2015-05-08 | JB-2015-3399
The Banking Board of Ecuador issued Resolution JB-2015-3399 to reject the appeal filed by Banco Nacional de Fomento regarding a customer complaint about unauthorized ATM withdrawals. The Board ratified the previous order requiring the bank to refund USD 2,337.50 to the customer, Norma del Rocío Romo Allauca, for funds stolen from her account. The decision establishes that the bank bears the operational risk of electronic transaction security and cannot shift liability to the customer for alleged card misuse without evidence.
THAT through a communication dated January 9, 2014, Ms. Norma del Rocío Romo Allauca filed a complaint with the Superintendency of Banks against the Banco Nacional de Fomento, in the following terms:
"(...) My complaint is to bring to your attention the money stolen from my Savings Account (SIC) without my consent through ATMs. It should be clarified that I have not used my card for at least 2 months as it is damaged and the ATM does not recognize its reading. For this reason, I ask that through you, you request the bank to return my money or provide detailed information about this harm that occurred from December 26, 2013, to January 2, 2014, for an estimated amount of $2,046.00 dollars (...)";
THAT with Official Letter No. IRG-DAYEU-V-R-2014-322 of April 16, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, resolved favorably the complaint of Ms. Norma del Rocío Romo Allauca and ordered the financial institution to restore USD $2,337.50. In this line, through a document entered into the control body on May 2, 2014, the Banco Nacional de Fomento filed an appeal against Official Letter No. IRG-DAYEU-V-R-2014-322 of April 16, 2014, whose claims were rejected with Official Letter No. IRG-DAYEU-V-R-2014-766 of June 14, 2014;
THAT with a document entered into the Superintendency of Banks on July 29, 2014, Master Ángela Mercedes Avilés Gómez, Commercial Manager of the Banco Nacional de Fomento, filed before the Banking Board an appeal against Official Letter No. IRG-DAYEU-V-R-2014-766 of June 14, 2014;
THAT Articles 1 and 180 of the General Law of Financial System Institutions, in force at the time of the complaint, provide that the General Law of Financial System Institutions regulates the creation, organization, activities, functioning, and extinction of private financial system institutions, as well as the organization and functions of the Superintendency of Banks, the entity responsible for the supervision and control of the financial system, in all of which the protection of public interests is taken into account. In this line, the control body may impose administrative sanctions on the institutions it controls when they contravene the provisions governing them, as well as on their directors, administrators, and officials, and on credit subjects who infringe the provisions of this Law, in the cases indicated therein;
THAT in this regard, integral risk management is one of the responsibilities attributed to financial institutions that are part of the system; therefore, the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, in Articles 2 and 3 of Chapter I, Title X, Book I, provides as follows:
"Article 2.- For the purposes of the application of this chapter, the following definitions are determined:
2.1 Risk.- It is the possibility that an event generating losses affecting the economic value of institutions occurs;
2.2 Risk Management.- It is the process by which financial system institutions identify, measure, control/mitigate, and monitor the risks inherent to the business, with the objective of defining the risk profile, the degree of exposure the institution is willing to assume in the development of the business, and the hedging mechanisms, to protect its own resources and those of third parties under its control and administration;
(...)
2.9 Operational Risk.- It is the possibility that losses occur due to events originating from failures or insufficiencies in processes, people, internal systems, technology, and in the presence of unexpected external events. It includes legal risk but excludes systemic and reputation risks.
It groups a variety of risks related to internal control deficiencies; inadequate systems, processes, and procedures; human errors and fraud; failures in computer systems; occurrence of adverse external or internal events, that is, those that affect the institution's ability to respond to its commitments in a timely manner, or compromise its interests (...)".
"Article 3.- Financial system institutions have the responsibility to manage their risks, for which purpose they must have formal integral risk management processes that allow identifying, measuring, controlling/mitigating, and monitoring the risk exposures they are assuming.
(...)";
THAT likewise, the pertinent part of Article 4, Chapter V, Title X, Book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board provides as follows:
"Article 4.- With the purpose of minimizing the probability of incurring financial losses attributable to operational risk, the following aspects, which are interrelated, must be adequately managed:
4.3 Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is intact, confidential, and available for appropriate decision-making.
To consider the existence of an appropriate operational risk management environment, controlled institutions must formally define policies, processes, and procedures that ensure adequate planning and management of information technology.
4.3.4 With the objective of guaranteeing that the security administration system satisfies the entity's needs to safeguard information against unauthorized use, disclosure, and modification, as well as damage and losses, controlled institutions must have at least the following:
4.3.4.8 Formal controls to protect information contained in documents; storage media or other external devices; the electronic use and exchange of data against damage, theft, unauthorized access, use, or disclosure of information for purposes contrary to the entity's interests, by all its personnel and its providers;
4.3.4.12 Controlled institutions that offer electronic transfer and transaction services must have information security policies and procedures that guarantee that operations can only be performed by duly authorized persons; that the communication channel used is secure, through information encryption techniques; that there are alternative mechanisms that guarantee the continuity of the offered service; and, that they ensure the existence of audit trails.
4.3.8 Security measures in electronic channels.- With the objective of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to prevent the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients under the care of controlled institutions, these must comply with at least the following:
4.3.8.8 Offer customers the necessary mechanisms to personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.
Among the main personalization conditions for each type of electronic channel, the following must be included: registration of accounts to which transfers are desired, registration of authorized computer IP addresses, the authorized mobile phone number(s), maximum amounts per daily, weekly, and monthly transaction, among others. (...);
THAT also Articles 1, 4, 5, 6, and 18, Chapter III, Title XIV, Book I, of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, in the present case in force by virtue of the First Transitional Provision of the Organic Monetary and Financial Code, provide as follows:
"Article 1.- This Code aims to establish the principles and rules governing the exercise and protection of the rights of the user of the financial system, considering that financial activities are of public order and must be subject, in particular, to principles of sound practices applied by the corporate governance of the institutions that make up the financial system. Its scope of application involves the relationships between users and financial institutions controlled by the Superintendency of Banks and Insurance of Ecuador, without prejudice to other legal provisions that contemplate measures and instruments of protection for the user of the financial system.
For the purposes of this Code, the legal terms contained in its text shall be understood in accordance with the glossary contained in the final article."
"Article 4.- The rights of the user of the financial system contained in this Code are non-waivable as financial services are considered of public order, social interest, and mandatory observance throughout the country. Any stipulation to the contrary shall be considered null."
"Article 5.- The rights of the user of the financial system regarding the financial products and services offered by financial system institutions, in accordance with the law and sound practices, shall be protected, in the first instance, by the client defender of financial institutions, and by the Superintendency of Banks and Insurance, and for this purpose, it may act ex officio or at the request of a party in accordance with what is expressly mandated by the Constitution and applicable laws, without prejudice to the competencies that other authorities exercise in accordance with the law.
Nevertheless, any public authority, in the application of its competencies and in accordance with the law, shall protect the rights of the user of the financial system. (...)".
"Article 6.- Users of financial products and services shall exercise their rights within the framework of the universal principle of good faith."
"Article 18.- The Superintendency of Banks and Insurance, in the exercise of its constitutional and legal functions of regulation and supervision, preventive and corrective, shall have as its fundamental principle the protection of the rights of the user of the financial system."
THAT in application of what is provided in letter o) of Article 180 of the General Law of Financial System Institutions, the Banking Board issued Resolution No. JB-2005-747 of January 25, 2005, which was reformed with Resolution No. JB-2009-1303 of May 14, 2009, regarding the procedure for handling complaints against financial system institutions, which is contained in Chapter IV, Title XX, Book I of the Codification of Resolutions of the Superintendency of Banks and Insurance and of the Banking Board, whose Article 5 provides:
"Article 5.- If the result of the analysis carried out by the Superintendency determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who holds the delegation of said authority shall issue the corresponding disposition.
If the situation that motivated the complaint referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused harm to the complainant, the Superintendency of Banks and Insurance may order the return of the claimed values, in the exercise of the functions and attributions contemplated in letters b) and o) of Article 180 of the General Law of Financial System Institutions, granting the legal representative of the entity a period that shall not exceed fifteen (15) days from the notification to send, under the legal warnings, the proof of compliance with the issued order." (Emphasis added);
THAT by virtue of the cited norms, the client delivers money to a financial institution with the option to withdraw it, in part or entirely, at the moment it is required, while the depositary entity assumes the obligation to keep or safeguard the deposited values and satisfactorily attend all withdrawal operations required by the holder, with diligence and professional care;
THAT the financial institution has the obligation to safeguard the deposited values and satisfactorily attend all withdrawal operations required by the client; likewise, it is responsible for providing with efficiency and responsibility the services offered to system users, among which are transfers through different electronic channels, such as ATMs, even of several financial entities belonging to BANRED. In this line, the Bank is obligated to evaluate and demand the appropriate securities in order to be able to fulfill its obligations as a depositary of the monies that its clients have entrusted to it, with the purpose of being able to provide a quality service;
THAT with regard to Official Letter No. IRG-DAYEU-V-R-2014-322 of April 16, 2014, it is noted that Banco Nacional de Fomento, regarding the present complaint, states: "(...) According to the review of notifications from the BANRED Security Committee, there are coincidences of compromise in ATMs used by our client, which are detailed below: On September 2, 2013, the BANRED Security Committee notified ATM 13280 of the Banco de Guayaquil as a possible point of compromise on date 31/08/2013... Taking into consideration the habitual nature of withdrawals, the amounts, place, and times of their execution, it can be concluded that although the transactions claimed with respect to the transactions made by the client present an atypical pattern (...)";
THAT in this way, according to the criterion of the Regional Intendant of Guayaquil, the incorrect procedure in which Banco Nacional de Fomento incurred is configured in the context of the complaint of Ms. Norma del Rocío Romo Allauca;
THAT the Superintendency of Banks is responsible for supervising and controlling the operations of institutions that are part of the national financial system, as well as for protecting the interests of users of this sector;
THAT Banco Nacional de Fomento intends to transfer to the financial user the risks inherent to the organization and execution of the transfer service through electronic channels offered by the institution through BANRED, by holding her responsible for the same due to the misuse of her debit card; however, there is no record in the case file regarding the facts in question;
THAT both the Constitution of our country, the General Law of Financial System Institutions, and the Codification of Resolutions of the Superintendency of Banks and the Banking Board ensure the compliance and implementation of procedures and mechanisms that protect and disseminate the rights of financial users, attributing corrective, controlling, and sanctioning faculties to the Superintendency of Banks, so that it carries out such functions;
THAT for the aforementioned reasons, it must be emphasized that it is not appropriate to place the responsibility for the possible cloning of the debit card on Ms. Norma del Rocío Romo Allauca based solely on the fact that the complainant used the card in BANRED ATMs, that is, in the manner she was contractually authorized to do so; such use is not evidence of failure to care for the assigned debit card, nor does it exempt Banco Nacional de Fomento from its duty to be a guarantor of the money deposited with it, nor does it transfer to her the risks inherent to the organization and execution of the ATM service;
THAT for further clarification, it is important to note that the contracts entered into with BANRED to offer the clients of Banco Nacional de Fomento wider ATM coverage are the exclusive responsibility of the referred entities, and the operational risk of said service cannot be transferred to Ms. Norma del Rocío Romo Allauca;
THAT the National Legal Intendency, through memorandum INJ-DNJ-SAL-2015-0118 of February 4, 2015, recommended to the Banking Board to reject the claim contained in the appeal filed by the Commercial Manager of Banco Nacional de Fomento; and,
In exercise of its legal attributions,
SINGLE ARTICLE.- REJECT the petition contained in the appeal filed; and, consequently, RATIFY Official Letter No. IRG-DAYEU-V-R-2014-766 of June 14, 2014, with which the payment order of USD $2,337.50 contained in Official Letter No. IRG-DAYEU-V-R-2014-322 of April 16, 2014, in favor of Ms. Norma del Rocío Romo Allauca, in the context of the complaint she maintains against Banco Nacional de Fomento, was confirmed.
NOTIFY.- Given at the Superintendency of Banks and Insurance, in Quito, Metropolitan District, on the eighth day of May of the year two thousand fifteen.
Signature: Econ. Rodrigo Landeta Parra
GENERAL INTENDANT (S)
PRESIDENT OF THE BANKING BOARD SESSION (E)
I CERTIFY.- Quito, Metropolitan District, on the eighth day of May of the year two thousand fifteen.
Signature: Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD