2015-05-13 | JB-2015-3409

Banking Board Resolution JB-2015-3409

The Banking Board of Ecuador confirmed the requirement for Banco de Guayaquil S.A. to refund US$ 1,400.00 to a customer following an unauthorized virtual banking transfer. The Board ruled that the bank failed to provide sufficient security measures to prevent fraud, thereby rejecting the bank's appeal that blamed the customer for compromised credentials. This decision reinforces the institution's responsibility to manage operational risks and protect client assets in electronic channels.

Superintendencia de Bancos Ecuador

Banking Board of Ecuador

RESOLUTION No. JB-2015-3409

THE BANKING BOARD

CONSIDERING:

THAT the second paragraph of the Third Transitional Provision of the Organic Code of Monetary and Financial Affairs determines that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was handling on the date this Code came into force, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

THAT through Resolution No. 054-2015-F, dated March 5, 2015, published in the Official Register No. 467, dated March 27, 2015, the aforementioned Board extended the deadline by an additional one hundred and eighty days for the Banking Board to continue acting and resolve all claims, appeals, and other administrative procedures within its competence;

THAT through a communication received by the Regional Intendancy of Guayaquil on September 19, 2013, Ms. Verónica Isabel Costales Robalino filed a claim against Banco de Guayaquil S.A., requesting that the aforementioned Bank be ordered to return the sum of US$ 1,400.00, debited from her savings account No. 27744090, basing her claim on: a) That on August 23, 2013, the total amount of US$ 1,400.00 was debited from her savings account via an interbank transfer made at 05:00 in the early morning, in favor of Mrs. Miriam Viviana Morán Rodríguez, a person with whom she has no personal or commercial relationship. b) That she filed a claim with Banco de Guayaquil S.A. and that as of September 16, 2013, she had not received any response;

THAT the Intendancy of Guayaquil, through Office No. DAYEU-ISFP-REQ-2013-1294, dated October 22, 2013, admitted the claim filed by Ms. Verónica Isabel Costales Robalino to proceedings and forwarded it to the knowledge of Banco de Guayaquil S.A., requesting explanations and defenses regarding the case;

THAT through Office No. UAC-SBS-2013-592, dated October 28, 2013, received by the Regional Intendancy of Guayaquil on the 31st of the same month and year, Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., presented the explanations and defenses related to the claim filed by Ms. Verónica Isabel Costales Robalino, basing his actions primarily on the following:

"Within the review performed and according to what was stated by Mrs. Costales Robalino, it was determined that the client was a victim of the computer fraud known as 'Phishing', which is the act of fraudulently acquiring, through deception, personal information such as passwords or other sensitive client information. It consists of the ability to maliciously duplicate bank web pages and indiscriminately send emails so that users access this page and provide their confidential and non-transferable access data to their bank.

(...)

FR-I-2013-276

INTERNAL REPORT

(...)

The claim CAS-79600352 from client Verónica Isabel Costales Robalino has been received, regarding the debits registered in her account for a transaction carried out through Virtual Banking, which the client states she did not perform, which is why she requests the immediate restitution of her funds.

CASE CRM   ACCOUNT TYPE      ACCOUNT NO.   CLAIM AMOUNT US$
7600352    Savings Account   27744090      1,400.00

REVIEW OF THE CLIENT'S CLAIM

The client's account movements were reviewed in the ITREPORTS application, for the date corresponding to the claimed transaction, observing that it was processed through IP address 181.65.162.158, which is located in Lima, Peru.

(...)

Below are detailed the transactions subject to the claim:

TRANSACTION DATE   ACCOUNTING DATE   TYPE   IP ADDRESS       VALUE US$   TIME       ACCOUNT      HOLDER NAME
23-08-2013         23-08-2013        NO     181.65.162.158   1,400.00    11:04:22   2200104679   Rodríguez Mirian Moran Viviana
TOTAL                                                        1,400.00

The maximum transfer value of the client through Virtual Banking was verified, which at the date of the transactions amounted to US$ 9,999.99 monthly.

The client filed the claim on September 3 of the current year; therefore, the Bancontrol coordinate card was blocked.

(...)

It is important to note that Banco de Guayaquil has an authentication system that begins with the creation of a user and an alphanumeric password, the selection of a security image and the assignment of a name to the image, as well as answers to challenge questions of a credit-bureau and personal nature, which constitutes the validation of the client's identification in the Virtual Banking channel.

This process includes the Bancontrol card, which is a coordinate card system, a tool that increases the security of static passwords and constitutes an additional barrier against electronic fraud. This mechanism provides random keys to give peace of mind to our clients; in transactions involving the movement of funds, the use of the Bancontrol coordinate card is necessarily required.

During the access process to the Virtual Banking of Banco de Guayaquil S.A., upon entering the user that identifies the client, the security image and the assigned name are displayed, factors that identify the authenticity of the bank's web page, prior to entering the password defined by the client.

CONCLUSION:

Based on the background and the review of the claim presented by the client, it is concluded that it is UNWARRANTED because the client was likely a victim of computer fraud consisting of the fraudulent obtaining of personal information, through fake web pages, emails that appear to come from the bank, through which the client provided their information and coordinate keys."

THAT through Office No. IRG-DAYEU-V-R-2014-188, dated March 18, 2014, the Intendancy of Guayaquil, favorably attended the claim presented by Ms. Verónica Isabel Costales Robalino, resolving to order the controlled financial institution to proceed to restore to the claimant the sum of US$ 1,400.00, in the savings account No. 27744090 that she holds in the aforementioned bank, a value corresponding to the unauthorized transfer by the user via internet;

THAT through a communication received by the Regional Intendancy of Guayaquil on March 31, 2014, BANCO DE GUAYAQUIL S.A. filed an appeal for reconsideration against the administrative act contained in Office No. IRG-DAYEU-V-R-2014-188, dated March 18, 2014; and, with Office No. IRG-DAYEU-V-R-2014-643, dated June 19, 2014, the Regional Intendancy of Guayaquil resolved to confirm the administrative act contained in Office No. IRG-DAYEU-V-R-2014-188, dated March 18, 2014, thereby rejecting the appeal for reconsideration filed;

THAT through a communication entered in the Regional Intendancy of Guayaquil on July 4, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., filed an appeal for review before the Banking Board against Office No. IRG-DAYEU-V-R-2014-643, dated June 19, 2014, which ratifies the administrative act contained in Office No. IRG-DAYEU-V-R-2014-188, dated March 18, 2014, while also rejecting the appeal for reconsideration filed;

THAT with Office No. JB-2014-1800, dated July 11, 2014, Mr. Pablo Cobo Luna, Secretary of the Banking Board, accepted the appeal for review filed for proceedings; and, with Office No. JB-2014-1801, of the same day, month, and year, Ms. Verónica Isabel Costales Robalino was notified of the acceptance of said appeal, which is based primarily on the following arguments:

  • "(...) this is a case of computer fraud, under the phishing modality, since the transfer of funds is made through virtual banking and with the use of the client's personal keys, who alleges she did not hand them over.";

  • "The transaction subject of this claim was carried out on August 23, 2013, through the Virtual Banking transactional channel, and for this purpose, the key and coordinates contained in the Bancontrol Coordinate Card No.- 155672, the exclusive responsibility of Mrs. VERÓNICA ISABEL COSTALES ROBALINO, were used.";

  • "(...) the transactions in question were correctly processed, because in them the system validated the client's key and coordinates, which are only known and safeguarded by her, without requiring any additional verification, and the beneficiary account registration procedure, IP registration, and notifications regarding transactions carried out were also fulfilled.";

  • "the only cause in which the authority can order the reimbursement of the claimed values is when the controlled institution commits an incorrect procedure that causes harm to the claimant, as established in Art. 5 of Section I, Chapter IV, of Title XX, of Book One of the Compilation of Resolutions of the Superintendence of Banks and Insurance of the Banking Board. However, in the present case the financial entity did not commit any incorrect procedure, since the transfer of funds was made with the client's secret keys (...)."; and,

  • "(...) that there was no error or incorrect procedure on the part of the Bank, and the authority has not demonstrated the contrary, but has considered imprecisely security measures that in its opinion would have been necessary, but which are not provided for in the applicable regulations.";

THAT articles 52 and 66 numeral 25, of the Constitution of the Republic of Ecuador; and, numeral 2 of article 4 of the Organic Law of Consumer Defense, establish the right of persons to have access to goods and services of optimal quality; in virtue of this, Banco de Guayaquil S.A., offers various services to its clients, among which is the transfer of funds through its Virtual Banking, and is obligated to evaluate and demand the appropriate security measures in order to provide the service of optimal quality to its clients;

THAT regarding what was argued by Banco de Guayaquil S.A., in which it highlights the observance and compliance with the corresponding security measures in electronic channels, ATMs, point of sale terminals, and electronic banking, article 4, Chapter V.- "Of Operational Risk Management", Title X.- "Of Risk Management and Administration", Book I.- "General Norms for the application of the General Law of Institutions of the Financial System", of the Compilation of Resolutions of the Superintendence of Banks and of the Banking Board, states:

"ARTICLE 4.- With the purpose that the probability of incurring financial losses attributable to operational risk is minimized, the following aspects, which are interrelated, must be adequately managed:

(...)

Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making.

To consider the existence of an appropriate operational risk management environment, controlled institutions must formally define policies, processes, and procedures that ensure adequate planning and administration of information technology. These policies, processes, and procedures will refer to:

(...)

4.3.8 Security measures in electronic channels.- With the object of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to avoid the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients held by controlled institutions, these must comply at minimum with the following:

(...)4.3.8.8. Offer clients the necessary mechanisms so that they can personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.

Among the main personalization conditions for each type of electronic channel, there must be: registration of the accounts to which they wish to make transfers, registration of authorized computer IP addresses, the authorized mobile phone number(s), maximum amounts per daily, weekly, and monthly transaction, among others (...).

THAT regarding this matter, file Internal Report No. FR-I-2013-276, dated September 3, 2013, is on file, which contains the review of the claim of Ms. Verónica Isabel Costales Robalino, signed by Pedro Moncada G., in the capacity of Assistant, and Fátima Vite Z. in the capacity of Senior Officer, of the Claims and Fraud Unit of Banco de Guayaquil S.A., in which the following is highlighted:

"1. The client's account movements were reviewed in the ITREPORTS application, for the date corresponding to the claimed transaction, observing that it was processed through IP address 181.65.162.158, which is located in Lima, Peru.

(...)

CONCLUSION:

Based on the background and the review of the claim presented by the client, it is concluded that it is UNWARRANTED because the client was likely a victim of computer fraud consisting of the fraudulent obtaining of personal information, through fake web pages, emails that appear to come from the bank, through which the client provided their information and coordinate keys.";

THAT from the foregoing, Banco de Guayaquil S.A. makes evident the lack of security in the virtual channel placed at the user's service, by stating that she was a "victim of computer fraud"; it also demonstrates through its defenses that the only way to register or record both IP addresses and accounts is through access to Virtual Banking, which is exclusively achieved with the validation of the key granted to its clients, so that a client who compromises this information would release the bank from any responsibility for the mishandling of this key; however, in the case at hand, it is not evident that Ms. VERÓNICA ISABEL COSTALES ROBALINO compromised her virtual banking access key at any time or failed to safeguard the "Bancontrol" coordinate card granted by the controlled entity; on the contrary, from the review of the file, it was determined that the transaction was carried out from IP address 181.65.162.158, located in Lima, Peru, an IP that was neither habitual for the claimant's transfers nor registered by her for such purposes;
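As an added illustration (not part of the resolution or of the bank's systems), the following Python check applies the personalization conditions of article 4.3.8.8 quoted above, namely registered beneficiary accounts, registered IP addresses, and daily/weekly/monthly limits, to the transfer described in the file. The client's usual IP, the daily and weekly limits, and the rule that a beneficiary added from an unregistered IP does not count as client-authorized are assumptions constructed for the example; the monthly limit, IP, amount and account numbers come from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Beneficiary:
    account: str
    registered_at: datetime
    registered_from_ip: str  # IP of the session that added the beneficiary


@dataclass
class ClientProfile:
    """Personalization conditions the client may set under 4.3.8.8."""
    account: str
    registered_ips: set      # computer IPs authorized by the client
    beneficiaries: dict      # beneficiary account -> Beneficiary
    limits: dict             # window name -> (days, maximum amount)


@dataclass(frozen=True)
class Transfer:
    beneficiary_account: str
    amount: float
    source_ip: str
    at: datetime


def evaluate_transfer(profile, transfer, prior):
    """Return the list of failed controls; an empty list means the transfer passes."""
    failures = []
    if transfer.source_ip not in profile.registered_ips:
        failures.append(f"source IP {transfer.source_ip} not registered by client")
    ben = profile.beneficiaries.get(transfer.beneficiary_account)
    if ben is None:
        failures.append("beneficiary account not registered")
    elif ben.registered_from_ip not in profile.registered_ips:
        # Assumed control: registering a beneficiary only required the same
        # (possibly phished) access key, so a registration made from an
        # unregistered IP is not treated as authorized by the client.
        failures.append("beneficiary was registered from an unregistered IP")
    for name, (days, limit) in profile.limits.items():
        window = timedelta(days=days)
        total = sum(t.amount for t in prior if timedelta(0) <= transfer.at - t.at < window)
        if total + transfer.amount > limit:
            failures.append(f"{name} limit US$ {limit:,.2f} exceeded")
    return failures


def evaluate_case():
    """The transfer from the resolution, evaluated against a constructed profile."""
    profile = ClientProfile(
        account="27744090",
        registered_ips={"186.3.0.10"},  # constructed: the client's habitual IP
        beneficiaries={"2200104679": Beneficiary(
            "2200104679", datetime(2013, 8, 23, 4, 55), "181.65.162.158")},
        limits={"daily": (1, 2000.00), "weekly": (7, 5000.00),  # constructed
                "monthly": (30, 9999.99)},                        # from the report
    )
    transfer = Transfer("2200104679", 1400.00, "181.65.162.158",
                        datetime(2013, 8, 23, 5, 0))
    return evaluate_transfer(profile, transfer, prior=[])
```

Run against the page's transfer, the check passes the amount limits but fails on both the unregistered source IP and the beneficiary registered from that same IP, which is the gap the Board identifies.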

THAT integral risk management is one of the responsibilities attributed to institutions that are part of the Financial System, by virtue of which, the Compilation of Resolutions of the Superintendence of Banks and of the Banking Board, in its Book I "General Norms for the application of the General Law of Institutions of the Financial System", Title X "Of Risk Management and Administration", Chapter I "Of Integral Risk Management and Control", establishes in its third article the following:

"ARTICLE 3.- Financial system institutions have the responsibility to manage their risks, to which effect they must have formal integral risk management processes that allow identifying, measuring, controlling/mitigating, and monitoring the risk exposures they are assuming."

THAT the second paragraph of article 5 of Chapter IV.- "Procedure for the attention of claims against Financial System Institutions", Title XX.- "Of the Superintendence of Banks and Insurance", Book I "General Norms for the application of the General Law of Institutions of the Financial System" of the Compilation of Resolutions of the Superintendence of Banks and of the Banking Board, provides:

"ARTICLE 5.- (...) If the situation that motivated the claim referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, that has caused harm to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a period that may not exceed fifteen (15) days from the notification to send, under the legal warnings, the proof of compliance with the order issued."

THAT the main foundation exposed by the claimant is the existence of the unauthorized bank transfer, through virtual banking. This transfer is evidenced in the defenses presented by Banco de Guayaquil S.A., requested through Office No. DAYEU-ISFP-REQ-2013-1294, dated October 22, 2013, through which the controlled entity maintained that the transfers in question were carried out due to compromising personal information such as the virtual banking key and the lack of custody of the "Bancontrol" coordinate card, by the claimant. The banking institution intends to transfer to the financial user the risks inherent to the organization and execution of the transfer service through electronic channels offered by the institution, holding her responsible for the same due to the misuse of her virtual banking access key and the alleged compromise of the custody of her "Bancontrol" coordinate card, facts of which there is no record in the case file at hand, a foundation that also allowed, through the administrative act contained in Office No. IRG-DAYEU-V-R-2014-188, dated March 18, 2014, to reject the petitioner's claims, insisting that it is not appropriate to place the responsibility for the possible lack of custody and care of the "Bancontrol" coordinate card information on the claimant and, therefore, the responsibility for said transactions carried out via internet;

THAT Banco de Guayaquil S.A. incurred in an incorrect procedure by not providing sufficient security measures aimed at preventing the commission of fraudulent events and guaranteeing the security and quality of user information; since these were violated, without it being evidenced or documented in the present case that the cardholder carried out the transactions or that there was negligence or mishandling of the debit card by the claimant;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0140 of February 9, 2015, recommended the Banking Board to reject the claim contained in the appeal for review filed; and,

IN exercise of its legal attributes,

RESOLVES:

SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A.; consequently, CONFIRM Office No. IRG-DAYEU-V-R-2014-643, dated June 19, 2014, with which the Regional Intendancy of Guayaquil S.A. resolved to reject the claim contained in the appeal for reconsideration filed; and, confirmed the administrative act contained in Office No. IRG-DAYEU-V-R-2014-188, dated March 18, 2014, through which it ordered Banco de Guayaquil S.A. to "(...) proceed to restore to Mrs. VERÓNICA ISABEL COSTALES ROBALINO the sum of ONE THOUSAND FOUR HUNDRED WITH 00/100 DOLLARS OF THE UNITED STATES OF AMERICA (US$ 1,400.00), in the savings account No. 27744090 that she holds in the aforementioned bank, a value corresponding to the unauthorized transfer by the user via internet (...)".

NOTIFY.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on the thirteenth of May of two thousand fifteen.

Econ. Rodrigo Landeta Parra
GENERAL INTENDANT, S
PRESIDENT OF THE BANKING BOARD, E

I CERTIFY.- Quito, Metropolitan District, on the thirteenth of May of two thousand fifteen.

Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD