2015-06-10 | JB-2015-3470

Banking Board Resolution JB-2015-3470

The Banking Board of Ecuador rejected an appeal filed by Banco de Guayaquil S.A. and confirmed the administrative order requiring the bank to reimburse client Fanny Yadira Lasso Merchán US$2,100.00 for an unauthorized transfer resulting from a phishing fraud. The Board determined that the bank failed to comply with regulatory requirements to register authorized IP addresses and lacked adequate security controls to detect the suspicious transaction originating from an unregistered IP in Peru. Consequently, the bank was held liable for the loss because its systems did not alert the client to the unauthorized access, violating its duty as custodian of deposited funds.


Banking Board of Ecuador

RESOLUTION No. JB-2015-3470

THE BANKING BOARD

CONSIDERING:

THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332, of September 12, 2014, whose text states that resolutions contained in the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and norms issued by control bodies, will remain in force in all that does not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all complaints, appeals, and other administrative procedures it was handling on the date of entry into force of the same, within a period of one hundred eighty (180) days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

THAT by Resolution No. 054-2015-F, published in the Supplement of the Official Register No. 467, of March 26, 2015, the Monetary and Financial Policy and Regulation Board extended by one hundred eighty (180) additional days the period for the Banking Board to continue acting and resolve all complaints, appeals, and other administrative procedures within its competence;

THAT from the aforementioned provisions, it is established that the Banking Board is competent to resolve this appeal for review;

THAT Mrs. Fanny Yadira Lasso Merchán, through communication entered into the Superintendence of Banks and Insurance on December 16, 2013, filed a complaint against Banco de Guayaquil S.A., in which she stated: "(...) On November 29, 2013, I accessed the virtual page of Banco de Guayaquil to make a transfer of $50.00; the same was rejected by the system, indicating 'insufficient funds', when I checked my balance I only had $5.41; upon checking the savings account movement, I noted [sic] that without my consent they had made a virtual transfer of $2,100.00 from my savings account No. 13033727 to a savings account of Banco Pichincha No. 2201109772 assigned to Rosero Reina Narcisa Elizabeth, so I immediately called Banco de Guayaquil to request an explanation of what happened without receiving a satisfactory response (...) that the transaction had been carried out through the bank's legal mechanisms, that is, the respective keys and passwords were used (...) at no time did I authorize the mentioned transaction and that they do not take responsibility for the illegal act committed against my patrimony (...) what is obvious at first glance is that the computer security measures available to Banco de Guayaquil lack guarantee and security for those of us who use their banking and financial services (...); I appeal to you so that it is ordered that Banco de Guayaquil initiate the legal and regulatory investigations that correspond to it in order to clarify the complaint filed and that said financial institution be obliged to restore the values improperly extracted from my savings account at Banco de Guayaquil, as indicated by the cited legal norm, since the illegal transfer would fit what is determined in article 41.2, having entered my banking records illicitly or fraudulently, and that the insurance that Banco de Guayaquil was required to contract be made effective and that I be reimbursed the value of $2,100. (...)" [sic];

THAT by letter No. DAYEU-ISFP-REQ-2014-014, of December 3, 2014 [sic], the Director of Attention and User Education of the Regional Intendancy of Guayaquil, transferred the complaint to Banco de Guayaquil S.A. and ordered it to submit the pertinent explanations and defenses, attaching the supporting documentation detailed in the annex related to the questioned electronic transfers;

THAT by letter No. UAC-SBS-2014-072, of January 20, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President General Manager, of Banco de Guayaquil S.A., in response to the request from the control body, informed: "(...) Within the review carried out and according to what was stated by Mrs. Lasso Merchán, it was determined that the client was a victim of computer fraud known as 'Phishing', which is the act of fraudulently acquiring through deception personal information such as passwords or other sensitive client information; it consists of the ability to maliciously duplicate bank web pages and indiscriminately send emails so that one accesses this page and the user provides the confidential and non-transferable access data to their bank. (...)";

THAT by letter No. IRG-DAyEU-V-R-2014-348, of April 30, 2014, the Regional Intendant of Guayaquil, after analyzing the case, and in exercise of the powers contained in Chapter II, Title III of the Organic Statute of Organizational Management by Processes of the Superintendence of Banks and Insurance, resolved: "(...) ACCEPT the complaint filed by engineer FANNY YADIRA LASSO MERCHÁN (...). ORDER BANCO DE GUAYAQUIL S.A. to proceed to restore to engineer FANNY YADIRA LASSO MERCHÁN the sum of TWO THOUSAND ONE HUNDRED 00/100 DOLLARS OF THE UNITED STATES OF AMERICA (US$2,100.00), in the savings account No. 13033727 that she maintains in the aforementioned bank, a value corresponding to the transfer not authorized by the user via internet (...)";

THAT with a document received at the Superintendence of Banks and Insurance on May 16, 2014, the Executive Vice President - General Manager of Banco de Guayaquil S.A. filed an appeal for reconsideration against letter No. IRG-DAyEU-V-R-2014-348, of April 30, 2014, described above;

THAT by letter No. IRG-DAyEU-V-R-2014-781, of July 16, 2014, the Regional Intendant of Guayaquil, confirmed the content of the appealed letter and denied the appeal for reconsideration; a fact communicated to the complainant with the same letter;

THAT by a document entered into the Superintendence of Banks and Insurance on July 30, 2014, Mr. Víctor Hugo Álava Alcívar, Executive Vice President General Manager of Banco de Guayaquil S.A., with the professional sponsorship of Dr. Rosa Tobar Reina, filed an appeal for review against letter No. IRG-DAyEU-V-R-2014-781, of July 16, 2014, on the following arguments: that, "Regarding Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011", the fund transfer challenged by the client occurred on November 27, 2013, that is, two years and more than seven months after the period indicated in Resolutions 001 and 002 expired, for which reason the obligation to refund the transferred values cannot be attributed to her represented party; that, regarding the "Responsibility of Financial Institutions in Computer Crimes", the assertion of the control authority in the sense that in the claimed transactions there is supposedly weakness in operational controls and absence of good banking practices is striking. He emphasizes, "that it is not the bank's responsibility to prove whether a client properly or improperly safeguards their personal keys, what the bank must verify is that transactions are made with those personal keys, since these constitute the undisputed identification of the client in electronic transactions. (...)"; that, "the bank is not responsible for proving when and how the phishing took place, as this proof would be simply impossible. (...) The bank is responsible for verifying that transactions are processed with the client's personal and secret keys, which the bank did fulfill in this case."; that, "Regarding the security mechanisms for transactions in the Virtual Banking of Banco de Guayaquil S.A., the transaction subject of this complaint was carried out on November 27, 2013 through the transactional channel Virtual Banking, and for this the keys and coordinates listed on Bancontrol Coordinate Card No.- 97268, of exclusive responsibility of Mrs. FANNY YADIRA LASSO MERCHÁN, were used; that "this Bancontrol Coordinate Card was delivered to the client on October 7, 2010 in a sealed envelope and in perfect condition (...); that the transaction in question was correctly processed, because in it the system validated the client's key and coordinates, which are only known and safeguarded by him, without requiring any additional verification."; that "Regarding the quality of electronic signature regarding instructions made under the key and security coordinates granted to the client for the use of the virtual banking channel, (...) the application of the Electronic Commerce Law, article 15, evidences that the Bank in this transaction complied with said provision, it could verify the identity of the person through the use of the key and entry to virtual banking, keys that are the responsibility and custody of the client"; that, "Regarding the criterion of the Guayaquil Intendancy on a case of phishing.- Precisely due to the client's failure to fulfill the obligation of safeguarding their keys and coordinates, the consequence of this personal responsibility of the client has been attempted to be shifted to the Bank. The Guayaquil Intendancy through Resolution No. IDG-DAyEU-V-R-2012-113, dated December 28, 2012, (...) issued its criterion on the present issue. (...) That is, the control authority itself, (...) issued its criterion and resolved that the practice by which the bank did not accept the complaint filed by the client was and is correct, since it was proven that the referred transaction can only be carried out with the client's coordinate card and personal and non-transferable key."; that, regarding "Letter No. IRG-DAyEU-V-R-2014-348 (...) our Security system does contemplate the registration of accounts to which transfers are desired to be made. For the registration of such accounts, the system sends a security code to the email address registered by the client in the bank, this code must be entered on the Virtual Banking page prior to entering the coordinates which are for personal use by the client, and which are requested randomly, evidently for entry to the client's email it is necessary for the user to have the personal key. (...); that, regarding Letter No. IRG-DAyEU-V-R-2014-781, (...) our fraud prevention systems [sic] (...) includes an authentication process in Virtual Banking (...) to reinforce the security of the information, the process includes the BANCONTROL card (...) of PERSONAL knowledge of the client, with which the security of the static password is increased and constitutes another barrier against electronic fraud (...); that, with respect to the "Power of the Superintendence to order the return of values due to incorrect procedures carried out by Financial Institutions (IFIS), we must mention that the only cause for which the authority can order the refund of the claimed values is when the controlled institution commits an incorrect procedure that causes harm to the claimant, as established in Art. 5 of Section I, of Title XX, of Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board. However, in the present case my represented party did not commit any incorrect procedure, since the transfer of funds was made with the client's secret keys (...)";

THAT by letter No. JB-2014-2130 of August 11, 2014, the Secretary of the Banking Board communicated to Mr. Víctor Hugo Alcívar Álava, Executive Vice President - General Manager of Banco de Guayaquil S.A., that the filed appeal for review had been accepted for processing; and, with letter No. JB-2014-2131 of the same date, communicated the same to Mrs. Fanny Yadira Lasso Merchán;

THAT articles 1 and 180, letters b) and o) of the General Law of Institutions of the Financial System, determine that the Superintendence of Banks and Insurance, as the competent authority, has the function and attribution to ensure the stability, solidity, and correct functioning of institutions subject to its control; to supervise that they comply with the norms governing their functioning; and, to require that said institutions present and adopt the corresponding corrective measures when necessary;

THAT the Banking Board, with the purpose of achieving effective compliance with the provisions emanating from both the control body and the collegiate body, integrated into Chapter IV, of Title XX, of Book I, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, the procedure for the attention of complaints against institutions of the financial system, always attentive to the protection of the public's interests as mandated by law, whose article 5 establishes that if the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or his delegate will issue the corresponding order. Likewise, if the situation that motivated the complaint referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which had caused harm to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, granting the legal representative of the entity a period that may not exceed fifteen (15) days from the notification to submit, under the legal warnings, the proof of compliance with the order issued;


THAT the bank's obligation as custodian of the values deposited by its clients is to restore them at the time of the request of the owner or holder of the account, taking due diligence that said values return to the depositor when he so requires, in the form agreed in the corresponding legal document, and implemented under the protection of article 51 of the General Law of Institutions of the Financial System;

THAT the file contains letter No. UAC-SBS-2014-072, of January 20, 2014, which contains the response of Banco de Guayaquil S.A. to the information request from the control body regarding the complaint of Mrs. Fanny Yadira Lasso Merchán, in which it determined that the client "was a victim of computer fraud known as 'Phishing'"; and that "The fund transfer was carried out through Virtual Banking, using coordinate card No. 97268, which was delivered to the client on October 7, 2010". Part of the aforementioned letter is Internal Report No. FR-I-2013-466 of November 29, 2013, from the Fraud Prevention Unit, which notes that upon reviewing the ITREPORTS application, it was observed that the transaction was processed through IP address 190.113.209.143, located in Lima, Peru, on November 27, 2013, for the value of USD 2,100.00, at 13:05:04, to account No. 220xxxxx9772 of Banco Pichincha C.A. whose holder is Mrs. Narciza Rosero. In its "CONCLUSION", it says: "Based on the background and the review of the complaint filed by the client, it is concluded that the same is IMPROPER because the client was probably a victim of computer fraud, which consists in obtaining personal information fraudulently, through fake web pages, emails that seem to come from the bank, through which the client provided their information and coordinate keys";

THAT the appellant argued that the fund transfer challenged by the client occurred on November 27, 2013, that is, two years and more than seven months after the period indicated in Interinstitutional Resolutions 001-FGE-SBS-2011 and 002-FGE-SBS-2011, issued by the Superintendents of Banks and Insurance and the Attorney General of the State, in order to recognize the values to clients who had suffered patrimonial losses due to computer fraud, and for that reason, the bank cannot be adjudged the obligation to refund the transferred values;

THAT the aforementioned resolutions were issued as a result of the analysis and resolution of complaints filed, at that time, by several clients and users of the financial system, due to patrimonial damages reported, and whose refund of funds were processed specifically for each case, as determined in said regulation; consequently, the referred argument is not appropriate, the contrary would be to leave subsequent claimants in a state of defenselessness, depriving them of the exercise and protection of their rights as clients and users of the financial system;

THAT the appellant argued that in the same Interinstitutional Resolution No. 002-FGE-SBS-2011, emphasis was placed on the responsibility of clients for their acts and omissions in the handling of their secret keys and the obligation to use secure computer systems for their transactions and that "the bank is responsible for verifying that transactions are processed with the client's personal and secret keys, which the bank did fulfill in this case." Regarding this, while it is pertinent to insist on the responsibility of the client and user of the financial system regarding compliance with their contractual commitments, among them, the proper safeguarding of their documents, it corresponds to the bank, as custodian of the deposited values, to verify beforehand that the transactions being executed are surrounded by the internal controls proper to the bank that provide security to a transaction, in order for the funds delivered to the bank to be returned to the owner of the account, at their request, in the form agreed in the corresponding legal document, and implemented under the protection of article 51 of the General Law of Institutions of the Financial System, a norm in force on the date of the event; therefore, it is not appropriate to shift the responsibility solely to the client for the fact of having delivered the card and the key, since additional verifications are required of the bank in which the transaction is processed, contrary to what the appellant affirms;

THAT the appellant specified that the bank's security system contemplates the registration of accounts to which transfers are desired to be made. In this regard, the file contains the "Cash Transaction Log Report" sent by the bank, covering the period from November 5, 2013 to November 27, 2013, within which the claimed transaction was processed. From this document it is observed that the bank's system reported around one hundred sixty logins, in most cases with the "description": "Attempting to call user challenges 0702513938 for the transaction GET_SITEKEY". On November 27, 2013, the aforementioned report records that entry to virtual banking was successful from IP 190.113.209.143; the same information is recorded in letter No. UAC-SBS-2014-072, of January 20, 2014, whose ITREPORTS extract of the client's account movement on the date and time of the transaction subject of the complaint indicates that it was processed through this IP, located in Lima - Peru;

THAT numeral 4.3.8.8. of article 4, title X "Of integrated management and control and of risks", of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, a norm in force at the time of the event, states that controlled institutions must, within their policies and procedures that ensure adequate administration of information technology, offer their clients the necessary mechanisms so that they can personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards: registration of destination accounts for transfers, registration of IP addresses of authorized computers, among others. Therefore, in the questioned transfer, it is not observed that the IP from which it was made had been registered for that purpose, even though the bank states that the fact was notified to the user's email, which evidences a lack of bank control in the process of authenticating the beneficiary account in "Virtual Banking" for the processing of the claimed transfer;

THAT from the user's statement of account it is appreciated that after the aforementioned transfer, an effective balance of USD 5.41 is verified, as the account holder/saver stated;


THAT the operating system of Banco de Guayaquil S.A. did not alert the client in a timely manner to an operation being executed from an unregistered IP, from which a multitude of previous failed logins are observed before the transfer of USD 2,100.00 to the beneficiary account was made, a circumstance that caused economic harm to Mrs. Fanny Yadira Lasso Merchán; consequently, the precondition established in article 5, chapter IV, title XX, book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, previously transcribed, has been met;
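The control the Board describes in the preceding considerations (registered destination accounts, registered IP addresses of authorized computers, and an alert when a transfer follows a burst of challenge or failed-login events from an unregistered IP) can be expressed as a simple review over a transaction log. The following is an added example, not code from the resolution or from the bank's own systems; the log format, field names, threshold, client profile and all log lines are constructed assumptions, with only the IP, date, time and amount taken from the resolution.

```python
"""Added example: flag transfers that violate the registered-IP /
registered-beneficiary control and are preceded by a login-challenge burst.
Log format and profile fields are assumptions; log lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set, Tuple


@dataclass
class ClientProfile:
    account: str                      # placeholder, not the real account
    registered_ips: Set[str]          # "authorized computers" (num. 4.3.8.8)
    registered_beneficiaries: Set[str]  # registered destination accounts


@dataclass
class LogEvent:
    ts: datetime
    ip: str
    event: str          # GET_SITEKEY, LOGIN_FAIL, LOGIN_OK or TRANSFER
    amount: float = 0.0
    beneficiary: str = ""


def parse_line(line: str) -> LogEvent:
    """Constructed format: ts|ip|event|amount|beneficiary (empty fields allowed)."""
    ts, ip, event, amount, beneficiary = line.split("|")
    return LogEvent(datetime.fromisoformat(ts), ip, event,
                    float(amount) if amount else 0.0, beneficiary)


def assess_transfer(profile: ClientProfile, events: List[LogEvent],
                    transfer: LogEvent, window: timedelta = timedelta(days=30),
                    max_challenges: int = 10) -> List[str]:
    """Return the reasons a transfer should have raised an alert (empty if none)."""
    reasons = []
    if transfer.ip not in profile.registered_ips:
        reasons.append(f"source IP {transfer.ip} not registered")
    if transfer.beneficiary not in profile.registered_beneficiaries:
        reasons.append(f"beneficiary {transfer.beneficiary} not registered")
    # Challenge / failed-login events from the same IP inside the look-back window
    prior = [e for e in events
             if e.ip == transfer.ip and transfer.ts - window <= e.ts < transfer.ts
             and e.event in ("GET_SITEKEY", "LOGIN_FAIL")]
    if len(prior) >= max_challenges:
        reasons.append(f"{len(prior)} challenge/failed-login events from "
                       f"{transfer.ip} in the prior {window.days} days")
    return reasons


def review_log(profile: ClientProfile, lines: List[str]) -> List[Tuple[str, float, List[str]]]:
    """Parse the log and return (timestamp, amount, reasons) for every flagged transfer."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    return [(e.ts.isoformat(), e.amount, r) for e in events
            if e.event == "TRANSFER" and (r := assess_transfer(profile, events, e))]


def constructed_log() -> List[str]:
    """Constructed sample shaped like the report in the resolution: ~160
    GET_SITEKEY challenges from the Lima IP, then a successful login and the
    USD 2,100.00 transfer; plus one benign transfer from a registered IP."""
    base = datetime(2013, 11, 5)
    lines = [f"{(base + timedelta(hours=3 * i)).isoformat()}|190.113.209.143|GET_SITEKEY||"
             for i in range(160)]
    lines += ["2013-11-10T10:00:00|203.0.113.5|LOGIN_OK||",
              "2013-11-10T10:01:00|203.0.113.5|TRANSFER|50.00|BENEF-REGISTERED-1",
              "2013-11-27T13:04:10|190.113.209.143|LOGIN_OK||",
              "2013-11-27T13:05:04|190.113.209.143|TRANSFER|2100.00|BENEF-NOT-REGISTERED"]
    return lines


PROFILE = ClientProfile("ACCOUNT-PLACEHOLDER", {"203.0.113.5"}, {"BENEF-REGISTERED-1"})

if __name__ == "__main__":
    for ts, amount, reasons in review_log(PROFILE, constructed_log()):
        print(ts, amount, "; ".join(reasons))
```

The benign USD 50.00 transfer produces no reasons, while the USD 2,100.00 transfer is flagged on all three counts; a real deployment would block or step-up such a transfer rather than merely log it.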

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0202 of March 9, 2015, recommended to the Banking Board to reject the claim contained in the appeal for review filed;

AND IN exercise of its legal powers,

RESOLVES:

SINGLE ARTICLE.- REJECT the appeal for review filed by Mr. Víctor Hugo Alcívar Álava, Executive Vice President - General Manager of Banco de Guayaquil S.A., and consequently, CONFIRM the administrative act contained in letter No. IRG-DAyEU-V-R-2014-781, of July 16, 2014, which ratified letter No. IRG-DAyEU-V-R-2014-348, of April 30, 2014, in which the Regional Intendant of Guayaquil resolved: "(...) ACCEPT the complaint filed by Mrs. FANNY YADIRA LASSO MERCHÁN (...) and order BANCO DE GUAYAQUIL S.A. to proceed to restore to engineer FANNY YADIRA LASSO MERCHÁN the sum of TWO THOUSAND ONE HUNDRED DOLLARS OF THE UNITED STATES OF AMERICA, (US$ 2,100), (...) value that corresponds to the transfer not authorized by the user via internet, (...)".

COMMUNICATE.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on the tenth day of June of two thousand fifteen.

[Signature] Econ. Rodrigo Landeta Parra, GENERAL INTENDANT (S), PRESIDENT OF THE BANKING BOARD (E)

I CERTIFY.- Quito, Metropolitan District, on the tenth day of June of two thousand fifteen.

[Signature] Lcdo. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD