Banking Board of Ecuador

RESOLUTION No. JB-2015-3314

THE BANKING BOARD

CONSIDERING:

THAT with a written submission dated October 18, 2013, Ms. Paulina Elizalde filed a complaint with the National Development Bank (Banco Nacional de Fomento), indicating that on October 3 of the same year, she had made a deposit into her savings account and had not carried out any other transactions in said account; that nevertheless, on October 15, upon reviewing her account via the internet, she noticed several withdrawals made via debit card that she had never authorized, totaling USD 2,611.30, which caused her great surprise as she had never made withdrawals of that amount; that the questioned withdrawals (10) took place between October 7 and 15, 2013, in amounts of one hundred, ninety, and eighty dollars daily, for which she requested the bank to investigate and refund the money stolen from her savings account;

THAT with a written submission dated October 25, 2014, received by the Superintendence of Banks and Insurance on the 31st of the same month and year, Mrs. Paulina Elizalde filed a complaint against the National Development Bank regarding the unauthorized withdrawals detailed in the previous paragraph, at the same time requesting that the corresponding inquiries be made so that she can recover her money and hold the bank responsible for not safeguarding the interests of clients who trust in that banking entity;

THAT the National Directorate of Education and User Attention, through Official Letter No. DNAE-SAU-2014-1257 of February 26, 2014, denied the processing of the complaint presented by Mrs. Paulina Elizalde Elizalde and ordered the archiving of the case; that on March 18, 2013, Mrs. Paulina Elizalde, in response to the adopted resolution, pointed out that the analysis had not considered the banks and institutions where the withdrawals were made, nor the location of the ATMs, since she carries out transactions at her place of residence in the institutions operating there; that the bank, by offering the service at other ATMs, is jointly responsible for the operations carried out at those ATMs, especially if in any of them the information of her card was compromised with withdrawals exceeding the permitted daily limit; that the entity made a partial refund of the funds from her account, regarding which nothing is mentioned in the challenged act, for which the bank was responsible for the claimed withdrawals; and, that therefore she requested that the decision be reviewed and that the return of the money stolen from her account be ordered in accordance with the law, a request that was processed by the customer service unit as an appeal for reconsideration;

THAT through Official Letter No. DNAE-SAU-2014-2498 of April 22, 2014, the Customer Attention Subdirectorate requested explanations from the National Development Bank regarding the complaint, with emphasis on the partial refunds made by the bank;

THAT on April 28, 2014, an internal audit report of the National Development Bank was presented to the Superintendence of Banks regarding several cases of unauthorized withdrawals, among which was the case of Mrs. Paulina Elizalde Elizalde; that in said report, the existence of a duplicate card in the possession of unidentified persons is indicated, for which the bank requested the presentation of the debit card to several clients; that even in the case of the complainant, it was evidenced that once her card was annulled, there were 4 transaction attempts at ATMs using the duplicate card; that the management of transactional software is handled by Multiservice S.A. (which operates as an interface between the bank and Banred), contracted by the bank to register ATM transactions with clients, validate the status of debit cards, validate the maximum withdrawal limit, redirect the transaction to the authorizing institution or card owner, and respond to the channel that generated the transaction; that because the software is managed by the aforementioned company, bank personnel only access the different queries, which generates technical dependence for the bank and limits the detection of hidden frauds or illegal acts, violating numeral 1.3.3.2 of Article 1, Chapter V, Title X, Book I of the Codification of Resolutions of the Superintendence of Banks and the Banking Board; that said report concludes the lack of integrity in the information processed through the Multiservice ATM system; and, that in the client's case, it was determined that she did not change her PIN since the date of card activation; and, that the case was reported to the insurance, and the value of USD 1,800.00 was covered by BANRED, which was credited to the client's account on January 7, 2014;

Resolution No. JB-2015-3314

Page 2

THAT through Official Letter No. DNAE-SAU-2014-03238 of May 26, 2014, the National Director of Attention and Education to the User, based on the fact that the bank has not demonstrated that Mrs. Paulina Elizalde has misused her debit card, nor has she breached her duty of custody; and that the risk of alleged cloning falls on the bank, as responsible for the adequate administration of its risks, resolved the appeal for reconsideration in favor of Mrs. Elizalde, ordering the bank to refund the value of USD 811.30 to her savings account, a value corresponding to the difference between the value of the insurance already credited to the client and the claimed value;

THAT on June 9, 2014, economist Fredy Alfonso Monge Muñoz, in his capacity as General Manager of the National Development Bank, filed an appeal for review against the administrative act contained in Official Letter No. DNAE-SAU-2014-03238 of May 26, 2014; that the General Manager of the National Development Bank bases his appeal on: that Mrs. Paulina Elizalde did not apply the basic security recommendations for the handling of her debit card, which are formulated through various means at the national level, through which clients are instructed, such as: security flex, ATM messaging, transaction receipts, circulars, etc.; that therefore the complaint lacks legal and moral foundation and there is no basis to order the restitution of values; that the Superintendence was notified that the bank currently does not have the SMS and email notification service; that the entity, based on Resolution No. 2148, is working on the project that will allow having a transaction monitoring system in order to perform notifications via SMS or email; that the bank requested the National Director of Attention and Education to the User through Official Letter No. 2915, to kindly urge financial institutions that the requirements made by the bank be attended to in a timely manner in order to comply with what was requested by the control organism, which has not been considered in the resolution; that through Official Letter No. DNAE-SAU-2014-1258 of February 26, 2014, the Subdirector of User Attention denied the complaint of Mrs. Elizalde; that the challenged resolution determines that it is not possible to impose the responsibility for the possible cloning of the debit card on the client, since the bank has not fulfilled the obligation to be guarantor and custodian of the money deposited with it; that Article 130, numeral 4 of the Organic Code of the Judicial Function establishes as an essential faculty of judges to exercise jurisdictional attributions in accordance with the Constitution, International Human Rights Instruments, and laws; that there is no motivation if the resolution does not enumerate the norms or legal principles on which it is based and does not explain the pertinence of their application to the factual background; that in the conclusions of the challenged act there is no clear and precise report to accept the complaint of Mrs. Elizalde; that the appealed resolution does not meet the requirements of due motivation since the

Banking Board of Ecuador

Resolution No. JB-2015-3314

Page 3

judge does not use technical legal language as he uses terms like "it is observed," "it falls within," with which the responsibility of the bank cannot be established, which entails the nullity of the resolution; that clauses fourth and eighth of the agreement celebrated with the savings account state that the client commits to custodian the card received from the bank and not to disclose the assigned number to third parties, being therefore the only responsible before the bank and third parties for misuse; that the client is the only responsible for loss, theft, misplacement, theft, deterioration, etc. of the card whether during the operation and handling of services or outside them. Likewise, that it is their duty not to reveal the secret number provided by the bank, to carry out transactions correctly; to respond for the misuse of the card and to notify the bank immediately of the loss, theft, robbery, or misplacement of the card, and to respond for any transaction, payment, or withdrawal made by other persons in whose possession it is, up to 48 hours after the bank is notified; that once the Banking Board analyzes the evidence of defense presented, it will verify that the bank fully complied with the presentation of the information requested as established by the General Law of Institutions of the Financial System; that the content of the response letter and annexes sent to the Subdirector of User Attention must be taken into account; that the facts were already analyzed by said official according to Official Letter No. DNAE-SAU-2014-1258 of February 26, 2014; that the motives that generated the complaint of Mrs. Paulina Elizalde constitute a criminal offense (cloning), therefore it corresponds to the competent tribunals and judges, within the scope of criminal law, after the corresponding fiscal investigation, to establish the corresponding responsibilities and only at that moment is the intervention of the Superintendence appropriate; that according to what is provided in numerales 1 and 3 of Article 168 of the Constitution and Article 8 of the Organic Code of the Judicial Function, no Function, organ, or authority of the State can intervene in the exercise of its attributions, in concordance with the principle of independence mentioned; that the control organism cannot attend the request of the complainant, since by reason of the matter it belongs to the Judicial Function; that therefore the pertinent procedure should have been given before the Attorney General's Office and only when there is a judicial determination of responsibility for the criminal act will it correspond to establish the corresponding sanctions and payments (refund), for which the Subdirector of Attention and Education to the User must abstain from processing and ruling on the complaint; that furthermore, Article 213 of the Constitution states that the sanctions of the Superintendence of Banks and Insurance will be made within the scope of its administrative competence; that the resolution has violated the guarantee established in literal i) of numeral 7) of Article 76 of the Constitution, since the resolution issued the order for refund without invoking the legal norms in which it is established that the bank incurred in non-compliance, which entails its nullity, for which it is the duty of the Superintendent to guarantee legal security, in order to preserve procedural validity; and, that in the processing of the complaint, the inherent normativity of the Codification of Resolutions of the Superintendence of Banks and the Banking Board was not complied with, violating due process, that is, the bank's right of defense; and, that he presents an appeal for review and asks that the administrative acts contained in Official Letters Nos. DNAE-SAU-2014-03238 of May 26, 2014 and Official Letter No. DNAE-SAU-2014-1258 of February 26, 2014 be left without effect.

THAT regarding the grounds of the appeal presented by the legal representative of the National Development Bank, it must be pointed out that the case subject of the complaint has to do with a possible cloning of the debit card, a situation that the internal audit report corroborates when it states that the holder attempted some transactions after the card had been annulled by the titular; that therefore this

Resolution No. JB-2015-3314

Page 4

fact cannot be assumed as an act generated by the omission of custody by the client;

THAT the bank has expressly recognized that it does not have the SMS and email notification service and that it is implementing it, so this fact has constituted a limitation for the client to report the irregular and unauthorized withdrawals immediately;

THAT regarding the fact that the bank asked the National Director of Attention and Education to the User to urge financial institutions that the requirements made by it be attended to in a timely manner in order to comply with what was requested by the control organism, it is important to point out that the same internal audit report mentions that the entity has not yet fulfilled the obligation established in numeral 1.3.3.2, Article I, Chapter V, Title XX, Book I of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, tending to reduce dependence on external service providers, this last weakness in operational risk management is also due to deficiencies in the administration and access to software of the company Multiservice S.A., which has also been observed in the audit report;

THAT the competence of the Superintendence of Banks to dispose in the administrative scope measures of control and sanction on its controlled entities, among which are corrective measures, when resolving, were Article 213 of the Constitution, in concordance with Articles 1, 140, and 180 of the General Law of Institutions of the Financial System, for which it had full competence to have resolved the complaint presented by Mrs. Paulina Elizalde, in the terms in which it did;

THAT regarding the argument of lack of motivation, it is important to point out that the administrative act contained in Official Letter No. DNAE-SAU-2014-03238 of May 26, 2014, clearly exposes the operational risk administration failures accused against the bank as well as the absence of analysis of the client's behavior; in the fact of the possible duplication of the card that continued to operate even when the client had already annulled the original card, which has been revealed by the bank's internal audit; and that it was not applied only to the case of Mrs. Elizalde but to other clients, a report that also mentioned the lack of integrity of the information processed by Multiservice regarding the ATM system, failing to observe what is provided in numeral 4.3.3.1, Article 4, Chapter V, Title X, Book I of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, a situation that has not been able to be disproven by the bank;

THAT clauses fourth and eighth of the agreement celebrated with the savings account regarding the responsibility of the client, not to disclose the assigned number to other persons and to respond for the misuse of the card, apply to the case where the client had revealed her PIN and misused her card, but not to the case where third parties have stolen the information of her card, for which this argument lacks support;

THAT although the bank presented the information required by the control organism and that the client did not change her PIN since she activated the card, these facts are not related to the weaknesses in the bank's risk administration;

THAT regarding the fact that the cloning must be judged by the competent authorities

Banking Board of Ecuador

Resolution No. JB-2015-3314

Page 5

as it is a criminal offense, that is what corresponds; however, the provision issued for the bank to restore values to the client does not rest on its criminal responsibility for the cloning, but on the lack of operational risk administration, and said provision was issued in the administrative scope that belongs to the control organism; and, for the reason stated above, the bank's argument that the constitutional principle of judicial independence established in numerales 1 and 3 of Article 168 of the Constitution and Article 8 of the Organic Code of the Judicial Function has been observed also has no basis; and, the argument that the normativity inherent to the attention of complaints contained in the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board has not been complied with also lacks support;

THAT Article 5, Chapter IV, Title XX of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board provides:

"ARTICLE 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who has the delegation of said authority will issue the corresponding provision.

If the situation that motivated the complaint referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which has caused harm to the complainant, the Superintendence of Banks and Insurance may order the return of the claimed values, in the exercise of the functions and attributions contemplated in letters b) and o) of Article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a period that cannot exceed fifteen (15) days from the notification to send, under the legal warnings, the proof of compliance with the order issued (...)". (the underline belongs to me)

THAT the aforementioned normativity requires the determination by the control organism of an incorrect procedure of the financial institution, as a condition to order the restitution of the claimed values, which, in the present case, has been fulfilled; and, that the last paragraph of the aforementioned norm, in force at the date when the questioned withdrawals by the client occurred, states that for complaints of unauthorized withdrawals due to evidence of attempts or frauds produced in ATMs, the Superintendence will order the return of the claimed values to the institution issuing the credit card or where the client maintains their account, if said withdrawals originated in an incorrect procedure of the controlled institution, which may repeat against the institution owning or operating the ATM due to whose defects or lack of security measures the fraud occurred;

THAT the second paragraph of the Third Transitional Provision of the Organic Monetary and Financial Code determines that the Banking Board will continue to act until resolving all complaints, appeals, and other administrative procedures that it was hearing on the date of entry into force of said Code, within a period of one hundred eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2014-0797 of October 17, 2014, recommended to the Banking Board to reject the claim contained in the appeal filed by the General Manager of the National Development Bank; and,

Resolution No. JB-2015-3314

Page 6

IN exercise of its legal attributions;

RESOLVES:

SINGLE ARTICLE.- REJECT the appeal for review filed by economist Freddy Monge Muñoz, General Manager of the National Development Bank; and, consequently, RATIFY the content of Official Letter No. DNAE-SAU-2013-03238 of May 26, 2014, with which the appeal for reconsideration filed by Mrs. Paulina Elizalde Elizalde was accepted and the administrative act contained in Official Letter No. DNAE-SAU-2014-01257 of February 26, 2014 was left without effect, with which the request of the complainant was denied and the processing was concluded and the archiving of the case was ordered.

NOTIFY.- Given at the Superintendence of Banks and Insurance, in Quito, Metropolitan District, on the twenty-fifth of March of the two thousand fifteen.

Econ. Rodrigo Landeta Parra GENERAL INTENDANT (S) PRESIDENT OF THE BANKING BOARD SESSION (E)

I CERTIFY.- Quito, Metropolitan District, on the twenty-fifth of March of the two thousand fifteen.

Lcdo. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD