2015-05-27 | JB-2015-3437

The Banking Board of Ecuador issued Resolution No. JB-2015-3437 to reject the appeal filed by Banco de Guayaquil regarding a fraudulent withdrawal dispute. The Board confirmed the lower authority's decision ordering the bank to reimburse the customer, citing the bank's failure to implement an efficient fraud prevention system and its admission that the client was a victim of phishing. This ruling establishes the bank's liability for the unauthorized transaction due to its inadequate security alerts and failure to protect client funds.
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332, of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and the norms issued by control bodies, will maintain their validity in all that does not oppose what is established in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and, with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures that it was hearing as of the date of validity of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT by Resolution No. 054-2015-F, of March 5, 2015, published in the Official Register No. 467, of March 27, 2015, the aforementioned period has been extended by one hundred and eighty additional days;
THAT by means of a complaint form presented to the Superintendence of Banks and Insurance on November 5, 2013, Mr. Teodoro Manuel Jaime Vera stated:
"(...) FRAUDULENT WITHDRAWAL OF THE AMOUNT OF $250.00 TRANSFERRED TO AN UNKNOWN ACCOUNT (ACCORDING TO ATTACHMENT) REF: CHECKING ACCT. 110870-0 GUAYAQUIL BANK IN THE NAME OF TEODORO JAIME VERA I REQUEST REIMBURSEMENT OF THE AMOUNT MENTIONED ABOVE (...)"
THAT by letter No. DAyEU-ISFP-REQ-2013-1555 of November 22, 2013, the Director of User Attention and Education of the Regional Intendancy of Guayaquil requested Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., to submit defenses and explanations regarding the complaint filed by Mr. Teodoro Manuel Jaime Vera, a requirement attended with letter No. UAC-SBS-2013-716 of December 10, 2013, entered into this Superintendence of Banks on December 16, 2013;
THAT by letter No. IRG-DAyEU-V-R-2014-022 of January 13, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, resolved to order Banco de Guayaquil S.A. to proceed to restore to Mr. Teodoro Manuel Jaime Vera the sum of USD $250.00 in checking account No. 1108700, an amount corresponding to the unauthorized transfer by the user via internet, and to send evidence of compliance to the control body within eight days;
THAT through a communication, entered into this Superintendence on January 21, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the sponsorship of Dr. Rosa Tobar Reina, filed an appeal for reconsideration against the administrative act contained in letter No. IRG-DAyEU-V-R-2014-022 of January 13, 2014, which was rejected with letter No. IRG-DAyEU-V-R-2014-616, of June 13, 2014;
THAT through a communication entered into this Superintendence on July 4, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., filed before the Banking Board an appeal for review against the administrative act contained in letter No. IRG-DAyEU-V-R-2014-616, of June 13, 2014, an appeal that was accepted for processing by Lic. Pablo Cobo Luna, Secretary of the Banking Board, by letter No. JB-2014-1785, of July 10, 2014;
THAT among the factual and legal grounds exposed by Mr. Víctor Hugo Alcívar, the following are included:
That the coordinate card system, Bancontrol, increases the security of static passwords and represents an additional barrier against electronic fraud, a mechanism that provides random keys to give peace of mind to its clients and in all that implies fund movements, the use of this coordinate card is necessarily required, which is delivered to the client in a sealed envelope, meaning it is known only to the client; whose custody is their absolute responsibility.
That the security system of the controlled entity does contemplate the registration of the accounts to which transfers are desired. For the registration of the account, the system sends a security code to the email registered by the client at the bank, this code must be entered on the Virtual Banking page prior to the entry of the coordinates which are for the personal use of the client, therefore there is no responsibility on the part of the bank in the execution of this type of transaction.
That as a new element in the appeal for reconsideration, evidence of the security measures that allowed the client to be alerted about the transaction subject of their complaint was attached, the logs and withdrawals of said transaction, where it was evidenced that the client did receive the messages and that the accounts were registered as beneficiaries, as well as attaching the Electronic Services Document-Bancontrol Card Assignment.
That the claimant was provided with true, reliable, and timely information about the card, with which the system validated the keys and coordinates correctly entered, through the instruments indicated by the controlled entity itself, such as: the electronic services document-Bancontrol card assignment, the checking account contract signed by the claimant.
That throughout this complaint, Banco de Guayaquil has demonstrated that there was no error or incorrect procedure, and the authority has not demonstrated the contrary, but has considered imprecisely security measures that in its opinion would have been necessary, but which are not provided for in the applicable regulations.
THAT Banco de Guayaquil sent an internal report in which it evidenced that, according to the ITREPORTS application, the client's movements as of the date of the complaint were processed through IP address 200.115.23.26, located in Lima-Peru, which is not an IP habitually used by the claimant to make transfers, nor has it been registered by him;
THAT the financial institution within the defenses presented regarding the case in question, recognized in its memo UAC-SBS-2013-716 of December 10, 2013, that the client was a victim of computer fraud known as "Phishing".
THAT the financial institution stated that the only way to register or record both IP addresses and accounts is through Virtual Banking, which is only achieved with the validation of the key granted to its clients, therefore, if clients compromise this information, this frees the bank from responsibility for the mishandling of this key. However, in the case in question, it is not evidenced that Mr. Teodoro Manuel Jaime Vera compromised his virtual banking access key at any time nor neglected the custody of the Bancontrol coordinate card delivered by the financial institution;
THAT paragraph a) of Article 51 of the General Law of Institutions of the Financial System in force at the time of the presentation of this complaint, stated that banks are authorized to receive public resources in demand deposits, which are banking obligations, comprising monetary deposits payable by presenting checks or other payment mechanisms and registration;
THAT Banco de Guayaquil S.A. assumes the obligation to keep or safeguard deposited values with diligence and professional care, as well as is responsible for the other services offered to its clients such as transfers through different electronic channels;
THAT from Article 3, Chapter I "Of Integral Management and Risk Management", Title X "Of Risk Management and Administration", Book I of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, it is inferred that financial institutions have the responsibility to manage their risks integrally with formal processes that allow them to identify, measure, control, mitigate, and monitor them, a situation that has not occurred in the present case by Banco de Guayaquil S.A., since the bank's system did not emit any alert for the transaction carried out on November 4, 2013, allowing it to conclude successfully without the account holder realizing it, preventing them from giving immediate notice to the bank and thus avoiding the consummation of the fraud through an urgent blocking of funds;
THAT for the reasons set out in this case, Banco de Guayaquil S.A. bears responsibility for the disputed transaction, since as of the date of the complaint the bank did not maintain an efficient fraud prevention system for its transactional channels; as indicated, the client was never notified of the execution of the transaction subject of the complaint, which would have avoided the withdrawal of the money. This evidences the incorrect procedure in which the entity incurred, since the malfunction of the access alert signals to the virtual banking system allowed the withdrawal of the claimed funds;
THAT in line with what is referred to, the incorrect procedure is also evidenced at the moment when the bank itself recognizes that the client was a victim of the crime of phishing, with which the entity recognizes the violation of its computer system;
THAT the second paragraph of Article 5 of Chapter IV, Title XX, Book I, "General Norms for the Application of the General Law of Institutions of the Financial System", of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, empowers this control body to dispose of the return of the values claimed by the controlled institutions, in exercise of the functions and attributions that both constitutional and legal norms establish;
THAT the Superintendence of Banks is in charge of supervising and controlling the operations of the institutions that form part of the financial system, as well as of protecting the interests of users of this sector as established in Article 1 of the General Law of Institutions of the Financial System, in force as of the date of the complaint;
THAT the bank maintained that the claimed transfer was made by compromising personal information such as the personal key and the lack of care with the Bancontrol coordinate card, at the charge of the claimant, which has not been evidenced in the analyzed file;
THAT the National Legal Intendancy, through memo INJ-DNJ-SAL-2015-0219 of March 16, 2015, recommended to the Banking Board to reject the claim contained in the appeal for review filed;
IN exercise of its legal attributions,
SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM letter No. IRG-DAyEU-V-R-2014-616, of June 13, 2014, through which the lawyer Humberto Moya González, Regional Intendant of Guayaquil, rejected the appeal for reconsideration, and ratified the content of letter No. IRG-DAyEU-V-R-2014-022 of January 13, 2014.
NOTIFY.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on the twenty-seventh of May of two thousand fifteen.
Econ. Rodrigo Landeta Parra
GENERAL INTENDANT, S
PRESIDENT OF THE BANKING BOARD, E
I CERTIFY.- Quito, Metropolitan District, on the twenty-seventh of May of two thousand fifteen.
Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD