2015-06-04 | JB-2015-3459
The Banking Board of Ecuador issued Resolution No. JB-2015-3459 to reject the administrative review appeal filed by Banco Nacional de Fomento regarding a consumer complaint about fraudulent ATM withdrawals. The Board confirmed the Superintendency's prior order requiring the bank to refund USD 7,680.00 to the account holder, ruling that the institution failed to provide secure electronic channels and bore full responsibility for the losses caused by card skimming. The decision emphasizes that financial institutions are legally obligated to ensure the safety of their transactional services and cannot shift liability to customers for crimes committed via compromised ATM security.
Banking Board of Ecuador
RESOLUTION No. JB-2015-3459
THE BANKING BOARD
CONSIDERING:
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332 of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, and the norms issued by control bodies, will remain in effect in all that does not oppose what is established in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was hearing as of the date of entry into force of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board, which grants the control body competence to hear and resolve this review appeal;
THAT through communication entered into the control body on January 15, 2014, Mr. Washington Fernando Calvache Carrasco filed a complaint against the National Development Bank (Banco Nacional de Fomento), stating that: "(...) I have been harmed by the donation [cloning] of my debit card, from September 20, 2013 to October 15, 2013. For this reason, I ask in the best way that you investigate my case, since the Development Bank (sic) has not given me any response regarding my fraud (...).";
THAT through Office No. DNAE-SAU-2014-00654 of January 29, 2014, the User Attention Subdirectorate of the National Directorate of User Attention and Education of the Superintendency, accepted the complaint for processing and requested explanations and defenses from the National Development Bank. Through Office No. 3219 of March 7, 2014, entered into the control body on the 8th of the same month and year, the financial institution attached the required information and stated that it has made requests to other financial institutions involved, to which only certain banks sent the required information;
THAT with Office No. DNAE-SAU-2014-03179 of May 21, 2014, the User Attention Subdirectorate of the National Directorate of User Attention and Education of the Superintendency of Banks, after the analysis carried out regarding the complaint filed, concluded and resolved the following:
"(...) 4. CONCLUSION
According to what has been stated, it can be concluded that:
The entity has not demonstrated, nor has it supported having offered a totally secure channel, for the withdrawal of funds from its own network of automated teller machines (ATMs) that is free from cloning risks or through the associated banks to BANRED through which access was given to the user, fundamental elements that should have been considered before providing said service.
In a card cloning process, information is taken through devices placed in ATMs that do not have the necessary security measures; this means that the holder (sic) did not misuse her debit card or that she did not fail in the custody and reservation of the assigned PIN.
The entity has not evidenced that it warned Mr. Washington Fernando Calvache Carrasco of the risk of donation [cloning] that he could suffer in ATMs that do not have the necessary anti-skimming security measures.
It has been observed that it is not the user who is called upon to verify that ATMs maintain the necessary security; that responsibility falls on the financial entity, and it is this entity that is called upon to ensure that the channel, whether its own or third-party, provides users with all the security measures that prevent exposure to this type of risk, (...).
For the above reasons, and in adherence to the norms contemplated in Article 1 and 180 letters b) and o) of the General Law of Institutions of the Financial System, in concordance with what is established in Article 5, Chapter IV, Title XX, Book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, inasmuch as the National Development Bank has incurred in incorrect procedures in money withdrawal by ATM, this Superintendency orders the financial institution to proceed with the return of the money claimed by Mr. Washington Fernando Calvache Carrasco; for which it must credit the claimant's account with the sum of USD 7,680.00 within a term of three (3) days counted from the receipt of the present office.
(...)";
THAT through a document entered into the Superintendency of Banks on June 6, 2014, the economist Freddy Alfonso Monge Muñoz, General Manager and Legal Representative of the National Development Bank, with the professional sponsorship of doctors Fabián Zapata Ozano, Fabián Gómez Vizuete, and Johana Herrera Zambrano, filed an appeal for reconsideration against the administrative act contained in Office No. DNAE-SAU-2014-3179 of May 21, 2014;
THAT through Office No. DNAE-SAU-2014-04210 of July 8, 2014, the User Attention Subdirectorate of the National Directorate of User Attention and Education of the Superintendency, regarding the appeal for reconsideration filed, resolved:
"(...) For all the above and having duly answered the factual and legal grounds presented by you, this office (sic) ratifies the content of Office No. DNAE-SAU-2014-03179 of May 21, 2014, (...), consequently, the appeal for reconsideration filed is rejected, and it must proceed with compliance with the dispositions issued by this control body in the terms indicated in the impugned administrative act, providing evidence of the actions taken within a term of eight days from the date of receipt of the present office.";
THAT through a document entered into the control body on July 22, 2014, the economist Freddy Alfonso Monge Muñoz, General Manager and Legal Representative of the National Development Bank, with the professional sponsorship of doctors Fabián Zapata Ozano and Fabián Gómez Vizuete, filed before the Banking Board a review appeal against the administrative act contained in Office No. DNAE-SAU-2014-04210 of July 8, 2014;
THAT the appellant based the review appeal on the following arguments:
That in the impugned resolution it is inferred that the undue withdrawals of money from the claimant's account, made in ATMs, occurred through fraudulent mechanisms involving the commission of a crime, which in no way can be imputed to the National Development Bank, which evidences the impossibility of the Superintendency of Banks to attribute responsibilities in both criminal and civil matters and consequently the correlative obligation to reintegrate the claimed values;
That the alleged deficiencies attributed generically to the lack of security in the use of ATMs, posed in a generalized manner, cannot constitute within an administrative procedure, proof or sufficient support that backs a concrete procedural reality;
That Mr. Washington Fernando Calvache Carrasco did not apply basic security recommendations for the handling of the debit card, given through various means in which users are instructed to observe security signs, the ATM messaging, transaction receipts, circulars, etc.;
That the National Development Bank is constantly carrying out efforts so that the information required by the control body is delivered by the financial institutions that own the ATMs, for which reason, the information is subject to predispositions of third parties; even more so when the withdrawals subject to the complaint used ATMs that do not belong to the National Development Bank;
That the impugned administrative act suffers from a lack of adequate motivation, which renders it null for violating the constitutional mandate provided in Article 76 of the Constitution of the Republic, inasmuch as the factual and legal grounds exposed were not considered at the moment the control body issued the impugned resolution;
THAT through Office No. JB-2014-1977 of July 28, 2014, the lawyer Pablo Cobo Luna, Secretary of the Banking Board, accepted the review appeal for processing; and, through Office No. JB-2014-1976, of the 28th of the same month and year, Mr. Washington Fernando Calvache Carrasco was notified of the appeal filed by the financial institution;
THAT the appellant argues the lack of legal attributions that the Superintendency of Banks has to establish civil or criminal responsibilities and consequently the correlative obligation to reintegrate the claimed values; regarding what was stated, it is necessary to clarify that Article 226 of the Constitution of the Republic establishes that State institutions, their bodies, and dependencies that act by virtue of a state power will exercise only the competencies attributed to them in the Constitution and the Law;
THAT Article 213 of the Constitution of the Republic, in concordance with what Article 1 of the Organic Law of Institutions of the Financial System determines, establishes that the Superintendency of Banks is the administrative entity in charge of supervising and controlling the financial system, in all matters regarding the protection of public interests, as well as ensuring the stability, solidity, and correct functioning of institutions subject to its control; monitoring that they comply with the legal norms that govern them; and at the same time, requiring that said institutions present and adopt the corresponding corrective measures when necessary;
THAT the faculty to establish and impute responsibility in civil and/or penal matters corresponds to the judges who make up the Judicial Function, officials who exercise jurisdictional power according to the Constitution, international human rights instruments, and the Law; consequently, to the Superintendency of Banks within the exercise of its functions, it falls to regulate and supervise in a preventive and corrective manner all institutions that make up the public and private financial system, safeguarding that the financial products and/or services offered are safe, efficient, and reliable; guaranteeing that the rights of financial clients are protected, for which it can act ex officio or at the request of a party; for the indicated reason, the appellant's argument in the present case is not legally admissible;
THAT regarding the assertion of the National Development Bank that the deficiencies alleged by this control body cannot constitute proof or sufficient support that backs a concrete procedural reality, it must be indicated that Articles 52 and 66 of the Constitution of the Republic establish that people have the right to dispose of and access public and private services of optimal quality, as well as to receive non-misleading information about their content and characteristics; in such virtue, the financial entity, upon receiving money from its clients, assumes the obligation and responsibility to keep and safeguard the deposited values with diligence and professional care;
THAT within the controls and security measures that must be taken into account when offering services through electronic channels, is the issuance of timely alerts to avoid the possible commission of computer crimes; therefore, financial institutions are obliged to put at the service of users policies on the dissemination of the conditions surrounding their use, including the implemented security measures and their possible risks when accessing said services; in this sense, the National Development Bank cannot disclaim its responsibility over the integral control that minimizes the risk of exposure of its clients, nor the co-responsibility in the service offered by companies associated with the interbank payments network "BANRED";
THAT from the information provided by the National Development Bank, it emerges that the claimed transactions do not adjust to the client's transactional profile, for which reason the bank's security system should have generated alerts to make the client aware of the operations carried out. In this sense, the Internal Audit Manager of the bank, in Office No. 008-UIA-2014 of April 24, 2014, stated the following:
"(...) DEBIT CARDS WITH INDICATIONS OF CLONING
(...) the transactional behavior of the cases analyzed in the present report before and during the dates when the reported events occurred, presented the following anomalies:
The monthly average of the transactions carried out by the clients detailed in the following table, from the date of activation of the debit card until before the events occurred, were minimal compared to those carried out during the reported days, presenting a number of three sequential daily transactions and up to an amount of 291.50, that is, using the entire authorized limit, as indicated in the following table:
| CLIENT | DEBIT CARD NO. | AVERAGE OF TRANSACTIONS DURING THE PREVIOUS 12 MONTHS | NO. TRANSACTIONS DURING THE REPORTED MONTH |
|---|---|---|---|
| Washington Fernando Calvache Carrasco | 6031600083033650 | 2 | 48 |
(...) In the ATM transactional LOG of the National Development Bank, several transactions were recorded with dates subsequent to the cancellation or blocking of the debit card (...), 6031600083033650 (Washington Fernando Calvache Carrasco), (...), transactions that were rejected by the authorized host of the BNF, aspects that reveal the existence of a double card in the possession of unidentified persons (...).
Withdrawals from ATMs related to other reported complaints
In the videos provided by the different financial entities involved, the following was observed:
1.- In the cases of the clients (...), Washington Fernando Calvache Carrasco, (...), the withdrawals were carried out by the same person who is also the author of unusual withdrawals in other cases reported by clients of the National Development Bank, a situation that indicates that several BNF client cards are in possession of this same person and accomplices, who are permanently carrying out withdrawals through cloned cards; therefore, the entity is being the victim of a criminal band that possibly possesses information about its clients. (...).
(...)";
THAT from what was stated by the Internal Audit Manager of the National Development Bank, it emerges that the bank did not offer a secure channel for the withdrawal of funds, one that provides users with all the security measures that prevent exposure to this type of risk. The bank's obligation as custodian of the deposited values is to restore them upon the request of the owner or holder of the account, taking care with due diligence that they go to the property of the depositor, in the form agreed in the corresponding legal document, and implemented under the auspices of Article 51 of the General Law of Institutions of the Financial System. Having agreed on restitution through ATM withdrawals, this mode of restitution should have been surrounded by optimal security, which did not happen in the present case, failing to comply with what is established in Article 3 of Chapter I "On integral management and risk control"; Title X "On risk management and administration"; of Book I "General Norms for the application of the General Law of Institutions of the Financial System", of the Codification of Resolutions of the Superintendency of Banks and the Banking Board, for which reason the transfer of responsibility to the client is not appropriate;
THAT regarding the argument that Mr. Washington Fernando Calvache Carrasco did not apply basic security recommendations when using the electronic service, it must be mentioned that the process of cloning a debit card is carried out by taking the information of financial users, through devices that are placed in ATMs that do not have the necessary anti-skimming security measures; for the aforementioned reason, the user is not called upon to prove the good functioning of the ATMs inasmuch as the National Development Bank is the one that provided this transactional service, therefore, the financial institution cannot disclaim its responsibility for the offered service;
THAT regarding the efforts made with other financial institutions to have the information required by the Superintendency of Banks, it must be pointed out that the National Development Bank, based on the "BANRED" service contract, under no concept can claim that the client should present his complaint before the institution that owns the ATMs where the point of compromise occurred, since the commercial relationship is with the institution with which he signed the contract, for which the use of third-party ATMs arises as a service offered by the bank, for which reason, the burden of proof falls on the financial institution;
THAT regarding the due motivation consigned by the current legal order, it must be pointed out that Offices Nos. DNAE-SAU-2014-04210 of July 8, 2014, and DNAE-SAU-2014-03179 of May 21, 2014, contain the pertinent factual and legal grounds, and are based on legal and regulatory norms established in the General Law of Institutions of the Financial System and in the norms issued for that effect, for which reason, it is important to note that the requirement of motivation required in numeral 7, letter I) of Article 76 of the Constitution of the Republic was fulfilled, for which the argument regarding the lack of motivation has no legal basis;
THAT the first paragraph of Article 1 and letters b) and o) of Article 180 of the General Law of Institutions of the Financial System determine that the Superintendency of Banks and Insurance is in charge of supervising and controlling the financial system, in all of which, the protection of public interest is taken into account, for which it must ensure the stability, solidity, and correct functioning of institutions subject to its control; monitoring that they comply with the legal norms that govern them; and requiring that said institutions present and adopt the corresponding corrective measures when necessary;
THAT Article 5 of Chapter IV "Procedures for the attention of complaints against Institutions of the Financial System", Title XX "Of the Superintendency of Banks and Insurance", Book I "General Norms for the application of the General Law of Institutions of the Financial System" of the Codification of Resolutions of the Superintendency of Banks and the Banking Board, establishes:
"ARTICLE 5.- If the result of the analysis carried out by the Superintendency determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.
If the situation that motivated the complaint referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which has caused harm to the claimant, the Superintendency of Banks and Insurance may order the return of the claimed values, in the exercise of the functions and attributions contemplated in letters b) and o) of Article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a term that cannot exceed fifteen (15) days from the notification to send, under the legal warnings, the proof of compliance with the order issued.";
THAT from the review and analysis carried out, it emerges that the National Development Bank transferred the responsibility of the facts to Mr. Washington Fernando Calvache Carrasco for being the person who safeguards the card and PINs, without considering that the bank has the obligation not only to safeguard the deposited money, but also to provide security in the channels of the offered services. In this sense, there is responsibility of the National Development Bank in the disputed transactions since, as of the date of the complaint, the bank did not maintain for its transactional channels an efficient fraud prevention system, which caused, according to the bank itself, that third parties maliciously committed the computer crime known as "skimming" through which the funds held by the claimant in the controlled institution were withdrawn, which evidences that what is established in Article 5 of Chapter IV, Title XX, Book I of the Codification of Resolutions mentioned above was fulfilled, since the situation that motivated the complaint originated in incorrect procedures of the controlled institution detailed in the present resolution;
THAT the National Legal Intendency, through memorandum INJ-DNJ-SAL-2015-0022 of January 14, 2015, recommended the Banking Board to reject the claim contained in the appeal filed by the General Manager and Legal Representative of the National Development Bank; and,
IN exercise of its legal attributions,
RESOLVES:
SINGLE ARTICLE.- REJECT the claim contained in the review appeal filed by the economist Freddy Alfonso Monge Muñoz, General Manager and Legal Representative of the National Development Bank; and consequently CONFIRM the administrative act contained in Office No. DNAE-SAU-2014-04210 of July 8, 2014, which ratifies Office No. DNAE-SAU-2014-3179 of May 21, 2014, through which the User Attention Subdirectorate of the National Directorate of User Attention and Education ordered the National Development Bank to effect the return of the values claimed by Mr. Washington Fernando Calvache Carrasco, in the amount of USD 7,680.00.
NOTIFY.- Given at the Superintendency of Banks and Insurance, in Quito, Metropolitan District, on the fourth of June, two thousand fifteen.
[Signature] Econ. Rodrigo Landeta Parra GENERAL INTENDENT (S) PRESIDENT OF THE BANKING BOARD SESSION (E)
I CERTIFY.- Quito, Metropolitan District, on the fourth of June, two thousand fifteen.
[Signature] Law. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD