Banking Board Resolution JB-2015-3524

Banking Board of Ecuador

RESOLUTION No. JB-2015-3524

THE BANKING BOARD CONSIDERING:

THAT on February 7, 2014, Mr. Fredy Hidalgo Cajo filed a complaint with the Attorney General's Office, Department of Comprehensive Care, stating: "THE CASE IS THAT YESTERDAY, FEBRUARY 6, 2014, AT APPROXIMATELY 14:30, I ENTERED THE PICHINCHA BANK QUERY SYSTEM TO VERIFY A DEPOSIT I HAD JUST MADE AT SAID FINANCIAL INSTITUTION, BUT UPON ENTERING THEY ASKED ME FOR THE COORDINATE KEY, SO THINKING IT WAS DATA REQUESTED BY THE BANK I WROTE MY KEY (...) BUT AT 14:48 I RECEIVED A MESSAGE FROM THE BANK TO MY CELLPHONE INDICATING THAT THE AMOUNT OF 4,885.23 HAD BEEN TRANSFERRED TO ACCOUNT NO. 3352030904, WHEREUPON I IMMEDIATELY WENT TO PICHINCHA BANK WHERE I BLOCKED MY ACCOUNT AND THE ONE TO WHICH MY MONEY WAS TRANSFERRED." (sic);

THAT on March 20, 2014, Mr. Fredy Roberto Hidalgo Cajo filed a claim against Banco Pichincha C.A. before the Superintendence of Banks, stating that on February 6, 2014, at around 14:30, he went to the Centro de Riobamba branch to make a deposit of USD 5,000 into his checking account; that he then went to work and checked his balance via the internet, but the page did not open; instead, it requested a series of keys from his e-key card, which he noticed was unusual, so he closed the page; that five minutes later a message arrived on his cell phone stating that a transfer of USD 4,885.23 to account No. 3352030904 was successfully completed; that at no time had he performed any transaction with anyone, especially since days earlier at the same bank he attempted to transfer USD 2,500.00 to his wife's account and the bank did not authorize it, indicating that transactions of that amount could not be made, but in this case they did; that immediately after receiving the message he went to the bank and requested information about the operation, and a service desk employee confirmed that the transaction was completed; that upon telling them what happened, they said fortunately the money was still in the receiving account, whose holder's information they could not provide due to banking secrecy, and that said account had been blocked; that they would call him and the maximum deadline for resolving his claim was March 5, 2014; that from then on he visited the bank daily without receiving any response; that part of the bank called him, Mr. Analuisa, who indicated that the holder of the receiving account was Jorge Adrián Flores León from Guayaquil; that the money had never been blocked and had already been collected via checks; that on March 12, 2014, he went to Quito and was later informed that his request had already been resolved, but upon approaching to learn the outcome he received a negative response from the bank's Business Manager, who stated that it could not assume responsibility for the claim. That is why he brought the matter to the control body so that the bank's irregularities would be known, since the user is the only one who loses due to the bank's negligence; that on the same day, the bank's advisor indicated that due

---

Banking Board of Ecuador

Resolution No. JB-2015-3524 Page 2

to the proper management of his checking account, the bank would, on its own and without assuming any responsibility, agree to pay him 50% of the transfer value after he signed a series of waiver documents so as not to pursue any legal action against the bank; and, therefore, he requests that the file be analyzed and the bank ordered to make the corresponding refund for the transfer it never made, which occurred due to the insecurity existing in the bank, and that the documentation regarding compliance with said order be forwarded;

THAT prior to a request and analysis of information requested from the bank, the Subdirectorate for User Assistance, through Official Letter No. DNAE-SAU-2014-02912 dated May 12, 2014, denied the claim filed by Mr. Fredy Hidalgo Cajo, due to the bank's responsibility not having been proven;

THAT through a document filed on June 11, 2014, Mr. Fredy Roberto Hidalgo Cajo filed a review appeal before the Banking Board against the administrative act contained in Official Letter No. DNAE-SAU-2014-02912 dated May 12, 2014, simultaneously requesting that it be revoked;

THAT the grounds on which Mr. Hidalgo Cajo bases his appeal are the same as those recorded in the claim filed before the control body on March 20, 2014, in which he reiterates that after making a deposit he went to his office and checked his balance through the bank's website, and that the page did not open, and that they requested a series of keys from his e-key card, which was unusual, so he proceeded to close the page. That later a message arrived on his cell phone regarding the transfer of USD 4,885.23 to account 3352030904 being successful; that days earlier at the same bank he wanted to make a transfer in favor of his wife and the bank did not authorize it; that on repeated occasions he has approached Mr. Jorge Flores León, holder of the receiving account, to inform him that he logged into his account and did not request the money but it was placed there, and has nothing to do with him; that he also does not know about the money; that he should follow the procedures since he will not pay anything because he did not request this money; that his lawyer also called and told him that he will not take responsibility since the bank is solely responsible; that he later received a response from the Subdirectorate for User Assistance denying his claim; that the bank has not called him regarding his transfer, whereas it did call him when he made transfers of 100 dollars; that the bank wanted to pay him 50% of the transfer after subscribing several documents;

THAT the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332 on September 12, 2014, whose text states that resolutions recorded in the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and norms issued by control bodies, will remain in force insofar as they do not oppose the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until resolving all claims, appeals, and other administrative procedures it was processing as of the effective date of said Code, within

---

Banking Board of Ecuador

Resolution No. JB-2015-3524 Page 3

a period of one hundred eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

THAT regarding the grounds for the appeal presented by Mr. Fredy Cajo, it must be noted that in the complaint he filed with the Attorney General's Office he mentioned the following: "(...) BUT UPON ENTERING THEY ASKED ME FOR THE COORDINATE KEY SO THINKING IT WAS DATA REQUESTED BY THE BANK I WROTE MY KEY (...)"; that in this regard it should be mentioned that Article 8, Chapter III, Title XXIV, Book I of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, requires that electronic service use contracts include as an obligatory condition the one regarding the client's responsibility for transactions carried out through these means and the obligation to keep secret the key or securities assigned to him, as well as any changes he makes; that said norm obliges the client to safeguard his keys and coordinates; and, that consequently, since the client admitted that he provided his key and coordinates when accessing the bank's website, the client failed to fulfill his obligation to safeguard the key as required by the aforementioned Codification norm;

THAT it is necessary to point out that upon accessing the electronic banking service, Banco Pichincha C.A. displays the following security alert: "Never give your personal data, access keys and E-Key card by email, cell phone message, SMS, telephone, website, or other means (...)";

THAT based on the technical report presented by the Subdirector of User Assistance, it is observed that for transactions carried out through the electronic banking channel to be considered successful, the following must be met: 1) entry of the user created by the client; 2) entry of the personal security key of 12 to 16 characters with combinations of letters and numbers; 3) confirmation of the bank transfer by entering the coordinate card number requested; that these tools are under the custody of the account holder; and, that the filters to consider a transfer successful are exclusively known by the user;

THAT Article 5, Chapter IV, Title XX of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board provides:

"ARTICLE 5.- If the result of the analysis conducted by the Superintendence determines the need for the controlled institution to introduce corrective measures that regularize the situation that motivated the claim, the Superintendent of Banks and Insurance or the official holding delegation of said authority will issue the corresponding order.

If the situation that motivated the claim referred to in the preceding paragraph originated from an incorrect procedure by the controlled institution, which caused harm to the claimant, the Superintendence of Banks and Insurance may order the refund of the claimed values, exercising the functions and powers contemplated in letters b) and o) of Article 180 of the General Law of Financial System Institutions, granting the legal representative a period that may not exceed fifteen

---

Banking Board of Ecuador

Resolution No. JB-2015-3524 Page 4

(15) days from notification to forward, under legal precautions, the proof of compliance with the issued order (...)";

THAT the aforementioned norm requires the determination by the control body of an incorrect procedure by the financial institution as a condition for ordering the restitution of claimed values, which, in this case, has not been met;

THAT the bank's obligation to generate alerts aims to inform the client about transactions on their accounts, without thereby obligating the bank to require the client's authorization when the client is authorized through the electronic channel to approve the transaction on their accounts;

THAT regarding the refusal of the checking account holder to whom the transfer was made to repay its value, this Superintendence lacks legal authority to rule;

THAT the National Legal Intendencia, through memorandum INJ-DNJ-SAL-2015-0101 dated February 3, 2015, recommended to the Banking Board reject the claim contained in the appeal filed by Mr. Fredy Roberto Hidalgo Cajo;

THAT through memorandum INSFPR-2015-0662 dated July 29, 2015, the National Intendencia of the Private Financial Sector, as a result of the special examination conducted on Banco Pichincha C.A., informs the following:

"2. Second Login: At 14:43:23 the user and biometric password were entered in the "internexo" application; upon performing validations, they were not successful, so an "OTP" was generated and sent to the email juceur10@gmail.com, which was entered and allowed access to client information at 14:44:40; accounts enabled for transfers were consulted; subsequently, at 14:45:30, the "Activation of accounts for transfers" option was entered and the transfer limit was modified to USD 5,000, entering the requested e-key coordinate; next, at 14:47:51 he entered the "Make direct transfers between accounts" option where he transferred USD 4,885.23 from account No. 3144480004 to account No. 3352030904, entering the requested e-key coordinate; once the transaction was completed, the system sent the transfer notification at 14:47:51 via SMS to cell phone No. 0994911495 and message to email juceur10@gmail.com.

CONCLUSION: From the above, it was determined that the maximum transfer limit through "internexo" in February 2014 could be personalized by each client through the bank's application, within the maximum allowed value, which at that date amounted to up to USD 5,000.

From the analysis of information provided by the bank (transactional logs) regarding the automatic process for assigning and accepting

---

Banking Board of Ecuador

Resolution No. JB-2015-3524 Page 5

the maximum daily authorized limit for electronic internet transfers of Mr. Fredy Roberto Hidalgo on February 6, 2014, it is clear that the "internexo" application performed validations of: user and biometric password; generation, sending, and confirmation of "OTP" code; request and validation of e-key coordinate for updating the personalized maximum transfer amount; as well as the request and validation of e-key coordinate for executing transfers between accounts."; and,

IN exercise of its legal powers;

RESOLVES:

SOLE ARTICLE.- REJECT the review appeal filed by Mr. Fredy Roberto Hidalgo Cajo; and, consequently, CONFIRM the administrative act contained in Official Letter No. DNAE-SAU-2014-02912 dated May 12, 2014.

BE IT NOTIFIED.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on August 5, two thousand fifteen.

(Firma) Econ. Rodrigo Landeta Parra GENERAL INTENDENT (S) PRESIDENT OF THE BANKING BOARD SESSION (E)

I CERTIFY.- Quito, Metropolitan District, on August 5, two thousand fifteen.

(Firma) Lcdo. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD

---

Banking Board of Ecuador