Comprehensive legal guide as of 2025. For general information only; not legal advice.
1) Snapshot: who regulates what
- Securities and Exchange Commission (SEC) – primary regulator of lending companies and financing companies, including those that lend via apps and websites. Issues the Certificate of Authority (CA) to operate, prescribes disclosure/collection standards, and can suspend/revoke licenses and order takedowns.
- National Privacy Commission (NPC) – enforces the Data Privacy Act (DPA) for apps’ data collection, permissions, contact scraping, and “shaming” practices. Can order stop-processing, impose fines, and require breach notifications.
- Anti-Money Laundering Council (AMLC) – implements AMLA compliance; lending/financing companies are covered persons (KYC, recordkeeping, and reporting of covered/suspicious transactions).
- BSP (Bangko Sentral ng Pilipinas) – supervises banks, e-money issuers, payment service providers that OLAs often use for disbursement/collection; sets credit card caps (not directly for OLAs) and consumer protection standards for BSP-supervised entities.
- DTI – consumer protection (advertising and unfair trade practices) where applicable.
- LGUs/NTC/DICT/app stores – auxiliary roles (permits, number blocking requests, digital takedowns, app listing requirements).
2) Can you lend online without an SEC license?
No. To offer loans to the public—whether through a mobile app, website, or offline—you must:
- Incorporate/register the business;
- Obtain the SEC Certificate of Authority as a Lending Company (LCRA regime) or Financing Company (Financing Company Act regime); and
- Comply with ongoing reporting and conduct rules.
Operating without a CA is a criminal and administrative violation. Using an “agent” or platform front does not cure the requirement; the entity offering or granting the loan must be licensed. Cross-border apps targeting PH users likewise need Philippine authorization.
Nationality & capital notes (high level):
- Lending companies typically require Filipino majority ownership and a minimum paid-in capital (statutory floor).
- Financing companies have different capital/nationality rules and may allow greater foreign participation, subject to the Foreign Investment Negative List and special laws. (Exact thresholds depend on the specific statute and current rules; align your structure with counsel.)
3) What counts as an “Online Lending Platform (OLP/OLA)”
Any digital channel that markets, processes, approves, disburses, or collects consumer loans—native app, web app, chat-based flow, or API gateway. If the app merely markets but the loan is granted by a licensed principal, the principal remains responsible for compliance; outsourcing does not transfer regulatory liability.
4) Required borrower disclosures (before you take a loan)
Borrowers must receive clear, conspicuous, and itemized disclosures before consent, reflecting principles of the Truth in Lending framework:
- Total loan amount and net proceeds (after any deductions).
- Tenor, repayment schedule, and due dates.
- Interest rate and all finance charges/fees (processing, service, disbursement, collection, late, and prepayment charges).
- APR/effective rate (best practice) and sample amortization.
- Default consequences (collections, reporting to credit bureaus).
- Privacy notice (specific purposes, data sharing, retention).
- Customer support and complaint channels.
Surprise “first-day interest,” hidden “service fees,” or back-loaded penalties risk being struck down as unconscionable.
5) Interest, fees, and “usury”
The Usury Law ceilings are suspended, but courts and regulators invalidate or reduce unconscionable rates and charges. Caps for credit cards (a BSP domain) do not automatically apply to OLAs; however, OLAs are still bound by fairness and disclosure rules. Rule of thumb: The higher the nominal rate and fees, the stricter the scrutiny; be transparent and proportionate.
6) Collections: the hard lines you cannot cross
OLAs and their collectors must not:
- Harass, threaten, or shame borrowers (no doxxing, no defamatory posts, no “warrant” or “arrest” threats—non-payment of debt is civil, not criminal).
- Contact third parties (family, employers, friends) without a lawful basis and consent.
- Use obscene language, call at unreasonable hours, or misrepresent as police, court, or government.
- Access phone contacts, photos, SMS, or location beyond what is strictly necessary and consented to.
- Retain data longer than necessary or share it with unvetted collectors.
Expect regulators to require: caller identification, limited call windows, and documented cease-and-desist on third-party contacts when requested. Debt shaming routinely triggers NPC and SEC enforcement.
7) Data privacy for lending apps (what’s allowed)
Under the Data Privacy Act and its rules:
- Lawful basis & consent: Collect only what is relevant (KYC, credit assessment, fraud control). Blanket permissions (e.g., auto-harvest of contacts/photos) are generally not “necessary.”
- Transparency: Provide layered privacy notices in-app; specify data sharing with collectors, analytics, cloud hosts, and credit bureaus.
- Data minimization: No “permissions first, purpose later.” Turn off device permissions by default unless required for the current step.
- Security: Encryption, access controls, and vendor due diligence; report breaches to NPC and affected users within statutory timelines.
- Data subject rights: Access, correction, deletion (when compatible with laws), portability, and objection to certain processing (e.g., marketing).
- DPAs with collectors/partners and cross-border transfer safeguards.
8) AML/KYC obligations (AMLA)
Lending/financing companies are covered persons under the Anti-Money Laundering Act:
- Customer due diligence (identify and verify), beneficial ownership, and ongoing monitoring.
- Recordkeeping (usually 5 years from last transaction/closure).
- Reporting: Covered (threshold-based) and Suspicious Transaction Reports to AMLC.
- Sanctions screening and terrorism financing controls.
Onboarding must balance privacy and risk—collect enough for AML, not everything your SDK can grab.
9) Use of third-party service providers
- You remain responsible. Outsourcing credit scoring, verification, or collections requires contracts, supervision, and privacy/security controls.
- International vendors: ensure cross-border data transfer compliance and localization of support for complaints and takedowns.
10) Reporting to the credit registry
The Credit Information Corporation (CIC) framework allows lenders to submit and pull credit data. Before reporting negative information, provide proper notice and ensure accuracy. Borrowers may dispute erroneous reports and request correction.
11) E-contracts, e-signatures, and proofs
Under the E-Commerce Act, electronic contracts and e-signatures are generally valid. Keep robust audit trails (consent screens, OTP logs, IP/device fingerprints, timestamped ledgers). Notarization is not required for simple loans, but large exposures may still use e-notarized or wet-ink agreements for enforcement confidence.
12) Advertising and growth practices
- No deceptive ads: State the true cost, avoid “0%” claims if there are fees that function as interest.
- App store compliance: Listings should match the corporate name on the SEC CA; submit updated documents when publishing or updating apps.
- Referral programs: Avoid unfair or spammy tactics; obtain marketing consent and provide opt-out mechanisms.
13) Complaints and enforcement pathways (borrowers)
If you encounter harassment, hidden fees, or privacy abuses:
Document everything: screenshots, caller IDs, messages, recordings (if lawful), app permissions.
Write to the lender (support/legal address in the app) demanding correction or data restriction.
File with regulators:
- SEC (licensing, unfair collection, illegal lending),
- NPC (privacy violations, shaming, contact scraping),
- DTI (deceptive marketing),
- AMLC (for suspicious activity), and, where appropriate,
- PNP/NBI (for threats, extortion, or cybercrimes).
Consider civil suits (damages, injunction) for severe abuses.
If the lender is unlicensed, warn others and report for takedown.
14) Special topics
a) Is non-payment a crime?
No. Simple non-payment of a loan is a civil matter. Threats of arrest or “NBI cases” for a consumer loan are baseless unless there’s fraud, bounced checks under special laws, or other independent crimes.
b) “Consent to access contacts = consent to shame”?
No. Consent must be specific and informed. Public disclosure of debt to third parties or social-media shaming exceeds legitimate collection purposes and violates privacy and consumer protection rules.
c) Rollovers, top-ups, and pyramiding fees
Stacking fees to simulate “new disbursements” can be treated as disguised interest and unfair. Regulators and courts look at the effective cost to the borrower.
d) Restructuring and hardship plans
Lenders should offer reasonable options (tenor extension, fee relief) and memorialize revised terms. Keep clear amortization schedules and updated disclosures.
15) Compliance checklists
For Online Lenders/FinCos
- Corporate & licensing: SEC registration and CA; branch notifications; nationality & capital checks.
- Consumer protection: Full pre-contract disclosures, standardized APR display, cooling-off/withdrawal policy (if offered), clear complaints channel.
- Privacy: DPO designated, privacy management program, data inventory, DPIAs for the app, minimal permissions, breach response plan.
- AML: Board-approved AML manual, KYC program, STR/CTR workflows, training, testing.
- Collections: Written code of conduct, call-time limits, ban on third-party contacts without basis, audit of agencies.
- Technology: Secure SDLC, vendor due diligence, logs, encryption at rest/in transit, role-based access.
- Credit reporting: CIC onboarding, accurate and timely submissions, dispute process.
- Governance: Complaints MI (management information reporting), regulatory reporting, readiness for SEC/NPC inquiries.
For Borrowers
- Before borrowing: Check if the lender states its SEC CA number/name; read the rate + fee table; review permissions and privacy notice.
- While borrowing: Keep copies of contracts, OTP confirmations, and amortization.
- If things go wrong: Demand a ledger, dispute wrong charges, revoke unnecessary permissions on your phone, and report abusive behavior.
16) Penalties & remedies (high level)
- SEC: Fines, suspension/revocation of CA, cease-and-desist, public advisories, and referral for criminal prosecution (e.g., illegal lending, unfair collection).
- NPC: Administrative fines, stop-processing orders, and mandatory remediation; civil damages may also be pursued.
- AMLC: Administrative sanctions for AML breaches; potential criminal liability for willful violations.
- Courts: Invalidate unconscionable charges, award damages/attorney’s fees, grant injunctions against harassing collections.
17) Governance patterns regulators expect
- “Privacy by design” in the app (permissions only when needed; no contact scraping).
- Fair cost presentation (APR prominently shown; fee caps internally enforced).
- Complaint response within set timelines, with documented closure.
- Collection QA: recorded calls, random audits, sanctions for rule-breaking agents.
- Regular board reporting on complaints, privacy incidents, AML alerts, and regulator interactions.
18) Frequently asked questions
Q1: The app wants access to my contacts and photos. Is that required?
A: For a standard cash loan, no. That is typically excessive and risky under the DPA.
Q2: Can they call my employer/family?
A: Not without a lawful basis and specific consent. Even then, content must be limited (identity verification/locating the borrower), not shaming.
Q3: They threatened jail if I don’t pay today.
A: Ignore the threat but document it. Non-payment is civil. Report to SEC/NPC if harassment or privacy abuse occurs.
Q4: Are payday-style “7-day loans” legal?
A: Short-tenor loans are not per se illegal, but hidden fees and exploitative rates are actionable. Demand a full cost breakdown.
Q5: Can I prepay without penalty?
A: Depends on the contract; prepayment penalties must be disclosed and reasonable. Undisclosed penalties are disputable.
19) Practical templates
A) Borrower complaint to lender
Subject: Request for Ledger and Correction of Charges
Dear [Lender],
Please provide my complete transaction ledger, including all interest, fees, and penalties applied. I dispute the following charges: [list]. Kindly correct these within 7 days and confirm my updated schedule.
B) Privacy complaint (NPC/SEC)
Subject: Online Lending App – Harassment/Privacy Breach
The app [name] accessed my [contacts/photos/SMS] without necessity and contacted third parties about my debt, causing harm. Attached are screenshots/recordings. I request investigation, an order to stop processing, and sanctions.
C) Cease-and-desist to collector
Effective immediately, contact me only at [number/email] during [hours]. Do not contact any third party. Further harassment will be reported.
20) Key takeaways
- License first: Apps that lend to the public must have an SEC Certificate of Authority; unlicensed lending is illegal.
- Privacy is central: Contact scraping and shaming are regulatory red flags.
- Collections must be fair: No threats, no misrepresentations, no third-party harassment.
- Disclose the real cost: Clear rates, fees, and schedules; avoid unconscionable charges.
- AMLA applies: KYC and reporting are mandatory.
- Borrowers have remedies: Keep records, demand transparency, and report abuses.
If you want, share the app name, your contract screenshots (rates/fees), and a brief timeline. I can map your exact options (regulatory complaints, demand letters, and a repayment plan) tailored to your case.