Legality of Online Lending Apps in the Philippines (Comprehensive legal primer, updated to June 2025)
1 | Why this matters
Mobile “salary-loan” and “instant cash” apps have exploded since 2016, serving millions of un-/under-banked Filipinos. At the same time, hundreds of apps have been taken down or criminally prosecuted for operating without a licence, debt-shaming borrowers, scraping contact lists, or charging usurious fees. Unlike informal “5-6” lending, digital lenders sit at the intersection of several statutes, three primary regulators (SEC, BSP and NPC) and the Anti-Money Laundering Council (AMLC).
2 | Key statutes & their regulatory umpires
| Law / Issuance | Core purpose | Key regulator(s) |
|---|---|---|
| Republic Act 9474 (Lending Company Regulation Act “LCRA”, 2007) & IRR (SEC MC 3-2017) | Requires every “lending company” (LC) to secure a SEC Certificate of Authority (CA); sets ₱1 million minimum paid-in capital; mandates disclosure of effective interest rate; criminalises unlicensed lending (fine up to ₱1 million and/or 6-month-4-year imprisonment) | Securities & Exchange Commission (SEC) |
| RA 8556 (Financing Company Act, 1998) | Covers “financing companies” (FCs) which may also use apps; ₱10 million minimum capital outside NCR (₱10 m-₱15 m in NCR) | SEC |
| SEC Memorandum Circulars (selected) | • MC 18-2019 – Prohibition of Unfair Debt Collection Practices (no contact-list harvesting, public shaming, threats) • MC 19-2019 – Reportorial & advertising rules for online lending platforms (OLPs) • MC 10-2021 – Revised rules on registration and disclosure of OLPs; every new app must be filed 10 days before launch and reflected in the CA • MC 4-2022 – Enhanced “walk-in” complaint handling and whistle-blowing hotline |
SEC (Corporate Governance & FinTech/Innovation offices) |
| Data Privacy Act 2012 (RA 10173) & NPC Circular 16-01 & 20-01 | Makes contact-list scraping, excessive permissions and non-consented data sharing punishable (imprisonment up to 6 years & fines up to ₱5 million per act) | National Privacy Commission (NPC) |
| BSP Circular 1154 s.2022 (formerly 1082 s.2020) on Digital-Lending Risk | Sets interest-rate cap for short-term credit: nominal 6 % / month (effective 15 % APR), up to ₱10 000 principal; bars add-on “processing fees” above 5 % | Bangko Sentral ng Pilipinas (BSP) |
| Anti-Money Laundering Act (RA 9160, as amended) & AMLC Regulatory Issuance 1-2018 | Classifies SEC-licensed LCs/FCs as Covered Persons: requires Customer Due Diligence (including selfie + ID “e-KYC”), Suspicious Transaction Reports and a Money-Laundering Prevention Program | AMLC + SEC |
| Consumer Act (RA 7394) & Financial Products and Services Consumer Protection Act (RA 11765, 2022) | Gives BSP & SEC visitorial powers and enables restitution/fee-refund orders for abusive lending | DTI, BSP, SEC |
3 | Licence, launch & operate – step-by-step
| Stage | Practical requirement | Common pitfalls |
|---|---|---|
| 1. Incorporate | Name must include “Lending Company, Inc.” (LC) or “Finance Corporation” (FC). Foreign equity max: 49 % (RA 9474). | Using “Solutions” or “Ventures” in name → SEC rejects |
| 2. Secure CA | File Form F-108 w/ 5-year financial projections, ₱1 m (LC) or ₱10 m (FC) paid-in capital, notarised AML manual, and sworn undertaking not to charge beyond authorised rates. | “Rent-a-Licence” (piggy-backing on another entity’s CA) is illegal. |
| 3. Register OLP | 10 days pre-launch, submit: APK/IPA file hash, data-flow diagram, server location (must be in a jurisdiction with Mutual Legal Assistance Treaty), customer journey, sample marketing. | Launching v2.0 without updated filing → SEC cease-and-desist |
| 4. Go live (soft-launch) | Implement Privacy-by-Design: request only device ID, camera, storage (for KYC docs). Do not access contacts or photo gallery. Use BSP-accredited CIC credit bureau if scoring. | Apps banned 2020-2024: 80 % cited “contact list scraping” |
| 5. Ongoing compliance | Quarterly: upload loan portfolio ageing, NPL ratio, top 20 borrowers; Annual: audited FS, Beneficial-Ownership disclosure (SEC MC 1-2021). AMLC: STRs within 5 days. NPC: security incident report within 72 hours. | Missed report for two quarters → automatic inclusion in SEC “Lending Watchlist” (public). |
4 | Interest & fees – how high is too high?
No statutory usury ceiling since CB Circular 905 (1982) abolished the 12 % cap.
Courts, however, void “unconscionable” rates (SC Macalinao v BPI Family Savings, G.R. 228575, 2021; Spouses Abella v Spouses Abella, G.R. 214725, 2022) and reduce to 6 % p.a.
BSP Circular 1154 (Jan 2023, renewed Jan 2025) introduced sector-specific cap only for payday loans (≤₱10 000, ≤ 4 months) offered by banks and LCs/FCs:
- 6 % nominal monthly interest, 15 % effective APR ceiling
- Processing/service fee ≤ 5 % once, no other charges
- Penalty interest ≤ 1 % / month; total charges (interest + penalty + fees) may not exceed 100 % of principal
5 | Collections: do’s & don’ts
Allowed
- Call borrower’s own mobile/landline 8 am-9 pm, Mon-Sat
- Send polite SMS/email reminders
- File small-claims/civil action; report to CIC
Prohibited (SEC MC 18-2019 + NPC Advisory 2021-01)
- Accessing phonebook, posting debts on social media, group chats
- Using threatening, profane, or obscene language
- Contacting employer/H.R. without written consent
- Charging “collection fees” not in original disclosure
Violations can yield:
- SEC Cease & Desist Order (CDO) – immediate app store takedown
- Up to ₱1 000 per day administrative fine (SEC Rules of Procedure, 2016)
- NPC compliance order + up to ₱5 m fine / 3 years imprisonment
6 | Recent enforcement snapshot (2019-2025)
| Year | Action | Outcome |
|---|---|---|
| 2019-2020 | SEC shut down 68 unlicensed apps; Google Play required Philippine LCs/FCs to upload SEC CA during listing | First global geo-blocking by Google against rogue lenders |
| 2021 | NPC fined 26 apps for debt-shaming; joint SEC-NPC task-force created | First cross-agency data-privacy raids |
| 2022 | SEC CDO vs. “CashJeep”, “Peso Tree”, “StartPera” (contact scraping) | Apps removed within 24 hours; directors charged under RA 9474 |
| 2023 | BSP Circular 1154 cap took effect; 14 lenders voluntarily cut rates; SEC revoked 12 CAs for AML non-reporting | Shift to longer-tenor “installment” products to avoid cap |
| 2024 Q4 | First criminal conviction: Pasig RTC found “XYZ Lending Corp.” directors guilty of unlicensed lending (4-month jail, ₱500 000 fine) | Sets precedent; still on appeal as of June 2025 |
7 | Cross-border & fintech wrinkles
- Foreign--owned platforms must form a Philippine subsidiary; direct cross-border lending into the PH triggers doing-business test (Afmont Realty v CA [G.R. 170479, 2009]).
- Payment rails: Most OLPs use e-money issuers (EMIs) like GCash/Maya. EMI licence is under BSP; but lending itself still needs SEC CA.
- Buy-Now-Pay-Later (BNPL): If financing is on-balance-sheet, BNPL provider needs FC licence; if only marketplace, may fall under BSP operator of payment system.
- Open-Finance API: When an LC/FC pulls bank transaction data via BSP Circular 1122 (2021) with consent, it must revise its privacy manual and ensure data minimisation.
8 | Penalties at a glance
| Violation | Primary law | Max penalty |
|---|---|---|
| Operating without CA | RA 9474 §12 | ₱1 m + 4 years imprisonment |
| Unfair collection (debt-shaming) | SEC MC 18-2019 | CDO + ₱1 000/day |
| Data-privacy breach | RA 10173 §25-34 | ₱5 m + 6 years |
| Non-filing of AMLC reports | AMLA §20 | ₱500 000-1 m per violation |
| Exceeding BSP capped rates | BSP administrative | Suspension + restitution to borrowers |
9 | Compliance checklist for founders & counsel
- Regulatory triage – Determine if product is consumer loan ≤₱10 k (subject to rate cap) or instalment ≥₱10 k.
- Capital & structure – Meet RA 9474/RA 8556 capital; foreign equity ≤ 49 %.
- CA & OLP filing – Secure SEC CA, then register each versioned app.
- Privacy Impact Assessment – Limit permissions; draft layered privacy notice; register Data Processing System (DPS) with NPC.
- AML Program – Board-approved MLPP, risk-rating engine, real-time sanctions screening.
- Transparent pricing – Show APR, peso-example, fees, due dates before “Apply” button.
- Fair collection script – Train agents; record calls; keep audit logs.
- Cyber-security – Adopt BSP‐DSP guidelines even if not BSP-regulated: encryption at rest, ISO 27001, annual VAPT.
- Reportorial calendar – Automate SEC, NPC, AMLC filings.
- Internal audit & whistle-blowing – Quarterly audits; anonymous channel.
10 | Looking ahead (legislative watch, 2025-2027)
- House Bill 5942 / Senate Bill 1811 (“Predatory Lending Prevention Act”) – proposes 36 % APR nationwide cap and doubles fines for debt-shaming; pending second-reading.
- e-Commerce Act amendments – would classify app stores as digital service providers jointly liable for listing unlicensed lenders.
- NPC “rules of procedure” (draft, May 2025) – may grant NPC direct takedown power over apps and websites without SEC referral.
- ASEAN Cross-Border Data Flows Framework – once ratified, Philippine LCs with data centres abroad must obtain NPC certification akin to CBPR.
11 | Conclusion
Operating an online lending app in the Philippines is legal only under a tripartite compliance regime: (1) SEC licensure & disclosure, (2) BSP consumer-rate caps (for small loans) and payment-rail rules, and (3) NPC data-privacy safeguards, all overlaid by AML and consumer-protection statutes. The regulatory mood since 2019 has been increasingly punitive, with dozens of apps delisted and the first criminal conviction in 2024. Fintech entrepreneurs that treat licensing as mere paperwork or rely on contact-list intimidation risk swift shutdown, criminal prosecution, and director-level liability. Conversely, ventures that bake compliance, ethical data use, and borrower-centric design into their model continue to attract venture funding and regulatory goodwill.
This article is for general information and does not constitute legal advice. For specific transactions, consult Philippine counsel or seek a formal ruling from the SEC or BSP.