2015-06-17 | JB-2015-3486
The Banking Board of Ecuador rejected the appeal filed by Banco de Guayaquil S.A. regarding a complaint of unauthorized internet transfers totaling USD 820.00 caused by phishing fraud. The Board confirmed the lower authority's order requiring the bank to reimburse the customer, ruling that the institution failed to implement adequate fraud prevention systems and did not send necessary security alerts. This decision establishes that the bank is liable for the loss because its operational procedures allowed the fraudulent transactions to proceed without notifying the account holder.
Banking Board of Ecuador
RESOLUTION No. JB-2015-3486
THE BANKING BOARD
CONSIDERING:
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332 of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, and norms issued by control bodies, will remain in effect insofar as they do not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was handling on the date of entry into force of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT through communication dated November 29, 2013, Mr. Fernando Germán Aguiar Villagómez filed a complaint against Banco de Guayaquil S.A. at the Regional Intendency of Guayaquil, regarding the unauthorized withdrawal of USD $820.00 from his savings account No. 38822271 on November 20, 2013;
THAT by letter No. DAYEU-ISFP-REQ-2013-1748 of December 18, 2013, the Director of User Attention and Education of the Regional Intendency of Guayaquil requested Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., to submit defenses and explanations regarding the complaint filed by Mr. Fernando Germán Aguiar Villagómez;
THAT through letter No. UAC-SBS-2014-031 of January 10, 2014, received by the Superintendency of Banks on January 23, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., in response to the request from the control body, submitted copies of the documents in the file of the complaint of Mr. Fernando Germán Aguiar Villagómez, in which it was indicated that the client was a victim of the crime of phishing;
THAT by letter No. IRG-DAyEU-V-R-2014-350 of April 30, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, resolved to order Banco de Guayaquil S.A. to proceed to restore to Mr. Fernando Germán Aguiar Villagómez the sum of USD $820.00 in savings account No. 38822271, a value corresponding to the unauthorized transfers by the user via internet, and to send evidence of compliance with this resolution to the control body within eight days;
THAT through communication, received by this Superintendency on May 16, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the sponsorship of Dr. Rosa Tobar Reina, filed an appeal for reconsideration against the administrative act contained in letter No. IRG-DAyEU-V-R-2014-350 of April 30, 2014, which was rejected by letter No. IRG-DAyEU-V-R-2014-833 of July 29, 2014;
THAT by communication received by this Superintendency on August 12, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the professional sponsorship of Dr. Rosa Tobar Reina, filed before the Banking Board an appeal for review against the administrative act contained in letter No. IRG-DAyEU-V-R-2014-833 of July 29, 2014, which was accepted for processing by lawyer Juan Francisco Simone Lasso, Secretary, substitute of the Banking Board, by letter No. JB-2014-2221 of August 19, 2014;
THAT among the factual and legal grounds set out by Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., the following are noted:
That this is a case of computer fraud, under the phishing modality, since the fund transfers are made through virtual banking and with the use of the client's personal keys, who alleges not having delivered them. Therefore, this case falls within the norms contained in Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011.
That the security system maintained by Banco de Guayaquil S.A. on the date the claimed event occurred consisted of an efficient fraud prevention system, strengthened with the use of the coordinate card, Bancontrol, which increases the security of static passwords and represents an additional barrier against electronic fraud, a mechanism that provides random keys to provide security in such transactions.
That the Bank has implemented, as a security measure, the registration of IP addresses of authorized computers, as a control pursuant to the regulations on security measures in electronic channels, controls that are 100% implemented in the virtual banking channel.
That the security process was fulfilled, that is, the information emails about the transaction were sent to the email address registered by the client and with warnings about the transactions made, facts that can be proven with technological records, therefore, the client's assertion denying that these steps were fulfilled is incorrect.
That the only cause in which the authority can order the reimbursement of the claimed values is when the controlled institution commits an incorrect procedure that causes harm to the claimant;
THAT Banco de Guayaquil S.A. emphatically determines that the present case is a computer fraud under the phishing modality and that therefore, this case falls within the norms contained in Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011;
THAT paragraph a) of article 51 of the General Law of Institutions of the Financial System in force on the date of the complaint, empowered banks to receive public resources in demand deposits, which are banking obligations, comprising monetary deposits payable upon presentation of checks or other payment mechanisms and registration;
THAT Banco de Guayaquil S.A. assumes the obligation to keep or safeguard the deposited values with diligence and professional care, and is likewise responsible for the other services offered to its clients, such as transfers through different electronic channels, so it is obliged, as depositary of the money that its clients have entrusted to it, to evaluate and require the relevant security measures;
THAT referring to interinstitutional resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011, they were applicable for certain specific cases detailed in them, within which the complaint of Mr. Fernando Germán Aguiar Villagómez against Banco de Guayaquil S.A. is not included;
THAT with reference to the argument that coordinate cards, Bancontrol, increase the security of static passwords and represent an additional barrier against electronic fraud, the controlled institution highlights the observance and compliance with the corresponding reforms to security measures in electronic channels, without prejudice to which the entity is obliged to implement security in these electronic channels in order to avoid harm to its clients such as the case subject of this analysis, as required by operational risk regulations collected in numerals 4.3.3.6, 4.3.3.8, 4.3.5, 4.3.5.9, 4.3.5.13 and 4.3.5.14 of article 4, chapter V "On Operational Risk Management", title X "On Risk Management and Administration", book I "General Norms for Institutions of the Financial System", of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board;
THAT Banco de Guayaquil S.A. sent an internal report showing that, according to the ITREPORTS application, the client's account movement on the date that is the subject of the complaint was processed through IP address 201.230.140.80, located in Lima-Peru, from which it is determined that this is neither the claimant's habitual IP address for making transfers nor one registered by him;
THAT the financial institution states that the only way to enroll or register both IP addresses and accounts is through Virtual Banking, which is only achieved with the validation of the key granted to its clients, therefore, if clients compromise this information, this releases the bank from responsibility for the mishandling of this key. However, in the case at hand, it is not evidenced that Mr. Fernando Germán Aguiar Villagómez has compromised at any time his access key to virtual banking nor neglected the custody of the Bancontrol coordinate card delivered by the financial institution;
THAT from article 3, chapter I "On Integral Management and Risk Management", title X "On Risk Management and Administration", book I of the referred Codification of Resolutions, it is inferred that financial institutions have the responsibility to manage their risks integrally with formal processes that allow identifying, measuring, controlling, mitigating, and monitoring possible risks, a situation that has not occurred in the present case by Banco de Guayaquil S.A., since the bank's system did not emit any alert for the transactions made on November 20, 2013, allowing them to conclude successfully without the account holder noticing it, preventing him from being able to notify the bank immediately and thus avoid the consummation of the fraud through an urgent blocking of funds;
THAT in the present case, there is responsibility of Banco de Guayaquil S.A. in the disputed transactions, since on the date of the complaint the bank did not maintain for its transactional channels an efficient fraud prevention system, since as indicated it never notified the client of the execution of the transactions subject of the complaint, which would have avoided the withdrawal of money, evidencing the incorrect procedure in which the entity incurred since the malfunction of the access alert signals to the virtual banking system allowed the withdrawal of the claimed funds;
THAT additionally, the incorrect procedure is evidenced at the moment when the bank itself recognizes that the client was a victim of the crime of phishing;
THAT the second paragraph of article 5, of chapter IV, title XX, book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and the Banking Board, provides:
"Article 5.- If the result of the analysis carried out by the Superintendency determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.
If the situation that motivated the complaint referred to in the previous paragraph, originated in an incorrect procedure of the controlled institution, which caused harm to the claimant, the Superintendency of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a period that may not exceed fifteen (15) days from notification to send, under the legal precautions, the proof of compliance with the order issued";
THAT the cited regulation empowers the control body to exercise its constitutional and legal functions and attributes to order the return of the values claimed by users of the financial system, provided that the situation that is the subject of the complaint originated in an incorrect procedure by the controlled institution, as has happened in the present case;
THAT regarding the entity's argument that the mentioned transfers were made due to compromising personal information such as the personal key and lack of care with the Bancontrol coordinate card, on the part of the claimant, it must be pointed out that there is no record whatsoever in the file of the case at hand that reflects that the client compromised personal information;
THAT the National Legal Intendency, through memorandum INJ-DNJ-SAL-2015-0170 of February 19, 2015, recommended to the Banking Board to reject the claim contained in the appeal filed by the Executive Vice President - General Manager of Banco de Guayaquil S.A.; and,
IN exercise of its legal attributes,
RESOLVES:
SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM letter No. IRG-DAyEU-V-R-2014-833 of July 29, 2014, through which the lawyer Humberto Moya González, Regional Intendant of Guayaquil, rejected the appeal for reconsideration, and ratified the content of letter No. IRG-DAyEU-V-R-2014-350 of April 30, 2014, through which, it resolved to order Banco de Guayaquil S.A. to proceed to restore to Mr. Fernando Germán Aguiar Villagómez the sum of USD $820.00 in savings account No. 38822271, a value corresponding to the unauthorized transfers by the user via internet.
NOTIFY.- Given at the Superintendency of Banks and Insurance, in Quito, Metropolitan District, on the seventeenth of June of two thousand fifteen.
(Signature) Econ. Rodrigo Landeta Parra, GENERAL INTENDANT (S), PRESIDENT OF THE BANKING BOARD SESSION (E)
I CERTIFY.- Quito, Metropolitan District, on the seventeenth of June of two thousand fifteen.
(Signature) Lcdo. Pablo Cobo Luna, SECRETARY OF THE BANKING BOARD