Banking Board of Ecuador

RESOLUTION No. JB-2015-3358

THE BANKING BOARD

CONSIDERING:

THAT the second paragraph of the Third Transitional Provision of the Organic Monetary and Financial Code determines that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was handling on the date of entry into force of the aforementioned Code, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board, which determines that the body is competent to hear and resolve the present review appeal;

THAT through a communication received by the control body on February 10, 2014, Mr. Lázaro Estacio Quiñonez filed a claim against Banco Pichincha C.A., stating that on June 1, 2012, two financial operations were carried out that were not recognized, through the electronic internet channel, transfers made from savings accounts Nos. 59939100 and 526671400, to account No. 5985058200 belonging to Mrs. Narcisa Ramona Loza López, whom he indicates he does not know. The total debited amount amounts to USD $4,945.00, and when he went to Banco Pichincha C.A. to file the claim, he was informed that they regret what happened but cannot assume responsibility, so he appeals to the control body and requests that the facts be investigated and that the return of the arbitrarily transferred money be ordered;

THAT it must be indicated that the claimant filed the complaint regarding the non-executed transfers with the Attorney General's Office, for the alleged crime of fraud, a department that informed him that he had to go to the Superintendence of Banks and Insurance to file the respective claim;

THAT through letters Nos. DNAE-SAU-2014-01520 and DNAE-SAU-2014-01521, both dated March 10, 2014, the User Attention and Education Directorate accepted the claim for processing and requested explanations and defenses from Banco Pichincha C.A. regarding the case. With letter No. BP-ACEC-2014-0288, dated March 31, 2014, received by the control body on April 1, 2014, the financial institution attended to what was requested and stated:

"(...)

Within the procedure established by the Bank for the internet transfer process (year 2012), it is necessary to enter the biometric user and biometric key generated by the client, in addition to, if applicable, answering the selected question and image, information that is exclusively known by the client and constitutes the only mechanism to access the services offered through electronic means.

As a complementary security measure, the Bank implemented the personal and non-transferable card called "E-key," on which the coordinate requested by the system to accept the transaction is registered, being equally the exclusive responsibility of the client to keep secret the coordinates contained in their "E-key" card, and the strictest custody of it. It is worth mentioning that the system requests a single coordinate in each transaction.

The Bank has been publicly alerting through multiple media that clients should never deliver or facilitate their personal data, biometric keys, or "E-key" card coordinates, via email, cell phone message, SMS, telephone, web page, or other means.

In view of the above and taking into account the client's responsibility regarding transfers made through electronic means, Banco Pichincha C.A. cannot in any way be held responsible for transactions carried out with the client's personal keys or coordinates.

(...)."

THAT with letter No. DNAE-SAU-2014-03895, dated June 23, 2014, the National Directorate of User Attention and Education, after the analysis carried out regarding the claim, resolved and concluded the following:

"(...)

✓ Banco Pichincha C.A. has not demonstrated in the present case, nor has it adequately supported that the channel for internet transfers at the date they were processed is a secure access channel, nor are the inherent operational risks properly identified and controlled, which do not comply with current regulations.

✓ It has also not demonstrated that there was negligence on the part of its client in the handling of the internet transfer channel; it cannot absolve itself of providing the necessary security before, during, and after the service delivered.

(...)

For the reasons stated in the present letter and in compliance with the norms contemplated in articles 1 and 180 letters b) and o) of the General Law of Financial System Institutions, in concordance with what is provided in article 5, Chapter IV, Title XX, Book 1 of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, this Superintendence:

✓ Orders its regulated entity that within a term of five days counted from the receipt of the present letter, it effectuate the reimbursement of the values claimed by Mr. Lázaro Estacio Quiñonez and corresponding to the two electronic transfers made through the internet on June 1, 2012. The value to be credited is USD $4,945.00 (...)

(...).";

THAT through a document received by the Superintendence of Banks on July 1, 2014, Mr. Antonio Acosta Espinosa, Adjunct President of Banco Pichincha C.A., with the sponsorship of Dr. Pablo Cadena Merlo, filed

---

Resolution JB-2015-3358

Page No. 2

an appeal for reconsideration against the administrative act contained in letter No. DNAE-SAU-2014-03895, dated June 23, 2014;

THAT through letter No. DNAE-SAU-2014-05173, dated August 18, 2014, the National Directorate of User Attention and Education, after the analysis carried out regarding the appeal for reconsideration filed by the financial institution, resolved:

"(...)

III. RESOLUTION

(...), this Sub-directorate ratifies the resolution contained in letter No. DNAE-SAU-2014-03895 dated June 23, 2014 addressed to Banco Pichincha C.A., since the arguments that motivated the issuance of the contested letter have not changed and lack technical and legal foundation; consequently, the APPEAL FOR RECONSIDERATION filed is rejected, and the administrative act contained in letter No. DNAE-SAU-2014-03895 of June 23, 2014 is confirmed.

(...);"

THAT through a document received by the control body on August 27, 2014, Mr. Antonio Acosta Espinosa, Adjunct President of Banco Pichincha C.A., with the professional sponsorship of Dr. Pablo Cadena Merlo and lawyer María José Araujo Álvarez, files before the Banking Board a review appeal against the administrative act contained in letter No. DNAE-SAU-2014-05173, dated August 18, 2014;

THAT the appellant based his appeal on the following arguments:

That the present case is being investigated by the Attorney General's Office, therefore, it is under the knowledge of the ordinary justice; and, that in application of the principle of independence with which the Judicial Function possesses, this control body is not competent to hear the present appeal, therefore it must abstain from resolving it;

That Banco Pichincha C.A. has been publicly alerting through multiple media that clients should never deliver or facilitate their personal data, biometric keys, or "E-key" card coordinates, via email, cell phone message, SMS, telephone, web page, or other means. The client's personal keys as well as the respective coordinates have the character of secret and non-transferable, that is, that the keys, users, and coordinates constitute the only mechanism to access internet transfer services, so the financial institution is not responsible regarding the transactions subject of the claim. The damage to the client was the product of the incorrect use of the electronic channel;

That throughout the present claim, Banco Pichincha C.A. has demonstrated that there was no error or incorrect procedure; and, on the contrary, all required information was delivered, regarding the IP address from which the claimed electronic transfers were made, so Mr. Lázaro Estacio

---

Banking Board of Ecuador

Resolution JB-2015-3358 Page No. 4

Quiñonez is the one who should promote the corresponding complaint in case there is a criminal act;

THAT with letter No. JB-2014-2325, dated August 28, 2014, the lawyer Pablo Cabo Luna, Secretary of the Banking Board, accepted for processing the review appeal filed by Banco Pichincha C.A.; and, through letter No. JB-2014-2326, dated August 28 of the same month and year, Mr. Lázaro Estacio Quiñonez was notified of the appeal filed by the financial institution;

THAT articles 52 and 66 of the Constitution of the Republic establish that people have the right to dispose of public and private services of optimal quality, as well as to receive non-misleading information about their content and characteristics; in such virtue, the financial entity, upon receiving money from its clients, assumes the obligation and responsibility to guard and safeguard the deposited values with diligence and professional care;

THAT the first paragraph of article 1 and letters b) and o) of article 180 of the General Law of Financial System Institutions determine that the Superintendence of Banks and Insurance is in charge of supervising and controlling the financial system, in all of which, the protection of the public interest is taken into account, so it must ensure the stability, solidity, and correct functioning of the institutions under its control; monitoring that they comply with the legal norms that govern them; and, at the same time, requiring that said institutions present and adopt the corresponding corrective measures when necessary;

THAT regarding the argument concerning the competence of the control body, in front of judicial processes, it is important to point out, that the claimant Mr. Lázaro Estacio Quiñonez filed the complaint both in the Provincial Attorney's Office of Esmeraldas and in the Provincial Attorney's Office of Pichincha, departments in which the respective preliminary investigations were initiated, for the alleged crime of fraud, which the claimant follows against Banco Pichincha C.A. Regarding this, paragraph 1 of article 168 of the Constitution of the Republic, in concordance with article 8 of the Organic Code of the Judicial Function, determine the principle of independence with which the Judicial Function possesses, establishing that no other function, body, or authority of the State may interfere in the exercise of the duties and attributes of the Judicial Function;

THAT the second paragraph of article 6, of chapter IV "Procedures for the attention of claims against financial system institutions"; title XX "Of the Superintendence of Banks and Insurance", book I "General norms for the application of the General Law of Financial System Institutions" of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, states:

"ARTICLE 6.- If it is documented that the specific matter motivating the claim is under the knowledge and resolution of the ordinary justice at the instance of the claimant, user of the financial system, the Superintendence of Banks and Insurance will abstain from continuing to process it, in attention to the principle of independence of the Judicial Function, enshrined in paragraph 1 of article 168 of the

---

Banking Board of Ecuador

Resolution JB-2015-3358 Page No. 5

Constitution of the Republic, which agrees with article 8 of the Organic Code of the Judicial Function, a particular that will be communicated to the parties, informing them that, for such reason, the suspension or archiving of the process has been ordered, as appropriate.

Claims related to cases that, in parallel, are under the knowledge of the ordinary justice in criminal matters are excepted from the provision in the previous paragraph, in which case the Superintendence of Banks and Insurance will hear and resolve them, within the scope of its competence.";

THAT from what is stated, it is established that the appellant's argument lacks legal foundation, when it is the Constitution of the Republic and the current legal norms that determine the obligation of the Superintendence of Banks and Insurance to receive and process claims presented by clients as well as users of the financial system, even if the claim is in parallel under the knowledge of the ordinary justice, exclusively in case of criminal matter; which under no argument constitutes a violation of the Principle of Judicial Independence;

THAT regarding the responsibility attributed to Mr. Lázaro Estacio Quiñonez in the transactions subject of the present claim, it is important to indicate that Banco Pichincha C.A., by transferring exclusive responsibility to the client for the transactions in dispute, solely by the fact of having granted a coordinate card and biometric keys, is not acceptable; since although there is a written agreement between the parties regarding deposits, withdrawals of funds, credits, debits, and any other transaction permitted, carried out through electronic or electromagnetic means, it is no less true that Banco Pichincha C.A. has the obligation to safeguard the money delivered to its custody, in order to return it to the depositor when requested, hence the bank's responsibility consists of having physical and computer security in the internet transactional channel;

THAT from the report sent by Banco Pichincha C.A., through letter No. BP-ACEC-2014-0288, received by the control body on April 1, 2014, it is determined that the impugned transactions were carried out using card "E-key" No. 1895249, whose detail is the following:

Date and time	Name of source account	Value	Name of destination account	Destination account number	IP
01/06/2012 10:45	Lázaro Estacio Quiñonez (5993911000)	4,075.00	Narcisa Ramona Loza López	5985058200 Banco Pichincha C.A.	190.239.150.170
01/06/2012 10:47	Lázaro Estacio Quiñonez (5266671400)	870.00	Narcisa Ramona Loza López	5985058200 Banco Pichincha C.A.	190.239.150.170

THAT from the analysis carried out on the aforementioned report and the arguments of the appellant, it is established that the bank states that at the date the claim was produced, there were no norms regarding the registration of the IP address to carry out electronic transactions, but the appellant does not mention the notifications or alerts that the bank's computer system must necessarily issue in case of possible fraud;

---

Banking Board of Ecuador

Resolution JB-2015-3358 Page No. 6

THAT the "Transaction Log Report" sent by Banco Pichincha C.A. evidences that on June 1, 2012 at 08:40:42, 10:41:32, and 10:45:56 there were three messages indicating the possibility of attempted fraud, a fact that occurred prior to the transfers subject of the present claim, however, the bank's computer system did not emit the timely alarms to inform the client of what happened in their account, which violates what is established in paragraph 4.3.8.5, of article 4 of Chapter V "Of operational risk management"; of Title X "Of integral risk management and control"; of Book I "General norms for the application of the General Law of Financial System Institutions" of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, in force at the date of the claim;

THAT in the present case, the computer system implemented by Banco Pichincha C.A. validated the procedure of the impugned transfers, without considering relevant aspects such as possible fraud alerts, in addition to the analysis of the client's unusual behavior, including factors such as the origin, frequency, volume, characteristics, and destination account of the electronic transactions. Banco Pichincha C.A. notified via SMS message to phone number 097953981 of the transfer made for USD $4,075, a phone number that the claimant assured he did not know, while for the transfer of USD $870.00, there is no report whatsoever, which clearly indicates that there were failures in the transfer process through the electronic channel, so the appellant's argument is not valid;

THAT article 5 of chapter IV "Procedures for the attention of claims against Financial System Institutions", title XX. "Of the Superintendence of Banks and Insurance", book I "General Norms for the application of the General Law of Financial System Institutions" of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, establishes:

"ARTICLE 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the claim, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.

If the situation that motivated the claim referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused damage to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of Article 180 of the General Law of Financial System Institutions, granting the legal representative of the entity a term that cannot exceed fifteen (15) days from the notification to send, under the legal warnings, the proof of compliance with the order issued.

(...);"

---

Banking Board of Ecuador

Resolution JB-2015-3358 Page No. 7

THAT from the review and analysis carried out, it emerges that Banco Pichincha C.A. transferred the responsibility of the facts to Mr. Lázaro Estacio Quiñonez, for being the person who safeguards the card and keys, without considering that the bank has the obligation not only to safeguard the deposited money, but also to provide security in the channels of the offered services. In this sense, there is bank responsibility in the transactions in dispute since at the date of the claim the bank did not maintain for its transactional channels an efficient fraud prevention system, which allowed the funds to be transferred to an unknown third person; causing the claimed economic damage, which evidences that Banco Pichincha C.A. is subject to what is provided in article 5 of chapter IV, title XX, book I of the Compilation of Resolutions mentioned above;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0072 of January 28, 2015, recommended to the Banking Board to reject the claim contained in the review appeal filed;

AND IN exercise of its legal attributes,

RESOLVES:

SINGLE ARTICLE.- REJECT the claim contained in the review appeal presented by the Adjunct President of Banco Pichincha C.A.; and, consequently CONFIRM the administrative act contained in letter No. DNAE-SAU-2014-05173, dated August 18, 2014, with which the content of letter No. DNAE-SAU-2014-03895, dated June 23, 2014, is ratified, through which the National Directorate of User Attention and Education ordered that Banco Pichincha C.A. effectuate the reimbursement of the values claimed by Mr. Lázaro Estacio Quiñonez, whose amount amounts to USD $4,945.00, plus the commissions generated by said transfers.

NOTIFY.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on the fifteenth of April of two thousand fifteen.

Econ. Rodrigo Landeta Parra GENERAL INTENDENT, S PRESIDENT OF THE BANKING BOARD, E

I CERTIFY.- Quito, Metropolitan District, on the fifteenth of April of two thousand fifteen.

Lcdo. Pablo Cabo Luna SECRETARY OF THE BANKING BOARD