2015-06-17 | JB-2015-3488

Resolution No. JB-2015-3488 of the Banking Board of Ecuador

The Banking Board of Ecuador issued Resolution No. JB-2015-3488 to reject the appeal filed by Banco de Guayaquil S.A. regarding an unauthorized internet transfer of USD $2,400.00 from a customer's account. The Board confirmed that the bank failed to implement efficient security policies and operational risk management systems, specifically noting the lack of fraud alerts and failure to notify the client of the transaction. Consequently, the resolution orders the bank to restitute the disputed funds to the customer, Miguel Eusebio Merchán Cervantes, within the established timeframe.

Banking Board of Ecuador

RESOLUTION No. JB-2015-3488

THE BANKING BOARD

CONSIDERING:

THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332 of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and the norms issued by the control bodies, will maintain their validity in all that does not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures that it was hearing on the date of validity of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

THAT on November 21, 2013, Mr. Medardo García Macías filed a claim at the Regional Intendancy of Guayaquil against Banco de Guayaquil S.A., regarding the unauthorized withdrawal of USD $2,400.00 from his checking account No. 2340089;

THAT by letter No. DAYeU-ISFP-REQ-2013-1686 of December 12, 2013, the Director of User Attention and Education of the Regional Intendancy of Guayaquil requested Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., to submit defenses and explanations regarding the claim presented by Mr. Miguel Eusebio Merchán Cervantes;

THAT through letter No. UAC-SBS-2014-168 of February 6, 2014, received by the Superintendence of Banks on February 19, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., submitted copies of the documents held in the file of the claim of Mr. Miguel Eusebio Merchán Cervantes;

THAT by letter No. IRG-DAYeU-V-R-2014-434 of May 13, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, resolved to order Banco de Guayaquil S.A. to proceed to restore to Mr. Miguel Eusebio Merchán Cervantes the sum of USD $2,400.00 in checking account No. 2340089, a value corresponding to the unauthorized transfer by the user via internet, and to send to the control body within eight days evidence of compliance with this resolution;

THAT through communication, received by this Superintendence on May 28, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the sponsorship of Dr. Rosa Tobar Reina, filed an appeal for reconsideration against the administrative act contained in letter No. IRG-DAYeU-V-R-2014-434 of May 13, 2014; which was rejected by letter No. IRG-DAYeU-V-R-2014-853 of August 5, 2014;

THAT through communication received by the Superintendence of Banks on August 15, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the professional sponsorship of Dr. Rosa Tobar Reina, filed before the Banking Board an appeal for review against the administrative act contained in letter No. IRG-DAYeU-V-R-2014-853 of August 5, 2014, which was accepted for processing by letter No. JB-2014-2339 of September 1, 2014;

THAT among the factual and legal grounds are the following:

  • That this is a case of computer fraud, under the phishing modality, since the transfer of funds is made through virtual banking and using the client's personal keys, who alleges not having delivered them. Therefore, this case falls within the norms contained in Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011.

  • That the security system maintained by Banco de Guayaquil S.A. on the date the claimed event occurred consisted of an efficient fraud prevention system, strengthened with the use of the coordinate card, Bancontrol, which increases the security of static passwords and represents an additional barrier against electronic fraud, a mechanism that provides random keys to provide security in such transactions.

  • That the Bank has implemented as a security measure the registration of IP addresses of authorized computers, as a control pursuant to regulations on security measures in electronic channels, controls that are 100% implemented in the virtual banking channel.

  • That the security process was indeed fulfilled, that is, the information emails about the transaction were sent to the email address registered by the client and with warnings about the transactions carried out, facts that can be proven with technological records, therefore, the client's assertion denying that these steps were fulfilled is not correct.

  • That the only cause in which the authority can order the reimbursement of the claimed values is when the controlled institution commits an incorrect procedure that causes harm to the claimant.

THAT Banco de Guayaquil S.A. emphatically determines that this case is a computer fraud under the phishing modality and that therefore this case falls within the norms contained in Interinstitutional Resolutions No. 001-FGE-SBS-2011 and No. 002-FGE-SBS-2011;

THAT said interinstitutional resolutions were applicable to certain specific cases detailed therein, within which the claim of Mr. Miguel Eusebio Merchán Cervantes against Banco de Guayaquil S.A. is not included; consequently, at the moment the banking entity recognizes that Mr. Miguel Merchán was the victim of the computer fraud known as phishing, it is recognizing the vulnerability of its computer systems, thus constituting an incorrect procedure on the part of the Bank;

THAT paragraph a) of Article 51 of the General Law of Institutions of the Financial System applicable to this case, stated that banks are authorized to receive public resources in demand deposits, which are banking obligations, comprising monetary deposits payable upon presentation of checks or other payment mechanisms and registration;

THAT Banco de Guayaquil S.A. assumes the obligation to keep or safeguard deposited values with diligence and professional care, and is likewise responsible for the other services offered to its clients, such as transfers through the various electronic channels, so it is obliged to evaluate and demand the security measures as the depositary of the money its clients have entrusted to it;

THAT with reference to the argument that coordinate cards, Bancontrol, increase the security of static passwords and represent an additional barrier against electronic fraud, the controlled institution highlights the observance and compliance with the corresponding reforms to security measures in electronic channels;

THAT in Article 4, Chapter V "On Operational Risk Management", Title X "On Risk Management and Administration", Book I "General Norms for Institutions of the Financial System", of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, the measures that entities must adopt to mitigate possible losses attributed to operational risk are established;

THAT Banco de Guayaquil S.A. sent an internal report in which it evidenced that according to the ITREPORTS application, the client's movement on the date subject of the claim, was processed through IP address 201.230.232.3, located in Lima-Peru, for which it is determined that it is not a habitual IP of the claimant to make transfers nor registered by him;

THAT the financial institution states that the only way to enroll or register both IP addresses and accounts is through Virtual Banking, which is only achieved with the validation of the key granted to its clients, therefore, if clients compromise this information, this frees the bank from responsibility for the mishandling of this key. However, in the case at hand, it is not evidenced that Mr. Miguel Eusebio Merchán Cervantes has compromised at any time his access key to virtual banking nor neglected the custody of the Bancontrol coordinate card delivered by the financial institution;

THAT the bank's system did not emit any alert for the transaction carried out on November 18, 2013, allowing it to conclude successfully without the account holder noticing it, preventing him from giving immediate notice to the bank and thus avoiding the consummation of the fraud through an urgent blocking of funds. Therefore, Banco de Guayaquil S.A. did not comply with several of the obligations provided in Article 4, Chapter V "On Operational Risk Management", Title X "On Risk Management and Administration", Book I "General Norms for Institutions of the Financial System", of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board;

THAT in this case, there is responsibility of Banco de Guayaquil S.A. in the disputed transaction, since on the date of the claim the bank did not maintain for its transactional channels an efficient fraud prevention system, since the client was never notified of the execution of the transaction subject of the claim, which would have avoided the withdrawal of money, if the financial institution had not incurred in incorrect procedures, such as the malfunction of the access alert signals to the virtual banking system and allowing the beneficiaries of the disputed transaction to withdraw the claimant's funds;

THAT the second paragraph of Article 5 of Chapter IV, Title XX, Book I, "General Norms for the Application of the General Law of Institutions of the Financial System", of the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, provides:

"Article 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the claim, the Superintendent of Banks and Insurance or the official who has the delegation of said authority, will issue the corresponding disposition.

If the situation that motivated the claim referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused harm to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of Article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a period that may not exceed fifteen (15) days from the notification to send, under the legal warnings, the proof of compliance with the order issued.";

THAT the invoked norm empowers the control body to, in the exercise of its functions and attributes both constitutional and legal, dispose of the return of the values claimed by users of the financial system, provided that the situation object of the claim had originated in an incorrect procedure on the part of the controlled institution, as evidenced in the present case;

THAT the main ground exposed by the claimant is the existence of an unauthorized bank transfer through virtual banking, evidenced in the defenses presented by Banco de Guayaquil S.A., through which the entity maintained that the mentioned transfer was made due to compromising personal information such as the personal key and the lack of care with the Bancontrol coordinate card, at the expense of the claimant, of which there is no record whatsoever in the file of the case at hand;

THAT in this sense, it is determined that "the incorrect procedure" in which Banco de Guayaquil S.A. has incurred consists in not having implemented efficient security policies and procedures in electronic channels;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0218 of March 16, 2015, recommended to the Banking Board to reject the claim contained in the appeal filed by the Executive Vice President - General Manager of Banco de Guayaquil S.A.; and,

IN exercise of its legal attributes,

RESOLVES:

SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM letter No. IRG-DAYEU-V-R-2014-853 of August 5, 2014, through which the lawyer Humberto Moya González, Regional Intendant of Guayaquil, rejected the appeal for reconsideration, and ratified the content of letter No. IRG-DAYEU-V-R-2014-434 of May 13, 2014, through which, it resolved to order Banco de Guayaquil S.A. to proceed to restore to Mr. Miguel Eusebio Merchán Cervantes the sum of USD $2,400.00 in checking account No. 2340089, a value corresponding to the unauthorized transfer by the user via internet.

NOTIFY.- Given at the Superintendence of Banks and Insurance, in Quito, Metropolitan District, on the seventeenth of June, two thousand fifteen.

(Signature) Econ. Rodrigo Landeta Parra GENERAL INTENDANT (S) PRESIDENT OF THE BANKING BOARD SESSION (E)

I CERTIFY.- Quito, Metropolitan District, on the seventeenth of June, two thousand fifteen.

(Signature) Lcdo. Pablo Cobo Luna SECRETARY OF THE BANKING BOARD