2015-04-30 | JB-2015-3390

The Banking Board of Ecuador issued Resolution JB-2015-3390 to reject the appeal filed by Banco de Guayaquil S.A. against an administrative order requiring the bank to reimburse a customer for unauthorized funds transferred via phishing fraud. The Board confirmed that the bank failed to maintain an efficient fraud prevention system, evidenced by the transaction originating from an unregistered IP address in Peru, thereby establishing the institution's liability for the loss. Consequently, the resolution mandates the bank to return the sum of USD 2,350.00 to the customer, Néstor Alejandro Orrala García.
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332, of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and the norms issued by the control bodies, will remain in effect in all that does not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures that it was hearing as of the date of entry into force of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board, which grants the control body competence to hear and resolve this review appeal;
THAT through a communication entered into the control body on January 10, 2014, Mr. Néstor Alejandro Orrala García filed a claim against Banco de Guayaquil S.A., stating the following:
"(...)
On Wednesday, January 8, 2014, upon approaching the bank to make a cash withdrawal from the teller window of my aforementioned savings account, it was verified that a DIRECT PAYMENT TO BANCO PICHINCHA had been made for the value of 2,350.00 dollars. Upon inquiring about this, I was told that I had to go to the customer service area, which I did on January 8 at approximately 12:15, at the 9 de Octubre and Rumichaca street branch. The person to whom I reported what happened, after checking on the computer, indicated that the money would be returned to me in 7 days after asking for my cell phone number to contact me.
Not satisfied with this, upon arriving home at night, I logged into the BANCONTROL of one of my computers exclusively for my property, from which I only perform this operation.
Surprise: I found 7 accounts registered with Banco del Pichincha (sic) and 1 account with Banco del Austro (sic) without prior authorization or confirmation of said registrations. It should be noted that on Tuesday, January 7, I received a message on my cell phone regarding the registration of an account. For this, I called 3730100 at the bank, which indicated that it was the registration of an account that I had performed, for which I immediately deleted it (sic).
I am bringing all of this to your attention for the respective investigation... (sic) I attach a copy of the accounts that are registered, which I am unaware of. And a copy of the movement of the Account.";
THAT through Official Letter No. DAyEU-ISFP-REQ-2014-154, of January 17, 2014, the Directorate of Attention and Education to the User of the Regional Intendancy of Guayaquil, accepted the claim for processing and requested explanations and defenses from Banco de Guayaquil S.A. With Official Letter No. UAC-SBS-2014-128, of January 28, 2014, entered into the control body on February 5, 2014, the financial institution attended to what was requested and indicated the following:
"(...)
Within the review performed and according to what was manifested by Mr. Orrala García, it was determined that the client was a victim of computer fraud known as "Phishing," which is the act of fraudulently acquiring, through deception, personal information such as passwords or other sensitive client information. It consists of the ability to maliciously duplicate bank web pages and indiscriminately send emails so that access is granted to this page and the user provides the confidential and non-transferable access data to their bank.
(...)
During the access process to the Virtual Banking of Banco de Guayaquil S.A., upon entering the user ID that identifies the client, the security image and the name assigned to it are displayed, factors that identify the authenticity of the bank's web page, prior to entering the password defined by the client.
(...)
The fund transfers were carried out through Virtual Banking, using Coordinate Card No. 171871, which was delivered to the client on July 19, 2012.
(...); (sic)
THAT with Official Letter No. IRG-DAyEU-V-R-2014-334, of April 22, 2014, the Regional Intendancy of Guayaquil, after the analysis performed, resolved the following:
"(...)
claimant failed to comply with the recommendations issued by the entity for the internet transfer process.
(...);
THAT through a document entered into the Superintendence of Banks and Insurance on May 5, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the sponsorship of lawyer Rosa Tobar Reina, filed an appeal for reconsideration against the administrative act contained in Official Letter No. IRG-DAyEU-V-R-2014-334, of April 22, 2014;
THAT through Official Letter No. IRG-DAyEU-V-R-2014-551, of June 10, 2014, the Regional Intendancy of Guayaquil, resolved the following:
"(...)
(...);
THAT through a document entered into the control body on June 25, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the professional sponsorship of Dr. Rosa Tobar Reina, filed before the Banking Board a review appeal against the administrative act contained in Official Letter No. IRG-DAyEU-V-R-2014-551, of June 10, 2014;
THAT the appellant bases the appeal filed on the following arguments:
That "According to the known factual elements, this is a case of computer fraud, under the phishing modality, since the fund transfer is made through virtual banking and with the use of the client's personal keys, who alleges not having delivered them;
The Interinstitutional Resolution No. 001-FGE-SBS-2011, of March 21, 2011, issued by the Superintendents of Banks and Insurance and the Attorney General of the State, ordered that values be recognized to clients who had suffered patrimonial losses due to computer fraud only in the period between January 1, 2010, and March 21, 2011;
(...).
Given these antecedents, the fund transfer challenged by the client occurred on January 8, 2014, that is, two years and more than seven months after the period indicated by Resolutions 001 and 002 had expired, for which reason the obligation to reintegrate the transferred values cannot be attributed to my represented party;
(...);
That "(...) it is striking the authority's assertion that in the claimed transactions there is supposedly weakness in operational controls and absence of good banking practices, thereby disregarding all the security measures maintained by the Bank for these transactions. In fact, these controls and security measures have been verified in the visits and audits performed by the Superintendence of Banks itself, (...) so it is contradictory that now their Authority disregards them, when they constitute the highest level of security;
(...);
That the coordinate card system, Bancontrol, increases the security of static passwords and represents an additional barrier against electronic fraud, a mechanism that provides random keys to give peace of mind to its clients and in all that implies fund movements, the use of this coordinate card is necessarily required, which is delivered to the client in a sealed envelope, that is, of unique knowledge of the client, whose custody is of their absolute responsibility;
That throughout this claim, Banco de Guayaquil S.A. has demonstrated that there was no procedural error or incorrectness, and the authority has not demonstrated the contrary, but has considered imprecisely security measures that in its opinion would have been necessary, but which are not provided for in the applicable regulation;
That the Regional Intendancy of Guayaquil through Resolution No. IDG-DAyEU-V-R-2012-113, of December 28, 2012, issued its criterion and did not accept the claim presented by Mr. Hugo Javier Pumagualli Pérez against the Bank, establishing that the claimed transactions could only be carried out with the client's coordinate card and key, when these were active and under their custody, and that the blocking order was only made by the client after the claimed events, as occurs in the present claim;
THAT with Official Letter No. JB-2014-1685, of July 1, 2014, the licentiate Pablo Cabo Luna, Secretary of the Banking Board, accepted the review appeal filed for processing; and, through Official Letter No. JB-2014-1686, of July 1 of the same month and year, notified Mr. Néstor Alejandro Orrala García of the appeal filed by the financial institution;
THAT regarding the appellant's argument that the present is a case of computer fraud under the "phishing" modality and that for such cases the temporal limit for financial institutions to recognize the return of values to their clients was until March 21, 2011, according to what is stated in Interinstitutional Resolutions Nos. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011, of March 21 and April 25, 2011, respectively, it is necessary to point out that said resolutions issued by the Superintendents of Banks and Insurance and the Attorney General of the State, were applicable to certain specific cases that were detailed in them, within which the claim of Mr. Néstor Alejandro Orrala García does not appear, for which reason the argument raised by the appellant has no legal or technical basis;
THAT regarding operational risk factors and the security measures maintained by the Bank for transactions through electronic channels, it must be indicated that among the controls and safeguards Banco de Guayaquil S.A. must take into account when offering services through electronic channels is the issuance of timely alerts that prevent the possible commission of computer crimes; therefore, financial institutions, when offering their financial products to their clients, are obliged to provide policies for disseminating the conditions surrounding those products, including the implemented safeguards and the possible risks of accessing said services;
THAT regarding this, the Internal Report No. FR-I-2014-0012 of January 14, 2014 sent by Banco de Guayaquil S.A., signed by the Senior Officer of Losses and Frauds, in which it was concluded that: "Based on the antecedents and the review of the claim presented by the client, it is concluded that it is IMPROPER because the client was probably a victim of computer fraud, which consists in the fraudulent obtaining of personal information, through fake web pages, emails that seem to come from the bank, through which the client provided their information and coordinate keys.";
THAT from the conclusion reached by the aforementioned Internal Report, and from the arguments raised by the financial institution, only the financial user is held responsible for the handling and use of the information and the Bancontrol coordinate card in the execution of the transaction carried out through electronic banking, without considering that the bank has the obligation not only to safeguard the deposited money, but also to deliver quality services;
THAT the financial institution is responsible for managing the risks inherent to the electronic banking channel, so it must have the safeguards necessary to allow the elimination of unauthorized accesses to its clients' accounts; it should be indicated that from the file formed around this appeal, there is no documented evidence to support the responsibility of the financial user for the mishandling of the coordinate card, therefore, the financial institution cannot disclaim its responsibility for the operational service implemented;
THAT from the Internal Report No. FR-I-2014-0012, of January 14, 2014, issued by the Fraud Prevention Unit of Banco Guayaquil S.A., and from the analysis of the transaction log, it is observed that the transaction subject of the claim was carried out on January 8, 2014, from an IP located in Lima, Peru, as detailed below:
| Transaction Date | Type | IP Address | USD Value | Time | Account | Account Holder Name |
|---|---|---|---|---|---|---|
| 08/01/2014 | ND | 186.162.6.99 | $2,350.00 | 09:15:25 | 526580210 0 Banco Pichincha | CHUNGA TARAPUES NELSON MIGUEL |
| TOTAL | | | $2,350.00 | | | |
THAT from the review of the transaction history carried out by the user through Virtual Banking, it is observed that the transaction subject of the claim was carried out from an IP address not usual for the claimant, which had not been registered with the financial institution for such purposes;
THAT section 4.3.8.8 of numeral 4.3.8 of article 4 of chapter V, title X, book I of the Codification of Resolutions of the Superintendence of Banks and of the Banking Board, states the following:
"ARTICLE 4.- The controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making.
(...)
4.3.8. Security measures in electronic channels.- With the objective of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to prevent the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients in charge of the controlled institutions, they must comply at least with the following:
(...)
4.3.8.8 Offer clients the necessary mechanisms so that they personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.
Among the main personalization conditions for each type of electronic channel, they must be: registration of the accounts to which they wish to make transfers, registration of authorized computer IP addresses, the authorized mobile phone number(s), maximum amounts per daily, weekly, and monthly transaction, among others.
(...);
THAT in the present case, the safeguards pointed out by the financial institution did not constitute an efficient system for preventing the possible commission of a computer crime, one that, in view of the client's unusual behavior in carrying out an electronic transfer from an unregistered IP address, would have executed the corresponding blocking of the electronic channel and its deactivation, followed by timely review by the institution's authorized technical personnel;
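The personalization conditions quoted from section 4.3.8.8 (registered beneficiary accounts, registered IP addresses, per-period amount limits) and the Board's finding that a transfer from an unregistered IP address should have blocked the channel for review amount to a simple transaction-control rule. The following Python is an added illustration written for this page; it is not Banco de Guayaquil's system or any regulator's code. The client profile, the registered network (203.0.113.0/24), the registered payee and the limits are all constructed; only the IP address, beneficiary account, amount and time of the claimed transfer are taken from the table above. The rolling-window limit calculation is a simplification that a bank would replace with calendar periods.

```python
# Added example (not from the resolution): section 4.3.8.8 personalization
# controls applied to an outbound transfer. Profile data below is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class ClientProfile:
    registered_accounts: set      # beneficiary accounts the client registered
    registered_networks: set      # IP addresses / CIDRs the client authorized
    limits: dict                  # period name -> (window in days, max USD)


@dataclass
class Transfer:
    when: datetime
    source_ip: str
    beneficiary: str
    amount: float


def period_total(history, now, days):
    """Sum of prior transfers in a trailing window of `days` days.
    Simplified rolling window; a real implementation would use calendar periods."""
    cutoff = now - timedelta(days=days)
    return sum(t.amount for t in history if cutoff < t.when <= now)


def evaluate_transfer(profile, history, tx):
    """Return ("ALLOW", []) or ("BLOCK", reasons).
    A single violated condition blocks the transfer so the channel can be held
    for review by the institution instead of letting the funds leave."""
    reasons = []
    if tx.beneficiary not in profile.registered_accounts:
        reasons.append("beneficiary account not registered by client")
    src = ip_address(tx.source_ip)
    if not any(src in ip_network(n, strict=False) for n in profile.registered_networks):
        reasons.append("source IP not registered by client")
    for name, (days, max_usd) in profile.limits.items():
        if period_total(history, tx.when, days) + tx.amount > max_usd:
            reasons.append(f"{name} limit of USD {max_usd:.2f} exceeded")
    return ("BLOCK", reasons) if reasons else ("ALLOW", [])


# Constructed profile: a client who authorized one home network and one payee.
PROFILE = ClientProfile(
    registered_accounts={"000123456"},            # hypothetical registered payee
    registered_networks={"203.0.113.0/24"},       # hypothetical home ISP range
    limits={"daily": (1, 1000.0), "weekly": (7, 3000.0), "monthly": (30, 6000.0)},
)

# Constructed history: one ordinary transfer the week before.
HISTORY = [Transfer(datetime(2014, 1, 2, 10, 0), "203.0.113.7", "000123456", 200.0)]

# The claimed transfer: IP, beneficiary, amount and time taken from the table.
CLAIMED = Transfer(datetime(2014, 1, 8, 9, 15, 25), "186.162.6.99", "526580210", 2350.0)

# Hypothetical legitimate transfer from the registered network to the registered payee.
LEGIT = Transfer(datetime(2014, 1, 8, 12, 0), "203.0.113.7", "000123456", 150.0)


def check_claimed():
    """Claimed transfer against the profile as the client configured it."""
    return evaluate_transfer(PROFILE, HISTORY, CLAIMED)


def check_claimed_after_payee_registration():
    """Same transfer after the beneficiary was added to the registered accounts
    (as the claimant reported finding unknown accounts registered): the
    unregistered source IP alone still blocks it."""
    widened = ClientProfile(
        registered_accounts=PROFILE.registered_accounts | {"526580210"},
        registered_networks=PROFILE.registered_networks,
        limits=PROFILE.limits,
    )
    return evaluate_transfer(widened, HISTORY, CLAIMED)


def check_legit():
    return evaluate_transfer(PROFILE, HISTORY, LEGIT)


if __name__ == "__main__":
    print(check_claimed())
    print(check_claimed_after_payee_registration())
    print(check_legit())
```

Running the block shows the claimed transfer blocked on three counts (unregistered beneficiary, unregistered IP, daily limit), blocked again on the IP and limit conditions even once the beneficiary has been registered, and the constructed legitimate transfer allowed. The design point matches the Board's reasoning: the check is enforced by the institution before the funds move, and a block triggers review by the bank rather than relying on the client to notice afterwards.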
THAT regarding the appellant's argument that the Regional Intendancy of Guayaquil in a similar case did not accept the user's claim, it is necessary to point out that each of the claims attended by the Superintendence of Banks and Insurance has its own antecedents, circumstances, and particularities, so it cannot be generalized or treat all "phishing" cases under a single resolution pattern, since in the claim that originated this review appeal, there are several analyzed aspects that led to the issuance of the appealed administrative acts;
THAT articles 52 and 66 of the Constitution of the Republic establish that people have the right to dispose of and access public and private services of optimal quality, as well as to receive non-misleading information about their content and characteristics; in virtue of this, the financial entity, upon receiving money from its clients, assumes the obligation and responsibility to keep and safeguard the deposited values with diligence and professional care;
THAT the first paragraph of article 1 and letters b) and o) of article 180 of the General Law of Institutions of the Financial System determine that the Superintendence of Banks is in charge of supervising and controlling the financial system, in all of which, the protection of the public interest is taken into account, so it must watch over the stability, solidity, and correct functioning of the institutions subject to its control; watching that they comply with the legal norms that govern them; and requiring that said institutions present and adopt the corresponding corrective measures when necessary;
THAT article 5 of chapter IV "Procedures for the attention of claims against Institutions of the Financial System", title XX "Of the Superintendence of Banks and Insurance", book I "General Norms for the application of the General Law of Institutions of the Financial System" of the Codification of Resolutions of the Superintendence of Banks and of the Banking Board, establishes:
"ARTICLE 5.- If the result of the analysis performed by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the claim, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.
If the situation that motivated the claim referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused harm to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of Article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a term that cannot exceed fifteen (15) days from the notification to send, under the legal warnings, the proof of compliance with the order issued.
(...);
THAT from the review and analysis performed, it emerges that Banco de Guayaquil S.A. transferred the responsibility for the facts to Mr. Néstor Alejandro Orrala García, as the person who safeguards the card and keys, without considering that the bank has the obligation not only to safeguard the deposited money, but also to provide security in the channels of the services offered. In this sense, Banco de Guayaquil S.A. bears responsibility for the disputed transactions since, as of the date of the claim, the bank did not maintain for its transactional channels an efficient fraud prevention system, which allowed, according to the bank itself, third parties to maliciously perpetrate the computer crime known as "phishing", through which the claimant's funds were transferred to an unknown third person; this evidences that Banco de Guayaquil S.A. is subject to what is provided in article 5 of chapter IV, title XX, book I of the Codification of Resolutions mentioned above, given that the claimed economic harm originated in incorrect procedures on the part of the controlled institution, detailed in this memorandum;
THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0075 of January 28, 2015, recommended that the Banking Board reject the claim contained in the review appeal filed;
AND, in exercise of its legal attributes,
RESOLVES:
SINGLE ARTICLE.- REJECT the claim contained in the review appeal presented by the Executive Vice President - General Manager of Banco de Guayaquil S.A.; and, consequently CONFIRM the administrative act contained in Official Letter No. IRG-DAyEU-V-R-2014-551, of June 10, 2014, with which Official Letter No. IRG-DAyEU-V-R-2014-334, of April 22, 2014, was ratified, through which the Regional Intendant of Guayaquil ordered Banco de Guayaquil S.A. to effect the return of the values claimed by Mr. Néstor Alejandro Orrala García, whose amount amounts to USD 2,350.00.
NOTIFY.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on the thirtieth of April of two thousand fifteen.
Econ. Rodrigo Landeta Parra, GENERAL INTENDANT (S), PRESIDENT OF THE BANKING BOARD (E)
I CERTIFY.- Quito, Metropolitan District, on the thirtieth of April of two thousand fifteen.
Lic. Pablo Cabo Luna SECRETARY OF THE BANKING BOARD