2015-05-20 | JB-2015-3425

Resolution No. JB-2015-3425 of the Banking Board of Ecuador

The Banking Board of Ecuador rejected an appeal filed by Banco de Guayaquil S.A. and upheld the order to refund USD 409.00 to customer Keyla Annabell Coca Ortega. The Board determined that the bank failed to implement adequate security controls, evidenced by an unauthorized transaction originating from an unregistered IP address in Peru. This decision reinforces the institution's obligation to safeguard client assets and manage operational risks, rejecting the bank's argument that the customer was solely responsible for the security breach.


Superintendencia de Bancos Ecuador


Banking Board of Ecuador

RESOLUTION No. JB-2015-3425

THE BANKING BOARD

CONSIDERING:

THAT the second paragraph of the Third Transitional Provision of the Organic Monetary and Financial Code determines that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was handling on the date of entry into force of that Code, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

THAT through a communication entered into the Superintendence of Banks on December 13, 2013, Mrs. Keyla Annabell Coca Ortega filed a claim against Banco de Guayaquil S.A., seeking that the regulatory body order said financial institution to restore USD $409.00, in view of the fact that said value had been transferred from her account to another without the authorization of the account holder;

THAT by Official Letter No. IRG-DAyEU-V-R-2014-325 of April 16, 2014, lawyer Humberto Moya González resolved the claim of Mrs. Keyla Annabell Coca Ortega favorably and ordered the financial institution to restore USD $409.00. In this regard, by document entered into the regulatory body on May 2, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President and General Manager of Banco de Guayaquil S.A., filed an appeal for reconsideration against Official Letter No. IRG-DAyEU-V-R-2014-325 of April 16, 2014, whose requests were rejected with Official Letter No. IRG-DAyEU-V-R-2014-673 of June 24, 2014;

THAT by document entered into the Superintendence of Banks on July 4, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President and General Manager of Banco de Guayaquil S.A., filed before the Banking Board an appeal for review against Official Letter No. IRG-DAyEU-V-R-2014-673 of June 24, 2014;

THAT Articles 52, 66, and 213 of the Constitution of the Republic of Ecuador and Article 4 of the Organic Law for Consumer Defense guarantee the right of users of the financial system to have access to services of optimal quality, with efficiency, effectiveness, and good treatment. At the same time, the Superintendence of Banks is called upon to supervise that the services provided by institutions of the financial system comply with the legal framework and attend to the general interest;

THAT integral risk management is one of the responsibilities attributed to financial institutions that are part of the system; by virtue of this, the Codification of Resolutions of the Superintendence of Banks and the Banking Board, in Articles 2 and 3 of Chapter I, Title X, Book I, provides as follows:

"Article 2.- For the purposes of the application of this chapter, the following definitions are determined:

2.1 Risk.- It is the possibility that an event generating losses that affect the economic value of institutions occurs;

2.2 Risk Management.- It is the process by which institutions of the financial system identify, measure, control/mitigate, and monitor the risks inherent to the business, with the objective of defining the risk profile, the degree of exposure that the institution is willing to assume in the development of the business, and the mechanisms of coverage, to protect own and third-party resources that are under their control and administration;

(...)

2.9 Operational Risk.- It is the possibility that losses occur due to events originating from failures or insufficiency of processes, people, internal systems, technology, and in the presence of unexpected external events. It includes legal risk but excludes systemic and reputational risks.

It groups a variety of risks related to internal control deficiencies; inadequate systems, processes, and procedures; human errors and fraud; failures in computer systems; occurrence of adverse external or internal events, that is, those that affect the institution's ability to respond to its commitments in a timely manner, or compromise its interests (...)."

"Article 3.- Institutions of the financial system have the responsibility to manage their risks, for which purpose they must have formal integral risk management processes that allow identifying, measuring, controlling/mitigating, and monitoring the risk exposures they are assuming.

(...)

THAT the pertinent part of Article 4, Chapter V, Title X, Book I of the Codification of Resolutions of the Superintendence of Banks and the Banking Board provides as follows:

"Article 4.- With the purpose of minimizing the probability of incurring financial losses attributable to operational risk, the following aspects, which are interrelated, must be adequately managed:

4.3 Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making.

To consider the existence of an appropriate operational risk management environment, controlled institutions must formally define policies, processes, and procedures that ensure adequate planning and administration of information technology.

4.3.4 With the objective of guaranteeing that the security administration system satisfies the entity's needs to safeguard information against unauthorized use, disclosure, and modification, as well as damage and losses, controlled institutions must have at least the following:

4.3.4.8 Formal controls to protect information contained in documents; storage media or other external devices; the electronic use and exchange of data against damage, theft, access, unauthorized use, or disclosure of information for purposes contrary to the interests of the entity, by all its personnel and its providers;

4.3.4.12 Controlled institutions that offer electronic transfer and transaction services must have information security policies and procedures that guarantee that operations can only be carried out by duly authorized persons; that the communication channel used is secure, through information encryption techniques; that there are alternative mechanisms that guarantee the continuity of the offered service; and, that they ensure the existence of audit trails.

4.3.8 Security measures in electronic channels.- With the objective of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to prevent the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients under the care of controlled institutions, these must comply at minimum with the following:

4.3.8.8. Offer clients the necessary mechanisms to personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.

Among the main personalization conditions for each type of electronic channel, there must be: registration of the accounts to which they wish to make transfers, registration of authorized computer IP addresses, the authorized mobile phone number(s), maximum amounts per daily, weekly, and monthly transaction, among others.

(...)
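As an added example (not code from the resolution, the bank or the Superintendence), the following Python sketch evaluates a single transfer against the personalization conditions listed in 4.3.8.8 (registered destination accounts, authorized IP addresses, authorized phone numbers, and daily/weekly/monthly limits) and writes an audit-trail entry of the kind 4.3.4.12 requires; run as a script, it flags the unregistered originating IP address 186.162.7.55 cited later in the resolution. The profile values, the CIDR range 190.95.0.0/16, the phone number and the account identifiers are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class ClientProfile:
    """Personalization conditions a client has registered (constructed example)."""
    registered_accounts: Set[str]   # destination accounts allowed for transfers
    authorised_ips: Set[str]        # CIDR ranges of computers allowed to transact
    authorised_phones: Set[str]     # mobile numbers allowed to confirm transfers
    max_per_day: float
    max_per_week: float
    max_per_month: float


@dataclass
class Transfer:
    amount: float
    destination_account: str
    source_ip: str
    otp_phone: Optional[str] = None  # phone that confirmed the transfer, if any


def evaluate_transfer(profile: ClientProfile, transfer: Transfer,
                      spent_day: float, spent_week: float,
                      spent_month: float) -> List[str]:
    """Check one transfer against the client's profile.

    Returns the list of violated conditions (empty list = transfer passes).
    spent_* are the amounts already transferred in the current period."""
    violations: List[str] = []
    if transfer.destination_account not in profile.registered_accounts:
        violations.append("destination_not_registered")
    ip = ip_address(transfer.source_ip)
    if not any(ip in ip_network(net) for net in profile.authorised_ips):
        violations.append("ip_not_registered")
    if transfer.otp_phone is not None and transfer.otp_phone not in profile.authorised_phones:
        violations.append("phone_not_authorised")
    for period, spent, limit in (("daily", spent_day, profile.max_per_day),
                                 ("weekly", spent_week, profile.max_per_week),
                                 ("monthly", spent_month, profile.max_per_month)):
        if spent + transfer.amount > limit:
            violations.append(f"{period}_limit_exceeded")
    return violations


def audit_record(client_id: str, transfer: Transfer, violations: List[str]) -> Dict[str, object]:
    """Audit-trail entry recording the decision and the conditions that drove it."""
    return {"client": client_id, "amount": transfer.amount,
            "destination": transfer.destination_account,
            "source_ip": transfer.source_ip,
            "decision": "reject" if violations else "allow",
            "reasons": violations}


if __name__ == "__main__":
    # Constructed profile; the originating IP is the one cited in the resolution.
    profile = ClientProfile({"ACC-1001"}, {"190.95.0.0/16"}, {"+593999000000"},
                            500.0, 2000.0, 5000.0)
    suspect = Transfer(409.0, "ACC-9999", "186.162.7.55")
    print(audit_record("client-001", suspect, evaluate_transfer(profile, suspect, 0, 0, 0)))
```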

THAT also Articles 1, 4, 5, 6, and 18, Chapter III, Title XIV, Book I, of the Codification of Resolutions of the Superintendence of Banks and the Banking Board, in the present case in force by virtue of the First Transitional Provision of the Organic Monetary and Financial Code, provide as follows:

"Article 1.- This Code aims to establish the principles and rules governing the exercise and protection of the rights of the user of the financial system, considering that financial activities are of public order and must be subject, in particular, to principles of sound practices applied by the corporate governance of the institutions that make up the financial system. Its scope of application involves the relationships between users and financial institutions controlled by the Superintendence of Banks of Ecuador, without prejudice to other legal provisions that contemplate measures and instruments of protection for the user of the financial system.

For the purposes of this Code, the legal terms contained in its text must be understood in accordance with the glossary contained in the final article."

"Article 4.- The rights of the user of the financial system contained in this Code are irrenounceable as financial services are considered of public order, social interest and mandatory observance throughout the country. Any stipulation to the contrary shall be considered null."

"Article 5.- The rights of the user of the financial system regarding the financial products and services offered by institutions of the financial system, in accordance with the law and sound practices, will be protected, in the first instance, by the client defender of the financial institutions, and by the Superintendence of Banks and Insurance, and for this purpose it may act ex officio or at the request of a party in accordance with what is expressly mandated by the Constitution and applicable laws, without prejudice to the competencies that other authorities exercise in accordance with the law.

Nevertheless, any public authority in the application of its competencies and in accordance with the law, will protect the rights of the user of the financial system. (...)"

"Article 6.- Users of financial products and services will exercise their rights within the framework of the universal principle of good faith."

"Article 18.- The Superintendence of Banks in the exercise of its constitutional and legal functions of regulation and supervision, preventive and corrective, will have as a fundamental principle the protection of the rights of the user of the financial system."

THAT in application of what is provided in letter o), of Article 180 of the General Law of Institutions of the Financial System, the Banking Board issued Resolution No. JB-2005-747 of January 25, 2005, which was reformed with Resolution No. JB-2009-1303 of May 14, 2009, regarding the procedure for the attention of claims against institutions of the financial system, which is contained in Chapter IV, Title XX, Book I of the Codification of Resolutions of the Superintendence of Banks and the Banking Board, whose Article 5 provides:

"Article 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the claim, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.

If the situation that motivated the claim referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused harm to the claimant, the Superintendence of Banks may order the return of the claimed values, in the exercise of the functions and attributions contemplated in letters b) and o) of Article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a period that may not exceed fifteen (15) days from the notification to send, under the warnings of the Law, the proof of compliance with the order issued." (Emphasis added);

THAT the client delivers money to a financial institution with the option to withdraw it, in part or entirely, at the moment they require it, while the depositary entity assumes the obligation to keep or safeguard the deposited values and satisfactorily attend to all withdrawal operations required by the holder, with diligence and professional care;

THAT the financial institution has the obligation to safeguard the deposited values and satisfactorily attend to all withdrawal operations required by the client; likewise, it is responsible for providing with efficiency and responsibility the services offered to users of the system, among which are transfers through different electronic channels. In this line, the Bank is obliged to evaluate and demand the appropriate securities in order to fulfill its obligations as a depositary of the monies that its clients have entrusted to it, with the purpose of being able to provide a quality service;

THAT as derived from Official Letter No. IRG-DAyEU-2014-298 of September 25, 2014, lawyer Humberto Moya González, Regional Intendant of Guayaquil, concludes in his technical report that "(...) Banco de Guayaquil S.A., by Official Letter No. UAC-SBS-2013-111, received by this Control Body on January 30, 2014, sent an internal report in which it was evidenced that according to the ITREPORTS application, the movements of the client's account on the date corresponding to the transaction that was the subject of the claim were processed through IP address 186.162.7.55, located in Lima, Peru, the aforementioned IP not being habitual for the claimant to make transfers, nor registered by her for such effects (...)

THAT in this way, according to the criterion of the Regional Intendant of Guayaquil, the incorrect procedure in which Banco de Guayaquil S.A. incurred is configured in the context of the claim of Mrs. Keyla Annabell Coca Ortega;

THAT the Superintendence of Banks is in charge of supervising and controlling the operations of institutions that are part of the national financial system, as well as protecting the interests of users of this sector;

THAT Banco de Guayaquil S.A. maintains in its defenses that the only way to register IP addresses is through access to Virtual Banking, which is exclusively achieved with the validation of the password granted to its clients; therefore, the financial institution erroneously concludes that the fact that clients compromise said information frees the bank from any responsibility for the mishandling of this password, without considering the content of the norms transcribed above;

THAT Banco de Guayaquil S.A. intends to transfer to the financial user the risks inherent to the organization and execution of the transfer service through electronic channels offered by the institution, by holding them responsible for the same due to the misuse of their virtual banking access password and the compromise of the custody of their "Bancontrol" coordinate card; however, there is no record in the case file under consideration regarding these facts, a reasoning that also allowed, through the administrative act contained in Official Letter No. IRG-DAyEU-V-R-2014-673 of June 24, 2014, to reject the requests of the appellant, insisting that it is not appropriate to place the responsibility for the possible lack of custody and care of the information of the "Bancontrol" coordinate card on the claimant, and, therefore, the responsibility for said transaction carried out via the internet;

THAT both the Constitution of our country, the General Law of Institutions of the Financial System, and the Codification of Resolutions of the Superintendence of Banks and the Banking Board ensure the compliance and implementation of procedures and mechanisms that protect and disseminate the rights of financial users, attributing corrective, controlling, and sanctioning faculties to the Superintendence of Banks, so that it carries out such functions;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0089 of February 2, 2015, recommended to the Banking Board to reject the request contained in the appeal filed by the Executive Vice President and General Manager of Banco de Guayaquil S.A.; and,

In exercise of its legal attributions,

RESOLVES:

SINGLE ARTICLE.- REJECT the request contained in the appeal for review filed; and, consequently, RATIFY Official Letter No. IRG-DAyEU-V-R-2014-673 of June 24, 2014, with which the payment order of USD $409.00 was confirmed, contained in Official Letter No. IRG-DAyEU-V-R-2014-325 of April 16, 2014, in favor of Mrs. Keyla Annabell Coca Ortega, in the context of the claim she maintains against Banco de Guayaquil S.A.

COMMUNICATE.- Given at the Superintendence of Banks and Insurance, in Quito, Metropolitan District, on the twentieth of May of the two thousand fifteen.

(Signature) Econ. Rodrigo Landeta Parra GENERAL INTENDANT (S) PRESIDENT OF THE BANKING BOARD SESSION (E)

I CERTIFY.- Quito, Metropolitan District, on the twentieth of May of the two thousand fifteen.

(Signature) Lcdo. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD