2015-04-15 | JB-2015-3359

Resolution No. JB-2015-3359 of the Banking Board

The Banking Board of Ecuador issued Resolution JB-2015-3359 to confirm the obligation of Banco Pichincha C.A. to fully refund US $4,482.23 to client Germania Sambache Chicaiza following an unauthorized phishing transaction. The Board rejected the bank's appeal, ruling that the institution failed to implement adequate fraud prevention systems and violated operational risk management regulations by not detecting the anomalous transfer. This decision reinforces the regulatory requirement for financial institutions to protect consumers and ensure the security of electronic banking channels.

RESOLUTION No. JB-2015-3359

THE BANKING BOARD

CONSIDERING:

THAT according to the last paragraph of the Third Transitional Provision of the Organic Code of Monetary and Financial Law, published in the Official Register Second Supplement No. 332, of September 12, 2014, the Banking Board will continue to act until it resolves all appeals it was hearing as of the date of entry into force of this Code, for a period of one hundred and eighty days;

THAT through a communication received by the Superintendence on March 25, 2014, Ms. Germania Sambache Chicaiza, with citizenship card No. 171499776-2, filed an administrative complaint against Banco Pichincha C.A., in the following terms:

"(...)

I, Germania Sambache Chicaiza..., owner of Checking Account No. 53033445 at BANCO PICHINCHA. I bring to your attention the case that occurred to me on February 11, 2014, when I received a message on my cell phone stating: 'Dear client, your transfer to account 6324078200 for the amount of $ 4,482.23 has been successfully completed.' This account belongs to Mr. Douglas Andrés Jiménez, owner of the savings account at Banco Pichincha. (sic)

I was surprised by this transaction because I had the e-key expert card in my possession at that time. I called the call center of BANCO PICHINCHA to report what happened, and they told me they would block my account and the beneficiary's account and that I should go to the bank's customer service as soon as possible, which I did. I went to the Atahualpa Branch, and since it was already 4:20 PM, they told me to come back the next day to file a report. It was my desperation because they left me with only $ 72 in my account. (sic)

(...)

On March 25, I called Miss Tatiana Suarez to ask if I had a response to my request, and she told me that the COMMERCIAL RELATIONS department is returning 50% of the amount and that if I agree, I must sign accepting the aforementioned conditions, or otherwise I must fill out a form where I waive the return of the 50% and see what I do.

(...)

That is why, Mr. Superintendent of the Superintendence of Banks and Insurance, I respectfully request your help so that Banco Pichincha returns my money in full, as I did not make that transaction. (sic)

(...)",


THAT with letter No. DNAE-SAU-2014-02051, of April 1, 2014, the then Undersecretary for User Attention, admitted the aforementioned complaint for processing, while requesting the aforementioned financial institution to provide substantiated and documented information with respective physical backups regarding the aforementioned complaint; and, with letter No. DNAE-SAU-2014-02050, of the same date, informed the complainant about the matter;

THAT through letter No. BP-ACEC-2014-0372, of April 22, 2014, Ms. Catalina Salazar Mejía, Authorized Signatory of Banco Pichincha C.A., responded to the letter from the control body, and attached several documents related to the complaint;

THAT through letter No. DNAE-SAU-2014-03729, of June 16, 2014, the Acting Undersecretary for User Attention, resolved the complaint in question, in the following terms:

"(...)

The cancellation of the card requested by the client was carried out on February 11, 2014, via call center, once she was notified by SMS to her cell phone of the unrecognized transfer.

According to the documentation sent by the bank, it is observed that the transactions registered by the beneficiary account do not correspond to the client's behavior or profile, as the withdrawal parameters are for amounts less than USD $300.00, a fact that should have activated alerts for transactional unusualness.

Banco Pichincha C.A. offers to recognize 50% of the claimed amount without presenting substantiated defenses.

Taking into consideration principles of justice, equity, and sound practices, contemplated in Article 2, Section I, Chapter IV, Title XIV, Book I, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and based on what is provided in the General Law of Institutions of the Financial System, of an organic nature, Articles 1 and 180 letters b) and o) in conjunction with Article 5, Section I, Chapter IV, Title XX, Book I, of the Compilation..., it is resolved:

That Banco Pichincha C.A. return the total amount claimed, that is, the sum of USD $4,482.34, for which effect it shall credit said amount to the complainant's account within a term of three days, counted from the date of receipt of the present letter. Proof of the action taken shall be sent to the Superintendence of Banks and Insurance within a term of two days from the crediting.

(...)",

THAT through a communication received in the Superintendence on June 25, 2014, the Vice President and Legal Representative of Banco Pichincha C.A. filed an appeal for reconsideration against the administrative act contained in letter No. DNAE-SAU-2014-03729, of June 16, 2014, an appeal that was rejected through letter No. DNAE-SAU-2014-05543, of September 1 of the current year, in which the Undersecretary for User Attention confirmed the appealed administrative act;

THAT through a document received in the Superintendence on September 10, 2014, Mr. Antonio Acosta Espinosa, Adjunct President of Banco Pichincha C.A., with the professional sponsorship of Dr. Pablo Cadena Merlo and lawyer María José Araujo Álvarez, filed an appeal for review against letter No. DNAE-SAU-2014-05543, of September 1, 2014;

THAT the arguments raised by the appellant are limited to stating that the bank maintains an efficient fraud prevention system for its transactional channels; that the transactions in question were correctly processed, because in them the system validated the client's key and coordinates, which are only known and safeguarded by the client, that is, under their responsibility; that the client must keep secret the coordinates on their "E-key" card, which constitute the only mechanism to access internet transfer services; that according to the systems area report, the disputed transfer was processed with the information and coordinates of E-key card No. 2588662 corresponding to the complainant; that the harm to the client arises not from a lack of security in the bank's systems, but from the incorrect use of the electronic channel, which can only be imputable to the user; that the "permanent insecurity in which we live cannot constitute an argument for the consequences of acts committed by common crime to be blamed on the Bank..."; that the appealed administrative act lacks motivation; and, that the bank did not incur in any incorrect procedure to the detriment of the complainant;

THAT with letter No. JB-2014-2460, of September 11, 2014, the Secretary of the Banking Board accepted the aforementioned appeal for review for processing;

THAT with respect to the arguments of the appellant regarding the fact that the bank maintains an efficient fraud prevention system for its transactional channels; that the transactions in question were correctly processed, because in them the system validated the client's key and coordinates, which are only known and safeguarded by the client, that is, under their responsibility; and that the client must keep secret the coordinates on their "E-key" card, which constitute the only mechanism to access internet transfer services; that according to the systems area report, the disputed transfer was processed with the information and coordinates of E-key card No. 2588662 corresponding to the complainant; that the harm to the client arises not from a lack of security in the bank's systems, but from the incorrect use of the electronic channel, which can only be imputable to the user; and, that the bank did not incur in any incorrect procedure to the detriment of the complainant, it is necessary to point out the following:

  • The complaint filed by Ms. Germania Sambache Chicaiza against Banco Pichincha C.A. refers to a transfer made via the internet on February 11, 2014, in favor of a beneficiary unknown to her, for the value of US $4,482.23, from IP address 190.81.102.239, a transaction that was not usual for the complainant, since the client did not perform transactions via the internet and the amounts of those she did perform are far lower than the amount in dispute.

  • Regarding this, Article 52 of the Constitution of the Republic establishes:

"Art. 52.- People have the right to dispose of goods and services of optimal quality and to choose them freely, as well as to receive precise and non-misleading information about their content and characteristics.

The law will establish the mechanisms for quality control and the procedures for the defense of consumers; and the sanctions for violation of these rights, the repair and indemnification for deficiencies, damages, or poor quality of goods and services...".

  • Article 1 and letters b) and o) of Article 180 of the General Law of Institutions of the Financial System determine:

"Art. 1.- This Law regulates the creation, organization, activities, functioning, and extinction of private financial system institutions, as well as the organization and functions of the Superintendence of Banks, the entity in charge of the supervision and control of the financial system, in all of which the protection of public interests is taken into account...". (Emphasis added)

"Art. 180.- The Superintendent of Banks has the following functions and attributes:

(...)

b) To ensure the stability, solidity, and correct functioning of the institutions subject to its control and, in general, that they comply with the norms governing their functioning, through permanent extra-situ supervision and in-situ inspection visits, in accordance with international best practices, without any restriction and allowing determination of the entity's economic and financial situation, management of its business, evaluation of risk management quality and control, and verification of the truthfulness of the information it generates;

(...)

o) To require that controlled institutions present and adopt the corresponding corrective and remedial measures in cases that so require;

(...)",

  • Article 5 of Section I.- General Provisions, Chapter IV.- Procedure for the attention of complaints against institutions of the financial system, Title XX.- Of the Superintendence of Banks and Insurance, Book I.- General norms for the application of the General Law of Institutions of the Financial System, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, states:

"ARTICLE 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrections to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who has the delegation of said authority will issue the corresponding disposition.

If the situation that motivated the complaint referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused harm to the complainant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of Article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a term that may not exceed fifteen (15) days from notification to send, under the warnings of Law, the proof of compliance with the order issued.

(...)",

  • From the transcribed legal norms, it is inferred that the State guarantees citizens the right to dispose of goods and services of optimal quality and that the Superintendence, as the competent authority, has the function and attribute to ensure the stability, solidity, and correct functioning of the institutions subject to its control; to monitor that they comply with the norms governing them; and, to require that said institutions present and adopt the corresponding corrective measures when necessary; likewise, if the control body determines incorrect procedures on the part of the controlled financial institutions, which had caused harm to a complainant, it must act as ordered for those effects.

  • From the aforementioned norm, it is inferred that financial institutions, when offering their financial products to their clients, are obligated to put at their service policies for disseminating the conditions surrounding said products, including the security measures implemented and their possible risks when accessing said services.

  • In the present case, Banco Pichincha C.A. itself, by stating that the "permanent insecurity in which we live cannot constitute an argument for the consequences of acts committed by common crime to be blamed on the Bank...", is acknowledging that the present is a case of "phishing", since the transfer of funds is made through virtual banking and with the use of the client's personal keys; a statement reinforced by the offer of Banco Pichincha C.A. to return to the client 50% of the claimed value.

Furthermore, it is important to note that Ms. Germania Sambache Chicaiza, at the moment the disputed transaction was made, had in her possession E-key Expert Card No. 2588662.

THAT therefore, Banco Pichincha C.A., by failing to detect that the disputed transaction was unusual, since the complainant did not perform transfers via the internet and the amounts of her transactions are far lower than the claimed amount, did not comply with several of the obligations provided in Article 4 of Section II.- Factors of Operational Risk, Chapter V.- Of operational risk management, Title X.- Of risk management and administration, Book I.- General norms for the application of the General Law of Institutions of the Financial System, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, which read:

"ARTICLE 4.- With the purpose that the probability of incurring financial losses attributable to operational risk is minimized, the following aspects must be adequately administered, which are interrelated:

(...)

4.3.- Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making. To consider the existence of an appropriate operational risk management environment, controlled institutions must formally define policies, processes, and procedures that ensure adequate planning and administration of information technology. These policies, processes, and procedures will refer to:

(...)

4.3.8.- Security measures in electronic channels.- With the object of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to prevent the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients in charge of controlled institutions, these must comply at minimum with the following:

(...)

4.3.8.2 Establish procedures and mechanisms to periodically monitor the effectiveness of the implemented security levels in hardware, software, networks, and communications, as well as in any other electronic or technological element used in electronic channels, in such a way that the security and quality of information is permanently guaranteed;

(...)

4.3.8.7 Establish procedures to monitor, control, and issue online alarms that inform timely about the status of electronic channels, in order to identify unusual, fraudulent events, or correct failures;

(...)

4.3.8.8 (...)

Among the main conditions of customization for each type of electronic channel, there must be: registration of accounts to which one wishes to make transfers; registration of IP addresses of authorized computers, the authorized mobile phone numbers, maximum amounts per daily, weekly, and monthly transaction, among others.

(...)

4.3.8.11 Incorporate into information security administration procedures, the blocking of electronic channels or cards when unusual events that warn of fraudulent situations occur or after a maximum number of three (3) failed access attempts. Additionally, procedures must be established that allow online notification to the client through mobile messaging, email, or another mechanism, as well as their secure reactivation;

(...);

THAT by virtue of the foregoing, in the present case Banco Pichincha C.A. bears responsibility for the disputed transactions since, at the date of the complaint, the bank did not maintain an efficient fraud prevention system for its transactional channels, which led third parties with bad intentions to commit the computer crime known as "phishing", through which they transferred the complainant's funds to a third person unknown to her; it has thereby been evidenced that Banco Pichincha C.A. falls under Article 5 of Chapter IV, Title XX, Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and of the Banking Board, since the situation that motivated the complaint originated in the incorrect procedures of the controlled institution detailed above;

THAT with respect to what was stated by the appellant regarding the fact that the appealed administrative act lacks motivation, it is necessary to point out that both letter No. DNAE-SAU-2014-03729, of June 16, 2014, and letter No. DNAE-SAU-2014-05543, of September 1, 2014, were issued based on the factual grounds of the specific case and based on the applicable current regulations for the complaint and the appeal for reconsideration, respectively;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2014-0902 of November 14, 2014, recommended to the Banking Board to reject the claim contained in the appeal for review filed; and,

IN exercise of its legal attributes,

RESOLVES:

SINGLE ARTICLE.- REJECT the claim contained in the appeal for review presented by the Adjunct President of Banco Pichincha C.A.; and, consequently, CONFIRM the administrative act contained in letter No. DNAE-SAU-2014-05543, of September 1, 2014, which ratified letter No. DNAE-SAU-2014-03729, of June 18, 2014, through which the Undersecretary for User Attention ordered Banco Pichincha C.A. to return the values claimed by Ms. Germania Sambache Chicaiza, which total US $4,482.23.

NOTIFY.- Given in the Superintendence of Banks, in Quito, Metropolitan District, on the fifteenth of April of two thousand fifteen.

Econ. Rodrigo Lándeta Parra
GENERAL INTENDENT, S
PRESIDENT OF THE BANKING BOARD, E

I CERTIFY.- Quito, Metropolitan District, on the fifteenth of April of two thousand fifteen.

Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD