2015-03-25 | JB-2015-3313

The Banking Board of Ecuador rejected the appeal filed by Banco de Guayaquil S.A. and confirmed the administrative order requiring the bank to refund US$1,500 to client Evelin Paola Pérez Castillo for an unauthorized internet transfer. The Board determined that the bank failed to implement adequate security monitoring procedures, specifically by failing to detect and alert on a transaction from an unusual IP address in Peru, thereby violating operational risk management regulations. Consequently, the bank was held liable for the fraud, as it did not provide sufficient evidence that the client misused her security credentials.
THAT the second paragraph of the Third Transitional Provision of the Organic Monetary and Financial Code determines that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures that it was handling on the date of entry into force of that Code, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT Ms. Evelin Paola Pérez Castillo, through a communication received at the Regional Superintendent's Office of Guayaquil on September 19, 2013, filed a claim against Banco de Guayaquil S.A., requesting that the return of the sum of US$ 1,500.00 debited from her checking account No. 14610421 be ordered, via an electronic transfer on August 22, 2013, without her authorization, to Mr. Cleber Paredes Cevallos;
THAT, having accepted the claim for processing, the National Directorate of User Attention and Education of the Regional Superintendent's Office of Guayaquil, through Official Letter No. DAYEU-ISFP-REQ-2013-1275 of October 21, 2013, forwarded said claim to Banco de Guayaquil S.A. and requested explanations and defenses regarding the case;
THAT, through Official Letter No. UAC-SBS-2014-591 received at said Regional Superintendent's Office on October 31, 2013, Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., presented the required explanations and defenses and stated, in the main, the following:
"(...) Within the review carried out and according to what was stated by Ms. Pérez Castillo, it was determined that the client was a victim of computer fraud known as 'Phishing', (...) (Emphasis added)
The entity has a fraud prevention system that includes an authentication process in Virtual Banking (...), which constitutes the validation of the client's identification on this channel. (...)
This process includes the Bancontrol card, which is a coordinate card system, a tool that increases the security of static passwords and constitutes an additional barrier against electronic fraud; this mechanism provides random keys to give peace of mind to our clients, (...)
It is important to explain that our institution on its website: (...), shows its clients the following security message 'Remember that Banco de Guayaquil does not send emails (sic) or text messages requesting personal data information, Bancontrol card coordinates, username, password for your accounts or credit cards, do not access any link included within an unknown email'.
(...)"
THAT, through Official Letter No. IRG-DAYEU-V-R-2014-212 of March 21, 2014, the Regional Superintendent's Office of Guayaquil issued an administrative resolution, which favorably attended the claim presented by Ms. Evelin Paola Pérez Castillo, ordering Banco de Guayaquil S.A. the following:
"(...)"
In virtue of the above, (...), this Office resolves:
ACCEPT the claim presented by Ms. EVELIN PAOLA PÉREZ CASTILLO, (...) against (...) BANCO DE GUAYAQUIL S.A., on the grounds that it has not been evidenced that the claimant failed to comply with the recommendations issued by the entity for the internet transfer process.
ORDER the BANK (...) to proceed to restore to Ms. (...) the sum of (...) (US$1,500.00) (...), which corresponds to the unauthorized transfer by the user, via internet;
THAT, through a document entered in the Regional Superintendent's Office of Guayaquil on April 4, 2014, the Executive Vice President – General Manager of Banco de Guayaquil S.A., filed an appeal for reconsideration against the administrative act contained in Official Letter No. IRG-DAYEU-V-R-2014-212 of March 21, 2014;
THAT, through Official Letter No. IRG-DAYEU-V-R-2014-484 of May 21, 2014, the Regional Superintendent's Office of Guayaquil resolved to reject the appeal for reconsideration filed and confirmed the administrative act contained in Official Letter No. IRG-DAYEU-V-R-2014-212 of March 21, 2014, because it determined that the appellant did not provide documentary evidence or new information on the merits of the subject matter of the administrative claim that would change the circumstances under which said letter was issued;
THAT, through a document entered in the Superintendency on June 2, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., with the professional sponsorship of Dr. Rosa Tobar Reina, filed an appeal for review before the Banking Board against Official Letter No. IRG-DAYEU-V-R-2014-484 of May 21, 2014, arguing in the main the following: that "(...) the present is a case of computer fraud under the phishing modality, (...) falls within the norms contained in Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011, (...)"; that "(...) the security mechanisms maintained by the Bank (...) in its transactional channels consisted of an efficient fraud prevention system, strengthened with the use of a coordinate card called Bancontrol, (...) which was delivered to the client on June 6, 2012 (...) contains the coordinates through which the client carries out transactions in Virtual Banking, and its custody is of their absolute responsibility, (...)"; that "(...) the Bank has implemented as a security measure the registration of IP addresses of authorized computers, as a control pursuant to regulations on security measures in electronic channels, controls that are implemented in 100% in the virtual banking channel, a fact that is fully verifiable."; and, that "(...) the transactions in question were correctly processed, because in them the system validated the client's key and coordinates, which are only known and custodied by them, without requiring any additional verification, and the beneficiary account registration procedure, IP registration, and notifications on the transactions carried out were also fulfilled."; that "(...) in the Appeal for Reconsideration, new elements and proof of compliance (...) with the Security measures that allowed the client to be alerted about the transactions, subject of the claim, logs and records of said transactions, bank account contract, where it was evidenced that the client did receive the messages and that the accounts were registered as beneficiaries, (...) as well as the Electronic Services Document-Assignment of Bancontrol Card."; and, that "(...) the only cause for which the authority can order the reimbursement of the claimed values is when the controlled institution commits an incorrect procedure that causes harm to the claimant, (...). However, in the present case my represented party did not commit any incorrect procedure, since the transfer of funds was made with the client's secret keys (...)";
THAT, through Official Letter No. JB-2014-1488 of June 11, 2014, the Secretary of the Banking Board (s), accepted the appeal for processing; and, through Official Letter No. JB-2014-1489 of the same date, notified Ms. Evelin Paola Pérez Castillo regarding the acceptance of said appeal;
THAT Articles 52 and 66, numeral 25 of the Constitution of the Republic, guarantee persons the right to access and enjoy quality public and private services. Furthermore, financial activities are a service of public order and have the fundamental function of preserving public deposits. In such virtue, Banco de Guayaquil S.A., with the purpose of providing an optimal service to its clients, such as carrying out transfers through virtual banking, is under the obligation to evaluate and provide all necessary security measures, so it is not appropriate to disclaim the bank's responsibility;
THAT the Superintendency of Banks and Insurance, as the competent authority, pursuant to Articles 1 and 180, letter b) of the General Law of Institutions of the Financial System, as well as what is provided in Article 5 of Chapter IV "Procedure for the attention of claims against Institutions of the Financial System", title XX "Of the Superintendency of Banks and Insurance", book I "General norms for the application of the General Law of Institutions of the Financial System" of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, has the function and attribution to ensure the stability, solidity, and correct functioning of institutions subject to its control; to supervise that they comply with the norms that govern them; and, to demand that said institutions present and adopt the corresponding corrective measures when necessary; under this context, based on the aforementioned legal and regulatory provisions, it is inferred that this control organism has the legal and normative faculty to hear financial users' claims, and in case of determining an incorrect procedure on the part of the entities, to order the restitution of values to them, therefore the administrative acts issued to resolve them, arise from the control and supervision attributions, in whose activity, the protection of public interests must be taken into account;
THAT regarding the argument alleged by the appellant about the interinstitutional resolutions 001-FGE-SBS-2011 of February 21, 2011 and 002-FGE-SBS-2011 of April 25, 2011, issued by the Superintendent of Banks and Insurance and the Attorney General of the State, it is necessary to point out that they did not constitute grounds for the resolution adopted in the present case, by virtue of which, no pronouncement on them is appropriate within this appeal. Furthermore, the aforementioned interinstitutional resolutions were applicable to certain specific cases that were detailed in them, within which the claim of Ms. Evelin Paola Pérez Castillo against Banco de Guayaquil S.A. is not recorded;
THAT although the appellant alleges that the transaction questioned by the claimant was carried out on August 22, 2013, using the personal keys and coordinates recorded in the Bancontrol Coordinate Card of exclusive responsibility of the client, it is not appreciated that Banco de Guayaquil S.A. contributed to issuing a reasoned response to the claimant; it merely transferred the responsibility for the handling of said card to the client herself. On the other hand, the Superintendency of Banks and Insurance has the legal and normative faculty to hear clients' claims;
THAT the appellant argues that "(...) the cards and keys from which the client carries out transactions in Virtual Banking are of their exclusive responsibility, and constitute the indispensable validation of their identification (...) so that Ms. EVELIN PAOLA PEREZ CASTILLO is the exclusive responsible (sic) for all operations or transactions that have been carried out with her Bancontrol Coordinate Card." Regarding this, it must be pointed out that both the client and the financial entities have rights and obligations to fulfill, since regardless of whether the client fulfills their obligations regarding the good custody of their Bancontrol card and the use of keys and coordinates known by them, it is the responsibility of the depositary bank to implement the necessary "technological security" measures, as well as effective monitoring and internal control procedures so that the internet transfer service guarantees security to users;
THAT under this context, from the file formed around the present appeal, it is observed that there are no documentary defenses that support the client's responsibility for the mishandling of her Bancontrol card and secret keys;
THAT the bank's obligation, in the capacity of custodian of the deposited money, is to restore it at the time of the request of its owner or account holder, taking care with due diligence that said values go to the property of the depositor, in the form agreed in the corresponding legal document, and instrumented under the protection of Article 51 of the General Law of Institutions of the Financial System;
THAT it is important to indicate, according to the defenses on file, that the bank with Official Letter No. UAC-SBS-2013-591 of October 28, 2013, concluded: "(...) Within the review carried out and according to what was stated by Ms. Pérez Castillo, it was determined that the client was a victim of computer fraud known as 'Phishing,' (...)"; and with the 'INTERNAL REPORT' FR-I-2013-392 of August 26, 2013, prepared by the Unit of Claims and Frauds, attached to said letter, it established: "(...) Based on the antecedents and the review of the claim presented by the client, it is concluded that it is IMPROPER because the client was probably a victim of computer fraud (...)";
THAT regarding these assertions, it is necessary to emphasize the responsibility that Banco de Guayaquil S.A. has to implement security actions and procedures through virtual banking (an electronic channel that offers its clients online services to carry out their transactions), aimed at avoiding alteration of and unauthorized access to their accounts, thus protecting them from electronic frauds known as "Phishing" through virtual banking, which could harm their assets; so it is not appropriate to hold the client responsible for the transfer carried out fraudulently, of which, as the bank itself determined, Ms. Evelin Paola Perez Castillo was the victim;
THAT in that line, with reference to the claim that "(...) the security mechanisms that the Bank (...) maintained (...) in its transactional channels (...) consisted of an efficient fraud prevention system, strengthened with the use of a coordinate card called Bancontrol, (...) which was delivered to the client on June 6, 2012 (...) contains the coordinates through which the client carries out transactions in Virtual Banking, and its custody is of their absolute responsibility, (...)" and that the bank has implemented as a security measure the registration of IP addresses, noting that the controls relative to security measures in electronic channels are implemented at 100%; a lack of compliance on the part of the entity is determined within said procedure with what is provided in Article 4, Chapter V "Of Operational Risk Management", title X "Of Operational Risk Management", book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, which provides:
ARTICLE 4.- With the purpose that the probability of incurring financial losses attributable to operational risk is minimized, the following aspects must be adequately administered, which are interrelated:
(...) 4.3. Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making.
To consider the existence of an appropriate operational risk management environment, controlled institutions must define policies, processes, and procedures that ensure adequate planning and administration of information technology.
(...) 4.3.5. Security measures in electronic channels.- With the object of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to avoid the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients in charge of controlled institutions, these must comply at minimum with the following:
(...)
4.3.5.8. Establish procedures to monitor, control, and issue online alarms that inform timely about the status of electronic channels, in order to identify unusual, fraudulent events or correct failures (...)
4.3.5.9.
(...)
Among the main customization conditions for each type of electronic channel, the following must be recorded: the registration of accounts to which monetary transfers are desired to be made, numbers of basic service supplies, fixed and mobile telephone numbers, maximum amounts per daily, weekly, and monthly transaction, among others.
(...)
4.3.5.13. Institutions must establish control procedures and mechanisms that allow registering the profile of each client regarding their transactional behaviors that imply money movement in the use of electronic channels and cards and define procedures to monitor online and allow or reject in a timely manner the execution of transactions that imply money movement that do not correspond to their habits, which must be immediately notified to the client via mobile messaging, email, or another mechanism (...) (Underlining added);
THAT Banco de Guayaquil S.A. evidenced that, according to the ITREPORTS application, the movements of the client's account on the date corresponding to the claimed transaction were processed through IP address 181.65.162.158, located in Lima, Peru; said IP was neither one habitually used by the claimant to make transfers nor one registered by her for such purposes. Said transfer, carried out from a different IP address, should have triggered the corresponding security alerts, so in the present case there was an omission of procedures on the part of the entity with respect to the aforementioned regulation, which caused economic harm to the user;
THAT according to the historical behavior between May 1 and August 31, 2013, contained in the IP Address Detail sent by the bank, the financial user carries out transactions for "Payment of Services" not exceeding US$ 79.11 from various IP addresses, in contrast with the interbank transfer claimed, carried out on August 22, 2013, for an amount of US$ 1,500.00 from the aforementioned IP address located in Lima, Peru, whose beneficiary is Mr. Cleber Paredes Cevallos;
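The profile-based monitoring that rules 4.3.5.8 and 4.3.5.13 require, and that the Board finds missing here, can be sketched in code. This is an added illustration, not code from the bank or the Superintendency: the transaction history, the registered-IP list and the beneficiary labels are constructed, while the Peruvian IP address and the US$ 79.11 / US$ 1,500.00 figures are the ones stated in the resolution.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    when: str          # ISO-8601 timestamp (constructed)
    kind: str          # "service_payment" or "interbank_transfer"
    amount: float      # US$
    src_ip: str        # client IP address seen by the virtual banking channel
    beneficiary: str   # label of the destination account


# Constructed history in the shape the resolution describes: only small
# "Payment of Services" transactions (max US$79.11) from the client's usual IPs.
HISTORY = [
    Txn("2013-05-03T09:12:00", "service_payment", 42.10, "186.46.10.21", "water-co"),
    Txn("2013-05-17T18:40:00", "service_payment", 79.11, "186.46.10.21", "power-co"),
    Txn("2013-06-02T10:05:00", "service_payment", 35.00, "190.152.7.9", "telco"),
    Txn("2013-07-14T21:30:00", "service_payment", 60.25, "186.46.10.21", "water-co"),
    Txn("2013-08-05T08:55:00", "service_payment", 58.00, "190.152.7.9", "power-co"),
]

# IPs the client registered as authorized computers (constructed: the page says
# such registration existed, not which addresses were on it).
REGISTERED_IPS = {"186.46.10.21"}

# The claimed transfer: amount and source IP are from the resolution; the
# timestamp and beneficiary label are constructed placeholders.
CLAIMED = Txn("2013-08-22T15:20:00", "interbank_transfer", 1500.00,
              "181.65.162.158", "unregistered-third-party")


def build_profile(history):
    """Client transactional profile (4.3.5.13): habitual IPs, transaction
    types, beneficiaries and the largest amount seen in the period."""
    return {
        "ips": {t.src_ip for t in history},
        "kinds": {t.kind for t in history},
        "beneficiaries": {t.beneficiary for t in history},
        "max_amount": max(t.amount for t in history),
    }


def evaluate(txn, profile, registered_ips):
    """Return (decision, reasons). Any deviation from the profile holds the
    transaction for out-of-band confirmation instead of executing it online."""
    reasons = []
    if txn.src_ip not in profile["ips"] and txn.src_ip not in registered_ips:
        reasons.append(f"source IP {txn.src_ip} is neither habitual nor registered")
    if txn.kind not in profile["kinds"]:
        reasons.append(f"transaction type {txn.kind!r} not in client habits")
    if txn.beneficiary not in profile["beneficiaries"]:
        reasons.append(f"beneficiary {txn.beneficiary!r} never used before")
    if txn.amount > 2 * profile["max_amount"]:
        reasons.append(f"amount US${txn.amount:.2f} exceeds twice the historical "
                       f"maximum of US${profile['max_amount']:.2f}")
    return ("hold" if reasons else "allow"), reasons


def client_notice(txn, decision, reasons):
    """Text of the immediate notification the rule requires (SMS or e-mail)."""
    if decision == "allow":
        return f"Transaction of US${txn.amount:.2f} to {txn.beneficiary} executed."
    return (f"Transfer of US${txn.amount:.2f} to {txn.beneficiary} on {txn.when} "
            f"was held pending your confirmation: " + "; ".join(reasons))


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    decision, reasons = evaluate(CLAIMED, profile, REGISTERED_IPS)
    print(client_notice(CLAIMED, decision, reasons))
```

Run as written, the claimed transfer is held on all four checks (unknown IP, new transaction type, new beneficiary, amount far above habit), which is the alert the Board says never fired.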
THAT regarding the argument of the appellant in the sense that he did attach, in the appeal for reconsideration, new elements and proof of compliance on the part of the bank relative to the security measures; the Regional Superintendent's Office of Guayaquil, in the technical report issued to resolve the present appeal for review, referencing Article 3, Section I "Of the reconsideration", Chapter II "Norms for the application of reconsideration and review appeals in topics related to the financial system and the social security system; and, of appeal in private insurance matters, regarding administrative acts of the Superintendency of Banks and Insurance", title XVI "Of sanctions and of appeals in the administrative venue", book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, according to which the appeal for reconsideration must be based only on the existence of elements of fact or law not known by the Superintendency or the Banking Board at the time of issuing the resolution, whose record, if it had existed, could have decisively influenced the sense of the resolution, and the administrative act contained in Official Letter No. IRG-DAYEU-V-R-2014-212 of March 21, 2014; textually indicates that: "(...) the only document attached by the controlled entity, when filing the appeal for reconsideration, was the notification report that evidences that the procedure established in the corresponding reforms to security measures in electronic channels, ATMs; however, the presentation of said documentation does not modify the circumstances under which the claimant, (...) challenged the transfer carried out from her checking account." (sic);
THAT from the above, it is derived that Banco de Guayaquil S.A. incurred an incorrect procedure by not detecting the unusual behavior of the transactions through effective monitoring and internal control procedures aimed at guaranteeing technological security, taking into account the risks inherent to its operation as demanded by the aforementioned regulation, in order to avoid or prevent fraudulent transactions from causing harm to its clients. Consequently, and in application of what is provided in Article 5, Chapter IV "Procedure for the attention of claims against Institutions of the Financial System", title XX "Of the Superintendency of Banks and Insurance", book I "General norms for the application of the General Law of Institutions of the Financial System" of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, it was appropriate for the control organism to have ordered the return of the value claimed by Ms. Evelin Paola Pérez Castillo;
THAT the National Legal Superintendent's Office, through memorandum INJ-DNJ-SAL-2014-0984 of December 9, 2014, recommended the Banking Board to reject the claim contained in the appeal filed by the Executive Vice President-General Manager of Banco de Guayaquil S.A.; and,
In exercise of its legal attributions,
SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A.; and, consequently CONFIRM the administrative act contained in Official Letter No. IRG-DAYEU-V-R-2014-484 of May 21, 2014, through which the Regional Superintendent's Office of Guayaquil rejected the appeal for reconsideration filed by the bank, against Official Letter No. IRG-DAYEU-V-R-2014-212 of March 21, 2014, with which it ordered the aforementioned banking entity "(...) to restore to Ms. EVELIN PAOLA PÉREZ CASTILLO the sum of (...) (US$1,500.00), in checking account No. 14610421, (...) which corresponds to the unauthorized transfer by the user, via internet (...)" (sic).
NOTIFY.- Given in the Superintendency of Banks and Insurance, in Quito, Metropolitan District, on the twenty-fifth of March of two thousand fifteen.
Signature
Econ. Rodrigo Landeta Parra
GENERAL SUPERINTENDENT (s)
PRESIDENT OF THE BANKING BOARD SESSION (E)
I CERTIFY.- Quito, Metropolitan District, on the twenty-fifth of March of two thousand fifteen.
Signature
Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD