Banking Board of Ecuador

RESOLUTION No. JB-2015-3444

THE BANKING BOARD

CONSIDERING:

WHEREAS, according to the second clause of the Third Transitional Provision of the Organic Code of Monetary and Financial Affairs, it is determined that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was handling as of the effective date of this Code, within a period of one hundred eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

WHEREAS, through Resolution No. 054-2015-F, dated March 5, 2015, published in the Official Register No. 467, dated March 27, 2015, the aforementioned Board extended the period by an additional one hundred eighty days for the Banking Board to continue acting and resolve all claims, appeals, and other administrative procedures within its jurisdiction;

WHEREAS, through a communication received by this Superintendence on January 29, 2014, Mr. Nelson Ramiro Salme Molina filed an administrative claim regarding unauthorized debits made from his savings account No. 0110127596, during the period from January 8 to 24, 2014, due to the use of ATMs with debit card No. 6031600044007058, amounting to US$ 4,948.00, for which he requests: "...that I be fully refunded the money (4,948 dollars) that I was saving with great effort for my children's education." (sic);

WHEREAS, the Subdirectorate of User Attention, through letter No. DNAE-SAU-2014-01433 dated March 5, 2014, forwarded the aforementioned claim to the bank, so that it could present the pertinent explanations and documentary defenses, and through letter No. DNAE-SAU-2014-01432 of the same date, notified Mr. Nelson Ramiro Salme Molina of the matter;

WHEREAS, through letter No. 04196 dated April 1, 2014, the National Development Bank submitted information regarding the client's claim;

WHEREAS, the Subdirectorate of User Attention, based on the content of the claim and the review of the information submitted by the entity, through letter No. DNAE-SAU-2014-02681 dated April 29, 2014, directed the National Development Bank as follows:

"(...), you must refund the claimed amounts to your client, corresponding to the withdrawals recorded by ATMs..., and corresponding to the fifty-one transactions detailed in this administrative act. The amount to be credited to the claimant, Mr. Nelson Ramiro Salme Molina, is USD $4,966 plus the commission value generated for each transaction performed of USD $0.45 each, yielding a total value of USD $4,988.95..." (sic);

WHEREAS, through a communication received by the Superintendence on May 14, 2014, the National Development Bank filed an appeal for reconsideration against

---

Resolution No. JB-2015-3444

Page No. 2

the administrative act contained in letter No. DNAE-SAU-2014-02681 dated April 29, 2014;

WHEREAS, through letter No. DNAE-SAU-2014-04351 dated July 15, 2014, the Subdirectorate of User Attention resolved to reject the claim contained in the appeal for reconsideration filed by the aforementioned bank, and confirmed letter No. DNAE-SAU-2014-02681 dated April 29, 2014;

WHEREAS, through documents received by the Superintendence on July 29 and August 2, 2014, economist Freddy Monge Muñoz, General Manager of the National Development Bank, with the professional sponsorship of doctors Fabián Zapata Ozano, Fabián Gómez V., and doctor Johana Herrera Zambrano, filed a review appeal before the Banking Board against letter No. DNAE-SAU-2014-0004351 dated July 15, 2014, arguing primarily:

• That the Subdirector of User Attention resolved the filed claim and ordered the bank to refund Mr. Nelson Salme Molina the amount of USD 4,988.95 "...without considering the information and documentation provided by the BNF and despite expressly recognizing that the client who filed the administrative claim '...was a victim of alleged card cloning, since the withdrawal pattern matches the pattern used by criminals... since the information is obtained through skimming devices placed on ATMs...'";
• That the appeal for reconsideration, which was denied by the challenged administrative act, suffers from errors, as the Superintendence has an exclusively administrative scope that excludes it from resolving this case, which falls within the judicial criminal sphere; and, a lack of adequate motivation in the challenged administrative act, rendering it null according to the Constitution of the Republic;

WHEREAS, through letter No. JB-2014-2182 dated August 13, 2014, the Secretary of the Banking Board (S) accepted the review appeal for processing, and through letter No. JB-2014-2183 of the same date, forwarded a photocopy of the acceptance letter and the document through which the bank filed the review appeal to Mr. Nelson Ramiro Salme Molina;

WHEREAS, through a document received by this Superintendence on August 28, 2014, Mr. Nelson Ramiro Salme Molina presented his arguments and submitted additional documentation regarding the review appeal filed by the bank;

WHEREAS, the Bank Superintendence, as provided in Article 213 of the Constitution of the Republic, is the technical entity for surveillance, auditing, intervention, and control of the financial activities and services provided by public and private entities that are part of the national financial system, with the purpose of ensuring they comply with the legal framework and attend to the general interest, given that these activities constitute a matter of public order and have the fundamental purpose of preserving public deposits. In harmony with this fundamental norm, Article 1 of the General Law of Financial System Institutions, with an organic character, determines that it is the entity in charge of supervising and controlling the financial system;

---

Resolution No. JB-2015-3444

Page No. 3

WHEREAS, in that scope, Article 180, letter b) of the General Law of Financial System Institutions, obligates the Superintendence of Banks and Insurance to ensure the stability, solidity, and correct functioning of institutions under its control; and, in general, that they comply with the regulations governing their operation, attributions exercised within the administrative scope as provided in Article 140 of the aforementioned Law;

WHEREAS, according to Articles 52 and 66, numeral 25 of the Constitution of the Republic, which guarantee persons the right to dispose of goods and services of optimal quality and to access timely and adequate information about their content and characteristics, the National Development Bank, a financial entity controlled by this Superintendence and provider of various services to its clients, including fund withdrawals via ATMs, is obligated to evaluate and require the appropriate security measures in order to provide an optimal and efficient service to its clients, thereby guaranteeing their rights as financial users, since the bank is the custodian of the funds entrusted to it;

WHEREAS, Articles 1 and 3 of Section I, Chapter IV.- "Procedure for handling claims against financial system institutions", Title XX, Book I of the Compilation of Resolutions of the Bank Superintendence and Insurance and the Banking Board, establish:

ARTICLE 1.- The Superintendence... will receive and process claims filed by clients and users of the services provided by financial system institutions.

(...)

ARTICLE 3.- Once the claim is accepted for processing, the official delegated by the Superintendence... will issue a receipt within a maximum period of fifteen (15) days and indicate to the claimant that the claim has been forwarded to the controlled institution, so that it may present the explanations and defenses that may support it, and, if necessary, will extend the period for resolving the claim.";

WHEREAS, the appellant's argument that the claim was resolved without considering the information and documentation sent by the bank, despite recognizing that the client was a victim of alleged card cloning, and thereby disregarding this control body's competence to resolve the claim; is unfounded, since the Subdirectorate of User Attention, through the challenged letter No. DNAE-SAU-2014-004351, which resolved the appeal for reconsideration filed by the bank, evidenced non-compliance by the National Development Bank by explicitly stating: "(...) it is evident on the part of your represented entity or the responsible units, no analysis or argumentation whatsoever that demonstrates and proves that within what was precisely stated, it indicates which client failures would lead this Superintendence to assume

---

Resolution No. JB-2015-3444

Page No. 4

responsibility or negligence on the part of the claimant when it has been repeatedly stated through the resolution letter sent by your represented entity partial and incomplete information related to 'Annex 5' on one page, the transactional detail from January 10 to 25, 2014, when the claimed transactions correspond from January 08 to 24, 2014, and that it did not even deliver to this control body, as requested, the transactions from six months prior to measure said client habituality. However, it was evidenced that the claimant exclusively conducted transactions from the city of Sucúa, belonging to the province of Morona Santiago." (Underlining added);

WHEREAS, as indicated by the Subdirectorate of User Attention, aspects are observed regarding which the bank has not commented, since in the "customer service report", the Director of that Unit states that the user made a counter withdrawal with a passbook at 12:00 for the value of $600.00 dollars at the Sucúa branch on January 09, 2014, that upon reviewing the balance printed in his passbook, he could have evidenced a difference of $191.00 dollars missing from his account, and that upon noticing such a difference, he would have immediately informed the bank. Regarding this, as evidenced by the color copies of the savings passbook delivered by the claimant, said transaction was not recorded, and a subsequent one from January 09, 2014, is printed; this common practice entails a serious breach by the bank that did not allow the client to review his balances, in light of these and the breaches referred to in the challenged letter that relate to internal reports that the financial entity should validate. It was not possible to establish the point of compromise, considering the user's habituality, who only transacted from Sucúa;

WHEREAS, it is necessary to note that the insufficient implementation of security measures by the bank at the various ATMs used by clients, whether their own or from the BANRED network, generated economic harm to the financial user, since these devices in this case were susceptible to card cloning, with the bank failing to comply with numeral 4.3.6., Article 4, Chapter V.- On operational risk management, Title X, Book I of the Compilation of Resolutions of the Bank Superintendence and Insurance and the Banking Board, which states that in order to guarantee security in transactions performed through ATMs, financial system institutions must comply with the provisions of Article 40, Chapter I, Title II, Book I of the aforementioned compilation, specifically the one stated below:

"40.2 Protection against card cloning.- Possess electronic devices and/or physical elements that effectively prevent and detect the placement of false card readers, in order to avoid the cloning of debit or credit cards, in addition to the corresponding online monitoring mechanisms for alarms generated by electronic devices in case of unusual events occurring;";

WHEREAS, therefore, the control body, within the strict administrative scope, during the different stages of both the claim and the appeal for reconsideration, addressed and analyzed the arguments of the parties and defenses of the documentation submitted that forms the file, determining the indicated breaches, considering that security regarding the use of ATMs, whether own or from the network, is the responsibility of the entity and not the client, since this type of transactional channel was placed by the National Development Bank, custodian of the funds entrusted to it, who has the responsibility to implement the pertinent security procedures and controls, based on the respective agreement celebrated for such effects with the service providers of the ATMs network (BANRED); that the bank sent partial and incomplete information, in addition to asserting that it did not have all the defense elements and necessary information to perform a due analysis by the entities involved in the objected withdrawals and belonging to the network, a situation that relieves the client of responsibility regarding the lack of custody of his card and/or security key; as well as, the absence of arguments by the appellant, who has repeatedly replicated in the different appeal instances that the Superintendence is not competent to resolve this case, as it concerns a "card cloning";

WHEREAS, there are no documentary grounds demonstrating that the client was negligent or careless in handling his card and/or security key, however, the bank has not addressed the levels or standards of compliance and security related to quality, validation, and review of own and network ATMs within their different procedure stages until the transaction is qualified as successful, even more so considering that the entity does not have notification controls implemented to the client's registered cell phone and/or email, which would minimize risks for this type of fraud (cloning), as indicated in the defense letter 04196 received by this Superintendence on April 2, 2014;

WHEREAS, the lack of notification to the user regarding the claimed withdrawals allowed them to conclude successfully, as he did not receive the respective notifications, transactions that according to the detail in the customer service report, were carried out from January 8 to 24, 2014, not only in network ATMs, but in devices belonging to the entity itself, consequently, a lack of compliance by the entity with what is provided in Article 4 of Section II.- Operational Risk Factors, Chapter V.- On operational risk management, Title X.- On risk management and administration, Book I of the Compilation of Resolutions of the Bank Superintendence and Insurance and the Banking Board; which state:

"ARTICLE 4.- In order to minimize the probability of incurring financial losses attributable to operational risk, the following aspects must be adequately administered, which are interrelated:

(...) 4.3 Information technology.- The controlled institutions must possess information technology that guarantees the capture, processing, storage, and transmission of information in a timely and reliable manner; avoid business interruptions and ensure that

---

Resolution No. JB-2015-3444

Page No. 5

information, including that under the modality of services provided by third parties, is intact, confidential, and available for appropriate decision-making.";

WHEREAS, in Internal Audit Report No. 015-UAI-2014 dated July 25, 2014, a copy of which is in the file, the bank accepts regarding the "indicators of debit card cloning", not only in the claim in question but in other similar claims, by stating: "...the withdrawals were carried out by the same person and accomplices, who have been permanently carrying out withdrawals through cloned cards..." (sic). Adhering to, on page 6 of said report under the title: "Lack of integrity in the COBIS Transactional Register", the following:

"In the transactions carried out for Client Salme Molina Nelson Ramiro, there were three cases of withdrawal transactions through ATMs that were carried out on January 8, 2014 between 22:22:55 and 22:22:24 according to what is recorded in the COBIS System transactional register, they are registered on January 9, 2014 at 04:37:00, a situation that indicates a lack of integrity in the information processed through the COBIS system, therefore there is a risk that the information has been compromised.";

WHEREAS, the responsibility then falls on the National Development Bank, the entity holding the deposited funds under its custody, which has placed this service at the disposal of clients, who has the legal obligation that the ATM channel, whether own or third-party, provides to its clients the security that the case warrants, which does not lie solely in the correct and non-transferable use of the secret key but also in the expected inviolability of the delivered magnetic card, corresponding to it to adequately administer the risks related to ATM transactions, whether or not of the same entity, in compliance with what is provided in Article 5, Section III, Chapter V.- On risk management and administration, Title X, Book I, of the Compilation of Resolutions of the Bank Superintendence and Insurance and the Banking Board;

WHEREAS, what is affirmed by the appellant that the Superintendence is not competent to resolve the claim in question, as it concerns a fraud; is legally unfounded, since this control body, in attention to the constitutional and legal mandate contained in Articles 213 and 226 of the Constitution of the Republic and Articles 1 and 180 of the General Law of Financial System Institutions, being the technical body, of surveillance, auditing, intervention, and control of the financial activities and services provided by public and private entities, in order for them to comply with the regulations governing them in order to attend to the general interest, is compelled to act within the scope of its strict administrative competence. Likewise, in the case of determining incorrect procedures on the part of controlled entities that may have caused harm to a claimant, it corresponds to proceed according to the second clause of Article 5, Chapter IV "Procedure for handling claims against Financial System Institutions", Title XX, Book I of the aforementioned Compilation, ordering the restitution of the claimed amounts.

Nevertheless, it is specified that it is not the competence of this control body to determine and judge crimes, which based on the constitutional principle of Independence of the Judicial Function, is the exclusive faculty of judges and tribunals, according to the matters determined for them;

WHEREAS, regarding the lack of adequate motivation in the challenged administrative act that renders it null according to the Constitution, it is specified that letters Nos. DNAE-SAU-2014-02681 and DNAE-SAU-2014-04351 dated April 29 and July 15, 2014, respectively, through which the Subdirectorate of User Attention resolved the claim in question and subsequently the appeal for reconsideration filed, are motivated on real factual grounds and the regulatory norms applicable to the case, rendering the appellant's allegation that the administrative act contravenes what is provided in numeral 7 letter l) of Article 76 of the Constitution of the Republic, unfounded;

WHEREAS, from the preceding analysis, it is derived that the National Development Bank incurred an incorrect procedure determined in the preceding considerations, by not adopting and implementing basic security measures to avoid and/or minimize this type of events that inherently carry risks in transactions performed via ATMs, in the account delivered under its custody, and that according to the bank's own statement were the product of its card cloning, a situation that subsequently caused the security controls of the debit card issued by the bank to the user to be compromised, causing him economic harm; therefore, in this case, since what is provided in the second clause of the aforementioned Article 5 of Chapter IV, Title XX, Book I "General norms for the application of the General Law of Financial System Institutions" of the aforementioned Compilation has been fulfilled, it was appropriate for this control body to order the return of the amounts claimed by Mr. Nelson Ramiro Salme Molina;

WHEREAS, the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0142 dated February 9, 2015, recommended to the Banking Board to reject the claim contained in the review appeal filed; and,

In exercise of its legal attributions,

RESOLVES:

SOLE ARTICLE.- REJECT the claim contained in the review appeal filed by economist Freddy Monge Muñoz, General Manager of the National Development Bank, against letter No. DNAE-SAU-2014-04351 dated July 15, 2014; and, consequently, CONFIRM the administrative act contained in letter No. DNAE-SAU-2014-02681 dated April 29, 2014, with which the Subdirectorate of User Attention ordered the bank to refund the claimed transactions for USD $4,948.00 to Mr. Nelson Ramiro Salme Molina.

---

Resolution No. JB-2015-3444

Page No. 8

COMMUNICATE.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on the twenty-seventh of May of two thousand fifteen.

Econ. Rodrigo Lándera Parra
GENERAL INTENDENT, S
PRESIDENT OF THE BANKING BOARD, E

I CERTIFY.- Quito, Metropolitan District, on the twenty-seventh of May of two thousand fifteen.

Lcdo. Pablo Cobo Luna
SECRETARY OF THE BANKING BOARD