Verifying SEC Registration for Online Loan Companies in the Philippines

A practitioner’s guide for consumers, compliance teams, and counsel

1) Why SEC verification matters

In the Philippines, only corporations may lawfully engage in lending or financing. A company that offers loans through a website or mobile app must have:

  1. Primary registration with the Securities and Exchange Commission (SEC) (Certificate of Incorporation), and
  2. A secondary license/authority from the SEC to operate as a Lending Company (under the Lending Company Regulation Act) or a Financing Company (under the Financing Company Act).

Operating an online lending platform (OLP) without the correct secondary authority—or misusing a generic SEC registration number—is unlawful and exposes the business and its officers to fines, cease-and-desist orders, and criminal liability. It also voids any claim that borrowers “consented” to abusive collection or data practices.

2) The legal framework, at a glance

  • Corporations only: Lending and financing activities must be conducted by a Philippine corporation with an exclusive or principal purpose to lend/finance (as stated in the Articles of Incorporation). Sole proprietorships and partnerships may not engage in lending/financing activities.
  • Lending Company Regulation Act (LCRA): Requires a Certificate of Authority (CA) to operate as a Lending Company (separate from SEC incorporation). Sets conduct standards and penalizes unlicensed lending.
  • Revised Financing Company Act: Requires a CA to operate as a Financing Company (often providing longer-term or asset-backed financing).
  • Online Lending Platform (OLP) rules: SEC imposes specific registration/notification and disclosure requirements on OLPs (each app/site is treated as an extension of the licensed entity; many rules require that each app be declared/authorized).
  • Data Privacy Act (DPA): Requires lawful basis for data processing, limits data collection to what’s necessary, mandates privacy notices, and prohibits unauthorized contact harvesting and “doxxing.”
  • Consumer protection & e-commerce: Truthful advertising, fair collection practices, and valid electronic contracts (E-Commerce Act) are required.
  • No deposit-taking: Only BSP-supervised banks/quasi-banks may take deposits. Lending/financing companies cannot accept deposits.

Note on capital requirements. Minimum paid-in capital depends on license type (lending vs. financing) and, for financing companies, sometimes the location/scale of operations. Confirm the then-current thresholds in the company’s SEC filings and CA.

3) What “properly licensed” looks like

A legitimate online lender typically possesses and discloses the following, on its website/app, loan agreement, and customer communications:

  • Exact corporate name (matching SEC records), SEC Registration Number, date of incorporation.
  • Secondary license: “Certificate of Authority to Operate as a Lending Company/Financing Company,” indicating the SEC CA number and date of issuance (and any amendments).
  • Registered principal office address in the Philippines and contact details (phone/email).
  • Named officers/directors if required by disclosure rules.
  • Data Privacy documents: privacy notice, purpose of processing, retention periods, rights of data subjects, and Data Protection Officer (DPO) contact.
  • Transparent pricing: nominal rate, effective APR, all fees (processing, service, disbursement, late charges), and sample computations.
  • Collections policy and complaint desk contact, including turnaround times and escalation path.

Absence of any of the above—especially the CA/secondary license—should be treated as a red flag.

4) How to verify a lender (step-by-step)

Step A — Confirm the corporate identity

  • Obtain the exact corporate name as advertised in the app/store listing, website, or loan agreement.
  • Compare it to the legal name printed on the SEC Certificate of Incorporation. Watch for spelling variations or the use of a “brand” name that is not properly disclosed as a business name of the licensed entity.

Step B — Check the secondary license

  • Ask for a copy or details of the company’s Certificate of Authority (CA) to operate as a Lending/Financing Company.
  • Confirm: CA number, date, status (valid/suspended/revoked), and whether the scope covers the app/website used to onboard borrowers.

Step C — Verify each Online Lending Platform (OLP)

  • Many SEC rules treat each mobile app or website as part of the licensed activity. Companies generally must register/notify the SEC of each OLP they operate.

  • Check that the app name (as seen in app stores), developer account name, and website URL(s) appear in the company’s SEC submissions and public disclosures.

  • Be cautious when:

    • The developer account name in the app store doesn’t match the licensed corporation;
    • The same app has been relaunched under new names to evade enforcement;
    • An app funnels users to an unrelated entity for the loan agreement.

Step D — Review disclosures and contracts

  • In the app/website and loan agreement, confirm:

    • Full cost disclosures (APR and fees) and no blank fields.
    • E-signature or click-wrap flow that clearly shows consent, with a timestamp and ability to download the contract.
    • Privacy notice and DPO contact visible before sign-up.
    • No excessive permissions (e.g., mandatory contact list scraping or media access) unrelated to credit evaluation.

Step E — Cross-check conduct

  • Harassment, shaming, or threats (e.g., contacting friends/colleagues, posting defamatory content) are prohibited.
  • Debt collection must be professional, during reasonable hours, and only through channels consented to by the borrower.
  • Data minimization: collecting entire contact lists or unrelated photos is typically unlawful.

5) Practical checklists

For consumers

  • Does the app/website show the SEC Registration Number and CA number?
  • Does the corporate name on those numbers match the name on the loan agreement and app listing?
  • Are interest and fees clearly shown before you apply? Are sample computations provided?
  • Is there a privacy notice and a named DPO?
  • Does the app require unnecessary permissions (contacts, gallery, location) for a cash loan?
  • Is there a complaints email/phone that actually works?
  • Any reports of harassment or demand that you pay outside official channels? (Red flag.)

For compliance teams (lenders/fintechs)

  • Articles of Incorporation list lending/financing as the primary purpose; share capital and minimum paid-in capital meet current thresholds.
  • CA to Operate is active; renewals/updates are timely.
  • Each OLP (app/site) is registered/notified with the SEC and disclosed publicly (include app store links and URLs).
  • Product disclosures (APR, fees) are consistent across marketing, app, and contracts.
  • Privacy governance: DPO designated, processing registered where required, records of processing maintained, DPIAs for high-risk features.
  • Collections: written policies, agent training, call scripts, channel restrictions, and audit trails; no third-party collectors without proper contracts and oversight.
  • Complaints handling: turnaround standards; logs for SEC/NPC/ACG escalations.
  • Vendor management: KYC/AML providers, cloud, analytics, and collection vendors under DPAs and localization rules as applicable.

6) Red flags indicating an unlicensed or non-compliant lender

  • No CA number anywhere; staff refuse to provide it.
  • Mismatched names: app/website name ≠ developer account name ≠ corporate name on the CA.
  • Demands for upfront fees before disbursement or payment only through personal e-wallets.
  • Contact scraping or threats to call your employer/family.
  • APR or fees not disclosed, or “interest-free” marketing with hefty “processing” or “service” charges.
  • Loan agreements referencing an entity other than the one disclosed in the app.
  • Multiple apps using the same backend but only one is disclosed to regulators.
  • Short-lived apps that disappear and re-emerge under new names.

7) What to do if you suspect illegality or abuse

Document everything: screenshots (store listing, app permissions, disclosures), copies of emails/SMS/chat threads, payment receipts, and the loan agreement.

File the right complaints (you can do several in parallel):

  • SEC Enforcement (for unlicensed lending, OLP violations, unfair collection).
  • National Privacy Commission (NPC) (for unlawful data collection/sharing, harassment using contacts, lack of privacy notice).
  • PNP–Anti-Cybercrime Group / NBI–Cybercrime (for threats, extortion, doxxing).
  • Telecom/Platform (report abusive numbers, spoofing, or non-compliant apps).

In your complaint, include: the corporate name(s), SEC reg/CA numbers (if any), app names/URLs, dates, and a concise narrative of the abusive/illegal acts.

Effect on your loan. An unlicensed lender’s claims may be legally vulnerable (and penalties may apply), but borrowers should seek legal advice before withholding payment; courts may still enforce principal obligations while disallowing illegal fees and abusive practices.

8) Special issues & nuances

  • Branding vs. legal entity. A lending app’s brand can be different from the corporation’s legal name, but the brand must be tied (by disclosure) to the licensed entity.
  • Group structures. If a group has multiple licensed entities, each entity needs its own CA, and each app should be tied to a specific licensee.
  • Cross-border tech stacks. Using offshore vendors or servers does not excuse compliance with Philippine law, especially DPA and SEC oversight.
  • Loan brokers/lead generators. Entities that merely source leads must not hold themselves out as lenders unless licensed; they must clearly disclose their intermediary role and data processing basis.
  • Interest limits. The usury cap remains effectively suspended for most private loans; however, unconscionable interest/fees can be struck down, and special caps may apply to regulated products (e.g., credit cards) or under specific circulars. Disclose the effective APR to avoid deceptive pricing.
  • E-signatures. Properly implemented e-sign/click-wrap is valid if the borrower had reasonable notice and manifested consent, with logs and document integrity preserved.

9) Model clauses & disclosures (for compliance teams)

On the homepage/onboarding:

  • [Corporate Name], Inc. is registered with the Securities and Exchange Commission under Reg. No. [XXXX] and holds Certificate of Authority No. [CA-XXXX] to operate as a [Lending/Financing] Company. This app ([App Name]) is an online channel of [Corporate Name].”

In the loan summary:

  • “Annual Percentage Rate (APR): [XX.X%]. Fees: [list]. Total cash to receive: ₱[X]. Total to repay on due date(s): ₱[Y]. Example calculation provided.”

In the privacy notice:

  • Lawful bases for processing, specific data categories, third-party transfers, retention, user rights, and DPO contact.
  • Clear statement that contacts, photos, and unrelated files are not collected (unless truly necessary and justified).

Collections policy (borrower-facing):

  • “We contact you only via [channels/hours]. We do not contact your employer/contacts or publish your information.”

10) Due diligence template (for investors/counterparties)

  1. Corporate pack: SEC Certificate of Incorporation, GIS, Articles/By-Laws (purpose clause), tax registrations.
  2. License pack: SEC Certificate of Authority, latest renewals, any SEC show-cause or orders; list of all OLPs (apps/sites) with dates.
  3. Compliance pack: DPA registrations/ROPA, DPO appointment, DPIAs, privacy notices, consent records.
  4. Product pack: rate cards, fee schedules, standard loan agreements, KFS (key facts statement), sample computations.
  5. Collections pack: policies, vendor agreements, QA/audit samples, complaint log summary.
  6. Tech pack: app store developer IDs, domains, data residency, vendor list, incident response.
  7. Litigation/enforcement: pending cases, resolved CDOs, remediation evidence.

11) Frequently asked questions

Q: Is a generic SEC Registration Number enough? No. A secondary license (CA) as a lending/financing company is required.

Q: The app shows a brand name only—no corporation. Is that legal? Not by itself. The licensed corporation behind the app must be clearly disclosed, with SEC and CA numbers.

Q: They say they’re “partnering” with a licensed lender. Then the actual lender of record (the one issuing the loan and owning the receivable) must be the licensed entity and must be named in your contract and disclosures.

Q: Can collectors call my employer or relatives? Not without a lawful basis and consent—and harassment/shaming practices are prohibited.

Q: Can they require access to my contacts/gallery? Generally no for routine cash loans; it’s rarely necessary and triggers DPA risks.

12) Bottom line

To verify a Philippine online lender:

  1. Match names across the app, contract, and SEC records.
  2. Confirm the secondary license (CA) and that each app/website is covered and disclosed.
  3. Check disclosures for full pricing, privacy, and fair collection practices.
  4. Treat inconsistencies, missing CA details, and invasive permissions as red flags—and report abuses to the proper authorities.

This article summarizes prevailing requirements and best practices in the Philippine context. Regulations and SEC circulars evolve; always review the most current SEC issuances, your contract documents, and—when in doubt—seek legal advice.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login