2015-05-20 | JB-2015-3429

Banking Board Resolution JB-2015-3429

The Banking Board of Ecuador rejected an appeal for review by Banco de Guayaquil S.A., confirming a prior order for the bank to reimburse Mr. Héctor Mario Cajas Fajardo USD $300.00 due to an unauthorized electronic transfer. The Board found the bank responsible for the disputed transaction, citing a lack of optimal security measures and failure to notify the client, which allowed the fraudulent withdrawal of funds. This ruling emphasizes the bank's non-compliance with obligations under the General Norms for Financial System Institutions regarding operational risk management and fraud prevention in electronic channels.


Banking Board of Ecuador

RESOLUTION No. JB-2015-3429

THE BANKING BOARD

WHEREAS:

WHEREAS this appeal is resolved in accordance with Transitory Provision One of the Organic Monetary and Financial Code, published in Official Register Second Supplement No. 332 of September 12, 2014, whose text states that the resolutions contained in the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, and the norms issued by the control bodies, shall remain in force in everything that does not oppose the provisions of the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, as the case may be; and, with the second paragraph of Transitory Provision Three, which states that the Banking Board shall continue to act until all claims, appeals, and other administrative procedures pending before it on the effective date thereof are resolved, within a period of one hundred eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

WHEREAS by communication of December 10, 2013, submitted to the Superintendency of Banks and Insurance on the same date, Mr. Héctor Mario Cajas Fajardo filed a claim against Banco de Guayaquil S.A., arising from events of November 22, 2013, due to alleged electronic fraud, which was carried out through an electronic transfer from his savings account No. 14330513 to the account belonging to Ms. GILDA MARINA BEJARANO CONTRERAS, for the value of $300.00;

WHEREAS by official letter No. DAYEU-ISFP-REQ-2013-1807 of December 24, 2013, the Director of User Attention and Education of the Regional Superintendency of Guayaquil requested Mr. Víctor Hugo Alcívar, Executive Vice President General Manager of Banco de Guayaquil S.A., to submit the defenses and explanations regarding the claim filed by Mr. Héctor Mario Cajas Fajardo;

WHEREAS through official letter No. UAC-SBS-2013-081 of January 22, 2014, entered into this Superintendency on February 3, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President General Manager of Banco de Guayaquil S.A., in response to the control body's request, submitted copies of the documents in the file of Mr. Héctor Mario Cajas Fajardo's claim;

WHEREAS by official letter No. IRG-DAYEU-V-R-2014-450 of May 15, 2014, attorney Humberto Moya González, Regional Superintendent of Guayaquil, resolved to order Banco de Guayaquil S.A. to restore to Mr. Héctor Mario Cajas Fajardo the sum of USD $300.00 in savings account No. 14330513, a value corresponding to the transfer unauthorized by the user via internet, and to submit to the control body within eight days evidence of compliance with this resolution;


WHEREAS through communication, entered into this Superintendency on May 28, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President General Manager of Banco de Guayaquil S.A., with the sponsorship of Dr. Rosa Tobar Reina, filed an appeal for reconsideration against the administrative act contained in official letter No. IRG-DAYEU-V-R-2014-450 of May 15, 2014;

WHEREAS by official letter No. IRG-DAYEU-V-R-2014-747 of July 9, 2014, attorney Humberto Moya González, Regional Superintendent of Guayaquil, rejected the appeal for reconsideration and ratified the content of official letter No. IRG-DAYEU-V-R-2014-450 of May 15, 2014;

WHEREAS by communication entered into the Superintendency of Banks on July 21, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President General Manager of Banco de Guayaquil S.A., with the professional sponsorship of Dr. Rosa Tobar Reina, filed an appeal for review before the Banking Board against the administrative act contained in official letter No. IRG-DAYEU-V-R-2014-747 of July 9, 2014, through which attorney Humberto Moya González, Regional Superintendent of Guayaquil, rejected the appeal for reconsideration and ratified the content of official letter No. IRG-DAYEU-V-R-2014-450 of May 15, 2014;

WHEREAS the appeal for review was accepted for processing by Mr. Pablo Cobo Luna, Secretary of the Banking Board, by official letter No. JB-2014-1980 of July 28, 2014;

WHEREAS among the factual and legal grounds presented by the Executive Vice President General Manager of Banco de Guayaquil S.A., are the following:

  • That the present is a case of computer fraud, under the phishing modality, since the transfer of funds is made through virtual banking and with the use of the client's personal keys, which the client claims not to have provided. Therefore, this case falls within the norms contained in Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011.

  • That the coordinate card system, Bancontrol, increases the security of static passwords and represents an additional barrier against electronic fraud: it is a mechanism that provides random keys to give peace of mind to its clients, and for everything that involves fund movements, the use of this coordinate card is necessarily required. The card is delivered in a sealed envelope to the client, so that it is for the client's sole knowledge, and its custody is the client's absolute responsibility.

  • That to use virtual banking from an unusual IP address, it necessarily has to be authorized by the client through a security process, and once the IP address is authorized, the client chooses whether or not to register it for future transactions.


  • That evidence of the security measures that allowed the client to be alerted about the transaction subject to his claim, the logs and withdrawals of said transaction, where it was evidenced that the client did receive the messages and that the accounts were registered as beneficiaries, as well as the Electronic Services-Bancontrol Card Assignment document, were indeed attached as a new element in the appeal for reconsideration.

  • That the only cause for the authority to order the reimbursement of the claimed amounts is when the controlled institution commits an incorrect procedure that causes harm to the claimant.

WHEREAS Banco de Guayaquil S.A. emphatically determines that the present case is a computer fraud under the phishing modality and that, therefore, this case falls within the norms contained in Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011;

WHEREAS literal a) of article 51 of the General Law of Financial System Institutions states that banks are authorized to receive public funds in demand deposits, which are banking obligations, comprising monetary deposits payable upon presentation of checks or other payment and registration mechanisms;

WHEREAS from the aforementioned regulations, it is determined that Banco de Guayaquil S.A. assumes the obligation to guard or custody deposited values with diligence and professional care, and is also responsible for other services offered to its clients, such as transfers through various electronic channels, and is therefore obliged to evaluate and demand the necessary securities as a depositary of the monies its clients have entrusted to it;

WHEREAS additionally, it should be noted that said interinstitutional resolutions were applicable to certain specific cases detailed therein, among which the claim of Mr. Héctor Mario Cajas Fajardo against Banco de Guayaquil S.A. is not included;

WHEREAS with reference to the argument that coordinate cards, Bancontrol, increase the security of static passwords and represent an additional barrier against electronic fraud, the controlled institution highlights the observance and compliance with the corresponding reforms to security measures in electronic channels, ATMs, points of sale, and electronic banking;

WHEREAS in this regard, article 4, chapter V "On Operational Risk Management", title X "On Risk Management and Administration", book I "General Norms for Financial System Institutions", of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, states:

"(...)"


Article 4.- In order to minimize the probability of incurring financial losses attributable to operational risk, the following interrelated aspects must be adequately managed:

4.3.3.6 Technical and functional tests that reflect the acceptance of authorized users; (included with resolution No. JB-2014-3066 of September 2, 2014)

4.3.3.8 Permanently updated technical and user documentation of the institution's applications; and, (included with resolution No. JB-2014-3066 of September 2, 2014)

4.3.5 Security measures in electronic channels.- In order to ensure that transactions carried out through electronic channels have the controls, measures, and security elements to prevent fraudulent events and guarantee the security and quality of user information as well as clients' assets under the responsibility of controlled institutions, these must comply, at a minimum, with the following:

4.3.5.9 Offer clients the necessary mechanisms to personalize the conditions under which they wish to carry out their transactions through different electronic channels and cards, within the maximum conditions or limits that each entity must establish. Among the main personalization conditions for each type of electronic channel, the following must be included: registration of accounts to which monetary transfers are desired, basic service supply numbers, fixed and mobile telephony numbers, maximum daily, weekly, and monthly transaction amounts, among others. (substituted with resolution No. JB-2014-3066 of September 2, 2014).

4.3.5.13 Institutions must establish control procedures and mechanisms that allow recording each client's profile regarding their transactional behaviors involving money movement in the use of electronic channels and cards, and define procedures to monitor online and timely allow or reject the execution of transactions involving money movement that do not correspond to their habits, which must be immediately notified to the client via mobile messaging, email, or other mechanism; (included with resolution No. JB-2012-2148 of April 26, 2012 and reformed with resolution No. JB-2014-3066 of September 2, 2014).

4.3.5.14. Incorporate into information security management procedures the blocking of electronic channels or cards when unusual events indicating fraudulent situations occur or after a maximum of three (3) failed access attempts. Furthermore, procedures must be in place to allow online notification to the client via mobile messaging, email, or other mechanism, as well as their secure reactivation; (included with resolution No. JB-2012-2148 of April 26, 2012).

(...)"
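The quoted paragraphs 4.3.5.9, 4.3.5.13 and 4.3.5.14 describe a concrete control: a per-client profile of registered addresses, beneficiaries and limits; an online check of each money-moving transaction against that profile, with a hold or rejection of transactions outside the client's habits; an immediate notification to the client in every case; and blocking of the channel after three failed access attempts. The following is an added example written for this page, not code from the resolution or from any bank's system, that models those three controls together. All client data in it is constructed: the account number and the Lima IP address are the ones cited later in this resolution, and the home address 192.0.2.10 is a documentation address standing in for whatever the client actually registered.

```python
# Added example (not code from the resolution or from any bank): a minimal
# model of the controls quoted in 4.3.5.9, 4.3.5.13 and 4.3.5.14.
# All client data is constructed; the account number and the Lima IP are the
# ones cited in the resolution, 192.0.2.10 is a documentation address used as
# a stand-in for the client's registered home address.
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3  # 4.3.5.14: block after three failed access attempts


@dataclass
class ClientProfile:
    """Personalization data (4.3.5.9) and transactional habits (4.3.5.13)."""
    account: str
    registered_ips: set            # addresses the client has authorized
    registered_beneficiaries: set  # accounts the client registered for transfers
    daily_limit: float             # client-chosen maximum below the bank's ceiling
    spent_today: float = 0.0
    failed_attempts: int = 0
    blocked: bool = False
    notifications: list = field(default_factory=list)


@dataclass
class Transfer:
    beneficiary: str
    amount: float
    source_ip: str


def notify(profile, message):
    """Stand-in for SMS/e-mail delivery: the message is appended to a log."""
    profile.notifications.append(message)


def record_login_attempt(profile, success):
    """Count failed access attempts and block the channel at the threshold."""
    if profile.blocked:
        return "blocked"
    if success:
        profile.failed_attempts = 0
        return "ok"
    profile.failed_attempts += 1
    if profile.failed_attempts >= MAX_FAILED_ATTEMPTS:
        profile.blocked = True
        notify(profile, "electronic channel blocked after repeated failed access attempts")
        return "blocked"
    return "failed"


def evaluate_transfer(profile, t):
    """Online check of one transfer against the client's profile.

    Returns 'allow', 'hold' or 'reject'. Whatever the decision, the client is
    notified immediately; the absence of that notification is what the Board
    faulted the bank for in this case.
    """
    if profile.blocked:
        decision, reason = "reject", "channel is blocked"
    elif t.source_ip not in profile.registered_ips:
        decision, reason = "hold", f"source IP {t.source_ip} is not registered by the client"
    elif t.beneficiary not in profile.registered_beneficiaries:
        decision, reason = "hold", f"beneficiary {t.beneficiary} is not registered"
    elif profile.spent_today + t.amount > profile.daily_limit:
        decision, reason = "reject", "daily transfer limit exceeded"
    else:
        decision, reason = "allow", "matches the client's habitual behaviour"
        profile.spent_today += t.amount
    notify(profile, f"transfer of USD {t.amount:.2f} to {t.beneficiary}: {decision} ({reason})")
    return decision


def make_sample_profile():
    """Constructed profile for the account cited in the resolution."""
    return ClientProfile(
        account="14330513",
        registered_ips={"192.0.2.10"},
        registered_beneficiaries={"ACCT-REGISTERED-A"},
        daily_limit=500.0,
    )


def demo():
    """Replays the disputed transfer, a usual one and a lockout; returns the decisions."""
    p = make_sample_profile()
    disputed = Transfer(beneficiary="ACCT-UNKNOWN-B", amount=300.0, source_ip="186.162.77.227")
    usual = Transfer(beneficiary="ACCT-REGISTERED-A", amount=100.0, source_ip="192.0.2.10")
    results = [evaluate_transfer(p, disputed), evaluate_transfer(p, usual)]
    for ok in (False, False, False):
        results.append(record_login_attempt(p, ok))
    results.append(evaluate_transfer(p, usual))
    return results, p.notifications


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Run as a script, `demo()` holds the transfer from the unregistered address, allows the habitual one, blocks the channel on the third failed login and then rejects further transfers, writing a notification line for each event. The ordering of the checks is deliberate: an unregistered source address is tested before the beneficiary list, because in this case the bank argued that the beneficiary had been registered while the Board's finding turned on the unusual, unregistered IP.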

WHEREAS Banco de Guayaquil sent an internal report evidencing that, according to the ITREPORTS application, the client's movement on the date of the claim was processed through IP address 186.162.77.227, located in Lima-Peru, which establishes that this is neither an IP the claimant usually uses to make transfers nor one registered by him;

WHEREAS the financial institution states that the only way to enroll or register both IP addresses and accounts is through Virtual Banking, which is only achieved with the validation of the key granted to its clients; therefore, if clients compromise this information, this releases the bank from responsibility for the mishandling of this key. However, in the present case, there is no evidence that Mr. Héctor Mario Cajas Fajardo at any time compromised his virtual banking access key or neglected the custody of the Bancontrol coordinate card provided by the financial institution;

WHEREAS from article 3, chapter I "On Integral Risk Management and Risk Management", title X "On Risk Management and Administration", book I "General Norms for Financial System Institutions", of the Codification of Resolutions of the Superintendency of Banks and Insurance, it is inferred that financial institutions have the responsibility to manage their risks integrally with formal administration processes that allow them to identify, measure, control, mitigate, and monitor them, a situation that has not occurred in the present case on the part of Banco de Guayaquil S.A.;

WHEREAS the bank's system did not issue any alert for the transaction carried out on November 22, 2013, allowing it to be completed without the account holder noticing, preventing him from giving immediate notice to the bank and thus avoiding the fraud through an urgent blocking of funds. Therefore, Banco de Guayaquil S.A. failed to comply with several of the obligations provided in article 4, chapter V "On Operational Risk Management", title X "On Risk Management and Administration", book I "General Norms for Financial System Institutions", of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, cited above;

WHEREAS in the present case, Banco de Guayaquil S.A. is responsible for the disputed transaction, since on the date of the claim the bank did not maintain an efficient fraud prevention system for its transactional channels: the client was never notified of the execution of the transaction subject to the claim, and such notification would have prevented the withdrawal of the money had the financial institution not incurred in incorrect procedures, such as the malfunction of the channel access alert signals available in the virtual banking system and allowing the beneficiaries of the disputed transaction to withdraw the claimant's funds;

WHEREAS the second paragraph of article 5 of chapter IV, title XX, book I, "General Norms for the Application of the General Law of Financial System Institutions", of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, provides:

"ARTICLE 5.- If the result of the analysis carried out by the Superintendency determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the claim, the Superintendent of Banks and Insurance or the official with delegated authority shall issue the corresponding provision. If the situation that motivated the claim referred to in the preceding paragraph originated from an incorrect procedure by the controlled institution, which caused harm to the claimant, the Superintendency of Banks and Insurance may order the return of the claimed amounts, in exercise of the functions and attributions contemplated in letters b) and o) of article 180 of the General Law of Financial System Institutions, granting the legal representative of the entity a period not exceeding fifteen (15) days from the notification to submit, under legal warnings, proof of compliance with the order issued.";

WHEREAS the aforementioned regulations empower this control body, in the exercise of its constitutional and legal functions and attributions, to order the return of amounts claimed by users of the financial system, provided that the situation subject to the claim originated from an incorrect procedure by the controlled institution, as has occurred in the present case;

WHEREAS the main argument presented by the claimant is the existence of an unauthorized bank transfer through virtual banking, evidenced in the defenses presented by Banco de Guayaquil S.A., through which the entity maintained that the mentioned transfer was carried out by compromising personal information such as the personal key and the lack of care with the Bancontrol coordinate card, under the claimant's responsibility, of which there is no record in the file of the present case;

WHEREAS it is determined that the "non-compliance" incurred by Banco de Guayaquil S.A. in the present case consists in that, evidently, it does not have optimal security measures, which allowed the security policies and procedures that the financial institution's electronic transaction services must have to be violated; those policies and procedures must guarantee said operations, and thus provide clients with products and mechanisms that eliminate all types of technological risk;

WHEREAS the National Legal Superintendency, through memorandum INJ-DNJ-SAL-2015-0082 of February 2, 2015, recommended to the Banking Board to reject the claim contained in the appeal filed by the Executive Vice President and General Manager of Banco de Guayaquil S.A.; and,

In exercise of its legal attributions,

RESOLVES:

SOLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar, Executive Vice President General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM official letter No. IRG-DAYEU-V-R-2014-747 of July 9, 2014, through which attorney Humberto Moya González, Regional Superintendent of Guayaquil, rejected the appeal for reconsideration and ratified the content of official letter No. IRG-DAYEU-V-R-2014-450 of May 15, 2014, by which it was resolved to order Banco de Guayaquil S.A. to restore to Mr. Héctor Mario Cajas Fajardo the value of USD $300.00 corresponding to the electronic transfer unauthorized by the user via internet.

COMMUNICATE.- Given in the Superintendency of Banks and Insurance, in Quito, Metropolitan District, on May twentieth, two thousand fifteen.

(Signature) Econ. Rodrigo Landeta Parra GENERAL SUPERINTENDENT (S) PRESIDENT OF THE BANKING BOARD SESSION (E)

I CERTIFY IT.- Quito, Metropolitan District, on May twentieth, two thousand fifteen.

(Signature) Mr. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD