LogoRegulatory Alerts
2015-05-27 | JB-2015-3438

Resolution JB-2015-3438 of the Banking Junta of Ecuador

The Banking Junta of Ecuador issued Resolution JB-2015-3438 to reject the appeal filed by Banco Guayaquil S.A. regarding an unauthorized $300 transfer from a customer's account. The resolution confirms the previous administrative order requiring the bank to refund the disputed amount, ruling that the institution failed to implement adequate fraud prevention measures and did not notify the client of the transaction. The Junta determined that the bank bears responsibility for the loss because it did not maintain an efficient system to prevent fraud or alert the user to the suspicious activity.

Superintendencia de Bancos Ecuador logo

Ecuador

Superintendencia de Bancos Ecuador

Click to view thumbnail

Banking Junta of Ecuador

RESOLUTION No. JB-2015-3438

THE BANKING JUNTA

CONSIDERING:

THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Code of Monetary and Financial Affairs, published in the Official Register Second Supplement No. 332, of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendence of Banks and Insurance and of the Banking Junta, and the norms issued by the control bodies, will remain in force in all that does not oppose what is provided in the Organic Code of Monetary and Financial Affairs, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Junta will continue to act until it resolves all claims, appeals, and other administrative procedures that it was hearing on the date of entry into force of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

THAT by Resolution No. 054-2015-F, of March 5, 2015, published in the Official Register No. 467, of March 27, 2015, the aforementioned period has been extended by one hundred and eighty additional days;

THAT by means of a complaint form submitted to the Superintendence of Banks and Insurance on December 3, 2013, Ms. Josellyn Isabel Mendieta Torres, filed a complaint against Banco Guayaquil S.A., in which she stated:

"(...)

One day (sic) while reviewing the bank transactions of my savings account at Banco de Guayaquil, I noticed (sic) that a transfer of $300 had been made to Mr. Cristhian (sic) Javier Sotomayor Orellana, when I do not know him. It should be noted that this account had no activity since I was charged 1 insurance fee which I never requested, and at no time (sic) did I receive an email stating that the transfer to this Mr. (sic) had been made, nor a text message to my cell phone.

I ask that the total amount of the transferred money be returned to me since at no time (sic) did I know (sic) the person of the unauthorized transfer that was made (sic) from my savings account.

(...); (sic)"

THAT by letter No. DAYEU-ISFP-REQ-2013-1758 of December 19, 2013, the Regional Intendant of Guayaquil requested Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., to submit defenses and explanations regarding the complaint filed by Ms. Josellyn Isabel Mendieta Torres;

Resolution No. JB-2015-3438

Page 2

THAT through letter No. UAC-SBS-2014-009 of January 3, 2014, received by this Superintendence of Banks and Insurance on January 23, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., in response to the request from the control body, submitted copies of the documents held in the file of the complaint by Ms. Josellyn Isabel Mendieta Torres;

THAT by letter No. IRG-DAYEU-V-R-2014-349 of April 30, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, resolved to order Banco de Guayaquil S.A. to proceed to restore to Ms. Josellyn Isabel Mendieta Torres the sum of USD $300.00 in savings account No. 21660421, an amount corresponding to the unauthorized internet transfer, and to send evidence of compliance with the present resolution to the control body within eight days;

THAT through communication, received by this Superintendence on May 16, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the sponsorship of lawyer Camila Peña Arellano, filed an appeal for reconsideration against the administrative act contained in letter No. IRG-DAYEU-V-R-2014-349 of April 30, 2014, which was rejected with letter No. IRG-DAYEU-V-R-2014-615, of June 13, 2014;

THAT through communication received by this Superintendence on July 4, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., filed before the Banking Junta an appeal for review against the administrative act contained in letter No. IRG-DAYEU-V-R-2014-615, of June 13, 2014, which was accepted for processing by Licentiate Pablo Cobo Luna, Secretary of the Banking Junta, through letter No. JB-2014-1787, of July 10, 2014;

THAT among the factual and legal grounds presented by Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., the following stand out:

  • That the coordinate card system, Bancontrol, increases the security of static passwords and represents an additional barrier against electronic fraud, a mechanism that provides random keys to give peace of mind to its clients, and in all matters involving fund movements, the use of this coordinate card is necessarily required, which is delivered to the client in a sealed envelope, meaning it is known only to the client, whose custody is their absolute responsibility.

  • That to use virtual banking from an unusual IP address, it must necessarily be authorized by the client through a security process; once the IP address is authorized, the client chooses whether to register it or not for future transactions.

  • That the security system of the controlled entity does contemplate the registration of accounts to which transfers are desired to be made. For the registration of such accounts, the system sends a security code to the email address registered by the client at the bank; this code must be

Resolution No. JB-2015-3438

Page 3

digitized on the Virtual Banking page prior to entering the coordinates that are for the personal use of the client, therefore there is no responsibility on the part of the bank in the execution of this type of transaction.

  • That logs and withdrawals of said transaction were attached as new evidence in the appeal for reconsideration, showing measures of security that allowed the client to be alerted about the transaction subject of their complaint, where it was evidenced that the client did receive the messages and that the accounts were registered as beneficiaries, as well as attaching the Electronic Services - Assignment of Bancontrol Card document.

  • That the user was informed about the possibility of personalizing the electronic channel transaction service, which she indeed knows from the moment the coordinate card is delivered to her, on which her declarations of being duly and timely informed are recorded, as stipulated in the electronic services document – assignment of Bancontrol card.

  • That the claimant was provided with true, reliable, and timely information about the card, with which the system validated the keys and coordinates correctly entered, through the instruments indicated by the controlled entity itself, such as: the electronic services document - assignment of Bancontrol card, the current account contract signed by the claimant.

  • That throughout this complaint, Banco de Guayaquil has demonstrated that there was no error or incorrect procedure, and the authority has not demonstrated the contrary, but has considered imprecisely security measures that in its opinion would have been necessary, but which are not provided for in the applicable regulations;

THAT Banco de Guayaquil sent an internal report in which it is evidenced that according to the ITREPORTS application, the client's transactions on the date subject of the complaint were processed through IP address 186.46.160.189, located in Quito, an IP address not usual for the claimant to make transfers nor registered by her.

THAT the financial institution, in the defenses regarding the case in question, recognized in its memorandum UAC-SBS-2014-009 of January 3, 2014, that the client was a victim of computer fraud known as "Phishing";

THAT the financial institution states that the only way to register or record both IP addresses and accounts is through Virtual Banking, which is only achieved with the validation of the key granted to its clients; therefore, if clients compromise this information, this frees the bank from responsibility for the mishandling of this key. However, in the case in question, it is not evidenced that Ms. Josellyn Isabel Mendieta Torres compromised at any time her access key to virtual banking nor neglected the custody of the Bancontrol coordinate card delivered by the financial institution;

THAT paragraph a) of article 51 of the General Law of Institutions of the Financial System, in force on the date of the complaint, stated that banks are authorized to receive public resources in demand deposits, which are banking obligations, comprising monetary deposits payable upon presentation of checks or other payment mechanisms and registration;

THAT from the aforementioned article 51, it is determined that Banco de Guayaquil S.A. assumes the obligation to keep or safeguard deposited values with diligence and professional care, and is also responsible for other services offered to its clients such as transfers through different electronic channels; it is obligated to evaluate and require the necessary securities as a depositary of the money entrusted to it by its clients;

THAT article 3, chapter I, title X "On Risk Management and Administration", of the Codification of Resolutions of the Superintendence of Banks and Insurance and of the Banking Junta, states that integral risk management is one of the responsibilities attributed to financial institutions. Therefore, it is inferred that financial institutions have the responsibility to manage their risks with formal management processes that allow them to identify, measure, control, mitigate, and monitor in a timely manner the possible risks they are assuming;

THAT the bank's system did not issue any alert for the transaction made on November 4, 2013, allowing it to conclude successfully without the account holder noticing it, preventing her from notifying the bank immediately and thus avoiding the fraud through an urgent blocking of funds. Therefore, Banco de Guayaquil S.A. did not comply with several of the obligations provided for in article 4, chapter V "On Operational Risk Management", title X "On Risk Management and Administration", book I "General Norms for Institutions of the Financial System", of the Codification of Resolutions of the Superintendence of Banks and Insurance and of the Banking Junta;

THAT in the present case, there is responsibility of Banco de Guayaquil S.A. in the disputed transaction, since on the date of the complaint the bank did not maintain for its transactional channels an efficient fraud prevention system, since the client was never notified of the execution of the transaction subject of the complaint;

THAT the second paragraph of article 5 of chapter IV, title XX, book I, "General Norms for the Application of the General Law of Institutions of the Financial System", of the Codification of Resolutions of the Superintendence of Banks and Insurance and of the Banking Junta, empowers this control body to order the return of the values claimed by the controlled institutions, in the exercise of the functions and attributes established by both constitutional and legal norms;

Resolution No. JB-2015-3438

Page 5

THAT the Superintendence of Banks is in charge of supervising and controlling the operations of institutions that form part of the financial system, as well as protecting the interests of users of this sector, as provided in article 1 of the General Law of Institutions of the Financial System;

THAT the bank maintained that the claimed transfer was made due to compromising personal information such as the key and the lack of care with the Bancontrol coordinate card, which was the responsibility of the claimant, of which there is no record in the file;

THAT for the reasons stated, it is determined that Banco de Guayaquil S.A. intends to shift the risks in the execution of the electronic channel transfer service to the user, evidencing that the non-compliance incurred by the controlled entity in the present case consists of the lack of security measures in the electronic channels;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0220 of March 16, 2015, recommended to the Banking Junta to reject the claim contained in the appeal for review filed;

AND IN exercise of its legal powers,

RESOLVES:

SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM letter No. IRG-DAYEU-V-R-2014-615, of June 13, 2014, through which the lawyer Humberto Moya González, Regional Intendant of Guayaquil, rejected the appeal for reconsideration, and ratified the content of letter No. IRG-DAYEU-V-R-2014-349 of April 30, 2014.

NOTIFY.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on the twenty-seventh of May of two thousand fifteen.

Econ. Rodrigo Vandeta Parra
GENERAL INTENDANT, S
PRESIDENT OF THE BANKING JUNTA, E

I CERTIFY.- Quito, Metropolitan District, on the twenty-seventh of May of two thousand fifteen.

Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING JUNTA

Share