2015-05-20 | JB-2015-3431
The Banking Board of Ecuador rejected the appeal filed by Produbanco and confirmed the administrative act requiring the bank to refund US$ 10,395.50 to customer Charlotte Susen Knopf García. The Board determined that the bank failed to implement adequate security measures, specifically regarding IP address monitoring and transaction pattern analysis, which allowed unauthorized transfers from an unregistered IP address. Consequently, the bank was held liable for the fraudulent transactions due to its failure to detect unusual activity and issue required security alerts.
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332 of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, and the norms issued by the control bodies, will remain in effect in all that does not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and, with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures that it was hearing as of the date of entry into force of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT through communications received by this control body on November 29, 2013, and December 6, 2013, Mrs. Charlotte Susen Knopf García filed a claim against BANCO DE LA PRODUCCIÓN S.A. PRODUBANCO, requesting that the aforementioned bank be ordered to return the sum of US$ 10,395.50, debited from her checking account No. 02013010091, basing her claim on the following facts: a) That on November 28, 2013, she received a message from Banco de la Producción S.A. Produbanco, indicating that 10 transfers via SPI of US$ 999.00 and one of US$ 400.00 had been made from her aforementioned checking account; b) That these 11 transactions were carried out from 21:06 to 21:27, all of which were fraudulent; c) That in the 10 years she has maintained her account, she has never made this type of bank transfer; d) That she does not know the recipient of the funds; and, e) That she has been a victim of electronic theft;
THAT by letter No. DAyEU-ISFP-REQ-2013-1783 of December 20, 2013, the full content of the claim filed against the aforementioned bank was forwarded to said bank, granting it a term of 5 days to present the pertinent explanations and defenses; the file contains the "Report on Claims for Transfers," in its pertinent part stating the following:
"CONCLUSION:
The client presents a case of information compromise, by having entered a fake page, on which she compromised the coordinates of her card and the challenge questions, that is, all the information to access the bank's website(...)
It is observed that the bank made the respective notifications to the client in order to warn about the proper use of the keys delivered and other information that the client has in her custody, as well as the notification of the various transactions carried out prior to proceeding with transfers via internet banking.";
THAT through letter No. DAyEU-V-R-2014-408 of May 15, 2014, the User Attention and Education Directorate issued the administrative resolution resolving the claim presented, in the following sense:
"1. ACCEPT the claim presented by Mrs. CHARLOTTE SUSEN KANOPF(sic) GARCÍA, with citizenship ID No. 090888350-7, against the controlled financial institution BANCO DE LA PRODUCCIÓN S.A. PRODUBANCO, on the grounds that it has not been evidenced that the claimant failed to comply with the recommendations issued by the entity for the process of internet transfers.";
THAT through communication received by this control body on May 27, 2014, BANCO DE LA PRODUCCION S.A. PRODUBANCO filed an appeal for reconsideration against the administrative act contained in letter No. DAyEU-V-R-2014-408 of May 15, 2014, which was rejected with letter No. IRG-DAYEU-V-R-2014-758 of July 14, 2014;
THAT through a document entered into the Superintendency on July 25, 2014, Dr. Jorge Alvarado Carrera, General Secretary – Judicial Attorney of BANCO DE LA PRODUCCIÓN S.A. PRODUBANCO, filed before the Banking Board an appeal for review against the administrative act contained in letter No. IRG-DAYEU-V-R-2014-758 of July 14, 2014, arguing:
THAT by letter No. JB-2014-2044 of August 4, 2014, Lic. Pablo Cobo Luna, Secretary of the Banking Board, accepted the appeal for review for processing; and, by letter No. JB-2014-2045, of the same date, notified Mrs. Charlotte Susen Knopf García regarding the acceptance of said appeal;
THAT the Superintendency of Banks, as the competent body, in accordance with articles 1 and 180, letter b) of the General Law of Institutions of the Financial System, as well as what is provided in article 5 of chapter IV regarding the "Procedure for the attention of claims against Institutions of the Financial System", title XX "Of the Superintendency of Banks and Insurance", book I "General norms for the application of the General Law of Institutions of the Financial System" of the Codification of Resolutions of the Superintendency of Banks and Banking Board, has the function and attribution to ensure the stability, solidity, and correct functioning of the institutions subject to its control; to supervise that they comply with the norms that govern them; and, to require that said institutions present and adopt the corresponding corrective measures when necessary; under this context, based on the referred legal and regulatory provisions, it is inferred that this control body has the legal and normative faculty to hear the claims of financial users, and in case of determining an incorrect procedure by the entities, to dispose of the restitution of values to them, therefore the administrative acts issued to resolve them, arise from the control and supervision attributions, in whose activity, the protection of the public's interests must be taken into account;
THAT regarding the fact that the bank has no responsibility in the objected transaction, since said affectation occurs due to the incorrect use of the electronic channel and not due to the lack of security of the entity's systems, and can only be imputable to the user, taking into account that personal keys, challenge questions, and coordinates constitute the only mechanism to access internet transfer services; the first paragraph of article 1, chapter III "Code of Rights of the Financial System User", book I of the Codification ibidem, establishes that users, like the controlled financial entity, have rights and obligations to fulfill based on a contract, the first to maintain due custody of their personal key and card coordinates delivered by the bank, the second to comply with orders on the funds entrusted to it, in harmony with the pertinent legal and regulatory norms with the implementation of adequate internal controls that safeguard the interests of their clients; in this sense, BANCO DE LA PRODUCCIÓN S.A. PRODUBANCO, when offering its clients the service of transfers via virtual banking, and in order to guarantee the safeguarding of deposited values, is obliged to implement procedures and security policies that avoid the risk of possible diversions or misappropriation of deposited economic resources;
THAT Banco de la Producción S.A. Produbanco has acknowledged in its defenses that the questioned transfer was made from IP address 181.112.217.211, being this IP not habitual for the claimant to make transfers through virtual banking, and not registered by her for such effects; inasmuch as until the date of the claimed transfers, Mrs. Charlotte Susen Knopf García had not carried out any operation in virtual banking, even subsequently to the impugned transfers she did not make virtual transfers; it is observed within said procedure a lack of compliance by the entity with what is provided in several of the provisions contained in article 4, section II, chapter V "Of Operational Risk Management", title X "Of Risk Management and Administration", book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, which dispose:
"(...) 4.3.5 Security measures in electronic channels.- In order to guarantee that transactions carried out through electronic channels have the controls, measures, and security elements to avoid the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients in charge of controlled institutions, these must comply at minimum with the following: (...)
(...) 4.3.5.8. Establish procedures to monitor, control, and issue online alarms that inform timely about the status of electronic channels, in order to identify unusual, fraudulent events or correct failures...
(...) 4.3.5.9. (...) Among the main personalization conditions for each type of electronic channel, it must include: the registration of the accounts to which one wishes to make monetary transfers, numbers of basic service supplies, fixed and mobile telephone numbers, maximum amounts per daily, weekly, and monthly transaction, among others.
(...) 4.3.5.11. Financial system institutions must register IP addresses, and mobile telephone numbers from which transactions are carried out (...)
(...) 4.3.5.13. Institutions must establish control procedures and mechanisms that allow registering the profile of each client regarding their transactional behaviors that imply money movement in the use of electronic channels and cards and define procedures to monitor online and allow or reject timely the execution of transactions that imply money movement that do not correspond to their habits which must be immediately notified to the client via mobile messaging, email, or other mechanism (...)";
THAT Banco de la Producción S.A. Produbanco, points out in the referred report that the user commented to the executive who attended her through the Call Center channel, that she exposed her banking information contained in: key, challenge questions, and all coordinates on a web page, but said bank never attached to the file any proof demonstrating what was asserted, such as the audio recording of the telephone call made by the claimant, besides the bank demonstrates through its defenses that the only way to matriculate or register both IP addresses, as well as accounts, is through entry to Produnet, which exclusively is achieved with the validation of the key granted to its clients, therefore, that clients compromise said information frees the bank from any responsibility for the mishandling of this key. However, in the case at hand, it is not evidenced that Mrs. CHARLOTTE SUSEN KNOPF GARCÍA, has compromised at any time her access key nor neglected the custody of the coordinate card granted by the controlled entity;
THAT from the cited regulation it is inferred that the financial entity has not implemented all the necessary security measures to provide the level of reliability for the carrying out of the claimed electronic transfer, since the transaction subject of the claim was carried out from an IP address not habitual for the claimant to make transfers, which does not fit within the typical patterns of the client that should have been raised by the bank, without it having yielded any alert signal. Said transfer made from a different IP address, should have emitted the corresponding security alerts, so in the present case, weakness in the application of procedures of the controlled entity is evidenced in accordance with the quoted numeral 4.3.5.13, which caused an economic detriment to the claimant, in the present case, had said norm been complied with by the bank, the controversial transfer would not have been carried out from an IP that has not been registered within her transactionality;
THAT likewise it is worth mentioning that integral risk management is one of the responsibilities attributed to institutions that are part of the Financial System, by virtue of that, and since it is their responsibility to adequately manage risks, subject to what is provided in numeral 2.2 of article 2, title X "Of risk management and administration", chapter I "Of integral risk management and control", book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, it is stated:
"2.2 Risk Management.- It is the process by which financial system institutions identify, measure, control / mitigate and monitor the risks inherent to the business, in order to define the risk profile, the degree of exposure that the institution is willing to assume in the development of the business and the coverage mechanisms, to protect own and third-party resources that are under their control and administration.";
THAT BANCO DE LA PRODUCCIÓN S.A. PRODUBANCO has the obligation to implement security actions and procedures through virtual banking - electronic channel that offers its clients online services for carrying out their transactions -, aimed at timely warning of the risk of alteration and unauthorized access to their accounts, preventing in this way electronic frauds, as well as other types of crimes, that due to lack of application of the norm issued for the effect, violate the patrimony of their clients, so the responsibility for the claimed transfer cannot be transferred to Mrs. Charlotte Susen Knopf García;
THAT inasmuch as the claim presented by Mrs. Charlotte Susen Knopf García, originated from an incorrect procedure of the controlled institution, widely detailed since from the transactional record it is appreciated, that the banking institution did not detect the unusual behavior of the user, or entries from an IP address different from those maintained in the transactional profile; all this allowed the claimed transfers to be carried out, without the bank having emitted the security alert to which it was obliged in accordance with the norm previously stated; in this case, the requirement established in article 5, chapter IV "Procedure for the attention of claims against Institutions of the Financial System", title XX "Of the Superintendency of Banks and Insurance", book I "General norms for the application of the General Law of Institutions of the Financial System" of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board was fulfilled;
THAT the National Legal Intendency, through memorandum INJ-DNJ-SAL-2015-0144 of February 9, 2015, recommended to the Banking Board to reject the claim contained in the appeal filed by the General Secretary – Judicial Attorney of BANCO DE LA PRODUCCION S.A. PRODUBANCO; and,
IN exercise of its legal attributions,
SINGLE ARTICLE.- REJECT the claim contained in the appeal for review presented by Dr. Jorge Alvarado Carrera, General Secretary – Judicial Attorney of BANCO DE LA PRODUCCIÓN S.A. PRODUBANCO; and, consequently CONFIRM the administrative act contained in letter No. IRG-DAYEU-V-R-2014-758 of July 14, 2014, through which the Regional Intendency of Guayaquil rejected the appeal for reconsideration filed, and resolved to ratify the administrative act contained in letter No. DAyEU-V-R-2014-408 of May 15, 2014 in which it concluded: "2. ORDER BANCO DE LA PRODUCCIÓN S.A. PRODUBANCO to proceed to restitute (...) the sum of TEN THOUSAND THREE HUNDRED NINETY-FIVE 50/100 DOLLARS OF THE UNITED STATES OF AMERICA (US$ 10,395.50), in checking account No. 02013010091 that it maintains in said bank, value that corresponds to the unauthorized transfer by the user via internet (...)".
NOTIFY. Given at the Superintendency of Banks and Insurance, in Quito, Metropolitan District, on the twentieth of May of two thousand fifteen.
Econ. Rodrigo Landeta Parra
GENERAL INTENDENT (S)
PRESIDENT OF THE BANKING BOARD SESSION (E)
I CERTIFY. Quito, Metropolitan District, on the twentieth of May of two thousand fifteen.
Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD