The rapid expansion of financial technology (fintech) in the Philippines has revolutionized access to credit, making instant loans available at the tap of a smartphone screen. However, this digital credit boom has been accompanied by a rise in predatory lending, data privacy violations, and unfair collection mechanisms. To safeguard consumers and maintain financial stability, the Securities and Exchange Commission (SEC) enforces a stringent regulatory and licensing framework for Online Lending Apps (OLAs), legally referred to as Online Lending Platforms (OLPs).

For fintech founders, legal practitioners, and investors, understanding and complying with these regulations is paramount to operating legally within the jurisdiction.

I. The Statutory Foundation: Mandatory Corporate Form

Under Philippine law, engaging in the business of lending or financing requires a specific legal structure. Prospective operators cannot run an online lending application as a sole proprietorship, a general partnership, or an ordinary stock corporation without specialized secondary licensing.

• The Revised Corporation Code (Republic Act No. 11232): Any entity intending to offer loans to the public must incorporate as a stock corporation.
• Exclusion of General Purposes: The Articles of Incorporation must explicitly state that the company’s primary purpose is to operate as a lending or financing company.

II. The Dual-License Framework

An OLA cannot legally operate with a standard corporate registration alone. The SEC mandates a dual-licensing process: a Primary License to exist as a corporate entity, and a Secondary License to engage in credit operations.

1. Primary License (Certificate of Incorporation): Obtained through the SEC’s Electronic Simplified Processing of Applications for Financial Institutions (eSPARC) system, establishing the company’s legal personality.
2. Secondary License (Certificate of Authority): Before deploying an OLA or executing a single loan contract, the corporation must secure a Certificate of Authority (CA) to Operate as a Lending or Financing Company.

The operational and capitalization requirements vary depending on whether the entity registers under the Lending Company Regulation Act or the Financing Company Act:

III. SEC Memorandum Circular No. 19, Series of 2019: OLP Registration

To track the exact digital footprints of fintech lenders, the SEC enacted Memorandum Circular No. 19, Series of 2019. This requires existing and new lending or financing companies to register their specific online platforms before operation.

1. Registration of Digital Assets

A licensed corporation cannot simply launch an app on the Google Play Store or Apple App Store at will. It must file an affidavit with the SEC Corporate Governance and Finance Department (CGFD) declaring:

• The names, brand names, and URLs of all websites or applications.
• The identity of third-party platform developers, hosts, and operating systems.
• Proof of ownership or authorized use of the digital intellectual property.

2. Mandatory In-App Disclosures

To eliminate deceptive advertisements, the SEC requires OLAs to display specific transparency data prominently on their landing pages, user interfaces, and advertisements:

• The official Corporate Name (not just the app product name).
• The SEC Registration Number.
• The Certificate of Authority (CA) Number.
• A clear warning statement advising borrowers to study the terms and conditions before proceeding with any loan transaction.

3. Truth-in-Lending Compliance

Pursuant to the Truth in Lending Act (R.A. 3765), the app must display a clear, downloadable Disclosure Statement prior to the consummation of the loan contract. This statement must explicitly itemize:

• The principal loan amount.
• The net proceeds to be disbursed.
• All applicable deductions (processing fees, service fees, collection fees, and documentary stamp taxes).
• The total finance charges and the Effective Interest Rate (EIR) or Annual Percentage Rate (APR), rather than misleading daily nominal rates.

IV. Consumer Protection and Operational Constraints

Fintech operators are subject to intense scrutiny regarding data management and debt collection practices. Non-compliance with the following pillars can result in automatic cancellation of operational authority.

1. Prohibition of Unfair Debt Collection Practices (SEC MC No. 18, Series of 2019)

To curb widespread borrower harassment, the SEC outlines specific collection tactics that are deemed unlawful:

• Using profane, obscene, or abusive language.
• Disclosing or threatening to disclose the borrower’s default to third parties who are not guarantors or co-makers.
• Contact Harvesting: Accessing or downloading the borrower’s phone contacts list to message them regarding the debt.
• Contacting borrowers at unreasonable hours (defined as before 6:00 AM or after 10:00 PM), unless the account is past due for over 15 days and prior consent was obtained.

2. Data Privacy Act (R.A. 10173) Alignment

Online lending applications must strictly respect data privacy boundaries. Under National Privacy Commission (NPC) circulars, OLAs are prohibited from requiring excessive permissions—such as unrestricted access to the user's camera, gallery, files, or real-time GPS location—unless absolutely essential for the identity verification (KYC) process, and even then, only with explicit, granular consent.

The Regulatory Moratorium

To address an influx of predatory applications, the SEC implemented a strict moratorium on the registration of new online lending platforms (SEC Memorandum Circular No. 10, Series of 2021). Consequently, companies looking to deploy new apps must operate via highly scrutinized sandbox models, acquire or partner with existing licensed corporations holding active CAs, or wait for the targeted lifting of the moratorium on a case-by-case basis.

V. Ancillary Registration Requirements

Beyond the SEC, an OLA must navigate other critical regulatory agencies to achieve full operational legality:

• Anti-Money Laundering Council (AMLC): Lending and financing companies are considered "Covered Persons." They must register with the AMLC, formulate a Money Laundering and Terrorist Financing Prevention Program (MTPP), and establish strict Know-Your-Customer (KYC) identity verifications to flag suspicious or covered transactions.
• Credit Information Corporation (CIC): Under R.A. 9510, licensed lenders are required to submit basic credit data and borrower repayment histories to the centralized credit registry.

VI. Statutory Penalties and Enforcement Mechanisms

Operating an online lending app without proper SEC clearance or violating consumer protection circulars triggers heavy administrative and criminal liabilities.

• Unauthorized Operations: Engaging in the business of a lending or financing company without a Certificate of Authority is a criminal offense. Under R.A. 9474, violators can face fines ranging from ₱10,000 to ₱100,000, and corporate officers can face imprisonment terms from 6 months to 10 years.

• Administrative Sanctions: For licensed companies that fail to register specific apps or violate collection/privacy guidelines, the SEC's CGFD utilizes a tiered penalty scheme:

• First Offense: Formal reprimand and basic monetary fine.

• Second Offense: Fines scaling up to ₱1,000,000 and temporary suspension of lending operations.

• Third Offense: Issuance of a permanent Cease and Desist Order (CDO) and the revocation of the Certificate of Authority and Corporate Registration.

• Digital Takedowns: The SEC actively collaborates with the National Telecommunications Commission (NTC), Google, and Apple to remove unregistered apps from digital market spaces and block their domains nationwide.