Updated for a Philippine legal/compliance audience. This article provides the full legal framework, practical compliance checklists, and a workflow to obtain the official, current list of SEC-registered online lending apps.
1) Executive Summary
Online lending in the Philippines sits under a tightly regulated scheme led by the Securities and Exchange Commission (SEC) for Lending Companies (RA 9474) and Financing Companies (RA 8556). When these entities offer credit via an app or website, that channel is an Online Lending Platform (OLP) that must be separately registered with the SEC and operated under strict conduct, disclosure, data-privacy, and collection-practice rules. Because registrations, suspensions, and revocations change frequently, the only authoritative list is the SEC’s current registry and/or its published advisories and orders. This article explains the law, the registration and compliance requirements, how to confirm whether an app is duly registered, and how to maintain your own defensible list internally.
Deliverable: I prepared a clean spreadsheet template you can use to track the official list and your verification evidence.
2) Governing Laws & Regulators
Securities and Exchange Commission (SEC)
- Lending Company Regulation Act of 2007 (RA 9474).
- Financing Company Act of 1998 (RA 8556).
- Implementing rules and SEC Memorandum Circulars governing OLP registration, disclosure, reporting, conduct, and debt collection.
- Powers to issue Advisories, Cease-and-Desist Orders (CDOs), revocations, suspensions, and administrative fines.
Bangko Sentral ng Pilipinas (BSP)
- Regulates banks and BSP-supervised financial institutions; interacts with lending/financing companies on certain consumer-protection and disclosure expectations (e.g., Truth in Lending Act implementation). If you are not a bank or quasi-bank (QB), the primary corporate regulator remains the SEC.
National Privacy Commission (NPC)
- Data Privacy Act of 2012 (RA 10173). Governs data processing, notice/consent, retention, security measures, data subject rights, breach reporting; relevant to OLPs’ access to phone contacts, media, location, etc.
Truth in Lending Act (RA 3765) and DTI/BSP implementing rules
- Mandates clear disclosure of finance charges, total cost of credit, and computation bases.
Other cross-cutting laws
- Cybercrime Prevention Act (RA 10175) (for misuse of data and systems), Revised Penal Code (threats, libel, harassment), Consumer Act (RA 7394) (unfair/deceptive acts), and Anti-Red Tape Act in relation to permitting.
3) Key Definitions
Lending Company – A stock corporation engaged in lending money from its own funds to the public, not a bank or quasi-bank, registered with the SEC under RA 9474. Minimum paid-in capital: historically ₱1,000,000 (check latest SEC circulars for updates applicable to your case).
Financing Company – A corporation primarily engaged in financing by extending credit, non-bank, registered with the SEC under RA 8556. Minimum capital thresholds are higher and may vary by scope and geography (consult the latest SEC circulars).
Online Lending Platform (OLP) – Any mobile app or web-based platform used by a lending/financing company to market, accept applications, evaluate, approve, release, or collect loans. Each OLP must be registered with the SEC before public release.
4) Who May Operate an OLP
- An SEC-registered Lending Company (RA 9474) with a valid Certificate of Authority (CA); or
- An SEC-registered Financing Company (RA 8556) with a valid CA.
Foreign ownership restrictions: Lending companies under RA 9474 require majority Filipino ownership (historically ≥51% voting stock). Financing companies under RA 8556 allow higher foreign equity subject to constitutional and special-law limits. Always confirm current thresholds in the latest regulations and your specific corporate approvals.
5) Required Authorizations (Pre-Launch)
- SEC Certificate of Incorporation (correct primary purpose aligned to lending/financing).
- SEC Certificate of Authority (CA) to operate as a Lending/Financing Company.
- OLP Registration/Approval per relevant SEC Memorandum Circular(s) for each mobile app and website to be used (often including app name, package ID/bundle ID, domain/URL, screenshots, backend controls, 3rd-party processors, privacy notice, and sample disclosures).
- NPC Registration/DMO filings as applicable (e.g., Data Protection Officer, data processing systems, privacy impact assessment).
- Local government permits (principal office address).
- Third-party service contracts (KYC vendors, data analytics, cloud hosting, collection agencies) available for inspection.
- Consumer protection and complaints handling policy documented.
6) Ongoing Compliance Obligations
Disclosure & Transparency
- Prominently disclose APR/nominal rate, fees, penalties, tenor, computation method, and total cost of credit.
- Provide pre-contractual information and standard form agreements accessible in-app and on the website.
- Clear consent flows for data collection, including device permissions and contact list access (if any).
Interest, Fees, and Penalty Controls
- Observe any caps or limits and computation standards imposed by current SEC circulars and the Truth in Lending Act rules (e.g., limits on late payment charges, processing fees, and total cost of credit where applicable).
- No hidden charges; no forced add-ons without opt-in.
Debt Collection Conduct
- No harassment, intimidation, or “debt shaming” (e.g., blasting an entire contact list, social media threats, obscene/abusive language).
- Contacting third parties is tightly restricted; call times and frequency should be reasonable; accurate identification is required.
- Keep call recordings/communications logs for audit.
Data Privacy & Security
- Purpose limitation and data minimization; explicit consent for sensitive processing.
- Privacy Notice that is specific to the OLP; cookie/SDK disclosures; cross-border data transfer basis (SCCs/adequacy/consents).
- Security measures (encryption at rest/in transit, access controls, vendor risk management).
- Breach notification to NPC and data subjects within statutory timelines.
Reporting & Notifications
- File periodic reports with the SEC (and NPC where applicable).
- Prior notice to the SEC for OLP changes (app name change, domain change, ownership/control changes, material outsourcing, major feature shifts).
Advertising & Marketing
- Ads must be truthful, not misleading; include required disclaimers and APR/cost disclosures where mandated.
- Influencer/affiliate marketing remains the company’s responsibility.
7) Enforcement Toolkit (What Happens When You Don’t Comply)
- SEC Advisories naming non-compliant apps/entities.
- Cease-and-Desist Orders (CDOs) against the company and its OLPs.
- Suspension/Revocation of CA and OLP approvals; app store takedowns coordinated with marketplaces.
- Administrative fines and directors/officers liability for violations or contempt.
- Criminal exposure may arise from harassment, unauthorized practice, falsities, or data-privacy offenses.
8) How to Build (and Defend) Your Own “Current List”
Because the roster of lawful apps changes, treat the “list” as a controlled register you update and evidence regularly. Use the attached spreadsheet:
1. Start with the corporate entity. Record the exact corporate name and SEC CA number.
2. Map each OLP. For every app (Android/iOS) and website, record:
   - App name and package/bundle ID
   - Developer name shown in the store (must match or clearly map to the registered entity)
   - Official website/URL
3. Verify authorization. Confirm the company’s CA is valid and the specific OLP (app/website) has SEC approval. Save screenshots or PDF copies of proof (advisories, registry pages, or letters).
4. Check data-privacy posture. Confirm presence of privacy notice, DPO details, and NPC registration/filings (if applicable).
5. Check disclosures. In-app and website screens should show rates, fees, total cost, and repayment schedule before acceptance.
6. Check collection practices. Ask for the company’s collection policy, scripts, and training materials.
7. Date-stamp and sign off. Enter a “Date of Last Verification” and Reviewer initials in the sheet.
8. Set review cadence. Re-verify monthly (or more frequently during regulatory sweeps). Archive evidence with immutable timestamps.
Tip: If an app’s developer name or corporate name does not match any SEC-registered entity with a valid CA, treat it as a red flag pending clarification.
9) Red Flags for Non-Compliant Apps
- No clear corporate identity (only a brand).
- No SEC CA or no OLP approval cited anywhere.
- Aggressive permissions (contacts, photos, SMS) without clear necessity or consent.
- Debt-shaming reports, threats, or obscene language.
- Hidden fees, ambiguous APR, or “service fees” deducted from proceeds without disclosure.
- Inconsistent developer names across app store and in-app legal pages.
- No working customer support or registered principal office.
10) Practical Checklist (for Compliance & Product Teams)
- Entity has valid SEC CA (copy on file).
- Every app/website used for lending is registered/approved as an OLP.
- Public disclosures are accurate, prominent, and consistent (APR, fees, penalties, total cost of credit).
- Privacy Notice and consent flows pass DPA standards; DPO named and contactable.
- Collection policy prohibits harassment and third-party disclosures; QA of calls/SMS.
- Vendor contracts (KYC, analytics, cloud, collectors) reviewed and filed.
- Audit trail: screenshots, PDFs, and store links dated and archived.
- Incident & breach playbooks tested; reporting lines to SEC/NPC defined.
- Monthly re-verification of registry/advisories; sheet updated with evidence.
11) FAQs
Q: Is there a permanent, printed “master list”?
A: No. Treat any static list as stale. The authoritative position is the current SEC registry + the latest advisories and orders.

Q: Can a financing company (not a lending company) run an OLP?
A: Yes, if it holds an SEC Certificate of Authority and has the specific OLP registered with the SEC.

Q: Are interest rates capped?
A: Caps and computation rules depend on the current SEC circulars and Truth in Lending rules. Always apply the latest circular(s) to your product and jurisdiction and retain documentation of your interpretation.

Q: Can an app access my phone contacts for collection?
A: Access and use are constrained by the Data Privacy Act and SEC/NPC guidance. Debt-shaming and improper third-party disclosures can trigger enforcement.
12) How to Present the “List” Internally
Use the attached Excel as your controlled register. Suggested columns include app name, corporate entity, SEC Registration No., CA No., entity type, OLP URL, app-store link, office address, contacts, fees snapshot, date of last verification, evidence, and status.
- File: SEC_Registered_OLPs_Template.xlsx
13) Final Notes
- Maintain versioned evidence (PDFs/screenshots) for every entry on your list.
- Align product, legal, compliance, marketing, and vendor management on a single source of truth (the maintained register + evidence folder).
- For any uncertainty (e.g., rebranded apps, corporate restructurings), treat the entry as unverified until you obtain documentary proof of current authorization.
This article is intended as a comprehensive legal-compliance guide for identifying and maintaining the list of SEC-registered online lending apps in the Philippines and for operating an OLP in full compliance with Philippine law.