Online Lending App Regulations Philippines


Online Lending App Regulations in the Philippines: A 2025 Legal Primer

Prepared 6 July 2025 (Asia/Manila)


1. Regulatory Architecture — Who Oversees What?

| Authority | Core Mandate vis-à-vis Online Lending Apps (OLAs) |
| --- | --- |
| Securities and Exchange Commission (SEC) | Primary licensing and prudential supervision of lending companies (LCs) and financing companies (FCs) under R.A. 9474 and R.A. 8556. Issues cease-and-desist orders (CDOs), imposes fines, and revokes Certificates of Authority (CA). |
| National Privacy Commission (NPC) | Enforcement of R.A. 10173 (Data Privacy Act) and NPC Circulars on lawful data collection and debt-collection conduct. |
| Bangko Sentral ng Pilipinas (BSP) | Oversight when an OLA also functions as an e-money issuer, payments service provider, virtual asset service provider, or digital bank (e.g., R.A. 11127 & BSP Circular No. 1049). Sets systemic risk, AML/CTF, and consumer protection rules. |
| Anti-Money Laundering Council (AMLC) | Covered-person rules apply once total assets/loan portfolio reach the current PHP-thresholds under R.A. 9160 (as amended) & AMLC Regs. |
| Department of Trade and Industry (DTI) | General consumer-protection policing of unfair or deceptive acts under R.A. 7394 (Consumer Act) where SEC jurisdiction does not expressly cover. |
| Department of Information and Communications Technology (DICT) | Cyber-resilience and ICT security standards under the Cybercrime Prevention Act (R.A. 10175) and DICT Department Circulars. |

2. Core Statutes & Key Rules

  1. R.A. 9474 ‒ Lending Company Regulation Act of 2007

    • Requires SEC registration as a stock corporation and a separate Certificate of Authority (CA) to “operate as a lending company.”
    • Capitalization: ₱1 million paid-in minimum.
    • Names must include “Lending Company” or “Lending Investor.”
  2. R.A. 8556 ‒ Financing Company Act of 1998

    • Similar dual registration; higher paid-in capital (₱10 million in NCR; ₱5 million elsewhere; BSP may increase).
    • Permits broader credit-financing activities than LCs.
  3. SEC Memorandum Circular (MC) No. 18-2019

    • Coined the term “Online Lending Platform” (OLP) and required each mobile app, domain, or website to be separately recorded with the SEC’s Corporate Governance and Finance Department (CGFD).
    • Prohibits any OLP operation without prior SEC confirmation letter.
  4. SEC MC No. 19-2019 ‒ Prohibition of Unfair Collection Practices

    • Bans the following: public shaming, threats of physical harm, use of profane language, and contacting persons in the borrower’s phone directory who are not guarantors.
    • Limits contact hours to 6 AM – 10 PM; only the borrower (or spouse) may be contacted through employer numbers.
  5. SEC MC No. 28-2020 ‒ Beneficial Ownership Transparency

    • Mandates submission of Beneficial Ownership Declaration Forms; failure triggers monetary penalties and possible CA suspension.
  6. SEC MC No. 10-2021 ‒ Mandatory Disclosure of Interest Rates and Fees

    • Requires one-page “Key Fact Sheet” inside the app before loan acceptance: APR, service fees, penalties, and total payment in pesos.
    • Any amendment needs “push notification” to all existing borrowers.
  7. SEC MC No. 03-2022 ‒ Enhanced Reportorial Requirements for LCs/FCs using Digital Channels

    • Quarterly submission of:

      • List of all active URLs, APK hashes, and third-party data processors;
      • Server location and cloud service provider;
      • Average and peak daily users.
    • Audited cybersecurity self-assessment, signed by a Philippine-licensed information-security professional.

  8. Data Privacy Act (R.A. 10173) & NPC Advisory Opinion No. 2022-013

    • OLAs may only collect: name, address, email, mobile number, birth-date, TIN/SSS/Gov-ID nos., employer, and two character references.
    • Access to contacts, SMS, images, location, and social-media accounts is prohibited unless strictly necessary and the borrower provides granular, specific, and revocable consent.
    • Retention: raw personal data must be deleted one year after full loan settlement (or immediately upon lawful request).
  9. BSP Circular No. 1160 (2023) ‒ Consumer Protection in Digital Finance

    • Applies when an OLA also offers wallet or payment services; requires 24/7 dispute channels, real-time transaction alerts, and a “cooling-off” option for first-time borrowers.
  10. Anti-Money Laundering Act (R.A. 9160, as amended by R.A. 11521)

    • LCs/FCs become covered persons once their total asset size or single loan transaction exceeds BSP-AMLC thresholds (currently ₱10 million).
    • Must register with AMLC, conduct CDD, and submit CTR/STR filings electronically.

3. Licensing & Operational Workflow

  1. Corporate Setup: Incorporate as a stock corporation under the Revised Corporation Code (R.A. 11232); secure SEC Articles of Incorporation with “Lending Company” in the name.

  2. CA Application (SEC-FGD):

    • Paid-in capital certification, bank certificate, and Treasurer-in-Trust.
    • Business plan with five-year financial projections.
    • Fit-and-proper test for directors/officers (no estafa or BSP-disqualifying offenses).
  3. OLP Registration (if using an app or website):

    • Submit APK (Android) or IPA (iOS) file, domain WHOIS, data-flow diagram, privacy policy, and screenshots.
    • Pay ₱10,000 inspection fee.
  4. Post-License Compliance:

    • Quarterly unaudited and annual audited FS, plus General Information Sheet (GIS).
    • Report material changes (e.g., new version of the app, cloud migration) within 10 days.

4. Interest, Fees & Unconscionability

  • There is no statutory interest-rate cap for SEC-supervised entities (the Usury Law ceilings were lifted in 1982).
  • Courts, however, routinely void “unconscionable” rates (e.g., Supreme Court in Spouses Abella v. Spouses Abella, G.R. 206557, 16 Jan 2023: reduced 720 % APR to 24 % p.a.).
  • OLAs must display effective APR, not just “service fees,” to avoid deceptive marketing exposure under Article 50, Consumer Act.

5. Debt-Collection Conduct Rules (SEC MC 19-2019 & NPC guidance)

| Prohibited Act | Example |
| --- | --- |
| Public shaming | Posting borrower photos on social media or group chats. |
| Misrepresentation | Claiming affiliation with courts or law-enforcement to intimidate. |
| Threats | “We will send police to arrest you tomorrow.” |
| Unreasonable Contact | Calling a borrower’s HR manager every hour or once salary is released. |
| Contacting third parties without basis | Messaging all numbers in the phonebook. |

Penalties (per violation, SEC-imposed): ₱25,000 – ₱1,000,000 plus suspension/revocation of CA; criminal liability under R.A. 9474 §14 (₱50,000–₱100,000 and/or 6-12 months imprisonment).


6. Data Privacy Red Lines

  1. Contact Scraping – Deemed excessive under NPC Advisory Opinion 2019-43; violators subject to R.A. 10173 §33 (1-3 years imprisonment + ₱500k–₱2 million fine).
  2. “Device hostage” permissions – Apps that refuse to uninstall unless the loan is paid are considered unauthorized processing.
  3. Plain-text storage of IDs or selfies – Minimum safeguard breach = 1 % of gross annual income or ₱5 million, whichever is higher (NPC Circular 2022-01).

7. Advertising & Influencer Marketing

  • Must comply with truthful advertising under SEC MC 13-2022—financial influencers (“finfluencers”) must disclose sponsored content.
  • DTI can impose up to ₱300,000 administrative fine per misleading ad.

8. Cross-Border & Outsourcing Issues

  • Server location abroad is allowed provided data are accessible “on-shore on demand” (SEC MC 3-2022).
  • Outsourcing of customer-service or credit-scoring to foreign vendors requires a Board-approved Outsourcing Agreement and a Data-Sharing Agreement vetted by the NPC.
  • Foreign OLAs targeting Philippine residents without local CA: SEC may block local app-store presence via DICT takedown cooperation (first used Feb 2022 vs. “Ready Cash Pro”).

9. AML/CTF & KYC Checklist (when covered)

| Step | Minimum Doc/Info |
| --- | --- |
| Risk Assessment | Documented ML/TF risk matrix. |
| KYC | 1 govt-issued photo ID, selfie-liveness check, device fingerprint. |
| Ongoing Monitoring | Automated alerts for multiple accounts using identical IDs, unusual repayment channels. |
| CTR | File if cash > ₱500,000 single or aggregate in one day. |
| STR | Suspicious patterns (e.g., immediate repayment through crypto off-ramps). |

Failure can trigger administrative fines of ₱10,000 – ₱5 million per violation, plus criminal penalties under R.A. 9160.


10. Sanctions & Enforcement Trends (2020 – Q2 2025)

  • 340 apps forcibly removed from Google Play/Apple App Store.
  • 170 CDOs and 92 CA revocations issued.
  • First criminal conviction of OLA executives for grave threats (Pasig RTC, People v. Li Feng, promulgated 12 Dec 2023).
  • NPC imposed its first cross-border transfer fine (₱6.25 million) against an OLA that sent raw phonebook data to a Vietnam-based collection firm (May 2024).

11. Legislative Outlook (as of July 2025)

| Bill | Core Proposal | Status |
| --- | --- | --- |
| House Bill 7402 ‒ Online Lending Regulation Act | Interest-rate cap of 0.8 % per day and mandatory 30-day grace period. | Passed House 3rd Reading, pending Senate committee. |
| Senate Bill 1979 | Consolidates SEC & BSP consumer-protection functions into a “Financial Consumer Protection Commission.” | Committee Report submitted; interpellations ongoing. |
| House Bill 9165 | Creates “e-KYC shared utility” allowing one-click identity verification across OLAs. | Pending on 1st Reading. |

12. Practical Compliance Roadmap for OLA Operators

  1. Pre-launch

    • Conduct a regulatory scoping memo—confirm if your app triggers BSP licensing (wallet, remittance, VASP).
    • Perform a privacy-by-design review; limit requested permissions to camera, storage (ID upload), and network state.
  2. Launch-year (Year 1)

    • Set up Know-Your-App logging: store APK checksum, release notes, and code-signing certificates.
    • File all SEC and NPC registries within 30 days of first disbursement.
  3. Growth phase (Year 2+)

    • Implement AI-based risk models only after a documented Model Risk Management Policy (SEC MC 9-2023 draft).
    • Appoint a Data Protection Officer registered with NPC; disclose in-app.
  4. Maturity (Year 4+)

    • Consider ISO/IEC 27701 certification for competitive edge.
    • Enroll in Credit Information Corporation (CIC) as a Submitting Entity; improves portfolio performance while meeting R.A. 9510 obligations.

13. Borrower-Side Tips (Know Your Rights)

  • Demand a Key Fact Sheet and compare total payment, not just daily interest.
  • You can revoke consent to contact non-guarantor friends at any time—make the request in writing.
  • Harassment or public shaming? Document and file a complaint with SEC CGFD (cgfd@sec.gov.ph) and NPC (complaints@privacy.gov.ph).
  • Partial payments must be accepted unless expressly disallowed in your loan agreement (Art. 1248, Civil Code).

14. Conclusion

Regulation of online lending apps in the Philippines is now a multi-layered framework dominated by the SEC but heavily interwoven with data-privacy, consumer-protection, and AML standards. After a wave of abusive operators between 2018 and 2021, compliance expectations have hardened: granular consent, fair collection, beneficial-ownership transparency, and cyber-resilience are no longer “best practice” but legal minimums. Operators must design for trust, keep pace with evolving SEC Memorandum Circulars, and anticipate Senate-driven interest-rate caps. Borrowers, on the other hand, hold clearer statutory rights and multiple enforcement avenues.

Staying ahead therefore means treating regulatory compliance not as a box-ticking exercise but a continuous, enterprise-wide discipline—crucial in the Philippines’ fast-growing, scrutiny-intensive fintech landscape.


Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.