2015-06-10 | JB-2015-3473
The Banking Board of Ecuador issued Resolution JB-2015-3473 to reject the appeal filed by Banco de Guayaquil S.A. regarding a customer's claim for unauthorized electronic transfers. The Board confirmed the previous administrative order requiring the bank to refund USD 451.00 to the customer, ruling that the institution failed to prove the customer compromised her security credentials. This decision reinforces the bank's responsibility to secure electronic channels and prohibits shifting the burden of proof for unauthorized transactions to the user without evidence of negligence.
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332, on September 12, 2014, whose text states that resolutions contained in the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and the norms issued by control bodies, will remain in effect insofar as they do not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was hearing as of the date of entry into force of the same, within a period of one hundred eighty (180) days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT by Resolution No. 054-2015-F, published in the Supplement of the Official Register No. 467, on March 26, 2015, the Monetary and Financial Policy and Regulation Board extended by one hundred eighty (180) additional days the deadline for the Banking Board to continue acting and resolve all claims, appeals, and other administrative procedures within its competence;
THAT by writing presented at the Regional Intendancy of Guayaquil on September 5, 2013, Ms. Celia Paola Cazar Troya filed a claim against Banco de Guayaquil S.A., regarding debits through unauthorized transactions in the amount of USD $451.00 from her multiple savings account No. 15239382, on August 16, 2013;
THAT by letter No. DAyEU-ISFP-REQ-2013-1250 of October 14, 2013, the Director of User Attention and Education of the Regional Intendancy of Guayaquil requested Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., to submit defenses and explanations regarding the claim filed by Ms. Celia Paola Cazar Troya;
THAT through letter No. UAC-SBS-2013-596 of October 24, 2013, received by this Superintendence of Banks and Insurance on November 21, 2013, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., in response to the request from the control body, submitted copies of the documents in the file of the claim of Ms. Celia Paola Cazar Troya;
THAT by letter No. IRG-DAYEU-V-R-2014-012 of January 9, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, resolved to order Banco de Guayaquil S.A. to restore to Ms. Celia Paola Cazar Troya the sum of USD $451.00 in account No. 15239382, an amount corresponding to the transfer via internet not authorized by the user, and to submit to the control body, within eight days, evidence of compliance with this resolution; and, through communication received by this Superintendence on January 21, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the sponsorship of Dr. Rosa Tobar Reina, filed an appeal for reconsideration of that administrative act; which was rejected through letter No. IRG-DAYEU-V-R-2014-832, of July 29, 2014;
THAT through communication received by this Superintendence on August 12, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., filed before the Banking Board an appeal for review of the administrative act contained in letter No. IRG-DAYEU-V-R-2014-832, of July 29, 2014; which was accepted for processing by Licentiate Pablo Cobo Luna, Secretary of the Banking Board, through letter No. JB-2014-2275, of August 26, 2014;
THAT among the factual and legal grounds are the following:
That the coordinate card system, Bancontrol, increases the security of static passwords and represents an additional barrier against electronic fraud, a mechanism that provides random keys to give peace of mind to its clients; that in all matters involving fund movements, the use of this coordinate card is necessarily required; and that the card is delivered to the client in a sealed envelope, meaning it is known only to the client, and its custody is the client's absolute responsibility.
That to use virtual banking from an unusual IP address, it must necessarily be authorized by the client through a security process; once the IP address is authorized, the client chooses whether to register it or not for future transactions.
That the security system of the controlled entity does contemplate the registration of accounts to which transfers are to be made. For the registration of the account, the system sends a security code to the email address registered by the client at the bank; this code must be entered on the Virtual Banking page prior to entering the coordinates, which are for the personal use of the client, so there is no responsibility on the part of the bank in the execution of this type of transaction.
That as a new element in the appeal for reconsideration, evidence of the security measures that allowed the client to be alerted about the transaction subject of her claim was attached, the logs and withdrawals of said transaction, where it was evidenced that the client did receive the messages and that the accounts were registered as beneficiaries, as well as attaching the Electronic Services Document - Assignment of Bancontrol Card.
That the user was informed about the possibility of customizing the service of transactions through electronic channels, which she indeed knew from the moment the coordinate card was delivered to her, in which her declarations of being duly and timely informed are stated, as stipulated in the electronic services document – assignment of Bancontrol card;
THAT from the file formed regarding this appeal for review and the arguments of the financial institution, the following is derived:
THAT Banco de Guayaquil S.A. highlights the observance and compliance with the corresponding reforms regarding security measures in electronic channels, ATMs, point of sale, and electronic banking.
THAT regarding this, Article 4, Chapter V, Title X, Book I "On Integrated Management and Risk Control" of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, provides as follows:
"(...)"
Article 4.- With the purpose of minimizing the probability of incurring financial losses attributable to operational risk, the following aspects, which are interrelated, must be adequately managed:
4.3 Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making.
4.3.4.12 Controlled institutions that offer transfer and electronic transaction services must have information security policies and procedures that guarantee that operations can only be performed by duly authorized persons; that the communication channel used is secure, through information encryption techniques; that there are alternative mechanisms that guarantee the continuity of the offered service; and, that they ensure the existence of audit trails.
4.3.8 Security Measures in Electronic Channels.- In order to guarantee that transactions carried out through electronic channels have the controls, measures, and security elements to prevent the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients under the care of controlled institutions, these must comply at minimum with the following:
4.3.8.8 Offer clients the necessary mechanisms to customize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.
Among the main customization conditions for each type of electronic channel, there must be: registration of accounts to which transfers are to be made, registration of authorized computer IP addresses or authorized mobile phone numbers, maximum amounts per daily, weekly, or monthly transaction.
(...)
THAT the financial institution states that the only way to register or enroll both IP addresses and accounts is through Virtual Banking, which is only achieved with the validation of the key granted to its clients; therefore, if clients compromise this information, this frees the bank from responsibility for the mishandling of this key. However, in the case at hand, it is not evidenced that Ms. Celia Paola Cazar Troya compromised her access key to virtual banking at any time nor neglected the custody of the Bancontrol coordinate card delivered by the financial institution;
THAT paragraph a) of Article 51 of the General Law of Financial System Institutions states that banks are authorized to receive public resources in demand deposits, which are banking obligations, comprising monetary deposits payable upon presentation of checks or other payment mechanisms and registration;
THAT Banco de Guayaquil S.A. assumed the obligation to keep or safeguard deposited values with diligence and professional care; it is also responsible for other services offered to its clients, such as transfers through different electronic channels. In this sense, it is obliged to evaluate and demand the necessary securities as a depositary of the money its clients have entrusted to it;
THAT Article 3, Chapter I, Title X "On Risk Management and Administration", Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, states that integrated risk management is one of the responsibilities attributed to financial institutions;
THAT from the above, it is derived that financial institutions have the responsibility to manage their risks with formal administration processes that allow them to identify, measure, control, mitigate, and monitor the risk exposures they are assuming;
THAT Banco de Guayaquil S.A. affirms that the report of notifications complied with the procedure established in the reforms corresponding to security measures in electronic channels, ATMs, point of sale, and electronic banking; however, the presentation of said documentation does not modify the circumstances under which the claimant, Ms. Celia Paola Cazar Troya, challenged the transfers made from her savings account No. 15239382;
THAT the main ground exposed by the claimant is the existence of unauthorized bank transfers through virtual banking, evidenced in the defenses presented by Banco de Guayaquil S.A., through which the entity maintained that the mentioned transfers were carried out due to compromising personal information such as the personal key and lack of care with the Bancontrol coordinate card, on the part of the claimant;
THAT from what is referred to in the previous paragraph, it is determined that Banco de Guayaquil S.A. intends to shift the risks of the organization and execution of the transfer service through electronic channels offered by the institution to the user, by holding her responsible for the misuse of her virtual banking access key and compromising the custody of her Bancontrol coordinate card, of which, as indicated, there is no record whatsoever in the file of the case at hand, a ground that allowed the rejection of the appellant's claims, insisting that it is not appropriate to place the responsibility for the possible lack of custody and care of the Bancontrol coordinate card information, and consequently the responsibility for said virtual transaction,
THAT the second paragraph of Article 5 of Chapter IV, Title XX, Book I, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, provides:
"Article 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the claim, the Superintendent of Banks and Insurance or the official who holds the delegation of said authority will issue the corresponding disposition.
If the situation that motivated the claim referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused harm to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, in the exercise of the functions and attributes contemplated in letters b) and o) of Article 180 of the General Law of Financial System Institutions, granting the legal representative of the entity a period that may not exceed fifteen (15) days from notification to submit, under the legal warnings, the proof of compliance with the order issued";
THAT the invoked norm empowers this control body to exercise its functions and attributes, both constitutional and legal, to order the return of values claimed by users of the financial system, provided that the situation object of the claim originated in an incorrect procedure on the part of the controlled institution, as evidenced in the present case;
THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0156 of February 11, 2015, recommended to the Banking Board to reject the claim contained in the appeal for review filed;
AND IN exercise of its legal attributes,
SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM letter No. IRG-DAYEU-V-R-2014-832, of July 29, 2014, through which the lawyer Humberto Moya González, Regional Intendant of Guayaquil, rejected the appeal for reconsideration, and ratified the content of letter No. IRG-DAYEU-V-R-2014-012 of January 9, 2014, with which it was ordered to the controlled entity to restore the value of USD $451.00 corresponding to the challenged electronic transfers.
NOTIFY.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on June 10, two thousand fifteen.
Econ. Rodrigo Landeta Parra
GENERAL INTENDANT, S
PRESIDENT OF THE BANKING BOARD, E
I CERTIFY.- Quito, Metropolitan District, on June 10, two thousand fifteen.
Lic. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD