2015-06-17 | JB-2015-3491

Resolution No. JB-2015-3491 of the Banking Board of Ecuador

The Banking Board of Ecuador issued Resolution No. JB-2015-3491 to reject the administrative review appeal filed by Banco de Guayaquil S.A. regarding a consumer complaint about unauthorized electronic transfers. The Board confirmed the Superintendence's order requiring the bank to refund US$ 9,523.30 to the customer, Gonzalo Antonio Ricaurte Caicedo, due to the bank's failure to implement adequate security controls against phishing fraud. The decision establishes that financial institutions bear exclusive responsibility for operational risks and must ensure the security of virtual banking services, as the transaction patterns indicated unusual behavior that the bank failed to detect.

Banking Board of Ecuador

RESOLUTION No. JB-2015-3491

THE BANKING BOARD

CONSIDERING:

THAT according to the last paragraph of the Second Transitional Provision of the Organic Code of Monetary and Financial Law, published in the Official Register Second Supplement No. 332 of September 12, 2014, the Banking Board will continue to act until it resolves all appeals it was hearing as of the date of entry into force of this Code, for a period of one hundred and eighty days;

THAT by communication received at the Superintendence of Banks on January 31, 2014, Mr. Gonzalo Antonio Ricaurte Caicedo filed a complaint against Banco de Guayaquil S.A. regarding two unrecognized electronic transfers made on October 22, 2013;

THAT through Official Letter No. DNAE-SAU-2014-03675 of June 13, 2014, Dr. Mirian Muñoz Solano, Subdirector of User Attention, informed Economist Angelo Caputi Oyague, Executive President of Banco de Guayaquil S.A., that the complaint filed by Mr. Gonzalo Antonio Ricaurte Caicedo was accepted and, consequently, the banking entity was ordered to restore US$ 9,523.30 improperly debited from checking accounts Nos. 001850251-8 and 018500434, in the amounts of US$ 4,985.80 and US$ 4,538.00, respectively;

THAT through an unnumbered official letter entered at the Superintendence of Banks on June 24, 2014, Banco de Guayaquil S.A. filed an appeal for reconsideration against the content of Official Letter No. DNAE-SAU-2014-03675 of June 13, 2014, which was rejected with Official Letter No. DNAE-SAU-2014-05184 of August 18, 2014, confirming the content contained therein;

THAT by communication received on September 2, 2014, at the Superintendence of Banks, Mr. Víctor Hugo Alcivar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., under the provisions of Article 137 of the General Law of Financial System Institutions, and Article 5, Section II, Chapter II, Title XVI, Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, filed an appeal for review against the content of Official Letter No. DNAE-SAU-2014-05184 of August 18, 2014;

THAT through Official Letter No. JB-2014-2464 of September 22, 2014, Lic. Pablo Cobo Luna, Secretary of the Banking Board, informed Mr. Víctor Hugo Alcivar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., that the filed appeal for review was accepted for processing, and extended the term to resolve it by an additional sixty days; and, through Official Letter No. JB-2014-2565 of September 22, 2014, notified of the acceptance for processing;

THAT regarding the appellant's argument that the present case is one of computer fraud under the "phishing" modality and that for such cases the temporal limit for financial institutions to recognize the return of values to their clients was until March 21, 2011, according to what was stated in Interinstitutional Resolutions Nos. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011, of March 21 and April 25, 2011, respectively, it is necessary to point out that said resolutions issued by the Superintendents of Banks and Insurance and the Attorney General of the State were applicable to certain specific cases that were detailed in them, within which Mr. Gonzalo Antonio Ricaurte Caicedo does not appear, whose complaint contains elements and facts distinct from those stated in the resolutions mentioned by the appellant, so this argument is inapplicable to the present case. Along the same lines, since the entity explicitly recognizes the phishing that its client suffered, the incorrect procedure is consequently demonstrated;

THAT according to Article 213 of the Constitution of the Republic, the Superintendence of Banks and Insurance is the technical body for surveillance, auditing, intervention, and control of financial activities and services provided by public and private entities that are part of the national financial system, with the purpose that these activities and services are subject to the legal framework and attend to the general interest. In harmony with this fundamental norm, Article 1 of the General Law of Financial System Institutions establishes that the Superintendence of Banks and Insurance is the entity in charge of the supervision and control of the financial system. Furthermore, financial activities are a matter of public order and have the fundamental purpose of preserving public deposits;

THAT Article 180, letter b) of the General Law of Financial Institutions, which has an organic character, obliges the Superintendence of Banks and Insurance to ensure the stability, solidity, and correct functioning of institutions subject to its control; and, in general, that they comply with the norms governing their functioning, attributions that are exercised in the administrative sphere as provided in Article 140 of the General Law of Financial System Institutions;

THAT Article 52, and numeral 25 of Article 66 of the Constitution of the Republic of Ecuador, provide as follows:

"Art. 52.- Persons have the right to dispose of goods and services of optimal quality and to choose them freely, as well as to receive precise and non-misleading information about their content and characteristics.

The law will establish the mechanisms for quality control and the procedures for the defense of consumers; and the sanctions for violation of these rights, the repair and indemnification for deficiencies, damages, or poor quality of goods and services, and for the interruption of public services that was not caused by fortuitous event or force majeure."

"Art. 66.- It is recognized and guaranteed to persons:

(...)

  25. The right to access public and private goods and services of quality, with efficiency, effectiveness, and good treatment, as well as to receive adequate and truthful information about their content and characteristics.

(...)"

THAT the Organic Law for the Defense of the Consumer, in numerals 1 and 2 of Article 4, establishes:

"Art. 4.- Consumer Rights.- The fundamental rights of the consumer, in addition to those established in the Political Constitution of the Republic, international treaties or conventions, internal legislation, general principles of law, and commercial custom, are the following:

  1. Right to the protection of life, health, and safety in the consumption of goods and services, as well as to the satisfaction of fundamental needs and access to basic services;

  2. Right that public and private providers offer competitive goods and services of optimal quality, and to choose them freely;

(...)" (The bolding is mine)

THAT based on the right to dispose of goods and services of optimal quality guaranteed by the Constitution and the aforementioned regulations, it must be pointed out that Banco de Guayaquil S.A. offers various services to its clients, among which is the transfer of funds through virtual banking, for which it is obligated to evaluate and demand the necessary security measures in order to provide a service of optimal quality to its clients; therefore, the appellant's argument that the claimed transaction is the exclusive responsibility of Mr. Gonzalo Antonio Ricaurte Caicedo is not appropriate;

THAT the aforementioned banking entity must adequately manage the risks that exist in transactions carried out through virtual banking, in compliance with what is provided in Article 3, Section II "Risk Management", Title X, Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board;

THAT it is essential to indicate that numeral 8.3, of Article 8, of Chapter III, Title XXV, of Book I of the aforementioned Compilation establishes the following:

"ARTICLE 8.- Deposits, withdrawals of funds, credits, debits, and any other transaction permitted in monetary deposit accounts, carried out through electronic or electromechanical means, must be supported by a written agreement between the bank and the account holder, in which the following conditions must appear, at least:

(...)

8.3 Banking entities will be obligated to maintain controls that guarantee the physical and technological security of this type of transaction, taking into account the risks inherent to their operation."

THAT according to the transcribed regulations, banks are obligated to adopt security measures, and to that effect they must establish this obligation in the contracts they enter into with their checking or savings account holders;

THAT Article 5 of Chapter IV "Procedure for the attention of complaints against Institutions of the Financial System", Title XX "Of the Superintendence of Banks and Insurance", Book I "General Norms for the application of the General Law of Institutions of the Financial System" of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, provides:

"ARTICLE 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.

If the situation that motivated the complaint referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused harm to the complainant, the Superintendence of Banks and Insurance may order the return of the claimed values, granting the legal representative of the entity a term that may not exceed fifteen (15) days from the notification to send, under the warnings of Law, the proof of compliance with the order issued."

THAT numeral 9.6 of Article 9 of paragraph II "Right to information on financial products and services", of Chapter III "Transparency and user rights", of Book I of the aforementioned Compilation, establishes the following:

"(...)

9.6 Receive clear, non-misleading, and non-error-inducing advertising, which collects the necessary, complete, and adequate conditions of the advertised product or service. The advertising will have binding force when contracts or agreements are agreed upon based on the advertising offer; and,

(...)";

THAT from the constitutional, legal, and normative provisions transcribed in the preceding numerals, it follows that since the Superintendence of Banks is a technical body for surveillance, auditing, intervention, and control of economic activities, and of the services provided by private entities, with the purpose that these activities and services are subject to the legal framework and attend to the general interest, according to what is provided in Article 213 of the Constitution of the Republic of Ecuador, which is transcribed below, it is appropriate that the control body observe Banco de Guayaquil S.A. so that the services provided to the client are of optimal quality, which can also be chosen freely:

"Art. 213.- Superintendencies are technical bodies for surveillance, auditing, intervention, and control of economic, social, and environmental activities, and of the services provided by public and private entities, with the purpose that these activities and services are subject to the legal framework and attend to the general interest. Superintendencies will act ex officio or upon citizen request. The specific faculties of the superintendencies and the areas that require the control, auditing, and surveillance of each of them will be determined according to the law."

(...);

THAT it is worth adding that in the "Cash Transaction Log Report", it has been verified that Mr. Gonzalo Antonio Ricaurte Caicedo habitually carries out his transactions through "Virtual Banking" from IP Address No. 201.183.113.140 from September 5, 2013, to October 21, 2013, the date of the claimed transaction, on which an inconsistency in the bank's computer system is recorded because there are repeated entries to "VIRTUAL BANKING - SUCCESS" from IP Address No. 200.37.251.170 until the successful validation of one of the claimed transfers;

THAT on October 21, 2013, in the record of checking account No. 18502518, it has been verified that until the entry of the beneficiary of the claimed transfer in the system, there are four successful entries to "Virtual Banking" and nine times that the computer system requested "Challenge Questions"; and that, despite a failed authentication attempt at 09:52:08 and a transactional history showing that it was not habitual for the system to present challenge questions to this client, the subsequent steps were nevertheless processed to complete the transfer for the value of USD$ 4,985.30. It has been evidenced that the bank's computer system continued to validate said procedure, without considering relevant aspects that are classified as unusual behavior within the profile of Mr. Gonzalo Antonio Ricaurte Caicedo, which Banco de Guayaquil S.A. did not flag in a timely manner;

THAT from the statement of movements from August to October 2013 of checking account No. 18502518 in the name of Mr. Gonzalo Antonio Ricaurte Caicedo, no electronic transfers carried out by the client that have reached the maximum monthly quota of USD$ 9,999.99 are evidenced, which determines that the claimed transactions were outside the profile and habitual transactional pattern of the client. Likewise, it is evidenced that from checking account No. 18500434, in the same period, no transfers are recorded except the one that motivated the present administrative complaint for the value of USD$ 4,538.00 on October 22, 2013;

THAT regarding the statement made by Banco de Guayaquil S.A., it is indicated that the reliability of the services provided by the banking entity is the exclusive responsibility of such institutions, and the operational risk of said service cannot be transferred to users, since it is offered on behalf of and as part of the facilities offered by banking entities to their clients, being thus the obligation of the controlled institution to take all precautions and security measures;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0207 of March 9, 2015, recommended to the Banking Board to reject the claim contained in the appeal filed by the Executive Vice President – General Manager of Banco de Guayaquil S.A.; and,

IN exercise of its legal attributions,

RESOLVES:

ARTICLE ONE.- REJECT the appeal for review filed by Mr. Víctor Hugo Alcivar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM the administrative act contained in Official Letter No. DNAE-SAU-2014-05184 of August 18, 2014, through which Dr. Mirian Muñoz Solano, Subdirector of User Attention (e), ratified Official Letter No. DNAE-SAU-2014-03675 of June 13, 2014, with which it informed Economist Angelo Caputi Oyague, Executive President of Banco de Guayaquil S.A., that the complaint filed by Mr. Gonzalo Antonio Ricaurte Caicedo was accepted and, consequently, the banking entity was ordered to restore US$ 9,523.30 improperly debited from checking accounts Nos. 001850251-8 and 018500434, in the amounts of US$ 4,985.80 and US$ 4,538.00, respectively.

COMMUNICATE. Given at the Superintendence of Banks and Insurance, in Quito, Metropolitan District, on the seventeenth of June of two thousand fifteen.

Econ. Rodrigo Landeta Parra GENERAL INTENDANT (S) PRESIDENT OF THE BANKING BOARD SESSION (E)

I CERTIFY. Quito, Metropolitan District, on the seventeenth of June of two thousand fifteen.

Lic. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD