Verifying the Legitimacy of Lending Companies in the Philippines
A practitioner’s guide for consumers, in-house counsel, and compliance teams
1) Why legitimacy matters
Borrowing from an unlicensed lender can expose you to abusive collection tactics, unlawful data harvesting, inflated charges, and unenforceable or predatory terms. It also creates AML/CTF risks for counterparties and potential personal data breaches for borrowers and their contacts. Philippine law provides a concrete framework to separate legitimate players from illegal or rogue operators—offline and online.
2) The regulatory map
Primary supervisor (corporate conduct):
- Securities and Exchange Commission (SEC). Oversees lending companies under the Lending Company Regulation Act of 2007 (Republic Act No. 9474) and financing companies under the Financing Company Act of 1998 (RA 8556) and related regulations. The SEC issues the Certificate of Authority (CA) to operate and may suspend or revoke it, impose fines, and file criminal actions.
Other relevant regulators and regimes:
- Bangko Sentral ng Pilipinas (BSP). Regulates banks and certain non-bank financial institutions (NBFIs). If a product is issued by a bank, it is under BSP (not SEC).
- National Privacy Commission (NPC). Enforces the Data Privacy Act of 2012 (RA 10173)—critical for online lending apps (permissions, consent, data minimization, breach notification).
- Anti-Money Laundering Council (AMLC). Enforces AMLA (RA 9160, as amended). SEC-supervised lending/financing companies are covered persons and must perform KYC, monitor transactions, and file covered/suspicious transaction reports.
- Department of Trade and Industry (DTI) and Consumer Act (RA 7394). General consumer protection (misrepresentations, deceptive or unfair sales).
- Truth in Lending Act (RA 3765). Requires clear disclosure of the true cost of credit (finance charges and effective interest).
- Cooperative Development Authority (CDA). Cooperatives lending to members fall under CDA, not the SEC lending regime.
- Microfinance NGO Act (RA 10693). Microfinance NGOs carry a PCNC/DOF accreditation framework, distinct from SEC-licensed lending/financing companies.
- Revised Penal Code / Special laws. Cover threats, coercion, libel, unjust vexation, cybercrime, and similar abuses during debt collection.
- Usury Law ceilings are suspended (Central Bank Circular No. 905), but courts may still strike unconscionable interest and penalty rates.
3) Who may legally lend—and who may not
3.1 Lending vs. financing companies vs. others
- Lending company. A corporation (not a sole proprietorship or partnership) primarily engaged in granting loans from its own capital. Requires SEC registration and a Certificate of Authority under RA 9474.
- Financing company. Also a corporation under RA 8556 that extends credit through loans, discounts, factoring, lease-purchase, etc. Requires SEC registration and CA under RA 8556.
- Banks (BSP-regulated), cooperatives (CDA), and microfinance NGOs (RA 10693) may also legally lend within their own frameworks—they do not need an SEC CA as a lending/financing company.
- Pawnshops and money service businesses have their own BSP/NPC compliance regimes.
3.2 The online twist—OLAs/OLPs
- Online Lending Applications/Platforms (OLAs/OLPs) that solicit and process loans digitally must be tied to an SEC-licensed lending/financing company and comply with SEC memoranda on online operations, advertising, disclosures, and complaint handling.
- Apps that harvest contacts, photos, and location beyond what is necessary, or that engage in “contact-shaming” collections, often breach NPC and SEC rules.
4) The legal test for legitimacy (practical checklist)
Use this layered verification before dealing with any lender or app:
A. Corporate & authority checks
- SEC Registration (Articles/By-laws; Registration Number).
- Certificate of Authority (CA). Distinct from mere SEC registration; it authorizes the lending/financing business. Validate the exact corporate name and status.
- Principal office address and active contact channels (hotline/email).
- Key officers/beneficial owners disclosed per SEC beneficial ownership rules.
Red flags: “Registered with DTI only,” “Mayor’s Permit only,” or “SEC-registered company but no CA.” Sole proprietorships cannot be “lending companies” under RA 9474.
B. Product & disclosure checks (RA 3765)
- Clear, written disclosure of: principal, finance charges, effective interest rate, fees (processing, disbursement, collection), penalties, tenor, amortization schedule, APR/annualized cost, and total cost of credit.
- No hidden fees; receipts for every payment; prepayment rules disclosed.
Red flags: “₱0 interest” but layered “service” and “convenience” fees; unclear penalty computation; mandatory add-ons (insurance, tips).
C. Privacy & cyber checks (RA 10173)
- Privacy notice that is specific and understandable, stating purpose, data collected, retention, sharing, rights, and DPO contact.
- Data minimization: app permissions strictly necessary (e.g., no blanket access to contacts/photos/microphone).
- Security safeguards and breach reporting processes.
Red flags: Access to your contacts for “collection purposes,” location tracking after repayment, or messages threatening to blast your phonebook.
D. Conduct & collections
- Fair collection practices. No threats, profanities, doxxing, harassment, or shaming; no contacting your employer or contacts except in lawful, limited circumstances (e.g., verified guarantor).
- Complaint handling: formal channel with turnaround times; escalation path to the SEC/NPC.
Red flags: Use of anonymous numbers, social-media shaming, or threats of criminal cases for mere non-payment of a civil loan (absent bouncing check/fraud).
E. AML/CTF & sanction screening
- Know-Your-Customer and beneficial ownership capture; source of funds questions for high-risk clients; covered/suspicious transaction escalation.
- No requests to route funds through personal e-wallets or third-party accounts without clear documentation.
Red flags: Cash pickups with no receipts; layered transfers to avoid reporting thresholds; refusal to identify owners.
5) Documentation you should expect
- Corporate: SEC Certificate of Incorporation, SEC CA, latest General Information Sheet (for officers/owners), and principal office details.
- Licensing/operations: Any SEC memoranda compliance attestations (e.g., for online platforms), customer service policy.
- Credit: Loan agreement, disclosure statement (RA 3765), schedule of charges, data privacy notice/consent form, receipts.
- AML: KYC forms, ID capture/verification records (where applicable).
6) Interest, fees, and enforceability
- No fixed legal cap currently applies because Usury Law ceilings are suspended.
- Courts may still void or reduce “unconscionable” rates and penalties, especially where disclosure was unclear or bargaining power was grossly unequal.
- Compounded penalties, layered “processing” fees, or post hoc “collection fees” often fail the reasonableness and disclosure tests.
- Truth in Lending violations (non-disclosure of finance charges) can lead to administrative/criminal liability and weaken enforcement of charges.
7) Advertising, e-commerce, and “Buy Now, Pay Later” (BNPL)
- Marketing must be truthful and not misleading (Consumer Act).
- Digital credit and BNPL models that involve the business of extending credit still require the proper SEC/BSP licensing depending on structure (e.g., if a bank underwrites). Calling something “BNPL” does not remove it from lending/financing rules.
- Cross-border apps soliciting Philippine residents must comply with Philippine licensing and privacy laws when targeting local users.
8) Typical illegality patterns (what they look like)
- No SEC CA, but the entity offers loans to the public (website/app/Facebook).
- DTI certificate only (business name) with “lending” in the trade name.
- App permission overreach and contact-shaming threats.
- Ghost addresses, prepaid numbers, or constantly changing brand names.
- Fund disbursement/repayment via personal accounts without receipts.
- “Agent” or “franchise” schemes where unlicensed individuals solicit on behalf of a supposed mother company, without documentation tying them to a licensed principal.
9) Step-by-step due diligence workflow (for individuals and SMEs)
- Match the brand to a legal name. Get the exact corporate name behind the trade name/app name.
- Validate the SEC CA. Confirm that the corporate name and CA match the brand in use and that status is active.
- Check the product legalities. Ensure the loan agreement and the RA 3765 disclosure are given before you commit; compute the effective annual cost yourself.
- Review privacy controls. On mobile, deny non-essential permissions; read the privacy notice; check DPO contact.
- Inspect collection policy. Look for a written policy prohibiting harassment; ask how they contact you if you miss a payment.
- Trace money flows. Disbursement/repayment should go through accounts in the company’s name with official receipts.
- Keep records. Store signed contracts, screenshots, consent forms, receipts, and all communications.
10) Remedies and escalation
- SEC (Enforcement and Investor Protection). Report unlicensed activity, misrepresentation, or violations of RA 9474/RA 8556 or SEC memoranda; request CA verification.
- NPC. File complaints for unlawful processing, excessive permissions, contact-shaming, data breaches, or failure to honor data subject rights.
- BSP. If the lender is a bank/NBFI under BSP, use BSP’s consumer assistance channels.
- DTI. For false advertising or deceptive sales practices.
- NBI/PNP-ACG. For harassment, threats, doxxing, cyber-libel, extortion, or identity theft.
- Courts (including Small Claims). To contest unconscionable charges, recover damages for abusive collection, or enforce/defend rights under the contract.
- App stores / platforms. Report illegal apps or pages that solicit lending without licenses.
11) Special topics
11.1 Corporate structure and foreign participation
Foreign equity/participation rules for lending/financing companies have evolved under the Foreign Investments Act and subsequent negative lists/legislative updates. Because the exact caps and conditions can change, verify the current foreign ownership rules before onboarding foreign shareholders or counterparties.
11.2 Agents, aggregators, and white-label arrangements
If a platform or agent markets loans for a licensed principal, obtain the written agency/partnership agreement, check whose CA covers the product, and make sure disclosure documents bear the true lender’s corporate name.
11.3 Collections outsourcing and data sharing
Third-party collectors must follow the same legal limits and privacy standards as the lender. Data sharing needs a lawful basis, a data sharing agreement, and proportionality.
12) Quick reference—What you should see from a legitimate lender
- SEC Certificate of Authority (active, matches corporate name)
- Loan disclosure statement (RA 3765) with finance charges and APR/effective cost
- Privacy notice and DPO contact; minimal app permissions
- Fair collection policy (no harassment, no contact-shaming)
- Official receipts and a clear amortization schedule
- Customer service and regulatory complaint channels
13) Model clauses & controls (for compliance teams)
- Disclosure clause: “Lender shall provide the borrower, prior to consummation, a disclosure statement under RA 3765 stating the principal, finance charge, total of payments, schedule, and effective interest rate.”
- Privacy: Limit data collection to what is necessary to assess creditworthiness and service the loan; prohibit access to contacts/photos; designate a DPO; implement breach protocols.
- Collections: Prohibit harassment, public shaming, threats, and contacting third parties other than authorized guarantors; require call recording and audit trails.
- AML/CTF: KYC (ID, liveness, beneficial ownership), risk-based monitoring, CTR/STR filing, sanctions screening.
- Third parties: Data sharing agreements; oversight over collection agencies and platform partners; right to audit.
14) Bottom line
A legitimate Philippine lending operation sits at the intersection of:
- Proper authority (SEC CA or the appropriate regulator),
- Transparent pricing (RA 3765 compliance),
- Lawful data handling (RA 10173),
- Fair collection conduct, and
- AML/CTF controls.
If any of these pillars is missing, proceed with caution, document everything, and be ready to disengage or escalate to regulators.
Note: Laws and agency circulars evolve. For transactions with material value or regulatory exposure, consult counsel and verify the current SEC/NPC/BSP guidance and ownership rules before proceeding.