Verifying the Legitimacy of Lending Companies in the Philippines

A comprehensive legal guide for consumers, founders, and compliance teams

1) Why legitimacy checks matter

Unlicensed or non-compliant lenders expose borrowers to abusive collection, unlawful data use, excessive or hidden charges, and unenforceable contracts. For founders, operating without proper authority risks criminal, administrative, and civil liability, app takedowns, and asset freezes. A structured verification process protects both sides.

2) The regulatory map (who regulates what)

Securities and Exchange Commission (SEC) Primary regulator of lending companies and financing companies (corporate entities that extend credit but cannot accept deposits). SEC issues the Certificate of Incorporation/Registration and the separate Certificate of Authority (CA) to Operate. It also polices online lending platforms (OLPs) and unfair collection practices.
Bangko Sentral ng Pilipinas (BSP) Regulates banks, quasi-banks, pawnshops, and credit card issuers. If an entity accepts deposits or engages in activities reserved for banks, it must be BSP-licensed. Lending/financing companies are not allowed to accept deposits.
National Privacy Commission (NPC) Enforces the Data Privacy Act, including lawful processing, consent, data minimization, security measures, and remedies against doxxing/shaming and intrusive contact-scraping by loan apps.
Anti-Money Laundering Council (AMLC) Implements AMLA obligations for covered persons. Many credit providers (including certain SEC-supervised institutions) have KYC, record-keeping, and reporting duties.
Other bodies, in context
- CDA for cooperatives that grant credit to members
- MNRC for microfinance NGOs
- DTI for business name registration of sole proprietors (note: a lending company under law must be a corporation)
- Local governments for business permits

3) The core legal framework (key statutes & rules to know)

Lending Company Regulation Act of 2007 (Republic Act No. 9474) and its IRR Requires lending companies to be stock corporations with minimum paid-in capital and to obtain an SEC Certificate of Authority before operating or advertising. Prohibits deposit-taking.
Financing Company Act (Republic Act No. 8556) and its IRR Governs financing companies (often vehicle/consumer/business finance). Similar SEC authorization and conduct rules apply.
Truth in Lending Act (Republic Act No. 3765) Requires clear disclosure of the finance charge and the effective interest rate/APR before consummation. Hidden or misleading charges can be unlawful and voidable.
Financial Consumer Protection Act (Republic Act No. 11765) Empowers financial regulators (including the SEC) to curb abusive practices, mandate fair disclosures, and provide administrative and restitution remedies to consumers.
Data Privacy Act (Republic Act No. 10173) Restricts over-collection of contacts/photos, bans unauthorized disclosure/shaming, and requires proper notices, consent, and security.
Civil Code & jurisprudence on unconscionable interest/penalties Courts may reduce or void interest, penalties, and liquidated damages that are excessive or shock the conscience, and invalidate abusive collection tactics that amount to intimidation, coercion, or defamation.

Note on interest ceilings: The old Usury Law ceilings were effectively suspended decades ago, but regulators have imposed product-specific caps (e.g., for certain markets like credit cards) and can act against unconscionable rates and hidden fees. Even without a fixed ceiling, courts and regulators scrutinize total cost of credit and collection behavior.

4) What a legitimate lending/financing company looks like

Minimum non-negotiables (corporate/legal status)

Correct legal form. A lending company must be a stock corporation (not a sole proprietorship or partnership) if organized under R.A. 9474.
SEC Certificate of Incorporation/Registration — proves the entity exists.
SEC Certificate of Authority (CA) to Operate — this is separate from incorporation and is the license to lend as a business.
No deposit-taking. If they accept deposits or offer bank-like products without BSP license, that is a red flag.
Local permits. Mayor’s permit and relevant LGU clearances for each physical office/branch.

For online lending platforms (OLPs)/loan apps

Must be tied to an SEC-authorized lending/financing company.
Should have clear privacy notices, terms, fee/interest disclosures, and a complaints channel.
App permissions should be proportionate (no blanket access to contacts/photos/microphone unless demonstrably necessary and consented to).

5) A practical, step-by-step verification workflow

A. Identify the entity and product

Ask for the full legal name, SEC registration number, CA number, principal office address, website/app links, and contact details.
Distinguish the corporate lender from any brand name or marketing affiliate. Match names exactly.

B. Validate corporate and licensing status

Confirm the SEC registration and the Certificate of Authority are real, current, and match the exact corporate name.
Watch for bait-and-switch tactics: a genuine SEC registration for a different company (e.g., a trading firm) passed off as a lending license.

C. Scrutinize disclosures and contract documents

Pre-contract key facts sheet: principal, all fees, total finance charge, APR/effective rate, repayment schedule, late charges, and collection processes.
Truth in Lending compliance: Are finance charge and effective rate stated clearly and before you sign?
Data Privacy: privacy notice, purpose of data collection, retention, third-party sharing, consent withdrawal, and contact of the Data Protection Officer (DPO).

D. Examine money flows and identity

Loan proceeds disbursed from an account in the company’s name; repayments to accounts owned by the company (not to personal e-wallets of agents).
Verify official receipts or Bureau of Internal Revenue (BIR)-compliant invoices.

E. Check conduct and collections

No threats, public shaming, contact-scraping of your phonebook, or messages to unrelated third parties.
Reasonable calling windows and respectful tone; no misrepresentation as law enforcement or court officers.
Clear complaints handling pathway with defined timelines.

F. Cross-check digital presence

Website/app showing correct corporate name, SEC registration and CA numbers, office address, and customer service channels.
Consistency across website, app store listing, and contract documents.

6) Red flags of illegitimate or non-compliant lenders

No SEC CA to Operate (or only a basic SEC registration presented as a “license”).
Deposit-taking or “investment” offers promising fixed yields by a non-bank.
Upfront processing fees demanded via personal e-wallets before any approval.
Aggressive data permissions and contact-list scraping; threats to shame you on social media.
Mismatched names between app, contract, bank account, and receipts.
Unclear or shifting fees; no pre-contract disclosure of the total cost of credit.
Fake or altered SEC/BIR documents (blurry seals, wrong fonts, inconsistent dates).
“We can fix your bad credit for a fee” bundling with the loan.

7) How legitimate lenders should collect debts (and what they must not do)

Permissible

Professional communications through disclosed channels
Clear statements of amounts due, computation basis, and lawful remedies
Respect for data privacy and confidentiality
Using third-party collectors that follow the same rules

Prohibited/abusive (often actionable)

Harassment, threats, obscenities, doxxing, and public shaming
Impersonating government or court officials
Contacting your employer or unrelated contacts to shame or coerce payment
Excessive, hidden, or cascading penalty charges
Processing personal data without lawful basis, or beyond stated purposes

Consequences for violators

SEC administrative penalties (fines, suspension/revocation of CA, app takedowns)
NPC penalties (administrative fines, compliance orders)
Civil damages (privacy, defamation, abusive collections)
Criminal exposure (e.g., grave coercion, unjust vexation, libel, cybercrime, falsification)

8) Interest, fees, and “unconscionability”

There is no across-the-board usury cap today, but lenders must disclose the true cost of credit.
Courts and regulators may strike down unconscionable interest or penalties (for example, steep compounding with layered “service,” “processing,” “convenience,” and “penalty” fees that obscure APR).
Penalty clauses may be reduced if iniquitous or unconscionable.
Short-term, small-amount loans attract stricter scrutiny of effective rates and collection tactics.

9) Special sectors and look-alikes

Pawnshops (BSP-supervised) may lend against pledged items; they are not “lending companies.”
Cooperatives (CDA-supervised) may lend to members under their bylaws.
Microfinance NGOs (MNRC oversight) provide microloans with special reporting and social performance standards.
Salary lenders/payroll-deduct schemes require employer arrangements and proper consent; beware of unauthorized deductions.
BNPL and embedded credit models must still comply with disclosure, privacy, and (where applicable) product-specific caps or conduct rules.

10) Due diligence checklist (borrowers)

Exact corporate name and SEC CA number (not just a trade name).
Physical office address you can verify.
Pre-contract disclosure: principal, all fees, APR/effective rate, repayment schedule.
Privacy notice and DPO contact; permissions limited to what’s necessary.
Disbursement and repayment through accounts in the company’s name; official receipts issued.
Complaint channel and timeline.
Contract free of blank spaces; receive a complete copy.

11) Due diligence checklist (founders/compliance)

Incorporate the correct corporate form (stock corporation) and obtain the SEC CA before advertising or operating.
Maintain minimum capitalization, fit-and-proper officers, and updated general information sheets.
Adopt Truth in Lending-compliant templates and Key Facts Sheets with APR and total cost.
Build a privacy management program (DPIA, consent records, access controls, breach response).
Implement collections SOPs (scripts, call windows, escalation, vendor oversight) aligned with fair collection rules.
Set up complaints handling, logs, and regulator liaison protocols.
Where applicable, register for AML/CFT obligations (KYC, STR/CTR filings, training).
Keep marketing truthful: no guaranteed approvals, no bait rates, no mislabeling as “bank.”

12) Documentation you should ask for or keep

SEC Certificate of Incorporation and Certificate of Authority
Latest GIS and Articles/By-laws (to confirm officers and authority signatories)
Mayor’s/business permits for each site
Standard loan agreement, Key Facts Sheet, schedule of fees
Privacy notice, consent forms, DPO appointment
Collection policies and third-party contracts
Audit trails: disbursement and repayment proofs; official receipts
Complaints register and resolution logs

13) Remedies if things go wrong

SEC complaint for unlicensed lending, unfair collection, false or misleading disclosures, or violations of lending/financing rules.
NPC complaint for data privacy breaches (unlawful contact scraping, public shaming, improper data sharing).
Civil actions for damages; injunctions against abusive practices.
Criminal actions for threats, coercion, defamation, cyber offenses, and document falsification.
Small Claims for money disputes within the current jurisdictional threshold (no lawyers required in many cases; check the prevailing limit and rules).
Preserve evidence: screenshots, recordings (subject to applicable consent rules), messages, call logs, receipts.

14) Frequently asked questions

Q: Is an SEC company registration enough? A: No. You also need an SEC Certificate of Authority to operate a lending/financing business.

Q: Can a sole proprietor legally operate a “lending company”? A: No. A lending company under R.A. 9474 must be a stock corporation. (A sole proprietor may still extend credit as part of their business, but that is not a licensed lending company.)

Q: Are sky-high interest rates automatically illegal? A: Not automatically—but unconscionable interest/penalties and undisclosed charges are vulnerable to regulatory action or judicial reduction/voiding.

Q: Can loan apps access my contacts? A: Only with lawful basis and proportionate necessity. Mass contact scraping and shaming are risky and can trigger NPC and SEC sanctions.

Q: The lender says they’re “SEC registered” but won’t show a CA. Deal? A: Treat as high risk. Operating or advertising without a CA can be unlawful.

15) Practical scripts & templates

Request for proof of authority (borrower → lender)

Kindly provide your SEC Certificate of Authority to Operate as a lending/financing company (distinct from the Certificate of Incorporation), your principal office address, and your Data Protection Officer’s contact details. Please also share the Key Facts Sheet showing the total finance charge and APR/effective interest rate. We will rely on these disclosures in making a decision.

Cease abusive collection (borrower → lender/collector)

This serves as formal notice to cease harassment and third-party contacts unrelated to my account. Future communications must be professional, limited to lawful channels, and consistent with the Data Privacy Act and applicable collection rules. Please provide a breakdown of my obligation (principal, interest, fees, and penalties) with dates and basis. Non-compliance may be reported to the SEC and NPC and pursued in court.

16) Bottom line

To verify legitimacy in the Philippine context, always confirm (1) corporate identity, (2) SEC Certificate of Authority, (3) full disclosures under the Truth in Lending Act, (4) privacy compliance, (5) lawful collections, and (6) clean money flows with official receipts. If any piece is missing or inconsistent, treat the lender as non-compliant or high risk and consider reporting or walking away.

This guide provides general information and is not a substitute for tailored legal advice on a specific transaction or dispute.