Resolution No. JB-2015-3430 of the Banking Board

Banking Board of Ecuador

RESOLUTION No. JB-2015-3430

THE BANKING BOARD

CONSIDERING:

THAT according to the last paragraph of the Second Transitional Provision of the Organic Code of Monetary and Financial Law, published in the Official Register Second Supplement No. 332 of September 12, 2014, the Banking Board will continue to act until it resolves all appeals it was hearing as of the date of entry into force of that Code, for a period of one hundred and eighty days;

THAT Mr. Napoleon Matovelle Aguirre, on January 27, 2014, filed a complaint with the Superintendence of Banks against the National Development Bank, in which he stated: "(...) Since 07/25/2013 I have not been able to withdraw money from ATMs. At Banco de Fomento they indicate that I exceeded daily limits when I had not done so; the withdrawal of 5,991.85 was made by other people for almost 15 days; I complained to the bank about these withdrawals and to the Napo Prosecutor's Office I asked for the money back because I did not make the withdrawals. I filed a complaint with the Napo Prosecutor's Office, but their action does not progress in the investigation. I never lost my card (...)" (sic);

THAT the Deputy Director of User Attention, through letter No. DNAE-SAU-2014-01040 of February 19, 2014, requested the sending of documentary information regarding the aforementioned complaint, accompanied by the reasoned report of the analysis carried out on the complaint, especially from the information security and customer service areas, in which it indicates whether the user's card was exposed to cloning or information theft prior to the claimed withdrawals and points of compromise;

THAT through letter No. 04283 of April 9, 2014, Engineer Marco Ruales Valverde, Director of the Customer Service Unit of the National Development Bank, in response to the requirement of this control body, in pertinent parts states that:

"(...)

It should be noted that it cannot be established in this type of complaint that all cases are cloning, despite having information and videos; because the Bank in similar cases has been able to verify that the claimed withdrawals are made by people from the client's environment, and in other cases it has been misuse of the debit card.

(...)";

THAT attached to the letter is Annex No. 1 "CONFIDENTIAL Review Report", approved by the Deputy Manager of Operational Risk of the National Development Bank, in which it concludes:

"(...)

Banking Board of Ecuador Resolution No. JB-2015-3430 Page 2

From the above, it is determined that the transaction records were successful and carried out normally; it was not possible to find evidence of compromise of our client's card according to the analysis of matches based on BANRED Security Committee reports; however, the client accessed ATMs of other Banks where there could have been a possible compromise of his debit card information (...)

According to the review of the movements recorded by the client and his transactions carried out in ATMs of other Banking Institutions, it is recommended to the Customer Service Unit to start the process of reviewing requirements to apply the "Secure Transaction" insurance to this case, as established by BANRED.

(...)". (sic);

THAT through Letter No. DNAE-SAU-2014-02447 of April 21, 2014, addressed to Economist José Andrade López, General Manager of the National Development Bank, the Deputy Director of User Attention, in charge at that date, after the analysis carried out on the complaint of Mr. Napoleon Matovelle Aguirre, stated:

"(...)

IV. CONCLUSIONS

Based on the background exposed and the analysis carried out on the complaint presented, the following is concluded:

• In a card cloning process, information is taken through devices placed in ATMs, which do not have the necessary protections, so the debit card was exposed in the present case.

• It has been evidenced that it is not the user who is called upon to verify that ATMs maintain the necessary security; that responsibility falls on the card-issuing Bank, and it is responsible that the channel enabled, whether its own or third-party, provides its customers with all security measures with the purpose of avoiding exposure to this type of risk.

• The banking entity, in this case, does not present substantiated defenses, has not complied with the procedures indicated above in money withdrawals by ATM; as well as has not carried out a comprehensive analysis of the facts taking into consideration principles of justice, equity, and good practices, contemplated in Article 2, Section I, Chapter IV "Procedure for the Attention of complaints against institutions of the financial system", Title XIV, Book I of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board.

Banking Board of Ecuador Resolution No. JB-2015-3430 Page 3

V. DISPOSITION

(...)

• It orders its represented entity that, within a period of seventy-two (72) hours counted from the receipt of the present letter, effect the reimbursement of the values claimed by its client and corresponding to the withdrawals registered by ATM from July 10 to 29, 2013, according to the fifty-nine transactions detailed in the descriptive table corresponding to numeral 3.1, minus the value of USD$1,800 already credited to the client, including the value of commissions generated. The value to be credited to the claimant Mr. Napoleon Matovelle Aguirre will be USD$3,919.35 (Value included commissions for each transaction carried out through BANRED ATMs)

(...)";

THAT through a document entered into this Superintendence of Banks on June 6, 2014, the General Manager of the National Development Bank, filed an appeal for reconsideration against letter No. DNAE-SAU-2014-02447 of April 21, 2014;

THAT through letter No. DNAE-SAU-2014-04306 of July 11, 2014, the Deputy Director of User Attention, in charge, after analyzing the appeal for reconsideration filed by the legal representative of the National Development Bank, resolved to ratify letter No. DNAE-SAU-2014-02447 of April 21, 2014, and consequently, reject the referred appeal;

THAT through a document received in the Superintendence of Banks on July 22, 2014, Economist Freddy Alfonso Monge Muñoz, General Manager of the National Development Bank, filed before the Banking Board an appeal for review against the administrative act contained in letter No. DNAE-SAU-2014-04306 of July 11, 2014, with which the appeal for reconsideration filed at that time by this cause was rejected;

THAT the arguments raised by the appellant are limited to the following: That it is important to indicate that the client Napoleon Matovelle Aguirre did not apply basic security recommendations for the handling of his debit card, recommendations given through different means with which clients are instructed on security measures they must take into account; that the National Development Bank is permanently carrying out efforts so that the information requested, as in the present case, is delivered by the private financial entities responsible for the ATMs where the irregular withdrawals were made and thus be able to attend the requirements of the control body, since without access to these files they are subject to the private financial entities having less predisposition to provide this information, which in many cases is delivered partially, especially

Banking Board of Ecuador Resolution No. JB-2015-3430 Page 4

when the claimant used ATMs that do not belong to the National Development Bank; that the bank requested this Superintendence of Banks to kindly urge financial institutions so that the requirements made by said bank are attended to in a timely manner in order to be able to comply with what is required by the control body;

THAT the appeal for review was accepted for processing by Lawyer Pablo Cobo Luna, Secretary of the Banking Board, through letter No. JB-2014-1960 of July 25, 2014;

THAT articles 52 and 66, numeral 25, of the Constitution of the Republic of Ecuador, establish that people have the right to dispose of and access public and private services of optimal quality, as well as to receive non-misleading information about their content and characteristics.

THAT articles 1 and 180, of the General Law of Institutions of the Financial System, in force at the date of filing the appeal, provide:

"Art. 1.- This Law regulates the creation, organization, activities, functioning and extinction of the institutions of the private financial system, as well as the organization and functions of the Superintendence of Banks and Insurance, within the scope of its competence, entity in charge of the supervision and control of the financial system, in all of which the protection of the interests of the public is taken into account.

(...)" (Emphasis added)

"Art. 180.- The Superintendent of Banks has the following functions and attributes:

(...)

b) To ensure the stability, solidity and correct functioning of the institutions subject to its control and, in general, that they comply with the norms governing their functioning, through permanent extra situ supervision and in situ inspection visits, in accordance with international best practices, without any restriction and that allow determining the economic and financial situation of the entity, the management of its business, evaluate the quality and control of risk management and verify the veracity of the information it generates;

(...)

o) To require that controlled institutions present and adopt the corresponding corrective and remedial measures in cases that so require; (...)";

Banking Board of Ecuador Resolution No. JB-2015-3430 Page 5

THAT article 308 of the Constitution of the Republic of Ecuador, provides that financial activities are a service of public order, and may be exercised, with prior authorization of the State, in accordance with the law; therefore, they will have the fundamental purpose of preserving deposits and attending financing requirements for the achievement of the country's development objectives, and that financial activities will intermediated in an efficient manner the resources captured to strengthen national productive investment, and socially and environmentally responsible consumption;

THAT from the aforementioned regulations, it can be inferred that the Superintendence of Banks is the control body in charge of supervising and monitoring the financial system at all times in accordance with what is established in the Constitution of the Republic and the General Law of Institutions of the Financial System, and that its main mission is the protection of the interests of the people who have placed their trust in the banking system, therefore according to article 308 ibidem the fundamental purpose of financial activities is to preserve the deposits of its clients. (Emphasis added);

THAT from the transcribed legal norms it is also inferred that the State guarantees citizens to have access to goods and services of optimal quality and that the Superintendence of Banks as the competent authority, has the function and attribute to ensure the stability, solidity and correct functioning of the institutions subject to its control; to monitor that they comply with the norms that govern them; and, to require that said institutions present and adopt the corresponding corrective measures when necessary;

THAT with respect to the argument of the appellant in the sense of transferring the responsibility of the disputed transactions to his client, for the fact of having handed over a debit card and of manifesting that the client Napoleon Matovelle Aguirre did not apply basic security recommendations in the handling of said card, recommendations given through different means, through which clients are instructed on the security measures they must take into account, it is totally insufficient to justify the refusal to reimburse the values claimed by said client; since, on the other hand, the National Development Bank, upon receiving resources from the public, also has the obligation of their proper custody, in order to return to the depositor the monetary equivalent deposited, at the moment that it is required; from there that the responsibility of the client regarding the transactions he carries out through ATMs must be surrounded in parallel with physical and information security that only the corresponding financial institution can provide;

THAT it is intended then to transfer the entire burden of proof to the client, simply for the fact of having used ATMs that do not belong to the National Development Bank, when this control body has determined in the different stages of the administrative process that it is a case of debit card cloning due to the existence of points of compromise of the same, then it must be considered that the security of the ATMs, whether their own or of the network, corresponds exclusively to the financial entities and not to the client;

Banking Board of Ecuador Resolution No. JB-2015-3430 Page 6

THAT the financial entity has the legal obligation that the ATM service, whether its own or of the network it has contracted, guarantees and has the security measures to strengthen the ATM service, which are not only encompassed in the correct custody and use of the debit card by the client, but also in the expected and efficient functioning of the fraud prevention system adopted by the National Development Bank;

THAT in virtue of the above, it is worth mentioning what is provided in article 5 of chapter IV "Procedure for the attention of complaints against Institutions of the Financial System", title XX "Of the Superintendence of Banks and Insurance", book I "General norms for the application of the General Law of Institutions of the Financial System" of the Codification of Resolutions of the Superintendence of Banks and Insurance and of the Banking Board, states:

"ARTICLE 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.

If the situation that motivated the complaint referred to in the previous paragraph, originated in an incorrect procedure of the controlled institution, which caused damage to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a period that cannot exceed fifteen (15) days from the notification to remit, under the precautions of Law, the proof of compliance with the order issued.";

THAT concomitant with the above, if the Superintendence of Banks determines incorrect procedures on the part of the controlled institutions, which caused damage to a claimant, it must act as ordered for these effects. Therefore, it corresponds for this control body to dispose of the return of the claimed value, since the bank has not proven in any way that its client has been negligent in the handling of his debit card, nor does it refer in any way to the levels or standards of quality, validation and review of the ATMs own and of the network within the different stages of the process until the transaction is qualified as successful; more so, considering that the entity does not have the notification controls implemented both to the cell phone and to the email registered by the client, with which the risk for this type of fraud would be minimized;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0010 of January 7, 2015, recommended to the Banking Board to reject the claim

Banking Board of Ecuador Resolution No. JB-2015-3430 Page 7

contained in the appeal filed by the General Manager of the National Development Bank; and,

IN exercise of its legal attributes,

RESOLVES:

SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Economist Freddy Monge Muñoz, General Manager of the National Development Bank; and, consequently, CONFIRM letter No. DNAE-SAU-2014-04306 of July 11, 2014, with which the User Attention Subdirectorate rejected the appeal for reconsideration, and ratified the administrative act contained in letter No. DNAE-SAU-2014-02447 of April 21, 2014, in which it was ordered to the National Development Bank to proceed to credit to the claimant Mr. Napoleon Matovelle Aguirre the value of USD 3,919.35 (Value included commissions for each transaction carried out through BANRED ATMs.)

NOTIFY.- Given at the Superintendence of Banks and Insurance, in Quito, Metropolitan District, on the twentieth of May of two thousand fifteen.

(Signature) Econ. Rodrigo Landeta Parra GENERAL INTENDANT (S) PRESIDENT OF THE BANKING BOARD SESSION (E)

I CERTIFY.- Quito, Metropolitan District, on the twentieth of May of two thousand fifteen.

(Signature) Lawyer Pablo Cobo Luna SECRETARY OF THE BANKING BOARD