2015-04-01 | JB-2015-3332

The Banking Board of Ecuador issued Resolution No. JB-2015-3332 to reject the appeal filed by Banco Pichincha C.A. regarding a customer complaint about an unauthorized electronic transfer. The Board confirmed the administrative decision requiring the bank to refund USD 4,956.23 to the customer due to its failure to implement adequate security procedures and monitor unusual transaction patterns. The ruling establishes that the bank is liable for the loss because its systems failed to detect the transaction originating from an unrecognized IP address and did not issue required security alerts.
THAT the second paragraph of the Third Transitory Provision of the Organic Monetary and Financial Code determines that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was hearing as of the date of entry into force of this Code, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT Mrs. Judith Amparo Andrade Calisto, through a communication received by the control body on February 10, 2014, filed a claim against Banco Pichincha C.A., stating: "(...) On Thursday, February 6, 2014, around 2:00 PM, I tried to access my savings account at Banco Pichincha and did so through the page (...). Later, more than half an hour later, I received a new SMS message on my cell phone stating that the transfer was successful. Since I had not made any transaction whatsoever because I had only accessed my account via the internet, I immediately called the Banco Pichincha call center to find out what was happening with my account, telling the person who answered that I had received a message on my cell phone confirming that a transfer had been made: the bank call center agent who attended to me told me that a transfer of $4,956.23 had been made to an account at PRODUBANCO; I told her I had not made any transfer, so she asked me to go to the nearest bank branch to submit the respective claim (...)"; and requesting that this Superintendence "(...) order the immediate restitution of the total amount debited from my account, US $4,956.23, and credit it to my savings account with the respective interest that would be generated until the day such credit is made.(...)" (sic);
THAT, having accepted the claim for processing, the Subdirectorate of User Attention, through letters No. DNAE-SAU-2014-00970, DNAE-SAU-2014-01586, and DNAE-SAU-2014-02063 dated February 17, March 13, and April 1, 2014, respectively, requested explanations and defenses from the financial entity that could support it regarding the claim presented;
THAT Banco Pichincha C.A., through letters No. BP-ACEC-2014-0217, AUD-C-R-028-2014, and BP-ACEC-2014-0342 dated March 17 and 18, and April 14, 2014, in order, submitted the requested information;
THAT through letter No. DNAE-SAU-2014-02641, dated April 28, 2014, the Subdirector of User Attention, E, issued an administrative resolution, which favorably attended to the claim presented by Mrs. Judith Amparo Andrade Calisto, in the following sense:
"(...)
For the reasons stated, (...), given that Banco Pichincha C.A. has incurred in the indicated incorrect procedures, this Superintendence orders the financial entity to proceed with the return of the value claimed by Mrs. Judith Amparo Calisto, amounting to USD $4,956.23, for the interbank transfer carried out from savings account No. 5685646100 of Banco Pichincha C.A., without having observed for said transfer the security measures in electronic channels of the current legal and regulatory framework." (sic);
THAT with communication received by this control body on May 8, 2014, Mr. Fernando Pozo Crespo, General Manager of Banco Pichincha C.A., filed an appeal for reconsideration against the administrative act contained in letter No. DNAE-SAU-2014-02641 of April 28, 2014;
THAT through letter No. DNAE-SAU-2014-04074 of June 30, 2014, the Subdirector of User Attention, E, rejected the appeal for reconsideration filed, and ratified the administrative act contained in letter No. DNAE-SAU-2014-02641, of April 28, 2014;
THAT through a document entered in the Superintendence of Banks and Insurance on July 10, 2014, Mr. Antonio Acosta Espinosa, Adjunct President of Banco Pichincha C.A., with the professional sponsorship of Dr. Pablo Cadena Merlo and lawyer María José Araujo Álvarez, filed an appeal for review before the Banking Board against letter No. DNAE-SAU-2014-04074, of June 30, 2014, arguing the following:
Lack of motivation in the resolution of the public authority that leads to its nullity, contravening the articles stipulated regarding this in the Constitution of the Republic of Ecuador, and that the grounds of fact and law exposed by the bank in the appeal for reconsideration have not been entirely the object of analysis or specific motivation by this Superintendence.
Taking into account that personal keys and coordinates of clients constitute the only mechanism to access internet transfer services, the bank has no responsibility in the objected transaction, since such damage can only be imputed to the user, as it occurs due to the incorrect use of the electronic channel and not due to the lack of security of the entity's systems.
The bank has been publicly alerting clients through various media about security measures and advice before initiating any type of transaction or consultation.
For the analysis of the case, it is important to consider what is referred to in the Internal Audit report contained in the file, according to which, based on the systems area report, the transfer was processed with the information and coordinates of the E-key card corresponding to the claimant.
At the time, it delivered to this control body the IP address from which the controversial transaction was carried out, and if there has been a criminal act, it corresponds to the affected client to initiate the respective complaint.
The bank has not incurred in incorrect electronic transfer procedures that originated the user's claim, nor has this Superintendence determined the introduction of any corrective measure, so it is not appropriate to order the restitution of values;
THAT with letter No. JB-2014-1867, of July 17, 2014, the Secretary of the Banking Board, accepted the appeal for review filed for processing; and, with letter No. JB-2014-1868 of the same date, notified Mrs. Judith Amparo Andrade Calisto regarding the acceptance of said appeal;
THAT the Superintendence of Banks and Insurance, as the competent authority, pursuant to articles 1 and 180, letter b) of the General Law of Financial System Institutions, as well as what is provided in article 5 of chapter IV regarding the "Procedure for the attention of claims against Financial System Institutions", title XX.- "Of the Superintendence of Banks and Insurance", book I "General norms for the application of the General Law of Financial System Institutions" of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, has the function and attribution to ensure the stability, solidity, and correct functioning of institutions subject to its control; to supervise that they comply with the norms that govern them; and, to require that such institutions present and adopt the corresponding corrective measures when necessary; under this context, based on the referred legal and regulatory provisions, it is inferred that this control body has the legal and normative faculty to hear financial users' claims, and in case of determining an incorrect procedure by the entities, to order the restitution of values to them, therefore the administrative acts issued to resolve them arise from the control and supervision attributions, in whose activity, the protection of public interests must be taken into account;
THAT regarding the appellant's argument concerning the alleged lack of motivation that leads to the nullity of the challenged resolution, according to what is stipulated in the Constitution of the Republic, and that the grounds of the appeal for reconsideration have not been entirely the object of analysis and motivation by this Superintendence, it is specified that in this case, the Subdirectorate of User Attention of the National Directorate of User Attention and Education considered and applied the provisions of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board and the Service Provision Contract for Online and Real-Time Fund Transfers "Pago Directo" system issued by Banco Pichincha C.A.; the legal provisions that the entity failed to comply with were detailed in letters No. DNAE-SAU-2014-02641 and DNAE-SAU-2014-04074 with which said Unit, prior to the respective analysis and motivation of each of the grounds indicated by the bank, resolved both the initial claim and the appeal for reconsideration filed;
THAT regarding the bank's lack of responsibility in the objected transaction, since such damage occurs due to the incorrect use of the electronic channel and not due to the lack of security of the entity's systems, and can only be imputable to the user, taking into account that personal keys and coordinates constitute the only mechanism to access internet transfer services; the first paragraph of article 1, chapter III "Code of Rights of the Financial System User", book I of the Codification ibidem, establishes that users, like the controlled financial entity, have rights and obligations to fulfill based on a contract, the first to maintain due custody of their personal key and the card coordinates delivered by the bank, the second to comply with orders on funds entrusted to it, in harmony with pertinent legal and regulatory norms, with the implementation of adequate internal controls, which safeguard the interests of their clients; in this sense, Banco Pichincha C.A., by offering its clients the virtual banking transfer service, and in order to guarantee the safeguarding of deposited values, is obliged to implement security procedures and policies that avoid the risk of possible diversions or misappropriation of deposited economic resources;
THAT the Subdirectorate of User Attention, in the technical report contained in memorandum No. DNAE-SAU-2014-001034 of September 16, 2014, with reference to such argument specifies: "...this Office did not question in the challenged administrative act the use of (sic) service but the lack of application of the procedures established on the bank's website, which if applied would have prevented the transfer of the account holder who according to the claimant maintained an authorized amount by the bank for transfers of US$999 and not of US$4,956.23." (sic);
THAT with reference to the bank publicly alerting clients through various media about security measures and advice before initiating any type of transaction or consultation, Mrs. Catalina Salazar Mejía, Authorized Signatory of Banco Pichincha C.A., with letter BP-ACEC-2014-0217, indicated that for the internet transfer to be successfully carried out, the following must be fulfilled: "it is necessary to enter the biometric user and biometric key generated by the client, in addition, if applicable, the respective security code, information that is exclusively known by the client (...) the Bank implemented the personal and non-transferable card named "E-key", in which it registers the coordinate requested by the system to accept the transaction, being equally the exclusive responsibility of the client (...)"; it is observed within said procedure a lack of compliance by the entity with what is stipulated in several of the provisions contained in article 4, section II, chapter V.- Of Operational Risk Management, title X.- Of Risk Management and Administration, book I of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, which stipulate:
"(...) 4.3.5 Security measures in electronic channels.- In order to guarantee that transactions carried out through electronic channels have the controls, measures, and security elements to avoid the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients in charge of controlled institutions, these must comply at minimum with the following:...
(...)
4.3.5.8. Establish procedures to monitor, control, and issue online alarms that inform timely about the status of electronic channels, in order to identify unusual, fraudulent events, or correct failures...
4.3.5.9.
(...)
Among the main conditions of customization for each type of electronic channel, the following must be stated: the registration of accounts to which one wishes to make monetary transfers, numbers of basic service supplies, fixed and mobile phone numbers, maximum amounts per daily, weekly, and monthly transaction, among others.
(...)
4.3.5.11. Financial system institutions must register IP addresses, and mobile phone numbers from which transactions are made..." (Underline added).
Concluding that the financial entity has not implemented the necessary measures to provide the level of security for electronic transfers, stipulated by this control body, which was sanctioned through letter No. INSFPR-D1-DNR-2014-0309 of February 20, 2014;
THAT numeral 4.3.5.13 of article 4, of the same chapter, title, and book of the mentioned Codification, establishes:
"(...) 4.3.5.13. Institutions must establish control procedures and mechanisms that allow registering the profile of each client regarding their transaction behaviors that imply money movement in the use of electronic channels and cards and define procedures to monitor online and allow or reject timely the execution of transactions that imply money movement that do not correspond to their habits which must be immediately notified to the client through mobile messaging, email, or other mechanism..." (Underline added).
THAT regarding this, as to whether the Internal Auditor's report should be analyzed, contained in letter No. AUD-C-R-028-2014 of March 18, 2014, which states that according to the systems area report, the transfer was processed with the information and coordinates of the claimant's E-Key card; from the review of the information and documentation sent by Banco Pichincha C.A. with letter BP-ACEC-2014-027 of March 17, 2014, the Subdirectorate of User Attention evidenced that according to the historical behavior between November 6, 2013, and February 17, 2014, the financial user makes transfers not exceeding USD $948.00 from IP address 190.154.115.23, in contrast with the claimed transaction carried out on February 6, 2014, for an amount of USD $4,956.23 from an IP address located in Lima, Peru No. 190.81.102.239;
THAT the transaction subject of the claim was carried out from an IP address not habitual for the claimant to make transfers, which does not fall within the typical patterns of the client that should have been raised by the bank, without the same having yielded any alert signal. Such transfer carried out from a different IP address should have emitted the corresponding security alerts, so in the present case, a weakness in the application of the entity's procedures is evidenced as provided in the cited numeral 4.3.5.13, which caused economic damage to the claimant;
THAT in that line, regarding the fact that at the time the bank delivered to this control body the IP address from which the controversial transaction was carried out, and that if there has been a criminal act, it corresponds to the affected client to initiate the corresponding complaint, it can be stated that it is the bank's obligation to establish control procedures and mechanisms that allow registering the profile of each client regarding their transactional habits in the use of electronic channels, as demanded by numeral 4.3.5.13 of the aforementioned regulation; had this been complied with in the present case, the controversial transfer from an IP that has not been registered within its transactionality, that is, from Lima, Peru, would not have been carried out;
THAT the argument that the challenged administrative act be revoked, for not having incurred in incorrect procedures and that this Superintendence has not determined the introduction of any corrective measure, so it is not appropriate to order the restitution of values, has no basis, since the Subdirectorate of User Attention, upon reviewing the Interbank Transfer Manual in force at the date of the claimed transaction, sent by the entity with letter No. BP-ACEC-2014-0342 of April 14, 2014, in attention to the request formulated with letter No. DNAE-SAU-2014-02063 of April 1, 2014, which in its pertinent part informs: "corresponding to the Interbank Transfer Manual, is on the electronic banking portal (...) In order to provide the information contained on the Bank's page at the date on which (sic) the transfer subject of the claim was carried out, we attach the text that was in force on 01/06/2014"; verified that in the part corresponding to Direct Interbank Transfers, it maintains as the maximum allowed amount USD $2,000.00, and upon reviewing the referred annex that is part of the service provision contract for online and real-time fund transfers with the "Pago Directo" system of May 26, 2010, verified that "The amount allowed to transfer or make payments is a minimum of 5 USD and maximum 5000 USD daily", determining consequently, that in the indicated documents "...there is an inconsistency since the screens included in the manuals correspond to the same date March 11, 2014 at 15:20, but the two maintain (sic) a different value of maximum transfer amounts, this inconsistency does not allow this control body to have reasonable certainty of the information sent by its representative." (sic). Aspect that was indicated within the analysis of both letter No. DNAE-SAU-2014-02461 and letter No. DNAE-SAU-2014-4074;
THAT furthermore, from the review of the alert report sent by the entity, it is observed that the notification was sent to the cell number 5939856545531 registered by the financial user in the databases of Banco Pichincha C.A., which was carried out on February 6, 2014 at 1:51 PM indicating that the transaction was "successful", that is, when the claimed transfer had already been carried out; moreover, there is no evidence that alerts were sent for changes in amount or for entries from an IP address different from those maintained in the client's transactional profile, as stipulated by the aforementioned regulation; these facts constitute incorrect procedures in which the bank has incurred.
THAT it is important to emphasize the obligation that Banco Pichincha C.A. has to implement security and information technology actions and procedures through virtual banking - electronic channel that offers its clients online services for the realization of their transactions -, tending to warn timely of the risk of alteration and unauthorized access to their accounts, preventing in this way electronic fraud, as well as other types of crimes, that due to lack of application of the norm issued for the effect, violate the patrimony of their clients, so the responsibility of the claimed transfer cannot be transferred to Mrs. Judith Amparo Andrade Calisto;
THAT for all the reasons stated, given that the claim presented by Mrs. Judith Amparo Andrade Calisto originated from an incorrect procedure of the controlled institution, since from the transactional record it is appreciated, that it did not detect the unusual behavior of the user, which allowed the claimed transfer to be carried out, without having emitted the security alert to which it was obliged according to what is stipulated in the aforementioned regulation, in this case, the requirement established in article 5, chapter IV.- "Procedure for the attention of claims against Financial System Institutions", title XX.- "Of the Superintendence of Banks and Insurance", book I.- "General norms for the application of the General Law of Financial System Institutions" of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board was fulfilled, so it was appropriate for this control body to have ordered the return of the value claimed by the client;
THAT the National Legal Intendency, through memorandum INJ-DNJ-SAL-2014-1024 of December 17, 2014, recommended the Banking Board to reject the claim contained in the appeal for review filed;
AND,
In exercise of its legal attributions,
SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Antonio Acosta Espinosa, Adjunct President of Banco Pichincha C.A.; and, consequently CONFIRM the administrative act contained in letter No. DNAE-SAU-2014-04074 of June 30, 2014, through which the Subdirectorate of User Attention rejected the appeal for reconsideration filed by the bank, against letter No. DNAE-SAU-2014-02641 of April 28, 2014, with which it was resolved that the referred banking entity "...proceed with the return of the value claimed by Mrs. Judith Amparo Andrade Calisto, amounting to USD $4,956.23, (...), without having observed for said transfer the security measures in electronic channels of the current legal and regulatory framework." (sic).
NOTIFY.- Given in the Superintendence of Banks, in Quito, Metropolitan District, on the first of April of two thousand fifteen.
Econ. Rodrigo Landeta Parra GENERAL INTENDENT, PRESIDENT OF THE BANKING BOARD,
I CERTIFY.- Quito, Metropolitan District, on the first of April of two thousand fifteen.
Lcdo. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD
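
The control that numeral 4.3.5.13 describes (a per-client behaviour profile checked online, with out-of-profile transfers held or rejected and the client alerted before execution) can be sketched as follows. This is an added illustration, not part of the resolution and not any bank's actual system; the function and field names, the 1.5x amount tolerance and the individual history entries are assumptions, while the IP addresses, the USD 948.00 ceiling, the USD 999 authorized amount and the disputed transfer are the values stated in the ruling.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    when: date
    amount: Decimal
    source_ip: str


@dataclass(frozen=True)
class Decision:
    action: str          # "allow", "hold" or "reject"
    reasons: tuple       # which profile checks failed
    alert_client: bool   # notify by SMS/e-mail before anything executes


def evaluate(history, pending, authorized_limit, tolerance=Decimal("1.5")):
    """Check a pending transfer against the client's prior behaviour.

    Runs before execution, so an out-of-profile transfer is stopped and the
    client alerted first, not told afterwards that it was "successful".
    """
    # Only completed transfers dated before the pending one form the profile.
    prior = [t for t in history if t.when < pending.when]
    known_ips = {t.source_ip for t in prior}
    habitual_max = max((t.amount for t in prior), default=Decimal("0"))

    reasons = []
    if pending.source_ip not in known_ips:
        reasons.append("unrecognized_ip")
    if pending.amount > habitual_max * tolerance:
        reasons.append("amount_outside_habit")
    if pending.amount > authorized_limit:
        reasons.append("over_authorized_limit")

    if "over_authorized_limit" in reasons:
        action = "reject"   # hard limit: never executes
    elif reasons:
        action = "hold"     # wait for out-of-band confirmation by the client
    else:
        action = "allow"
    return Decision(action, tuple(reasons), alert_client=bool(reasons))


# Constructed history: the ruling gives only the habitual IP and the USD 948.00
# ceiling; the individual dates and amounts below are sample values.
HABITUAL_IP = "190.154.115.23"
HISTORY = [
    Transfer(date(2013, 11, 6), Decimal("120.00"), HABITUAL_IP),
    Transfer(date(2013, 12, 15), Decimal("948.00"), HABITUAL_IP),
    Transfer(date(2014, 1, 20), Decimal("300.50"), HABITUAL_IP),
    Transfer(date(2014, 2, 17), Decimal("250.00"), HABITUAL_IP),  # later; ignored
]
AUTHORIZED_LIMIT = Decimal("999.00")  # per-transfer amount the claimant cited

# The disputed transfer, with the values stated in the ruling.
DISPUTED = Transfer(date(2014, 2, 6), Decimal("4956.23"), "190.81.102.239")

if __name__ == "__main__":
    print(evaluate(HISTORY, DISPUTED, AUTHORIZED_LIMIT))
    routine = Transfer(date(2014, 2, 6), Decimal("200.00"), HABITUAL_IP)
    print(evaluate(HISTORY, routine, AUTHORIZED_LIMIT))
```

Each of the three checks fails independently for the disputed transfer, so any one of them would have been enough to stop it and alert the client.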