2015-06-10 | JB-2015-3468

The Banking Board of Ecuador issued Resolution No. JB-2015-3468 to reject the appeal filed by Banco de Guayaquil S.A. regarding unauthorized virtual banking transfers. The Board confirmed that the bank failed to provide sufficient security measures and ordered the restitution of US$ 465.00 to the customer, Solange Katherine Anzules Cruz. This decision affirms that the financial institution bears the risk of operational failures rather than shifting liability to the client for alleged credential compromise.
THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332, on September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and the norms issued by the control bodies, will remain in effect in all that does not oppose what is established in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was handling on the date of entry into force of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;
THAT by Resolution No. 054-2015-F, published in the Supplement of the Official Register No. 467, on March 26, 2015, the Monetary and Financial Policy and Regulation Board extended by one hundred and eighty (180) additional days the period for the Banking Board to continue acting and resolve all claims, appeals, and other administrative procedures within its competence;
THAT by communication entered into the Superintendence of Banks on August 22, 2013, Ms. Solange Katherine Anzules Cruz, filed her claim against Banco de Guayaquil S.A., requesting that the aforementioned bank be ordered to return the sum of US$ 465.00, debited from her savings account, basing her claim on: a) That on August 17, 2013, the total of US$ 465.00 was debited from her savings account No. 0011833289, through two transfers made for amounts of US$ 165.00 and US$ 300.00, in favor of Mr. Manuel Mayanza Cepeda and Mr. Rogger Javier Rojas Coronel; b) That on August 18 of the same year, she received a message on her cell phone where Banco de Guayaquil S.A. informed her that a password change had been requested, so she immediately checked her account statement in virtual banking and in her email; c) That by doing so, she noticed the debits that had been made to her for a total of US$ 465.00; d) That she went to the aforementioned entity to report what happened but was only told that they could not attend to her request; e) That she never received any message from Banco de Guayaquil S.A. with the code that must be entered to register the recipients of transfers; f) That according to documentation delivered by the mentioned banking institution and the emails informing her of the password change, the IP addresses from which the transactions were made are 186.5.75.211 and 64.209.30.85, none of which correspond to her computer's IP; g) That she did not make the transfers she challenges nor does she know the recipients of said transfers;
THAT the Intendancy of Guayaquil by letter No. DAYEU-ISFP-REQ-2013-1125, of September 25, 2013, admitted the claim presented by Ms. Solange Katherine Anzules Cruz to proceedings and transferred it to the knowledge of Banco de Guayaquil S.A., and requested explanations and defenses regarding the case; and by letter No. UAC-SBS-2013-544, of October 4, 2013, Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., presented the explanations and defenses related to the claim presented by Ms. Solange Katherine Anzules Cruz, basing his action, mainly, on the following:
"(...) Within the review carried out and according to what was stated by Mrs. Solange Katherine Anzules Cruz, it was determined that the client was a victim of computer fraud known as 'Phishing': which is the act of fraudulently acquiring, through deception, personal information such as passwords or other sensitive client information, consisting in the ability to maliciously duplicate bank web pages and indiscriminately send emails so that one accesses this page and the user provides the confidential and non-transferable access data to their bank.
The entity has an efficient fraud prevention system that includes an authentication process in Virtual Banking that begins with the creation of a user, and an alphanumeric key, the selection of a security image and the assignment of the name to the image, as well as answers to challenge questions (Credit Bureau) and of a personal nature, which constitutes the validation of the client's identification in this channel.
During the access process to the Virtual Banking of Banco de Guayaquil S.A., upon entering the user that identifies the client, the security image and the name assigned to it are displayed, factors that identify the authenticity of the bank's web page, prior to entering the password defined by the client.
This process includes the Bancontrol card, which is a coordinate card system, a tool that increases the security of static passwords and constitutes an additional barrier against electronic fraud; this mechanism provides random keys to give peace of mind to our clients. In transactions involving the movement of funds, the use of the Bancontrol coordinate card is mandatory.
Additionally, to make transfers through Virtual Banking, it is necessary to register the beneficiary account, a process in which the system sends a security code to the email registered by the client at the bank; this code must be entered on the Virtual Banking page, prior to entering the coordinates that are requested randomly, for the execution of the transaction, evidently, to access the client's email, the user must have the personal password.
The fund transfer was made through Virtual Banking, using coordinate card No. 3725, which was delivered to the client on June 18, 2012.
It is important to mention that our institution on its website, www.bancoguayaquil.com, shows its clients the following security message: "Remember that Banco de Guayaquil does not send email or text message, requesting information on personal data, data coordinates of your Bancontrol card, user, password of your accounts or credit cards, do not access any link included within an unknown email (...)";
THAT Banco de Guayaquil S.A. to justify its denial presents documentary defenses, the main ones being the following: a) Report of the claim and letter of response delivered to the user; b) Payment Report New Virtual Banking, in which the transactions carried out through Virtual Banking, from May to August 2013, charged to savings account No. 0011833289, are evidenced; c) Movement of the aforementioned savings account, corresponding to the period from May to August 2013; d) Access logs, data update to electronic banking and notification of transaction messages; e) Card Inquiry Screen, in which it is observed that the Coordinate Card was delivered on June 18, 2012 and cancelled on August 19, 2013. It also states that the beneficiaries of the claimed transfers are Mr. Rogger Javier Rojas Coronel and Mr. Manuel Mayanza Cepeda, holders of Amigas Accounts No. 6461473 and 6461499, respectively;
THAT by letter No. IRG-DAYEU-V-R-2013-662, of December 27, 2013, the Intendancy of Guayaquil, favorably attended the claim presented by Ms. Solange Katherine Anzules Cruz, resolving to order the controlled financial institution to proceed to restore to the claimant the sum of US$ 465.00, in the savings account No. 0011833289 that she maintains in the aforementioned bank, a value that corresponds to the transfers not authorized by the user via internet;
THAT by communication entered on January 14, 2014, Banco de Guayaquil S.A., filed an appeal for reconsideration against the content of letter No. IRG-DAYEU-V-R-2013-662, of December 27, 2013 and with letter No. IRG-DAYEU-V-R-2014-461, of May 16, 2014, the Intendancy of Guayaquil resolved to reject the appeal for reconsideration and confirm the administrative act contained in letter No. IRG-DAYEU-V-R-2013-662, of December 27, 2013, for the motivation stated therein;
THAT by communication entered into the Superintendence of Banks on May 28, 2014, Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A., filed an appeal for review before the Banking Board against letter No. IRG-DAYEU-V-R-2014-461, of May 16, 2014, which ratifies the administrative act contained in letter No. IRG-DAYEU-V-R-2013-662, of December 27, 2013, while also rejecting the appeal for reconsideration filed; and, with letter No. JB-2014-1418, of June 3, 2014, the lawyer Juan Francisco Simone Lasso, Secretary of the Banking Board (S), accepted the appeal for review filed; and, with letter No. JB-2014-1419, of the same day, month, and year, Ms. Solange Katherine Anzules Cruz was notified of the acceptance of said appeal;
THAT the aforementioned appeal for review is based on arguing mainly that:
"(...) the transactions in question were correctly processed, because in them the system validated the client's key and coordinates, which are only known and safeguarded by him, without requiring any additional verification, and the beneficiary account registration procedure was also fulfilled, IP registration, and notifications on transactions carried out." and, "(...) that there was no error or incorrect procedure on the part of the Bank, and the authority has not demonstrated the contrary, but has considered imprecisely security measures that in its opinion would have been necessary, but that are not provided for in the applicable regulations." (sic);
THAT articles 52 and 66 numeral 25, of the Constitution of the Republic of Ecuador; and, numeral 2 of article 4 of the Organic Law of Consumer Defense, establish the right of persons to dispose of goods and services of optimal quality; in virtue of this, Banco de Guayaquil S.A., by offering various services to its clients, among which is the transfer of funds through its Virtual Banking, is obliged to evaluate and demand the necessary security measures in order to provide a service of optimal quality to its clients;
THAT regarding what was argued by Banco de Guayaquil S.A., in which it highlights the observance and compliance with the corresponding security measures in electronic channels, ATMs, points of sale, and electronic banking, article 4, chapter V.- "Of Operational Risk Management", title X.- "Of Risk Management and Administration", book I.- "General Norms for the application of the General Law of Institutions of the Financial System", of the Codification of Resolutions of the Superintendence of Banks and of the Banking Board, says:
ARTICLE 4.- With the purpose that the probability of incurring financial losses attributable to operational risk is minimized, the following aspects must be adequately managed, which are interrelated:
(...)
4.3 Information Technology.- Controlled institutions must have information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that information, including that under the modality of services provided by third parties, is integral, confidential, and available for appropriate decision-making.
To consider the existence of an appropriate operational risk management environment, controlled institutions must formally define policies, processes, and procedures that ensure adequate planning and administration of information technology. These policies, processes, and procedures will refer to:
(...)
4.3.8 Security measures in electronic channels.- With the object of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to prevent the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients in charge of controlled institutions, these must comply at minimum with the following:
(...) 4.3.8.8. Offer clients the necessary mechanisms so that they can personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.
Among the main conditions of personalization by each type of electronic channel, there must be: registration of the accounts to which they wish to make transfers, registration of authorized computer IP addresses, the authorized mobile phone number(s), maximum amounts per daily, weekly, and monthly transaction, among others (...)
THAT regarding this, Internal Report No. FR-I-2013-237, dated August 19, 2013, is in the file, which contains the review of the claim of Mrs. Solange Katherine Anzules Cruz, signed by the Unit of Losses and Frauds of Banco de Guayaquil S.A., in which the following is highlighted:
"(...) The client's account movements were reviewed in the ITREPORTS application, for the date corresponding to the transactions in the claim, observing that they were processed through IP address 186.5.75.211, which is located in Guayaquil, Ecuador. (...) 2. The maximum transfer value of the client through Virtual Banking was verified, which at the date of the transactions amounted to US$ 9,999.99 monthly. 3. The client filed the claim on August 19 of the current year; therefore, the Bancontrol coordinate card was blocked.
(...) CONCLUSION: Based on the background and the review of the claim presented by the client, it is concluded that it is IMPROPER because the client was probably a victim of computer fraud, which consists in the fraudulent obtaining of personal information, through fake web pages, emails that appear to come from the bank, through which the client provided information and coordinate keys";
THAT furthermore, Banco de Guayaquil S.A. itself in the aforementioned report No. FR-I-2013-237, of August 19, 2013, is acknowledging that in the present case there was "computer fraud", with which it would implicitly be acknowledging the lack of security in its electronic channels; and, it is absolving the client of any responsibility;
THAT Banco de Guayaquil S.A. demonstrates through its defenses that the only way to register or record both IP addresses and accounts is through access to Virtual Banking, which is achieved exclusively by validating the key granted to its clients, so that a client's compromise of this information would release the bank from any responsibility for the mishandling of that key; however, in the case at hand, it is not evidenced that Mrs. SOLANGE KATHERINE ANZULES CRUZ compromised her virtual banking access key at any time or lost custody of the "Bancontrol" coordinate card issued by the controlled entity; on the contrary, from the review of the file it is determined that the transactions were carried out from IP address 186.5.75.211. The file contains the history of interbank transfer transactions, with the IP addresses from which Mrs. Solange Katherine Anzules Cruz has carried out operations through Virtual Banking, and from it it can be seen that the transaction subject of the claim was carried out from an IP that was neither habitual for the claimant when making transfers nor registered by her for such purposes;
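The personalization controls that section 4.3.8.8 requires (registered beneficiary accounts, registered IP addresses, amount limits) and the Board's "neither habitual nor registered IP" reasoning in the preceding paragraph, as an added example that is not part of the resolution and not Banco de Guayaquil's system. Only the source IP 186.5.75.211, the beneficiary account numbers, the two amounts and the US$ 9,999.99 monthly limit come from the file; the customer's registered network (203.0.113.0/24), her IP history, the registration timestamps and the 24-hour cooling-off rule on newly registered beneficiaries are assumptions, the last of which goes beyond what the regulation text lists:

```python
# Added example, not the resolution's text nor Banco de Guayaquil's code:
# a transfer-authorisation policy built from the 4.3.8.8 personalisation
# controls plus the Board's "habitual IP" test. The cooling-off rule on
# newly registered beneficiaries is an assumption the page does not make.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class Beneficiary:
    account: str
    registered_at: datetime
    registered_from_ip: str


@dataclass
class Profile:
    registered_networks: list   # CIDRs the customer enrolled (4.3.8.8)
    ip_history: dict            # source IP -> prior transfers from it
    beneficiaries: dict         # account -> Beneficiary
    monthly_limit: float
    month_to_date: float = 0.0  # amount already transferred this month


@dataclass
class Transfer:
    amount: float
    beneficiary: str
    source_ip: str
    at: datetime


COOLING_OFF = timedelta(hours=24)   # assumption, not from the regulation


def evaluate_transfer(profile, t):
    """Return ("allow" | "step_up" | "deny", [reasons]).

    "step_up" means the transfer must be confirmed out of band, e.g. to the
    mobile number the customer registered, before any funds move.
    """
    reasons = []
    ip = ip_address(t.source_ip)
    if not any(ip in ip_network(n) for n in profile.registered_networks):
        reasons.append("source IP not registered by the customer")
    if profile.ip_history.get(t.source_ip, 0) == 0:
        reasons.append("source IP has no transfer history for this customer")

    bene = profile.beneficiaries.get(t.beneficiary)
    if bene is None:
        reasons.append("beneficiary account not registered")
    else:
        if t.at - bene.registered_at < COOLING_OFF:
            reasons.append("beneficiary registered less than 24 h before the transfer")
        if profile.ip_history.get(bene.registered_from_ip, 0) == 0:
            reasons.append("beneficiary was registered from an IP with no history")

    if profile.month_to_date + t.amount > profile.monthly_limit:
        reasons.append("monthly limit exceeded")
        return "deny", reasons
    if bene is None:
        return "deny", reasons
    if reasons:
        return "step_up", reasons
    profile.month_to_date += t.amount   # only transfers executed here count
    return "allow", reasons


def case_profile():
    """Constructed profile: network, history and registration times are
    invented; account numbers, source IP and limit come from the file."""
    return Profile(
        registered_networks=["203.0.113.0/24"],   # hypothetical home network
        ip_history={"203.0.113.7": 12},           # constructed history
        beneficiaries={
            "0011000001": Beneficiary("0011000001", datetime(2012, 7, 1, 9, 0), "203.0.113.7"),
            "6461473": Beneficiary("6461473", datetime(2013, 8, 17, 10, 5), "186.5.75.211"),
            "6461499": Beneficiary("6461499", datetime(2013, 8, 17, 10, 9), "186.5.75.211"),
        },
        monthly_limit=9999.99,
    )


def disputed_transfers():
    """The two claimed transfers, with constructed timestamps."""
    return [
        Transfer(165.00, "6461473", "186.5.75.211", datetime(2013, 8, 17, 10, 12)),
        Transfer(300.00, "6461499", "186.5.75.211", datetime(2013, 8, 17, 10, 15)),
    ]


def run_case():
    profile = case_profile()
    return [evaluate_transfer(profile, t) for t in disputed_transfers()]


def control_cases():
    """Three constructed control transfers against a fresh profile."""
    profile = case_profile()
    cases = [
        ("habitual", Transfer(50.00, "0011000001", "203.0.113.7", datetime(2013, 8, 17, 11, 0))),
        ("unregistered", Transfer(10.00, "9999999", "203.0.113.7", datetime(2013, 8, 17, 11, 5))),
        ("over_limit", Transfer(9999.00, "0011000001", "203.0.113.7", datetime(2013, 8, 17, 11, 10))),
    ]
    return {name: evaluate_transfer(profile, t) for name, t in cases}


if __name__ == "__main__":
    for decision, reasons in run_case():
        print(decision, reasons)
```

Run against the constructed profile, both disputed transfers come back as "step_up" with four reasons each, while the habitual transfer is allowed, the transfer to an unregistered account is denied and the one that breaches the limit is denied. The monthly limit of US$ 9,999.99 recorded in the bank's internal report lets the two disputed amounts through untouched; it is the unregistered, never-seen source IP and the beneficiaries registered minutes earlier from that same IP that single them out.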
THAT integral risk management is one of the responsibilities attributed to institutions that are part of the Financial System, by virtue of that, the Codification of Resolutions of the Superintendence of Banks and of the Banking Board, in its book I "General Norms for the application of the General Law of Institutions of the Financial System", title X "Of risk management and administration", chapter I "Of integral risk management and control" establishes in its third article the following:
ARTICLE 3.- Financial system institutions have the responsibility to manage their risks, to which effect they must have formal integral risk management processes that allow identifying, measuring, controlling/mitigating, and monitoring the risk exposures they are assuming.
THAT the second paragraph of article 5 of chapter IV.- "Procedure for the attention of claims against Financial System Institutions", title XX.- "Of the Superintendence of Banks and Insurance", book I "General norms for the application of the General Law of Institutions of the Financial System" of the Codification of Resolutions of the Superintendence of Banks and of the Banking Board, provides:
ARTICLE 5.- (...) If the situation that motivated the claim referred to in the previous paragraph, originated in an incorrect procedure of the controlled institution, which caused damage to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of article 180 of the General Law of Institutions of the Financial System, granting the legal representative of the entity a period that cannot exceed fifteen (15) days from the notification to send, under the precautions of Law, the proof of compliance with the order issued.";
THAT the main foundation exposed by the claimant is the existence of unauthorized bank transfers, through virtual banking. These transfers are evidenced in the defenses presented by Banco de Guayaquil S.A., requested by letter No. DAYEU-ISFP-REQ-2013-1125, of September 25, 2013, through which the controlled entity maintained that the transfers in question were carried out by compromising personal information such as the virtual banking key and the lack of custody of the "Bancontrol" coordinate card, by the claimant. The banking institution intends to shift to the financial user the risks inherent to the organization and execution of the transfer service through electronic channels offered by the institution, by holding her responsible for the same due to the misuse of her virtual banking access key and the alleged compromise of the custody of her "Bancontrol" coordinate card, facts of which there is no record in the file of the case at hand; this same foundation also allowed, through the administrative act contained in letter No. IRG-DAYEU-V-R-2013-662 of December 27, 2013, the rejection of the appellant's claims, insisting that it is not appropriate to place on the claimant the responsibility for the possible lack of custody and care of the information of the "Bancontrol" coordinate card and, therefore, the responsibility for said transactions carried out via internet;
THAT Banco de Guayaquil S.A. incurred in an incorrect procedure by not providing sufficient security measures aimed at preventing the commission of fraudulent events and guaranteeing the security and quality of user information; since they were violated, without it being evidenced or documented in the present case that the cardholder carried out the transactions or that there was negligence or mishandling of the debit card by the claimant;
THAT the National Legal Intendancy, by memorandum INJ-DNJ-SAL-2014-0981 of December 9, 2014, recommended to the Banking Board to reject the claim contained in the appeal for review filed; and,
IN exercise of its legal attributes,
SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar Álava, Executive Vice President – General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM letter No. IRG-DAYEU-V-R-2014-461, of May 16, 2014, with which the Regional Intendancy of Guayaquil S.A. confirmed the administrative act contained in letter No. IRG-DAYEU-V-R-2013-662, of December 27, 2013, through which it ordered Banco de Guayaquil S.A. to "(...) proceed to restore to Mrs. SOLANGE KATHERINE ANZULES CRUZ the sum of FOUR HUNDRED SIXTY-FIVE 00/100 DOLLARS OF THE UNITED STATES OF AMERICA (US$ 465.00), in the savings account No. 11833289 that she maintains in the aforementioned bank, a value that corresponds to the unauthorized transfer by the user via internet (...)".
NOTIFY.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on June 10, two thousand fifteen.
Econ. Rodrigo Landeta Parra GENERAL INTENDANT, S PRESIDENT OF THE BANKING BOARD, E
I CERTIFY.- Quito, Metropolitan District, on June 10, two thousand fifteen.
Lcdo. Pablo Gobo Luna SECRETARY OF THE BANKING BOARD