Philippine Lending Apps —
SEC Memorandum Circular 18 Violations
SEC Memorandum Circular 18 (2019) prohibits Philippine online lending apps from accessing a borrower's contacts, SMS messages, or call logs. This page audits the publicly-declared Android permissions of major lending apps in the Philippines and flags those that appear to violate the rule. All evidence is sourced directly from the apps' Google Play Store listings.
The presence of a permission in a Play Store listing means the app has the right to use it. That declaration alone — independent of how the app actually uses the permission at runtime — is direct, public, cite-able evidence of an apparent MC 18 violation. Last updated May 10, 2026.
7
Apps audited
6
With MC 18 violations
10
Total violations
Per-app findings
Tala Philippines
com.inventureaccess.safarirahisi
Cebuana Lhuillier
com.clrb.eCebuana2
Cashalo
com.oriente.cashalo
JuanHand
com.juanhand.fast.cash.peso.loan.app
Atome Philippines
ph.atome.paylater
M Lhuillier Financial Services
com.mlhuillier.mlwallet
Digido
com.finsmartsloan.dmentoring
What is SEC MC 18 (2019)?
SEC Memorandum Circular No. 18, Series of 2019, titled "Prohibition on Unfair Debt Collection Practices of Financing Companies (FCs) and Lending Companies (LCs)," was issued by the Philippine Securities and Exchange Commission on 11 September 2019. Section 1 of the rules prohibits FCs/LCs and their third-party service providers from contacting persons in the borrower's phone contacts (other than those listed as references), publicly threatening, harassing, or shaming a borrower, and using language that is obscene, insulting, or abusive in collection.
Implementing rules under SEC Memorandum Circular No. 19 series of 2019 (Implementing Rules) further require lending and financing companies to ensure that all data processing complies with the Data Privacy Act of 2012 (RA 10173). Apps that programmatically access a user's full contact list, incoming SMS, or call log violate both the spirit and letter of MC 18 — even when stated to be for "alternative credit scoring."
Methodology
- For each lending app available on Google Play Philippines, fetch the publicly-listed permissions via the standard Play Store metadata endpoint.
- Match each declared permission against keywords explicitly tied to MC 18 prohibitions (read contacts, modify contacts, read SMS, receive SMS, send SMS, read call log, write call log).
- List each match with the exact Play Store wording, the permission group, and a short description.
- Refresh weekly via automated cron. Apps may add or remove permissions over time; this report reflects the most recent snapshot.
This audit is informational and limited to declared permissions. It is not a legal determination of violation. SEC, NPC, and DTI are the agencies with statutory authority to determine MC 18 compliance. If you believe a lending app has misused the data they collected, file a complaint with the SEC Corporate Affairs Department or the National Privacy Commission.
Affected by debt-shaming or contact-list harassment?
File an NPC + SEC complaint citing this app's declared permissions as evidence. We help you generate the formal letter for both agencies in under 5 minutes.