2015-06-24 | JB-2015-3500

The Banking Board of Ecuador issued Resolution JB-2015-3500 to partially confirm the administrative act in Resolution JB-2015-3339, which ordered Banco Pichincha C.A. to fully refund USD 390.00 to client Sandra Ximena Tapia Córdova. The Board determined that the bank failed to implement mandatory security protocols, including IP monitoring and transaction alerts, thereby allowing an unauthorized transfer from a suspicious IP address. Consequently, the Board rejected the bank's appeal, ruling that the institution's procedural deficiencies caused the economic harm and precluding the shifting of liability to the customer.
Banking Board of Ecuador
RESOLUTION No. JB-2015-3500
THE BANKING BOARD
CONSIDERING:
THAT by Resolution No. JB-2015-3339 of April 8, 2015, the Banking Board resolved: "REJECT the claim contained in the review appeal filed by Mr. Antonio Acosta Espinosa, Vice President of Banco Pichincha C.A.; and, consequently PARTIALLY CONFIRM the administrative act contained in letter No. DNAE-SAU-2014-04101 of June 30, 2014, through which the User Attention Directorate rejected the reconsideration appeal filed, and resolved to ratify the administrative act contained in letter No. DNAE-SAU-2014-03725 of June 16, 2014; and ORDER Banco Pichincha C.A. to proceed with the full refund of the value claimed by Mrs. Sandra Ximena Tapia Córdova regarding the internet transfer made on February 9, 2014, in the amount of USD $390.00 (three hundred ninety dollars/00); since the file does not contain evidence that Banco Pichincha C.A. has refunded any value," fundamentally for the following considerations:
"(...)
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332 of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, and norms issued by control bodies, will remain in force insofar as they do not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was handling on the date of entry into force of the same, within a period of one hundred eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT Mrs. Sandra Ximena Tapia Córdova, through communication received by the control body on April 24, 2014, filed a complaint against Banco Pichincha C.A., stating: "(...) a transfer of US$ 390.00 was made from my account via internet, which I did not make (...) the bank cannot assume the value withdrawn from my account because they have many security measures, and to help me they can recognize 50% of the withdrawal, if I accept this they can print the investigation report for the file, otherwise they cannot facilitate it. On my part, I indicated that I do not agree with that report (...) I never received any message on my cell phone indicating that a transfer was made from my account, as usually happens when I do a mobile recharge (...) and the money was stolen while it was in the bank's possession, not mine. (...) therefore I request that 100% of my money be returned to me";
THAT through letter No. DNAE-SAU-2014-02706 of April 29, 2014, the full content of the complaint filed against said bank was forwarded to it, granting a term of 5 days to present relevant explanations and defenses; in response to said requirement, with letter No. BP-ACEC-2014-0485 of April 22, 2014, submitted to the Superintendency on May 27, 2014, the financial entity presented the explanations and defenses related to the claim presented by Mrs. Sandra Ximena Tapia Córdova, justifying its action, mainly as follows:
"In virtue of the above and taking into account the client's responsibility regarding transactions carried out through electronic means, Banco Pichincha C.A. in no way can be held responsible for transactions carried out with the client's personal keys or coordinates.
Notwithstanding the above, exclusively considering the commercial relationship maintained with Mrs. TAPIA CORDOVA SANDRA XIMENA and without this representing any institutional recognition, it was considered to approve 50% of the value claimed by said client. (...)";
THAT through letter No. DNAE-SAU-2014-03725 of June 16, 2014, the Acting Deputy Director of User Attention issued the administrative resolution resolving the complaint presented, in the following sense:
"(...) Banco Pichincha C.A., having incurred an incorrect procedure in the transaction subject of this complaint, that is, that the system did not generate the security key however the bank debited the amount of the transfer in question from the holder's savings account, consequently the Directorate under my charge disposes (...) the refund for the difference that has not been recognized, that is, for the amount of ONE HUNDRED NINETY-FIVE DOLLARS OF THE UNITED STATES OF AMERICA ($ 195.00).";
THAT through communication received on June 25, 2014, BANCO PICHINCHA C.A. filed a reconsideration appeal against the administrative act contained in letter No. DNAE-SAU-2014-03725 of June 16, 2014; and, with letter No. DNAE-SAU-2014-04101 of June 30, 2014, the User Attention Directorate rejected the reconsideration appeal filed, and resolved to confirm the administrative act contained in letter No. DNAE-SAU-2014-03725 of June 16, 2014;
THAT through a document entered in the Superintendency of Banks and Insurance on July 10, 2014, Mr. Antonio Acosta Espinosa, Vice President of Banco Pichincha C.A., with the professional sponsorship of Dr. Pablo Cadena Merlo, filed a review appeal before the Banking Board against the administrative act contained in letter No. DNAE-SAU-2014-04101 of June 30, 2014; arguing the following:
That "The alerts generated by my representative have been fulfilled, for which reason the Bank is relieved of all responsibility.";
That "(...) the client's private keys as well as the respective coordinates of the e-key card constitute the main and only mechanism to access Internet transfer services, which must be considered by the Control Body.";
That "(...) the administrative act contained in letter No. DNAE-SAU-2014-04101 of June 30, 2014, signed by Dr. Mirian Muñoz Solano, Acting Deputy Director of User Attention, be REVOKED, by which it ratifies the administrative act contained in letter No. DNAE-SAU-2014-03725 of June 16, 2014, through which it is in turn ordered that my representative proceed with the refund of US$ 195.00 (one hundred ninety-five dollars of the United States of America), to Mrs. Sandra Ximena Tapia Córdova";
THAT through letter No. JB-2014-1971 of July 25, 2014, the Secretary of the Banking Board accepted the review appeal for processing; and, with letter No. JB-2014-1972 of the same date, notified Mrs. Sandra Ximena Tapia Córdova regarding the acceptance of said appeal;
THAT the Superintendency of Banks, as the competent body, in accordance with articles 1 and 180, letter b) of the General Law of Financial System Institutions, as well as what is provided in article 5 of chapter IV regarding the "Procedure for the attention of complaints against Financial System Institutions", title XX "Of the Superintendency of Banks and Insurance", book I "General norms for the application of the General Law of Financial System Institutions" of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, has the function and attribution to ensure the stability, solidity, and correct functioning of institutions subject to its control; to supervise that they comply with the norms that govern them; and to require that said institutions present and adopt the corresponding corrective measures when necessary; under this context, based on the referred legal and regulatory provisions, it is inferred that this control body has the legal and normative faculty to hear financial user complaints, and in case of determining an incorrect procedure by the entities, to dispose of the restitution of values to them, therefore the administrative acts it issues to resolve them, arise from the control and supervision attributions, in whose activity, the protection of public interests must be taken into account;
THAT regarding the bank having no responsibility in the objected transaction, since said damage occurs due to the incorrect use of the electronic channel and not due to the lack of security of the entity's systems, and can only be imputable to the user, taking into account that personal keys and coordinates constitute the only mechanism to access internet transfer services; the first paragraph of article 1, chapter III "Code of User Rights of the Financial System", book I of the Codification ibidem, establishes that users, as well as the controlled financial entity, have rights and obligations to fulfill based on a contract, the first to maintain due custody of their personal key and card coordinates delivered by the bank, the second to comply with orders on funds entrusted to it, in harmony with the pertinent legal and regulatory norms with the implementation of adequate internal controls that safeguard the interests of their clients; in this sense, Banco Pichincha C.A., by offering its clients the internet transfer service via virtual banking, and in order to guarantee the safeguarding of deposited values, is obliged to implement security procedures and policies that avoid the risk of possible diversions or misappropriation of deposited economic resources;
THAT among the bank's policies to carry out internet transfers and for this to be successful "it is necessary to enter the biometric user and biometric key generated by the client, in addition, if applicable, the respective security code, information that is exclusively known to the client (...) the Bank implemented the personal and non-transferable card called "E-key", in which it registers the coordinate requested by the system to accept the transaction, being equally the exclusive responsibility of the client (...)"; it is observed within said procedure a lack of compliance by the entity with what is provided in several of the provisions contained in article 4, section II, chapter V "Of Operational Risk Management", title X "Of Risk Management and Administration", book I, of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, which provide:
"(...) 4.3.5 Security measures in electronic channels.- In order to guarantee that transactions carried out through electronic channels have the controls, measures, and security elements to avoid the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients under the control of the institutions, they must comply at least with the following:...
(...) 4.3.5.8. Establish procedures to monitor, control, and issue online alarms that inform timely about the status of electronic channels, in order to identify unusual, fraudulent events or correct failures...
4.3.5.9. (...) Among the main conditions of customization for each type of electronic channel, it must include: the registration of accounts to which monetary transfers are desired to be made, basic service supply numbers, fixed and mobile phone numbers, maximum amounts per daily, weekly, and monthly transaction, among others. (...)
4.3.5.11. Financial system institutions must register IP addresses and mobile phone numbers from which transactions are made (...)
4.3.5.13. Institutions must establish control procedures and mechanisms that allow registering the profile of each client regarding their transaction behaviors involving money movement in the use of electronic channels and cards and define procedures to monitor online and allow or reject timely the execution of transactions involving money movement that do not correspond to their habits which must be immediately notified to the client via mobile messaging, email, or other mechanism (...)";
THAT from the cited regulation it is inferred that the financial entity has not implemented all the security measures necessary to give the claimed electronic transfer the required level of reliability, since the transaction subject of the complaint was made from an IP address the claimant did not usually use for transfers, one that does not fall within the typical patterns of the client that the bank should have established, and it triggered no alert signal. A transfer made from a different IP address should have issued the corresponding security alerts; the present case therefore evidences weakness in the application of the entity's procedures as provided in the quoted numeral 4.3.5.13, which caused economic harm to the claimant, since, had that norm been complied with, the disputed transfer would not have been made from an IP address not registered within her transaction history;
THAT in addition to the review of the file, it is evident that the basic account No. 2201306492 to which the claimed transfer was made, belongs to Christian Jonathan Gutiérrez Quiroz, which was opened on February 8, 2014, and on February 27, 2014, its "ACCOUNT CANCELLATION EFFECTIVE" is recorded; it is important to note that this account is registered as a beneficiary in other cases with the following detail:
| # CLAIM | CLAIMANT | CLIENT ID | CLAIM VALUE | ACCOUNT | TRANSFER DATE | BENEFICIARY ACCOUNT |
|---|---|---|---|---|---|---|
| 2457702 | LOPEZ VASQUEZ CARLOS ALBERTO | 0801884966 | 293.00 | 3886423200 | 10/02/2014 | 2201306492 |
| 2462330 | MANTILLA OÑA PATRICIA ELIZABETH | 1709181190 | 302.00 | 3033757000 | 10/02/2014 | 2201306492 |
THAT Banco Pichincha C.A. states that the security schemes implemented for transactions through Internet are the most secure and complete, however in the claimed transaction, the SMS message report to number 593 985695159 does not show that in the transaction of February 9, 2014, the system validated the security code, considering that prior to entering the security code, the system links the verification and confirmation of the biometric user identity and biometric key, in addition, there is no evidence of sending amount change alerts, or entries from an IP address different from those maintained in the transactional profile as provided by the cited regulation, these facts resulting in incorrect procedures in which the bank has incurred, since it is its responsibility to adequately manage risks, subject to what is provided in numeral 2.2 of article 2, section I, chapter I, title X, book I of the aforementioned Codification, which states:
"(...) Risk Management.- It is the process by which financial system institutions identify, measure, control/mitigate, and monitor risks inherent to the business, in order to define the risk profile, the degree of exposure the institution is willing to assume in the development of the business, and coverage mechanisms, to protect its own and third-party resources that are under its control and administration;";
THAT it is important to reiterate the obligation of Banco Pichincha C.A. to implement information security actions and procedures through virtual banking - the electronic channel that offers its clients online services for carrying out their transactions -, aimed at timely warning of the risk of alteration and unauthorized access to their accounts, thereby preventing electronic fraud, as well as other types of crimes, that due to the lack of application of the norm issued for the effect, violate the patrimony of their clients, so the responsibility for the claimed transfer cannot be shifted to Mrs. Sandra Ximena Tapia Córdova;
THAT regarding the logs sent by the bank, it is observed that on February 8, 2014, at 12:00:39, from IP 186.5.75.211, an access was made through the Internexo electronic channel of Banco Pichincha C.A., for "Authentest - Signature Validation in the Biometric Entry System", which states in the respective column: "Denied because the user's biometric registry indicated a possible fraud"; subsequently, at 12:01:26, two actions are recorded simultaneously: "Activation of accounts for Transfers" for "$5,001.00" and "ekey Validation"; subsequently, on February 9, 2014, from the same unusual IP 186.5.75.211, the following appears:
| DATE/TIME | IP | OPERATION | VALUE | EXTRA |
|---|---|---|---|---|
| 2014-02-09 11:43:34 | 186.5.75.211 | Authentest - Signature Validation in the Biometric Entry System | | Denied because the user's biometric registry indicated a possible fraud |
| 2014-02-09 11:45:17 | 186.5.75.211 | ekey Validation | null | |
| 2014-02-09 11:45:18 | 186.5.75.211 | Transfers - Email Notification | | |
| 2014-02-09 11:45:18 | 186.5.75.211 | Third-party Transfer | 390.00 | |
THAT finally, because the complaint presented by Mrs. Sandra Ximena Tapia Córdova originated from an incorrect procedure of the controlled institution, detailed at length above: the transactional record shows that the banking institution did not detect the user's unusual behavior, nor did it validate the entry into the Virtual Banking service with the security code that should have been sent to the user's cell phone, and, additionally, there is no evidence of sending amount change alerts or alerts for entries from an IP address different from those maintained in the transactional profile; all this allowed the claimed transfer to be made without the bank having issued the security alert to which it was obliged according to the norm previously stated; in this case, the requirement established in article 5, chapter IV "Procedure for the attention of complaints against Financial System Institutions", title XX "Of the Superintendency of Banks and Insurance", book I "General norms for the application of the General Law of Financial System Institutions" of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board was met. Additionally, it is noted that it has not been evidenced that the bank has made any partial restitution;"
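The monitoring duty the Board describes under numeral 4.3.5.13 (keep a per-client profile of IP addresses and habits, evaluate money-movement events online, hold what does not fit, and notify the client) can be illustrated with a small detector run over log lines shaped like the bank's table above. This is an added example and not code from Banco Pichincha, the Superintendency or the Board; the `Profile` class, its fields (`registered_ips`, `max_transfer`), the event name "Security Code Validation", the 30-minute session window and the 48-hour look-back are assumptions, and the log lines and the client profile are constructed to mirror the page, with the dollar sign and thousands separator stripped from the "$5,001.00" activation value so it parses as a number.

```python
"""Transaction-profile monitoring in the spirit of numeral 4.3.5.13.

Flags a third-party transfer when it comes from an IP address outside the
client's registered set, exceeds the client's habitual amount, follows a
biometric 'possible fraud' denial in the same session, lacks a security-code
validation step, or follows a beneficiary-account activation made from an
unregistered IP within the look-back window.  Log lines and profile values
are constructed for the example (they mirror the page's table).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    ip: str
    operation: str
    value: str  # numeric string for money events, a note or "" otherwise


@dataclass
class Profile:
    """Assumed per-client transactional profile (not the bank's real schema)."""
    registered_ips: set
    max_transfer: float


def parse_log(text):
    """Parse constructed 'timestamp | ip | operation | value' lines into Events."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, op, val = (part.strip() for part in line.split("|"))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, op, val))
    return sorted(events, key=lambda e: e.ts)  # stable: same-second order is kept


def evaluate_transfers(events, profile,
                       session=timedelta(minutes=30), lookback=timedelta(hours=48)):
    """Return one alert dict per third-party transfer that violates the profile."""
    alerts = []
    for i, ev in enumerate(events):
        if ev.operation != "Third-party Transfer":
            continue
        reasons = []
        if ev.ip not in profile.registered_ips:
            reasons.append("unregistered_ip")
        if float(ev.value) > profile.max_transfer:
            reasons.append("amount_above_habit")
        # Events from the same IP within the session window preceding the transfer
        same_session = [p for p in events[:i] if p.ip == ev.ip and ev.ts - p.ts <= session]
        if any("possible fraud" in p.value for p in same_session):
            reasons.append("biometric_fraud_denial_in_session")
        if not any(p.operation == "Security Code Validation" for p in same_session):
            reasons.append("missing_security_code_validation")
        # Beneficiary activations shortly before the transfer, from any unregistered IP
        recent = [p for p in events[:i] if ev.ts - p.ts <= lookback]
        if any(p.operation == "Activation of accounts for Transfers"
               and p.ip not in profile.registered_ips for p in recent):
            reasons.append("beneficiary_activated_from_unregistered_ip")
        if reasons:
            alerts.append({
                "ts": ev.ts.isoformat(sep=" "), "ip": ev.ip,
                "amount": float(ev.value), "reasons": reasons,
                "action": "hold_and_notify_client",  # 4.3.5.13: reject/hold and notify
            })
    return alerts


# Constructed log: a habitual transfer from the client's usual IP, then the
# sequence shown in the page's table from the unusual IP 186.5.75.211.
LOG = """
2014-02-01 09:10:00 | 190.0.2.10 | Authentest - Signature Validation in the Biometric Entry System | ok
2014-02-01 09:10:20 | 190.0.2.10 | Security Code Validation | ok
2014-02-01 09:11:00 | 190.0.2.10 | Third-party Transfer | 40.00
2014-02-08 12:00:39 | 186.5.75.211 | Authentest - Signature Validation in the Biometric Entry System | Denied because the user's biometric registry indicated a possible fraud
2014-02-08 12:01:26 | 186.5.75.211 | Activation of accounts for Transfers | 5001.00
2014-02-08 12:01:26 | 186.5.75.211 | ekey Validation | null
2014-02-09 11:43:34 | 186.5.75.211 | Authentest - Signature Validation in the Biometric Entry System | Denied because the user's biometric registry indicated a possible fraud
2014-02-09 11:45:17 | 186.5.75.211 | ekey Validation | null
2014-02-09 11:45:18 | 186.5.75.211 | Transfers - Email Notification |
2014-02-09 11:45:18 | 186.5.75.211 | Third-party Transfer | 390.00
"""

# Constructed profile: 190.0.2.10 is assumed to be the client's only registered IP.
PROFILE = Profile(registered_ips={"190.0.2.10"}, max_transfer=100.00)


def run_example():
    """Evaluate the constructed log against the constructed profile."""
    return evaluate_transfers(parse_log(LOG), PROFILE)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The habitual USD 40.00 transfer passes every check and produces no alert, while the USD 390.00 transfer is held with five reasons; in a real deployment the hold would be paired with the client notification the regulation requires, and the profile would be learned from the client's history rather than hard-coded.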
THAT through communication received by the Superintendency of Banks on May 28, 2015, Mr. Antonio Acosta Espinosa, Vice President of Banco Pichincha C.A., with the professional sponsorship of Dr. Pablo Cadena Merlo and lawyer María José Araujo Álvarez, filed a reconsideration appeal against the administrative act in Resolution No. JB-2015-3339 of April 8, 2015;
THAT the Banking Board, in a session held on June 24, 2015, in accordance with the second paragraph of article 3, chapter II, title XVI, book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, heard the appeal referred to in the preceding paragraph and determined that it does not comply with what is provided in the first paragraph ibidem, that is, that there are no new elements of fact or law that motivate the preparation of corresponding reports, so it decided to deny it outright; and,
IN exercise of its legal attributions,
RESOLVES:
SINGLE ARTICLE.- DENY the reconsideration appeal filed by Mr. Antonio Acosta Espinosa, Vice President of Banco Pichincha C.A., against the administrative act contained in Resolution No. JB-2015-3339 of April 8, 2015; and, consequently, CONFIRM said resolution.
NOTIFY.- Given in the Superintendency of Banks, in Quito, Metropolitan District, on June twenty-four, two thousand fifteen.
[Signature] Econ. Rodrigo Landeta Parra GENERAL SUPERINTENDENT, S PRESIDENT OF THE BANKING BOARD, E
I CERTIFY.- Quito, Metropolitan District, on June twenty-four, two thousand fifteen.
[Signature] Lcdo. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD