2015-05-13 | JB-2015-3411

Banking Board Resolution JB-2015-3411

The Banking Board of Ecuador issued Resolution JB-2015-3411 to reject the appeal filed by Banco de Guayaquil S.A. regarding a consumer complaint about unauthorized electronic transfers. The Board confirmed the lower authority's decision ordering the bank to refund USD 180.00 to the claimant, José Guillermo Macías Morán, due to the institution's failure to implement adequate security measures for electronic transactions. The ruling establishes that the bank remains liable for the loss because it could not prove the customer compromised their access credentials or coordinate card.


Superintendencia de Bancos Ecuador

Banking Board of Ecuador

RESOLUTION No. JB-2015-3411

THE BANKING BOARD

CONSIDERING:

THAT this appeal is resolved in accordance with the First Transitional Provision of the Organic Monetary and Financial Code, published in the Official Register Second Supplement No. 332, of September 12, 2014, whose text states that resolutions contained in the Codification of Resolutions of the Superintendence of Banks and Insurance and the Banking Board, and the norms issued by control bodies, will maintain their validity in all that does not oppose what is provided in the Organic Monetary and Financial Code, until the Monetary and Financial Policy and Regulation Board resolves what corresponds, according to the case; and with the second paragraph of the Third Transitional Provision, which states that the Banking Board will continue to act until it resolves all claims, appeals, and other administrative procedures it was hearing on the date of validity of the same, within a period of one hundred and eighty days, extendable at the discretion of the Monetary and Financial Policy and Regulation Board;

THAT by Resolution No. 054-2015-F, of March 5, 2015, published in the Official Register No. 467, of March 27, 2015, the aforementioned period has been extended by one hundred and eighty additional days;

THAT by means of a complaint form presented to the Superintendence of Banks and Insurance on November 13, 2013, Mr. José Guillermo Macías Morán filed a complaint against Banco de Guayaquil S.A., regarding an alleged electronic fraud that occurred on September 1, 2013, carried out through two electronic transfers from his savings account No. 11426390 to another "friendly" account of Banco de Guayaquil S.A., numbered 6128502 in the name of Ricardo Morán Querido, for the value of $180.00;

THAT by letter No. DAYEU-ISFP-REQ-2013-1606 of December 3, 2013, the Director of User Attention and Education of the Regional Intendancy of Guayaquil requested Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., to submit defenses and explanations regarding the complaint filed by Mr. José Guillermo Macías Morán;

THAT through letter No. UAC-SBS-2013-706 of December 10, 2013, received by this Superintendence of Banks and Insurance on December 20, 2013, in response to the request from the control body, the banking entity submitted copies of the documents held in the file of the complaint of Mr. José Guillermo Macías Morán;

Resolution No. JB-2014-3411

Page 2

THAT by letter No. IRG-DAYEU-V-R-2014-373 of May 8, 2014, the lawyer Humberto Moya González, Regional Intendant of Guayaquil, resolved to order Banco de Guayaquil S.A. to restore to Mr. José Guillermo Macías Morán the sum of USD $180.00 in the savings account No. 11426390, a value corresponding to the unauthorized transfers by the user via internet, and to send evidence of compliance with this resolution to the control body within eight days;

THAT through a communication received by this Superintendence on June 2, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., with the sponsorship of Dr. Rosa Tobar Reina, filed an appeal for reconsideration against the administrative act contained in letter No. IRG-DAYEU-V-R-2014-373 of May 8, 2014;

THAT by letter No. IRG-DAYEU-V-R-2014-674, of June 24, 2014, Dr. Faddul Mosquera Karam, Regional Intendant of Guayaquil (S) at that date, rejected the appeal for reconsideration and ratified the content of letter No. IRG-DAYEU-V-R-2014-373 of May 8, 2014;

THAT through a communication received by this Superintendence on July 4, 2014, Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A., filed before the Banking Board an appeal for review against the administrative act contained in letter No. IRG-DAYEU-V-R-2014-674, of June 24, 2014;

THAT the appeal for review was accepted for processing by Licentiate Pablo Cobo Luna, Secretary of the Banking Board, through letter No. JB-2014-1775, of July 10, 2014;

THAT among the factual and legal grounds exposed by the appealing banking entity, the following stand out:

  • That the coordinate card system, Bancontrol, increases the security of static passwords and represents an additional barrier against electronic fraud, a mechanism that provides random keys to give peace of mind to its clients, and in all matters involving fund movements, the use of this coordinate card is necessarily required, which is delivered to the client in a sealed envelope, meaning it is known only to them, whose custody is their absolute responsibility.

  • That to use virtual banking from an unusual IP address, it must necessarily be authorized by the client through a security process; once the IP address is authorized, the client chooses whether to register it or not for future transactions.

  • That the security system of the controlled entity does contemplate the registration of accounts to which transfers are desired. For the registration of such accounts, the system sends a security code to the email address registered by the client at the bank; this code must be entered on the Virtual Banking page prior to entering the coordinates, which are for the personal use of the client, therefore there is no liability on the part of the bank in the execution of this type of transaction.

  • That as a new element in the appeal for reconsideration, evidence of the security measures that allowed the client to be alerted about the transaction subject of their claim was attached, including logs and withdrawals of said transaction, where it was evidenced that the client did receive the messages and that the accounts were registered as beneficiaries; they also attached the Electronic Services-Bancontrol Card Assignment document.

  • That the claimant was provided with truthful, reliable, and timely information about the card, with which the system validated the keys and coordinates correctly entered, through the instruments indicated by the controlled entity itself, such as: the electronic services-Bancontrol card assignment document and the current account contract signed by the claimant.

THAT Banco de Guayaquil S.A. highlights the observance and compliance with the corresponding norms regarding security measures in electronic channels, ATMs, point of sale, and electronic banking;

THAT Article 4, Chapter V, Title X, Book I "On Integrated Management and Risk Control," of the Codification of Resolutions of the Superintendence of Banks and Insurance and of the Banking Board, states:

"(...)

Article 4.- With the purpose of minimizing the probability of incurring financial losses attributable to operational risk, the following aspects, which interrelate with each other, must be adequately managed:

4.3.4.12 Controlled institutions that offer transfer and electronic transaction services must have information security policies and procedures that guarantee that operations can only be performed by duly authorized persons; that the communication channel used is secure, through information encryption techniques; that there are alternative mechanisms that guarantee the continuity of the offered service; and, that ensure the existence of audit trails.

4.3.8 Security measures in electronic channels.- With the object of guaranteeing that transactions carried out through electronic channels have the controls, measures, and security elements to prevent the commission of fraudulent events and guarantee the security and quality of user information as well as the assets of clients under the care of controlled institutions, these must comply at minimum with the following:

4.3.8.8 Offer clients the necessary mechanisms so that they can personalize the conditions under which they wish to carry out their transactions through the different electronic channels and cards, within the conditions or maximum limits that each entity must establish.

Among the main personalization conditions for each type of electronic channel, there must be: registration of the accounts to which they wish to make transfers, registration of IP addresses of authorized computers or authorized mobile phone numbers, maximum amounts per daily, weekly, or monthly transaction.

(...);

THAT Banco de Guayaquil S.A. sent an internal report in which it evidenced that, according to the ITREPORTS application, the client's movements on the date subject of the complaint were processed through IP address 186.162.58.107, located in Lima-Peru, which is not a habitual IP for the claimant to make transfers nor one registered by him; this reaffirms that in report UAC-SBS-2013-706 of December 10, 2013, the same bank acknowledged to the client that phishing had occurred, which denotes the vulnerability of the Bank's systems;

THAT the financial institution states that the only way to register or record both IP addresses and accounts is through Virtual Banking, which is only achieved with the validation of the key granted to its clients; therefore, if clients compromise this information, this frees the bank from responsibility for the mishandling of this key. However, in the case at hand, it is not evidenced that Mr. José Guillermo Macías Morán compromised his virtual banking access key at any time nor neglected the custody of the Bancontrol coordinate card delivered by the financial institution.

THAT among the main personalization conditions for each type of electronic channel, there must be: registration of the accounts to which they wish to make transfers, registration of IP addresses of authorized computers or authorized mobile phone numbers, maximum amounts per daily, weekly, or monthly transaction;

THAT paragraph a) of Article 51 of the General Law of Financial System Institutions, in force on the date of the complaint, states that banks are authorized to receive public resources in demand deposits, which are banking obligations, comprising monetary deposits payable upon presentation of checks or other payment mechanisms and registration;

THAT Banco de Guayaquil S.A. assumes the obligation to keep or safeguard deposited values with diligence and professional care; it is also responsible for the other services offered to its clients, such as transfers through different electronic channels, and is obligated to evaluate and demand the necessary securities as a depositary of the monies that its clients have entrusted to it;

THAT Article 3, Chapter I, Title X "On Risk Management and Administration," of the Codification of Resolutions of the Superintendence of Banks and Insurance and of the Banking Board, states that:

"Article 3.- Financial system institutions have the responsibility to manage their risks; to this effect, they must have formal integrated risk management processes that allow identifying, measuring, controlling, mitigating, and monitoring the risk exposures they are assuming".

THAT financial institutions have the responsibility to manage their risks comprehensively with formal management processes that allow them to identify, measure, control, mitigate, and monitor them, and therefore, must be aware of the risk exposures they are assuming, which in the particular case of Banco Guayaquil S.A. has not occurred. It is highlighted that the notification report is the only document that evidences whether the procedure established in the reforms corresponding to security measures in electronic channels, ATMs, point of sale, and electronic banking was fulfilled; however, the presentation of said documentation does not modify the circumstances under which the claimant, Mr. José Guillermo Macías Morán, challenged the transfers made from his savings account No. 11426390;

THAT Article 5 of Chapter IV, Title XX, Book I, "General Norms for the Application of the General Law of Financial System Institutions," of the Codification of Resolutions of the Superintendence of Banks and Insurance and of the Banking Board, provides:

"Article 5.- If the result of the analysis carried out by the Superintendence determines the need for the controlled institution to introduce corrective measures to regularize the situation that motivated the complaint, the Superintendent of Banks and Insurance or the official who holds the delegation of said authority will issue the corresponding disposition.

If the situation that motivated the complaint referred to in the previous paragraph originated in an incorrect procedure of the controlled institution, which caused harm to the claimant, the Superintendence of Banks and Insurance may order the return of the claimed values, in exercise of the functions and attributes contemplated in letters b) and o) of Article 180 of the General Law of Financial System Institutions, granting the legal representative of the entity a period that may not exceed fifteen (15) days from the notification to send, under the legal warnings, the proof of compliance with the order issued".

THAT the aforementioned regulation empowers this control body to, in the exercise of its constitutional and legal functions and attributes, order the return of the values claimed by users of the financial system, provided that the situation object of the complaint originated in an incorrect procedure by the controlled institution, as has happened in the present case;

THAT the main ground exposed by the claimant is the existence of unauthorized bank transfers through virtual banking, evidenced in the defenses presented by Banco de Guayaquil S.A., through which the entity maintained that the mentioned transfers were carried out due to compromising personal information such as the personal key and the lack of care with the Bancontrol coordinate card, on the part of the claimant;

THAT Banco de Guayaquil S.A. intends to shift the risks to the organization and execution of the transfer service through electronic channels offered by the institution to the user, by holding them responsible for the alleged misuse of their virtual banking access key, as well as compromising the custody of their Bancontrol coordinate card, of which there is no record whatsoever in the file of the case at hand;

THAT in this sense, it is concluded that the "non-compliance" incurred by Banco de Guayaquil S.A. in the present case consists of the fact that it evidently did not have adequate security measures in place, which allowed the information security policies and procedures that electronic transaction services must have, and which the financial institution did have, to be circumvented; those policies must guarantee said operations and thus deliver to clients products and mechanisms that eliminate all types of technological risk;

THAT the National Legal Intendancy, through memorandum INJ-DNJ-SAL-2015-0014 of January 9, 2015, recommended to the Banking Board to reject the claim contained in the appeal for review filed;

AND, in exercise of its legal attributes,

RESOLVES:

SINGLE ARTICLE.- REJECT the claim contained in the appeal for review filed by Mr. Víctor Hugo Alcívar, Executive Vice President - General Manager of Banco de Guayaquil S.A.; and, consequently, CONFIRM letter No. IRG-DAYEU-V-R-2014-674, of June 24, 2014, through which the lawyer Humberto Moya González, Regional Intendant of Guayaquil, rejected the appeal for reconsideration, and ratified the content of letter No. IRG-DAYEU-V-R-2014-373 of May 8, 2014, through which it resolved to order Banco de Guayaquil S.A. to proceed to restore to Mr. José Guillermo Macías Morán the sum of USD $180.00 in the savings account No. 11426390, a value corresponding to the unauthorized transfers by the user via internet.

NOTIFY.- Given at the Superintendence of Banks, in Quito, Metropolitan District, on May 13, two thousand fifteen.

Econ. Rodrigo Landeta Parra, GENERAL INTENDANT (S), PRESIDENT OF THE BANKING BOARD (E)

I CERTIFY.- Quito, Metropolitan District, on May 13, two thousand fifteen.

Lcdo. Pablo Cobo Luna, SECRETARY OF THE BANKING BOARD