SEC Registration Compliance for Online Lending Apps (Philippine Context)
Short take: If you lend to the public in the Philippines using a website or mobile app, you must (1) be a Philippine domestic corporation, (2) secure a Certificate of Authority (CA) from the Securities and Exchange Commission (SEC) as a lending company (RA 9474) or financing company (RA 8556), and (3) satisfy online-specific rules on platforms, disclosures, data privacy, collections, advertising, and anti-money laundering. Operating or marketing to Philippine residents without the proper license is unlawful and invites takedowns, fines, and criminal exposure.
I. Legal & Regulatory Framework
- Lending Company Regulation Act (RA 9474) and its IRR – governs lending companies (primary business is granting loans from own capital).
- Financing Company Act (RA 8556) – for financing companies (financing of merchandise or services, consumer/merchant finance, factoring, etc.).
- Revised Corporation Code – corporate governance, reporting, and sanctions.
- Truth in Lending Act (RA 3765) – clear and meaningful disclosure of finance charges and effective cost of credit.
- Anti-Money Laundering Act (RA 9160), as amended – lending/financing companies are covered persons; KYC, CDD, recordkeeping, CTR/STR filing, AML program.
- Cybercrime Prevention Act (RA 10175) – relevant for platform abuses, unauthorized access, data interference.
- Data Privacy Act (RA 10173) – DPO appointment, privacy notices, security measures, breach response.
- E-Commerce Act (RA 8792) – legal effect of e-documents/e-signatures; e-contracting standards.
- Consumer Act and SEC rules on unfair collection practices – prohibit harassment, shaming, threats, contact scraping.
Key distinction: “Lending company” vs “financing company” depends on the business model; both require SEC authority but have different capital, purpose, and scope features. Choose the right license at incorporation.
II. Can You Lend Without an SEC License?
No. It is illegal to operate, advertise, or hold out to the public as a lender/financier without an SEC Certificate of Authority. Individuals and partnerships cannot engage in the business of lending; you must incorporate as a domestic corporation with a proper primary purpose and then obtain the CA before starting operations. Violations can lead to cease-and-desist orders, site/app takedowns, administrative fines, criminal cases, and directors’/officers’ liability.
III. Incorporation & Certificate of Authority (CA)
1) Incorporation essentials
- Entity: Philippine domestic corporation.
- Name: Must comply with SEC name rules; lending companies typically include “Lending” or “Lending Company”; financing companies use “Financing”.
- Primary purpose clause: Must squarely cover lending/financing per RA 9474/RA 8556.
- Capitalization: Observe minimum paid-in capital applicable to the chosen license (lending companies generally lower than financing companies). Keep proof of paid-in capital and bank certificates.
- Directors/officers: Fit-and-proper standards; submit IDs, NBI clearances where required.
2) CA application (post-incorporation)
- Corporate documents: Articles/By-laws, GIS, board resolutions.
- Business plan: Target market, underwriting, pricing, collection policies, risk/compliance structure.
- Operations manuals: Credit, collections, complaints handling, KYC/AML, information security.
- Compliance attestations: Truth-in-Lending disclosures, privacy program, AML/CFT program, complaint channels.
- Branching: Register branches and secure corresponding local permits.
No CA, no lending. Do not market, accept applications, or disburse loans before CA issuance.
IV. Extra Compliance for Online Lending Platforms (OLPs)/Apps
Regulators treat a website/app as an extension of your lending office. Expect the SEC to require prior notification/registration of your domain(s), app name(s), and store listings, and to keep them updated.
Your app/website must show, clearly and prominently:
- Exact corporate name and SEC registration number, CA number, principal office address.
- Customer assistance channels: phone, email, chat hours, turnaround times, escalation path.
- Full price disclosure: nominal rate, any add-on rates, fees/charges, APR/EIR where applicable, amortization schedule, total cost of credit.
- Repayment terms: due dates, grace periods (if any), penalties/interest on arrears, prepayment rules.
- Privacy notices & consents: stated purposes, data categories collected, third-party sharing, retention periods, data subject rights, DPO contact.
- Collection policy summary: prohibited practices and your complaint redress mechanism.
You must NOT:
- Access contact lists, photos, media, or files unrelated to credit assessment without necessity and consent.
- Use shaming, threats, profanity, doxxing, or social-media exposure to collect.
- Misstate approvals (“pre-approved” when not), hide fees, or bait-and-switch rates.
- Use look-alike names/logos to imitate licensed institutions.
- Onboard borrowers without adequate identity verification and contract delivery (e-sign with robust audit trails).
V. Collections & “Unfair Debt Collection” Rules
SEC rules prohibit abusive collection. Core bans typically include:
- Threats of violence, obscene language, repeated calls at unreasonable hours, and public shaming.
- Contacting persons in the borrower’s phonebook or workplace to shame or disclose debt.
- False representation as a lawyer, court officer, or law-enforcement agent.
- Disclosing the borrower’s debt to third parties without lawful basis.
Do this instead:
- Contact only through declared channels, within reasonable hours, with scripted, recorded interactions.
- Provide verifiable company/agent IDs, call reference numbers, and a clear dispute pathway.
- Maintain a Collector’s Code of Conduct, training, and disciplinary matrix.
VI. Truth-in-Lending & Pricing Governance
- Disclose all finance charges up front: interest, service/convenience fees, processing charges, insurance (if optional, say so), taxes, penalties.
- Present a sample loan computation (principal, term, installment, total payment, EIR/APR).
- Avoid fee stacking and hidden add-ons that distort the effective rate.
- Give borrowers loan contracts and amortization tables in durable electronic form (PDF/email) before disbursement.
- Honor prepayment terms; if you charge pretermination fees, disclose basis and ceiling in the contract.
While usury ceilings were lifted, courts may strike “unconscionable” rates or penalties. Build a Pricing Policy that caps combined charges and requires periodic review.
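As an added illustration (not part of the original article), the following Python script produces the sample loan computation this section calls for (installment, total payment, nominal vs. effective annual rate) and shows how an upfront processing fee or "add-on" pricing pushes the effective rate well above the nominal rate. All loan figures are constructed sample values.

```python
"""Sample loan computation for a Truth-in-Lending disclosure.
Added example with constructed figures; not from the original article."""


def level_installment(principal: float, monthly_rate: float, months: int) -> float:
    """Installment for an amortizing loan (interest on the declining balance)."""
    if monthly_rate == 0:
        return principal / months
    return principal * monthly_rate / (1 - (1 + monthly_rate) ** -months)


def add_on_installment(principal: float, monthly_add_on: float, months: int) -> float:
    """Installment under 'add-on' pricing: interest is charged on the ORIGINAL
    principal every month, so the borrower pays for money already repaid."""
    return (principal + principal * monthly_add_on * months) / months


def monthly_irr(net_disbursed: float, installment: float, months: int) -> float:
    """Monthly rate r solving sum(installment / (1+r)^k, k=1..months) == net_disbursed.
    Solved by bisection; present value falls as r rises, so the root is unique."""
    def pv(r: float) -> float:
        return sum(installment / (1 + r) ** k for k in range(1, months + 1))
    lo, hi = 0.0, 1.0  # 0% to 100% per month brackets any realistic consumer loan
    for _ in range(200):
        mid = (lo + hi) / 2
        if pv(mid) > net_disbursed:  # PV still too high -> rate is too low
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def effective_annual_rate(net_disbursed: float, installment: float, months: int) -> float:
    """Annualised effective rate (EIR) on the cash the borrower actually receives."""
    return (1 + monthly_irr(net_disbursed, installment, months)) ** 12 - 1


def disclosure(principal: float, monthly_rate: float, months: int,
               upfront_fees: float = 0.0, add_on: bool = False) -> dict:
    """Figures a lender should show before disbursement, for one loan offer."""
    inst = (add_on_installment if add_on else level_installment)(principal, monthly_rate, months)
    net = principal - upfront_fees  # fees deducted from proceeds reduce what is received
    return {"installment": round(inst, 2), "total_payment": round(inst * months, 2),
            "net_disbursed": round(net, 2), "nominal_annual_rate": round(monthly_rate * 12, 4),
            "effective_annual_rate": round(effective_annual_rate(net, inst, months), 4)}


if __name__ == "__main__":
    # Constructed sample: PHP 10,000 over 6 months at 2% per month
    print("declining balance, no fees:", disclosure(10000, 0.02, 6))
    print("with PHP 500 processing fee:", disclosure(10000, 0.02, 6, upfront_fees=500))
    print("add-on pricing:", disclosure(10000, 0.02, 6, add_on=True))
```

Compare the `effective_annual_rate` field across the three offers: the nominal rate is 24% in every case, but the fee and add-on variants each carry an effective rate roughly double that.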
VII. Data Privacy, Security & Digital Onboarding
- Designate a DPO, maintain a Privacy Manual and Data Breach Response Plan.
- Implement purpose limitation and data minimization—collect only what is necessary for KYC and credit scoring.
- Use layered privacy notices and granular consents (contact scraping and unnecessary device permissions are high-risk).
- Perform Privacy Impact Assessments for the app, SDKs, analytics, and outsourcing.
- Use encryption in transit and at rest, role-based access control, and audit logs; test the app against the OWASP Mobile Top 10 risks.
- Provide data subject rights mechanisms (access, correction, deletion where applicable).
VIII. AML/CFT Obligations
As covered persons, lending/financing companies must:
- Approve a board-level ML/TF Risk Assessment and AML Compliance Program.
- Appoint a Compliance Officer and an Alternate; register with AMLC (goAML).
- Conduct KYC/CDD (full name, DOB, address, IDs, face match/liveness, sanctions/PEP screening); apply EDD when risks are higher.
- File CTR/STR on time; keep records for the required period; ensure secure retrieval for exams.
- Monitor digital red flags (device/IP anomalies, mule patterns, rapid borrow/spend cycles, crypto off-ramps).
- Perform independent testing (internal audit) and annual AML training.
IX. Advertising & App-Store Presence
- All ads (digital, influencer, in-app banners) must state the licensed entity, SEC/CA numbers, and representative sample rates/fees.
- Prohibit claims of guaranteed approvals or “0% with hidden fees”.
- Keep a marketing approvals log (legal sign-off) and archives of ad copies.
- Align your app-store listing (screenshots, description) with actual disclosures in-app and on your website.
X. Outsourcing & Third Parties
- Written agreements with BPOs, collection agencies, KYC vendors, cloud providers, analytics partners.
- Vendor due diligence: info-sec posture, privacy compliance, incident history, subcontracting limits.
- Right-to-audit clauses, SLA/OLA metrics, data localization/backups, exit/transition plans.
- Ensure collectors act within SEC collection rules; your license is on the line for vendor misconduct.
XI. Reporting to the SEC & Corporate Housekeeping
- Annual Audited FS and General Information Sheet (GIS).
- Regulatory returns prescribed for lending/financing companies (e.g., periodic reports on portfolio, branches, officers, OLPs).
- Promptly update the SEC on new/changed domains, apps, officers, branches, capital changes, and material events (e.g., data breaches).
- Maintain board minutes, policies, and compliance evidence (training logs, call scripts, QA results).
XII. Cross-Border & “Lending into the Philippines”
If you target Philippine residents (Philippine-language content, pricing in PHP, ads aimed at the Philippines, acceptance of PH IDs/e-wallets), you are doing business in the Philippines and must be licensed by the SEC. The SEC can order blocking/takedown and pursue directors/officers even if your company is offshore.
XIII. Penalties & Enforcement Exposure
- Administrative: Fines, revocation of CA, app/domain takedowns, disqualification of directors/officers.
- Criminal: Operating without CA, fraudulent schemes, unfair collection practices that constitute separate crimes (grave threats, libel, unjust vexation, etc.).
- Civil: Borrower suits for rescission, damages, and injunctions; class-type complaints; privacy and consumer-protection liabilities.
- AML: Sanctions for program failures, late/missed STR/CTR, and KYC breaches.
XIV. Implementation Playbook (Practical)
Entity & License
- Choose lending vs. financing model → incorporate → apply for CA.
Policies & Manuals
- Credit, Pricing, Collections, Complaints, AML, Privacy/InfoSec, Outsourcing, IT Change Mgmt.
App/Website Build
- Embed clear disclosures; enable contract delivery; instrument audit trails; limit permissions.
AML & KYC Stack
- ID capture, liveness, sanctions/PEP screening, transaction monitoring; CTR/STR workflows.
Collections Program
- Scripts, approved channels/hours, QA monitoring, complaints desk; ban harassment and third-party disclosure.
Reporting & Governance
- Board oversight, compliance calendar, breach drills, independent audit/testing.
Go-Live Checklist
- CA on hand; app store copy matches license; privacy/terms published; DPO/CO posted; vendor contracts signed; helpdesk staffed.
Ongoing
- File SEC and AML returns; update the SEC on any new OLPs/domains; refresh policies annually; keep a regulatory change log.
XV. Common Pitfalls
- Launching the app or running ads before CA issuance.
- Using shell entities while the lending engine is offshore.
- Contact-list scraping and social-media shaming.
- Hiding fees in non-interest “convenience” charges; no APR/EIR disclosure.
- Weak KYC and device security; no audit trails for e-signatures.
- No complaints desk or unresolved ticket backlogs.
- Failure to notify SEC of new domains/apps or corporate changes.
- Treating collectors as “independent” and disowning their violations—principal is liable.
XVI. FAQs
Do I need both corporate registration and a CA? Yes. Both are mandatory. Incorporation alone is insufficient.
Can foreign investors own 100%? Foreign equity is generally allowed, subject to constitutional/statutory limits and any special rules for specific activities. Always confirm current negative-list constraints and licensing conditions.
Are e-signatures valid for loan contracts? Yes, if executed with reliable methods (identity/authentication, intent, integrity, audit trail) under the E-Commerce Act and evidence rules.
Can I charge any interest I want? Usury ceilings were lifted, but courts can strike unconscionable rates/penalties. Transparent pricing and reasonableness are essential.
May I hire a third-party collector? Yes, but you remain responsible. Ensure contracts, training, monitoring, and strict compliance with SEC debt-collection rules.
What if I only “broker” loans via an app? If you solicit, process, or arrange loans for the public, you may still fall within regulated activity or require an appropriate license/authorization; structure and disclosures matter.
One-Page Compliance Checklist
- Incorporated domestic corporation with proper purpose
- SEC Certificate of Authority issued (lending/financing)
- Domains/apps notified to SEC; listings match disclosures
- Truth-in-Lending: full price, APR/EIR, amortization, contracts delivered
- Collections policy bans harassment/shaming; scripts & QA in place
- DPO, Privacy Manual, DPIAs, security controls, breach plan
- AML program approved; AMLC registration; KYC/CDD; CTR/STR; audit
- Outsourcing: vendor DD, DPAs, SLAs, right-to-audit
- Reporting calendar (AFS, GIS, regulatory returns)
- Governance: board oversight, training, incident logs, change control
This article is a comprehensive overview for orientation and compliance planning. For specific structures, rates, and documentation, align with your chosen license (lending vs. financing), your risk profile, and the latest SEC/NPC/AMLC guidance.