Philippine context; practical, compliance-oriented; suitable for borrowers, founders, compliance officers, and counsel.
1) What counts as an “online lending app” (OLA)
An online lending app is any digital channel—mobile app, website, or social platform—used by a lending company or financing company to market, accept applications for, approve, and collect on money loans. In the Philippines:
- Banks and non-bank financial institutions supervised by the Bangko Sentral ng Pilipinas (BSP) are not “lending companies” or “financing companies” for SEC purposes.
- Lending companies and financing companies are corporations under the Securities and Exchange Commission (SEC) regime and must obtain a separate Certificate of Authority (CA) to operate, on top of SEC corporate registration.
- If lending is done primarily through an app or website, the online lending platform (OLP) itself is treated as part of the regulated activity—its name/URL/app ID must be reported to and approved/recorded by the SEC.
2) Core legal sources (what governs OLAs)
- Lending Company Regulation Act (LCRA) (Republic Act No. 9474) and its IRR – creates the SEC licensing framework for lending companies and penalizes unlicensed lending.
- Financing Company Act (as amended) and its IRR – parallel regime for financing companies.
- Revised Corporation Code – corporate governance, directors’ duties, and sanctions.
- Financial Products and Services Consumer Protection Act (FCPA) (Republic Act No. 11765) – cross-sector consumer-protection standards (disclosure, suitability, fair treatment, complaints handling) implemented by the SEC for its supervised entities.
- Data Privacy Act (DPA) (Republic Act No. 10173) + NPC issuances – consent, purpose limitation, data minimization, security, and breach notification.
- Special rules on OLAs and collections – SEC Memorandum Circulars (MCs) addressing unfair debt collection, registration/reporting of online platforms, advertising disclosures, and use of trade names (numbers and wording evolve; always follow the latest form attached to the SEC’s notices).
- Jurisprudence on interest and penalties – while statutory usury ceilings were suspended, Philippine courts strike down unconscionable interest/penalties and may recompute to reasonable rates.
Practical takeaway: To operate an OLA lawfully, you need (a) a corporation, (b) an SEC Certificate of Authority, (c) duly reported OLPs (each app/URL), and (d) DPA compliance (NPC registration/notifications as applicable, privacy notices, security program). Then implement FCPA-grade consumer protection across the lifecycle.
3) Who may operate and under what licenses
- Lending company: A stock corporation organized for lending from its own capital; must secure an SEC CA to Operate as a Lending Company.
- Financing company: A corporation engaged in financing activities (e.g., installment financing, factoring, direct lending); requires an SEC CA to Operate as a Financing Company.
- Trade names/brands: You may market under a registered trade name, but the corporate name and CA number/status must be clearly disclosed in the app, website, and advertising.
- OLP registration/reporting: Each app name, bundle ID, Play/App Store listing, and website used for loan origination/collection must be declared to the SEC before use and kept in sync when updated. Shadow or mirror apps are red flags.
4) Borrower-facing obligations (what a lawful OLA must show and do)
a) Marketing & onboarding
- Present the corporate name, SEC Registration No., and Certificate of Authority No.
- Provide a Key Information Statement (FCPA-style) before the borrower commits, showing: principal, all fees/charges, effective rate/APR methodology, due dates, repayment channels, consequences of late payment, and contact points for complaints.
- Avoid deceptive claims (“instant approval”, “0% interest” that is offset by “processing fees”). If fees exist, name and quantify them.
b) Data privacy
- Privacy Notice in plain language, stating purposes (credit assessment, fraud prevention, collections), lawful basis, retention, sharing, and data subject rights.
- Data minimization: Access only what is necessary. Phonebook scraping, mass contact scraping, microphone/camera/geolocation access unrelated to underwriting/servicing are high-risk and often unlawful.
- Third-party processors (KYC vendors, cloud services) require Data Processing Agreements and appropriate cross-border safeguards.
c) Credit assessment & suitability
- Apply fair, explainable criteria; avoid discriminatory variables.
- Disclose if decisions are automated and provide a way to contest or seek human review.
d) Collections conduct (strict rules)
Prohibited practices include:
- Harassment, threats, profanity, or shaming (including social-media doxxing and “shame texts”).
- Contacting people other than the borrower. Guarantors and references may be contacted only for legitimate location purposes, and even then the borrower’s debt must not be disclosed to them.
- Misrepresenting as law enforcement, court officials, or regulators; fake legal notices.
- Excessive contact frequency or calling at odd hours.
Required practices: identify your company, provide accurate account status, respect cease-and-desist or preferred-channel requests when lawful, and keep call recordings/logs.
e) Complaints handling
- Maintain a written complaints policy, dedicated helpdesk/e-mail, acknowledgment timelines, and resolution turn-around consistent with FCPA standards.
- Keep audit trails for all complaints and resolutions.
5) Interest, fees, and “unconscionability”
The old usury ceilings are suspended; however, courts routinely invalidate or reduce interest and penalties that are excessive or shocking to conscience (especially when combined with layered “processing,” “service,” and “convenience” fees).
To withstand scrutiny, OLAs should:
- Disclose the effective rate and provide a total cost of credit example.
- Cap penalties to a reasonable level (avoid “interest on interest” cascades).
- Offer grace periods, payment plans, or hardship programs and document these.
6) Enforcement landscape (what happens if you violate)
- Cease and Desist Orders (CDOs) against the company and the specific app/URL; takedown coordination with app stores.
- Revocation or suspension of the Certificate of Authority; disqualification of directors/officers for repeated violations.
- Administrative fines and criminal prosecution for unlicensed lending and false statements in filings.
- Data privacy sanctions (NPC): compliance orders, monetary penalties, and possible criminal liability for willful violations.
- Other exposure: Cyber-libel, grave coercion, unjust vexation, anti-harassment laws, and civil damages for abusive collection and reputational harm.
7) Due-diligence checklist (for borrowers)
Verify the company:
- Exact corporate name (not just app name).
- SEC Registration No. and Certificate of Authority status.
- Check that the app/URL matches the company’s declared OLPs.
Read the Key Information Statement: principal, fees, APR/effective rate, repayment schedule.
Check the privacy notice: does it explain what data they collect and why?
Assess the collection clause: pay attention to permissions to contact third parties and the call time windows.
Red flags: threats in ads, lack of corporate identity, changing app names, requests to upload unrelated personal files, or pressure to sign blank forms.
Keep records: screenshots of terms, invoices, and payment proof.
8) Compliance roadmap (for founders and compliance teams)
Phase 0 – Structuring
- Pick the correct vehicle (lending vs financing company).
- Draft Articles/By-laws aligned to regulated activities.
Phase 1 – Licensing
- Secure SEC corporate registration and Certificate of Authority.
- File beneficial ownership disclosures and fit-and-proper documents for directors/officers.
Phase 2 – Platform approvals
- Report every OLP (app/website), trade name, and marketing domain.
- Maintain a content governance register: app store assets, screenshots, version history, and URLs with timestamps.
Phase 3 – Risk & privacy
- Appoint a Compliance Officer and Data Protection Officer (DPO); register with NPC as applicable.
- Implement a Privacy Management Program, PIAs (privacy impact assessments), Breach Response Plan, and vendor DPAs.
Phase 4 – Consumer protection
- Produce Key Information Statements, templates (loan agreements, disclosures), cooling-off/withdrawal logic if offered, and a complaints SOP.
- Design collections playbooks with quality monitoring (call scripts, call-time windows, frequency caps).
Phase 5 – Monitoring & reporting
- File periodic reports required by the SEC (financial statements, compliance attestations, OLP updates).
- Maintain audit trails of approvals, complaints, refunds, and corrective actions.
9) Special issues and common pitfalls
- Using multiple app names for one corporation without properly reporting them to the SEC.
- Outsourcing collections to agencies that ignore the unfair collection prohibitions—the principal remains liable.
- Phonebook scraping and mass texts to contacts: highly likely DPA violations; invites NPC complaints and reputational damage.
- Hidden fees disguised as “processing” or “convenience” charges that dwarf the “headline” interest.
- Cross-border data transfers without safeguards or notice.
- Non-existent complaints desk or slow responses—now a statutory problem under the FCPA.
10) Borrower remedies & where to complain
- SEC (for licensing/collections/OLA misconduct) – file complaints with supporting screenshots, contracts, and call logs.
- National Privacy Commission (for data privacy breaches and abusive data use) – provide evidence of unauthorized contacts, overbroad permissions, and shaming.
- PNP-Anti-Cybercrime Group – for threats, doxxing, cyber-libel, extortion.
- Courts – civil actions for damages; ask courts to reduce unconscionable interest/penalties and to enjoin harassment.
- DTI/Local authorities – for unfair business practices overlapping with consumer protection and advertising.
Practical tip: Keep a chronology: dates of app install, disclosures captured by screenshots, each call/SMS (with numbers and timestamps), payment proofs, and complaint e-mails. This timeline often decides cases.
11) Documentation pack (borrowers & lenders)
For borrowers
- Loan contract & KIS snapshots
- Payment receipts/bank proof (GCash/InstaPay screenshots with reference nos.)
- All communications (SMS, in-app, e-mail, call recordings if lawful)
- Copy of privacy notice at the time of application
For lenders
- Licensing file (SEC registration/CA, OLP reports)
- Current app store profiles and version control
- Privacy program (DPO appointment, PIA, breach plan)
- Complaints log and resolutions dashboard
- Collections QA reports, vendor oversight files
12) Model clauses & sample artifacts
a) Key Information Statement excerpt (illustrative)
- Principal: ₱____
- Total fees (itemized): ₱____ (processing ₱____, disbursement ₱____, others ₱____)
- Stated interest: __% per __ (methodology)
- Estimated total cost of credit at maturity: ₱____
- Due date(s): ____
- Cooling-off/withdrawal (if any): ____
- Complaints desk: e-mail/phone, response within __ business days
b) Collections Code (outline)
- Contact window: 8:00–20:00 local time; no more than __ attempts/day and __/week
- No contact with third parties except guarantors/references; no debt disclosure to them
- No threats, profanity, or misrepresentation
- Mandatory ID of collector and company in each contact
- Recording notice and opt-out where applicable
c) Consent & Privacy (outline)
- Specific purposes (credit assessment, fraud prevention, servicing, regulatory reporting)
- No access to contacts/media files unless demonstrably necessary and explained
- Data retention schedule (e.g., active life + __ years) and secure deletion policy
- Data subject rights workflow (access, correction, deletion, objection)
13) Frequently asked questions
Q: Is an app “registered” if the company is registered? A: Not automatically. The company must be SEC-registered and have a Certificate of Authority; each app/URL must be reported/cleared per SEC OLP rules.
Q: Can OLAs hire lawyers or agencies for collections? A: Yes, but the principal remains responsible for any unfair collection acts done on its behalf.
Q: Are OLAs allowed to call my employer or family? A: As a rule, no disclosure to third parties; limited “location” inquiries may be allowed without revealing the debt. Persistent calls and shaming are prohibited.
Q: Are ultra-high rates legal? A: Courts may strike down rates/penalties that are unconscionable even if the borrower “agreed” in the app; expect recomputations to reasonable amounts.
14) Bottom line
For borrowers: Deal only with SEC-licensed lenders whose apps/websites are declared to the SEC, read the KIS, keep records, and assert your privacy and fair-collection rights. For lenders: Licensing + OLP reporting, privacy-by-design, FCPA-grade disclosures, and clean collections are non-negotiable. Governance and evidence are your best defense.
This guide focuses on principles that remain constant even as specific memorandum numbers, forms, and disclosure formats evolve. Always follow the latest SEC and NPC circulars attached to your filings or posted in court/agency notices.