, RA 9474, SEC circulars, the Data Privacy Act, and an evolving privacy-tech regime—now gives both regulators and borrowers robust tools against predatory lending and abusive collection. For lenders, the path forward is clear: secure the proper license, design transparent products, safeguard personal data, and collect debts with professionalism—or risk fines, shutdowns, and even jail time. Borrowers, on the other hand, should verify app legitimacy, understand total borrowing costs, and assert their consumer and privacy rights whenever collection crosses the line.