2015-05-08 | JB-2015-3401
The Banking Board of Ecuador issued Resolution No. JB-2015-3401 to reject the appeal filed by Banco Nacional de Fomento against a previous order requiring restitution for debit card cloning fraud. The Board confirmed the bank's liability for operational risks and failure to monitor account activity, thereby upholding the consumer's right to compensation. The resolution mandates the bank to refund USD 1,943.95 to the claimant, Pablo Roberto Vallejo Madrid, adjusting the amount based on a prior credit note.
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332 on September 12, 2014, whose text states that resolutions contained in the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and the norms issued by the control bodies, will remain in effect in all that does not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and, with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures that it was hearing on the date of entry into force of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT on September 26, 2013, through a complaint form, Mr. Pablo Roberto Vallejo Madrid filed a complaint against the National Development Bank (Banco Nacional de Fomento), with the aim that the financial institution return the sum of USD $3,593.95, "due to suspicion of cloning of debit card No. 6031600126016375". In view of Office No. IRG-DAYEU-V-R-2014-403 of May 9, 2014, the same complaint was entered into the Superintendence of Banks on October 7, 2013;
THAT with Office No. IRG-DAYEU-V-R-2014-403 of May 9, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, resolved the complaint of Mr. Pablo Roberto Vallejo Madrid favorably and ordered the financial institution to return USD $3,743.95. In this line, through a document entered into the control body on May 30, 2014, the engineer Erika Palma Portilla, Commercial Manager of the National Development Bank, filed a request for reconsideration of Office No. IRG-DAYEU-V-R-2014-403 of May 9, 2014, whose claims were rejected with Office No. IRG-DAYEU-V-R-2014-631 of June 18, 2014;
THAT with a document entered into the Superintendence of Banks and Insurance on July 11, 2014, the engineer Erika Palma Portilla, Commercial Manager of the National Development Bank, with the professional sponsorship of lawyers María Angélica Pazmiño M. and Licencia Rizzo Zambrano, filed before the Banking Board an appeal for review of Office No. IRG-DAYEU-V-R-2014-631 of June 18, 2014;
THAT Articles 52, 66, and 213 of the Constitution of the Republic of Ecuador and Article 4 of the Organic Law for Consumer Defense guarantee the right of users of the financial system to have access to high-quality services, with efficiency, effectiveness, and good treatment. At the same time, the Superintendence of Banks is called upon to supervise that the services provided by the institutions of the financial system are subject to the legal framework and attend to the general interest;
THAT Articles 1, 51, literal a), 142, and 180 of the General Law of Institutions of the Financial System, in force on the date of the complaint, provide as follows:
"Article 1.- This Law regulates the creation, organization, activities, functioning, and extinction of the institutions of the private financial system, as well as the organization and functions of the Superintendence of Banks, the entity in charge of the supervision and control of the financial system, in all of which the protection of the public's interests is taken into account. In the text of this Law, the Superintendence of Banks will be called abbreviatedly 'the Superintendence'. (...)."
"Article 51.- Banks may carry out the following operations in national or foreign currency, or in accounting units established in the Law:
a) Receive public resources in demand deposits. Demand deposits are banking obligations, comprising monetary deposits payable upon presentation of checks or other payment and registration mechanisms; savings deposits payable upon presentation of savings books or other payment and registration mechanisms; and, any other payable within a period of less than thirty days. They may be constituted under various modalities and mechanisms freely agreed upon between the depositor and the depositary;
(...)."
"Article 142.- When an institution of the financial system fails to comply with the resolutions of the Banking Board, the provisions of the Superintendence of Banks, and other applicable norms, particularly those referred to the required technical equity levels, the Superintendent will necessarily demand and approve the regularization programs that are necessary and verify their compliance; will dispose of all those preventive and corrective measures that are necessary and impose the pertinent sanctions, without prejudice to the civil and criminal actions that may arise.
"Article 180.- The Superintendent of Banks has the following functions and attributes:
(...)
j) Impose administrative sanctions on the institutions it controls, when they contravene the provisions that govern them, as well as on their directors, administrators, and officials, and on the credit subjects that infringe the provisions of this Law, in the cases indicated in it;
(...)."
THAT in this regard, integral risk management is one of the responsibilities attributed to financial institutions that are part of the system; by virtue of this, the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, in Articles 2 and 3 of Chapter I, Title X, Book I, provides as follows:
"Article 2.- For the purposes of the application of this chapter, the following definitions are determined:
2.1 Risk.- It is the possibility that an event generating losses that affect the economic value of the institutions occurs;
2.2 Risk Management.- It is the process by which institutions of the financial system identify, measure, control/mitigate, and monitor the risks inherent to the business, with the objective of defining the risk profile, the degree of exposure that the institution is willing to assume in the development of the business, and the hedging mechanisms, to protect its own and third-party resources that are under its control and administration;
(...)
2.9 Operational Risk.- It is the possibility that losses occur due to events originating from failures or insufficiency of processes, people, internal systems, technology, and in the presence of unexpected external events. It includes legal risk but excludes systemic and reputational risks.
It groups a variety of risks related to internal control deficiencies; inadequate systems, processes, and procedures; human errors and fraud; failures in computer systems; occurrence of adverse external or internal events, that is, those that affect the institution's ability to respond to its commitments in a timely manner, or compromise its interests (...)."
"Article 3.- Institutions of the financial system have the responsibility to manage their risks, to which effect they must have formal integral risk management processes that allow identifying, measuring, controlling/mitigating, and monitoring the risk exposures they are assuming.
(...)."
THAT in the same way, the pertinent part of Article 4, of Chapter V, of Title X, of Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board provides as follows:
"Article 4.- With the purpose that the probability of incurring financial losses attributable to operational risk is minimized, the following aspects, which are interrelated, must be adequately managed:
4.3 Information Technology.- The controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is intact, confidential, and available for appropriate decision-making.
To consider the existence of an appropriate operational risk management environment, the controlled institutions must formally define policies, processes, and procedures that ensure adequate planning and management of information technology.
4.3.4 With the objective of guaranteeing that the security administration system satisfies the entity's needs to safeguard information against unauthorized use, disclosure, and modification, as well as damage and losses, the controlled institutions must have at least the following:
4.3.4.8 Formal controls to protect information contained in documents; storage media or other external devices; the electronic use and exchange of data against damage, theft, unauthorized access, use, or disclosure of information for purposes contrary to the interests of the entity, by all its personnel and its providers;
4.3.4.12 The controlled institutions that offer electronic transfer and transaction services must have information security policies and procedures that guarantee that operations can only be carried out by duly authorized persons; that the communication channel used is secure, through information encryption techniques; that there are alternative mechanisms that guarantee the continuity of the offered service; and, that they ensure the existence of audit trails.
4.3.8 Security measures in electronic channels.- With the objective of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to avoid the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of the clients in charge of the controlled institutions, these must comply with at least the following:
4.3.8.8 Offer clients the necessary mechanisms so that they can personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.
Among the main personalization conditions for each type of electronic channel, there must be: registration of the accounts to which they wish to make transfers, registration of authorized computer IP addresses, the authorized mobile phone number(s), maximum amounts per daily, weekly, and monthly transaction, among others.
(...)."
THAT also Articles 1, 4, 5, 6, and 18, of Chapter III, of Title XIV, of Book I, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, in the present case in force by virtue of the First Transitional Provision of the Organic Monetary and Financial Code, provide as follows:
"Article 1.- This Code has the object of establishing the principles and rules that govern the exercise and protection of the rights of the user of the financial system, considering that financial activities are of public order and must be subject, in particular, to principles of sound practices applied by the corporate governance of the institutions that make up the financial system. Its scope of application involves the relationships between users and financial institutions controlled by the Superintendence of Banks and Insurance of Ecuador, without prejudice to other legal provisions that contemplate measures and instruments of protection for the user of the financial system.
For the purposes of this Code, the legal terms contained in its text must be understood in accordance with the glossary contained in the final article."
"Article 4.- The rights of the user of the financial system contained in this Code are irrenounceable as financial services are considered of public order, social interest, and mandatory observance throughout the country. Any stipulation to the contrary shall be considered null."
"Article 5.- The rights of the user of the financial system regarding the financial products and services offered by the institutions of the financial system, in accordance with the law and sound practices, will be protected, in the first instance, by the client defender of the financial institutions, and by the Superintendence of Banks and Insurance, and for this purpose it may act ex officio or at the request of a party according to what is expressly mandated by the
Constitution and applicable laws, without prejudice to the competencies that other authorities exercise according to the law.
Nevertheless, any public authority, in application of its competencies and in accordance with the law, will protect the rights of the user of the financial system. (...)."
"Article 6.- Users of financial products and services will exercise their rights within the framework of the universal principle of good faith."
"Article 18.- The Superintendence of Banks and Insurance, in the exercise of its constitutional and legal functions of regulation and supervision, preventive and corrective, will have as a fundamental principle the protection of the rights of the user of the financial system."
THAT in application of what is provided in letter o), of Article 180 of the General Law of Institutions of the Financial System, the Banking Board issued Resolution No. JB-2005-747, of January 25, 2005, which was reformed with Resolution No. JB-2009-1303, of May 14, 2009, on the procedure for the attention of complaints against the institutions of the financial system, which is contained in Chapter IV, Title XX, Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, whose Article 5 provides:
"Article 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures that regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.
If the situation that motivated the complaint referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused damage to the complainant, the Superintendence of Banks and Insurance may order the return of the claimed values, in the exercise of the functions and attributes contemplated in letters b) and o) of Article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a period that cannot exceed fifteen (15) days from the notification to send, under the warnings of the Law, the proof of compliance with the order issued." (Emphasis added);
THAT by virtue of the cited norms, the client delivers money to a financial institution with the option to withdraw it, in part or totally, at the moment he requires it, while the depositary entity assumes the obligation to keep or safeguard the deposited values and satisfactorily attend all those withdrawal operations required by the holder, with diligence and professional care;
THAT the financial institution has the obligation to safeguard the deposited values and satisfactorily attend all the withdrawal operations required by the client; in the same way, it is responsible for providing with efficiency and responsibility the services offered to the users of the system, among which is the withdrawal through different channels such as ATMs, even those of several financial entities. In this line, the Bank is obliged to evaluate and demand the appropriate security measures in order to be able to fulfill its obligations as depositary of the monies that its clients have entrusted to it, with the purpose of being able to provide a quality service;
THAT it has been evidenced in the present case that the National Development Bank falls under Article 5 of Chapter IV, Title XX, Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, in that the transactions carried out caused economic damage to the client, originating in an incorrect procedure of the controlled institution, which did not monitor or implement alerts on the movements that occurred in the account entrusted to its custody, allowing the security controls of the card delivered by the bank to be violated;
THAT in Office No. IRG-DAYEU-2014-328 of October 13, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, held the following: "(...) it is determined that the NATIONAL DEVELOPMENT BANK, being an entity dedicated to exercising financial activities, has among its purposes, the obligation to keep or safeguard the deposited values and satisfactorily attend all types of operations, with diligence and professional care (...);"
THAT according to the Regional Intendant of Guayaquil, the incorrect procedure in which the National Development Bank incurred in the context of the complaint of Mr. Pablo Roberto Vallejo Madrid is configured;
THAT the Superintendence of Banks is in charge of supervising and controlling the operations of the institutions that form part of the national financial system, as well as protecting the interests of the users of this sector;
THAT both the Constitution of our country, the General Law of Institutions of the Financial System, and the Compilation of Resolutions of the Superintendence of Banks and the Banking Board watch over the compliance and implementation of procedures and mechanisms that protect and disseminate the rights of financial users, attributing corrective, controlling, and sanctioning faculties to the Superintendence of Banks, so that it carries out such functions;
THAT for greater clarity, it is important to point out that the contracts entered into to offer services to the clients of the National Development Bank related to a wider coverage of ATMs are the exclusive responsibility of the referred entities, which may not transfer the operational risk of said service to Mr. Pablo Roberto Vallejo Madrid;
THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2014-1047 of December 19, 2014, recommended that the Banking Board reject the claim contained in the appeal filed by the Commercial Manager of the National Development Bank; and,
In exercise of its legal attributions,
SINGLE ARTICLE.- REJECT the petition contained in the appeal for review filed; and, consequently, PARTIALLY CONFIRM Office No. IRG-DAYEU-V-R-2014-631 of June 18, 2014, with the caveat that the sum that must be returned to Mr. Pablo Roberto Vallejo Madrid, by the National Development Bank, is USD $1,943.95, due to a credit note for the value of USD $1,800.00, in view of the recommendation contained in Office No. IRG-DAYEU-2014-328 of October 13, 2014, signed by the lawyer Humberto Moya González, Regional Intendant of Guayaquil.
NOTIFY.- Given at the Superintendence of Banks and Insurance, in Quito, Metropolitan District, on the eighth of May of two thousand fifteen.
Econ. Rodrigo Landeta Parra, GENERAL INTENDANT (S), PRESIDENT OF THE BANKING BOARD SESSION (E)
I CERTIFY.- Quito, Metropolitan District, on the eighth of May of two thousand fifteen.
Lcdo. Pablo Cobo Luna, SECRETARY OF THE BANKING BOARD