2015-04-30 | JB-2015-3391

Resolution No. JB-2015-3391 of the Banking Board of Ecuador

The Banking Board of Ecuador issued Resolution No. JB-2015-3391 to reject the appeal filed by Banco de Guayaquil S.A. and confirm the administrative order requiring the bank to refund $1,130.00 to client Jonathan Rafael Galarza Romero. The Board determined that the bank failed to guarantee the security of electronic transfer channels by allowing a transaction from an unauthorized IP address in Peru, constituting a procedural error. This decision reinforces the bank's obligation to implement robust fraud prevention measures and verify user identity beyond simple credential validation.

Superintendencia de Bancos Ecuador

Banking Board of Ecuador

RESOLUTION No. JB-2015-3391

THE BANKING BOARD

CONSIDERING:

THAT according to the last paragraph of the Second Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332, of September 12, 2014, the Banking Board will continue to act until it resolves all appeals it was hearing on the date this Code took effect, for a period of one hundred and eighty days;

THAT Mr. Jonathan Rafael Galarza Romero, on November 27, 2013, filed a complaint with the Regional Intendancy of Guayaquil against Banco de Guayaquil S.A., stating that an interbank transfer was made from his checking account No. 15245964 in the total amount of $1,130.00, which was not authorized by the complainant, and that the transfer was made via internet without his consent, in violation of all the security measures that the financial entity was obligated to provide. The complaint filed by Mr. Jonathan Rafael Galarza Romero was admitted for processing by the Regional Intendancy of Guayaquil through letter No. DAYEU-ISFP-REQ-2013-1705, of December 13, 2013; and, in the same administrative act, it was notified and served on Banco de Guayaquil S.A.;

THAT through letter No. UAC-SBS-2013-757, of December 30, 2013, Banco de Guayaquil S.A., in response to the request from the Guayaquil Intendancy requested through letter No. DAYEU-ISFP-REQ-2013-1705, of December 13, 2013, stated the following:

"(...) Within the review performed and according to what was stated by Mr. Jonathan Rafael Galarza Romero, it was determined that the client was a victim of computer fraud known as 'Phishing', which is the act of fraudulently acquiring through deception personal information such as passwords or other sensitive client information, consisting of the ability to maliciously duplicate bank web pages and indiscriminately send emails so that one accesses this page and the user provides the confidential and non-transferable access data to their bank. (sic)

The entity has a fraud prevention system that includes an authentication process in Virtual Banking that begins with the creation of a user, and an alphanumeric key, the selection of a security image and the assignment of the name to the image, as well as answers to challenge questions (Credit Bureau) and of a personal nature, which constitutes the validation of the client's identification in this channel."


Resolution No. JB-2015-3391

Page 2

During the access process to the Virtual Banking of Banco de Guayaquil S.A., upon entering the user that identifies the client, the security image and the name assigned to it are displayed, factors that identify the authenticity of the bank's web page, prior to entering the password defined by the client.

(...)

The transfer of funds was carried out through Virtual Banking, using coordinate card No. 213364, which was delivered to the client on July 31, 2013.

(...)" (sic);

THAT through letter No. IRG-DAYEU-V-R-2014-359, of April 30, 2014, the Regional Intendancy of Guayaquil resolved principally the following:

"(...) From the constitutional and regulatory framework cited above, it is determined that Banco de Guayaquil S.A., as responsible for the services offered to its clients, among which are transfers through electronic channels, is obligated to evaluate and demand the necessary security measures in order to fulfill its obligations as custodian of the monies that its clients have entrusted to it.

(...)

i) Banco de Guayaquil S.A. has acknowledged in its defenses that the questioned transfer was made from IP address 186.162.3.125, which is located in Peru. Regarding this, sections 4.3.4.8, 4.3.4.12, sub-paragraph 4.3.4, paragraph 4.3, article 4 section II, chapter V; title X; book I, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board...

(...)

m) From the review of the file, it is determined that the transaction was carried out from IP address 186.162.3.125.

The file contains the history of interbank transfer transactions, in which the IP addresses from which Mr. Jonathan Rafael Galarza Romero has carried out operations through Virtual Banking are found; it can be appreciated that the transaction subject of the complaint was made from an IP located in Peru, an IP not habitual for the complainant to make transfers, nor registered by him for such purposes.

In merit of the above, and in exercise of the powers delegated by the Superintendent of Banks and Insurance, through Resolution No. ADM-2013-11454, of April 2, 2013, this Office, resolves:

  1. ACCEPT the claim presented by Mr. JONATHAN RAFAEL GALARZA ROMERO, with citizenship card number 070342932-4, against the controlled financial institution BANCO DE GUAYAQUIL S.A., on the grounds that it has not been evidenced that the complainant failed to comply with the recommendations issued by the entity for the process of transfers via internet.

  2. ORDER BANCO DE GUAYAQUIL S.A. to proceed to restore to Mr. JONATHAN RAFAEL GALARZA ROMERO the sum of ONE THOUSAND ONE HUNDRED AND THIRTY 00/100 DOLLARS OF THE UNITED STATES OF AMERICA (US$ 1,130.00), in the checking account No. 15245964 that he maintains in the aforementioned bank, a value corresponding to the transfer not authorized by the user via internet, and send to this Office, within a term of eight days, counted from the receipt of this letter, the documentation that accredits the compliance with this resolution.

(...)" (sic);

THAT through a document entered in the Regional Intendancy of Guayaquil on May 16, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., with the professional sponsorship of lawyer Rosa Tobar Reina, filed an appeal for reconsideration against letter No. IRG-DAYEU-V-R-2014-359, of April 30, 2014, in which the total refund of the values claimed by Mr. Jonathan Rafael Galarza Romero was ordered;

THAT through letter No. IRG-DAYEU-V-R-2014-585, of June 11, 2014, the Regional Intendant of Guayaquil, upon analyzing the appeal for reconsideration filed by the Executive President – General Manager of the financial entity, principally concluded:

"(...)

  1. REJECT the claim contained in the appeal for reconsideration filed by Banco de Guayaquil S.A.; and, consequently, CONFIRM the administrative act contained in Letter No. IRG-DAYEU-V-R-2014-359, of April 30, 2014.
  2. NOTIFY the controlled financial institution BANCO DE GUAYAQUIL S.A., and Mr. JONATHAN RAFAEL GALARZA ROMERO, with the entire content of this letter, so that they may exercise the administrative appeals established in the current legal framework.

(...)" (sic);


THAT through communication entered in the Regional Intendancy of Guayaquil of the Superintendence of Banks and Insurance on June 23, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President - General Manager of Banco de Guayaquil S.A., filed before the Banking Board an appeal for review against the administrative acts contained in letters Nos. IRG-DAYEU-V-R-2014-359 and IRG-DAYEU-V-R-585, of April 30, 2014 and June 11, 2014, respectively; through the latter letter, the Regional Intendant of Guayaquil rejected the appeal for reconsideration and ratified letter No. IRG-DAYEU-V-R-2013-359, of April 30, 2014;

THAT the appeal for review was accepted for processing by lawyer Pablo Cobo Luna, Secretary of the Banking Board, through letter No. JB-2014-1683, of July 1, 2014;

THAT through letter No. JB-2014-1684, of July 1, 2014, lawyer Pablo Cobo Luna, Secretary of the Banking Board, informed Mr. Jonathan Rafael Galarza Romero of the appeal for review filed by Mr. Víctor Hugo Alcívar Álava, Executive Vice President - General Manager of Banco de Guayaquil S.A., and extended the term to resolve the filed appeal by an additional sixty days;

THAT the appellant bases his appeal for review on the following:

  • That according to the known factual elements, this is a case of computer fraud, under the phishing modality, since the transfer of funds is made through virtual banking and with the use of the client's personal keys, who alleges not having delivered them; therefore, this case falls within the norms contained in Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011 issued by the then Superintendent of Banks and Insurance and the Attorney General of the State;

  • That the authority's assertion that in the questioned transactions there is supposedly a weakness in operational controls and absence of good banking practices, disregards all the security measures maintained by the bank; in fact, these controls and security measures have been verified in the visits and audits carried out by the control body itself, so it is contradictory that the authority now disregards these mechanisms, when they constitute security of the highest level;

  • That it is not the financial institution's burden to prove when and how the phishing took place, since this proof would be simply impossible, as from the proper or improper use of the client's personal keys, no proof can be asked of the bank, since this custody belongs exclusively to the client; the bank's burden is to verify that the transactions are processed with the client's personal and secret keys;

  • That the bank has implemented as a security measure the registration of IP addresses of authorized computers, as a control pursuant to the regulations on security measures in electronic channels, controls that are implemented 100% in the virtual banking channel, so the transaction in question was correctly processed, because in them the system validated the client's key and coordinates which are only known and custodied by the user; and,

  • That it must be mentioned that the only cause for which the authority can order the refund of the claimed values is when the controlled institution commits an incorrect procedure that causes harm to the complainant, as established in article 5 of Section I, of Chapter IV, of Title XX, of Book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board; however, in the present case the financial institution did not commit any incorrect procedure, since the transfer of funds was made with the client's secret keys;

THAT section 4.3.4.12, of sub-paragraph 4.3.4, of paragraph 4.3, of article 4, of section II, chapter V, title X, book I of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, provides:

ARTICLE. 4.- With the purpose that the probability of incurring financial losses attributable to operational risk is minimized, the following aspects must be adequately administered, which are interrelated:

(...)

4.3 Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making.

To consider the existence of an appropriate operational risk management environment, controlled institutions must formally define policies, processes, and procedures that ensure adequate planning and administration of information technology.

These policies, processes, and procedures will refer to:

(...)

4.3.4 With the object of guaranteeing that the security administration system satisfies the entity's needs to safeguard information against unauthorized use, disclosure, and modification, as well as damages and losses, controlled institutions must have at least the following:


(...) 4.3.4.12 Controlled institutions that offer transfer and electronic transaction services must have information security policies and procedures that guarantee that operations can only be performed by duly authorized persons; that the communication channel used is secure, through information encryption techniques; that there are alternate mechanisms that guarantee the continuity of the offered service; and, that ensure the existence of audit trails.

(...) "(Emphasis added);

THAT articles 1 and 180, of the General Law of Financial System Institutions, in force at the date the appeal was filed, provide:

Art. 1.- This Law regulates the creation, organization, activities, functioning, and extinction of private financial system institutions, as well as the organization and functions of the Superintendence of Banks and Insurance, within its competence, entity in charge of the supervision and control of the financial system, in all of which the protection of public interests is taken into account.

(...)"

Art. 180.- The Superintendent of Banks has the following functions and powers:

(...)

b) To ensure the stability, solidity, and correct functioning of institutions subject to its control and, in general, that they comply with the norms governing their functioning, through permanent off-site supervision and on-site inspection visits, in accordance with international best practices, without any restriction and that allow determining the economic and financial situation of the entity, the management of its business, evaluate the quality and control of risk management, and verify the veracity of the information it generates;

(...)

o) Demand that controlled institutions present and adopt the corresponding corrective measures...";

THAT article 308 of the Constitution of the Republic of Ecuador provides that financial activities are a public order service, and may be exercised, with prior authorization of the State, in accordance with the law; therefore, they will have the fundamental purpose of preserving deposits and meeting financing requirements for the achievement of the country's development objectives, and that financial activities will efficiently intermediate the resources captured to strengthen national productive investment, and socially and environmentally responsible consumption;

THAT from the current regulations mentioned above, it can be inferred that the Superintendence of Banks and Insurance is the control body in charge of supervising and monitoring the financial system at all times, in accordance with what is established in the Constitution of the Republic and the General Law of Financial System Institutions, and that its main mission is the protection of the interests of persons who have placed their trust in the banking system; therefore, according to article 308 of the Constitution of the Republic, the fundamental purpose of financial activities is to preserve the deposits of its clients. (Emphasis added);

THAT paragraph 25, of article 66, Chapter Sixth, "Rights of Liberty" of the Constitution of the Republic of Ecuador, recognizes and guarantees to persons access to public and private goods and services of quality, with efficiency, effectiveness, and good treatment, as well as to receive adequate and truthful information about their content and characteristics;

THAT in the present case, Banco de Guayaquil S.A. has failed to fulfill its obligations as custodian of client values, since based on the right to dispose of goods and services of optimal quality guaranteed by the Constitution, it must be stated that Banco de Guayaquil S.A. when offering the transfer service through virtual banking, was obligated to evaluate and demand the necessary security measures in order to provide a secure, optimal, and efficient service to all its clients. This obligation was breached since in the present case it has been determined that the transaction was carried out from IP address No. 186.162.3.125, located in Peru, which is not habitual for the complainant to make transfers, nor registered by him for such purposes, which constitutes an infringement of number 4.3.8.8, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board;

THAT the financial entity has the legal obligation to guarantee that the transfer service has the security measures needed to strengthen the Virtual Banking service, measures that are not limited to the correct custody and use of the key and coordinates known by the client and delivered to him by the bank, but extend to the expected and efficient functioning of the fraud prevention system adopted by Banco de Guayaquil S.A.; therefore, from the file subject to analysis, it follows that the authentication process used by Mr. Jonathan Rafael Galarza Romero until November 2013 did not have the computer security measures to prevent unauthorized access to the accounts of their holders, which is an evident incorrect procedure of the bank. To strengthen what is stated, it is necessary to point out what is provided in section 4.3.8.8, paragraph 4.3.8, of article 4, of chapter IV, title X, book I, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, which provides:


4.3.8 Security measures in electronic channels.- With the object of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to prevent the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients in charge of controlled institutions, these must comply at least with the following:

(...)

4.3.8.8. Offer clients the necessary mechanisms so that they personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.

Among the main personalization conditions for each type of electronic channel, there must be: registration of the accounts to which they wish to make transfers, registration of IP addresses of authorized computers, the authorized mobile phone number or numbers, maximum amounts per daily, weekly, and monthly transaction, among others.

(...) "(Emphasis added);
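The personalization conditions listed in 4.3.8.8 (registered destination accounts, registered IP addresses of authorized computers, maximum amounts per day, week and month) together with the audit-trail requirement of 4.3.4.12 map directly onto a pre-authorization check that runs before a transfer is executed. The following Python is an added illustration, not code from the resolution or from Banco de Guayaquil: the client profile, limits and sample transfers are constructed, rolling time windows are an assumed interpretation of the daily/weekly/monthly maximums, and the only value taken from the resolution is the IP address 186.162.3.125 from which the disputed transfer was made.

```python
"""Added example (not from the resolution or the bank): enforcing the
personalisation controls of section 4.3.8.8 before an online transfer,
with the audit trail required by 4.3.4.12.  All profile data, limits and
sample transfers are constructed; only the IP 186.162.3.125 is taken
from the resolution."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class ClientProfile:
    """Conditions the client personalised for the virtual-banking channel."""
    account: str
    registered_destinations: Set[str]   # accounts transfers may go to
    authorized_ips: Set[str]            # IPs of the client's registered computers
    daily_limit: float
    weekly_limit: float
    monthly_limit: float


@dataclass
class Transfer:
    ts: datetime
    destination: str
    amount: float
    source_ip: str


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def _total_since(history: List[Transfer], start: datetime) -> float:
    """Sum of previously approved transfers at or after `start`."""
    return sum(t.amount for t in history if t.ts >= start)


def evaluate_transfer(profile: ClientProfile, tx: Transfer,
                      approved_history: List[Transfer],
                      audit_log: List[Dict]) -> Decision:
    """Apply the client's personalised conditions.  Every evaluation, allowed
    or not, is appended to `audit_log` so the channel keeps an audit trail."""
    reasons: List[str] = []
    if tx.destination not in profile.registered_destinations:
        reasons.append("destination account not registered by client")
    if tx.source_ip not in profile.authorized_ips:
        reasons.append(f"source IP {tx.source_ip} not registered as authorized computer")
    # Rolling windows (assumed interpretation of the daily/weekly/monthly maximums).
    windows = (("daily", timedelta(days=1), profile.daily_limit),
               ("weekly", timedelta(days=7), profile.weekly_limit),
               ("monthly", timedelta(days=30), profile.monthly_limit))
    for name, span, limit in windows:
        if _total_since(approved_history, tx.ts - span) + tx.amount > limit:
            reasons.append(f"{name} limit of {limit:.2f} exceeded")
    decision = Decision(allowed=not reasons, reasons=reasons)
    audit_log.append({"ts": tx.ts.isoformat(), "account": profile.account,
                      "destination": tx.destination, "amount": tx.amount,
                      "source_ip": tx.source_ip, "allowed": decision.allowed,
                      "reasons": list(reasons)})
    if decision.allowed:
        approved_history.append(tx)   # only approved transfers count toward limits
    return decision


def run_demo() -> Tuple[List[Decision], List[Dict]]:
    """Three constructed transfers: one within policy, one over the daily
    maximum, and one that reproduces the fact pattern of the resolution
    (unregistered destination, unregistered IP, over the daily maximum)."""
    profile = ClientProfile(
        account="CC-000001",                  # constructed account id
        registered_destinations={"DEST-A", "DEST-B"},
        authorized_ips={"203.0.113.10"},      # constructed (documentation range)
        daily_limit=1000.0, weekly_limit=3000.0, monthly_limit=6000.0)
    history: List[Transfer] = []
    audit: List[Dict] = []
    t0 = datetime(2013, 11, 20, 10, 0)
    txs = [
        Transfer(t0, "DEST-A", 400.0, "203.0.113.10"),
        Transfer(t0 + timedelta(hours=2), "DEST-A", 700.0, "203.0.113.10"),
        Transfer(t0 + timedelta(days=1, hours=1), "DEST-X", 1130.0, "186.162.3.125"),
    ]
    decisions = [evaluate_transfer(profile, tx, history, audit) for tx in txs]
    return decisions, audit


if __name__ == "__main__":
    for rec in run_demo()[1]:
        print(rec)
```

The third transfer is refused for three independent reasons, and the audit record states each of them, which is the evidence a supervisor would later look for in a file like the one analysed here. In a production channel a refusal of this kind would trigger step-up verification of the client or an alert to the fraud unit rather than a silent failure, and the registration of new IPs or destinations would itself be a controlled, logged action.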

THAT in merit of the above, it is worth mentioning what is provided in article 5 of chapter IV.- "Procedure for the attention of complaints against Financial System Institutions", title XX.- "Of the Superintendence of Banks and Insurance", book I.- "General norms for the application of the General Law of Financial System Institutions" of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, states:

ARTICLE 5.- If the result of the analysis performed by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding order.

If the situation that motivated the complaint referred to in the previous paragraph, originated in an incorrect procedure of the controlled institution, which caused harm to the complainant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and powers contemplated in letters b) and o) of article 180 of the General Law of Financial System Institutions, granting the legal representative of the entity a term that cannot exceed fifteen (15) days from the notification to send, under the legal warnings, the record of compliance with the order issued.";


THAT concomitant with the above, it is important to point out that Banco de Guayaquil S.A. has not been able to disprove its responsibility in the case claimed by Mr. Jonathan Rafael Galarza Romero; on the contrary, the file subject to analysis contains internal report No. FR-I-2013-0463, addressed to engineer Dora Samaniego T., Sub-manager of the Prevention and Fraud Unit, concerning the complaint presented by the complainant, which includes the history of interbank transfer transactions detailing the alleged operations through virtual banking, from which it is appreciated that the operations subject of the complaint were made from an IP located in Peru. In light of this, under the shelter of what is provided in section 4.3.8.8, paragraph 4.3.8, of article 4, of chapter IV, title X, book I, of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, transcribed in previous considerations, it is not appropriate for the financial entity to shift the responsibility to the user of the financial system, since the financial entity must guarantee the security in the handling and integrity of its clients' funds;

THAT as a consequence of what is expressed and in application of the aforementioned article 5, of chapter IV.- "Procedure for the attention of complaints against Financial System Institutions", title XX.- "Of the Superintendence of Banks and Insurance", book I.- "General norms for the application of the General Law of Financial System Institutions" of the Compilation of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, it corresponds for this control body to order the return of the claimed value;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2014-0865 of November 6, 2014, recommended the Banking Board to reject the claim contained in the appeal for review filed;

AND IN exercise of its legal powers,

RESOLVES:

SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar Álava, Executive Vice President - General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM letter No. IRG-DAYEU-V-R-2014-585, of June 11, 2014, with which the Regional Intendancy of Guayaquil rejected the appeal for reconsideration, and ratified the administrative act contained in letter No. IRG-DAYEU-V-R-2013-359, of April 30, 2014, with which it was resolved: "(...) ORDER BANCO DE GUAYAQUIL S.A. to proceed to restore to Mr. JONATHAN RAFAEL GALARZA ROMERO the sum of ONE THOUSAND ONE HUNDRED AND THIRTY