Strict Liability of Banco Nacional for Internet Banking Fund TheftResponsabilidad objetiva del Banco Nacional por sustracción de fondos vía Internet Banking

NOTIFICATIONS NOTIFICATIONS 1) BAHÍA PEZ VELA ADMINISTRACIÓN S.A. FAX 2253-39-82 2) BANCO NACIONAL DE COSTA RICA FAX 2233-2385 2222-38-78 FILE No.: 10-001716-1027-CA MATTER: ORDINARY PROCEEDING DECLARED PURELY ON LEGAL GROUNDS PLAINTIFF: BAHIA PEZ VELA ADMINISTRATION S.A.

DEFENDANT: BANCO NACIONAL DE COSTA RICA No. 32-2011-VI.

ADMINISTRATIVE LITIGATION COURT, SIXTH SECTION, SECOND JUDICIAL CIRCUIT OF SAN JOSÉ. Goicoechea, at eleven hours thirty minutes on February fourth, two thousand eleven.

Ordinary proceeding declared purely on legal grounds brought by BAHIA PEZ VELA ADMINISTRATION S.A., represented by Nombre142961, of legal age, single, businessman, holder of identity card number CED112275, resident of Guanacaste (folio 74), against BANCO NACIONAL DE COSTA RICA, represented by Nombre24322, of legal age, married, attorney, holder of identity card number CED89651, resident of Escazú, in his capacity as General Judicial Attorney-in-Fact (folio 78).

WHEREAS:

1.- On June 14, 2010, the representative of the plaintiff company filed the complaint that gave rise to this proceeding, requesting that the judgment order, claims that were confirmed at the preliminary hearing: "...the STRICT LIABILITY of BANCO NACIONAL DE COSTA RICA and that it be ordered to reimburse the stolen sum of FORTY THOUSAND DOLLARS, with interest, from the date of the theft until its effective payment. As well as both costs of this proceeding." (Folios 15 and 16 of the main file).

2.- Once the lawful transfer was granted, the General Judicial Attorney-in-Fact of the defendant bank responded negatively. He raised the preliminary defenses of expiration and, on the merits, Lack of Right, Act of a Third Party, and Contributory Negligence of the Victim. (Folios 81 to 95 of the main file).

3.- At the preliminary hearing held on November 23, 2010, the defendant raised the defense of Expiration. By resolution No. 4381-2010 of 14 hours 05 minutes on that date, the procedural judge ordered: "THEREFORE: The preliminary defense of expiration raised by Banco Nacional de Costa Rica is hereby dismissed." (Folio 99 verso of the judicial file - see detail at 14 hours 01 minutes of the recording of the preliminary hearing. Minute sheet found on folio 99 of the main file).

4.- The preliminary hearing established in article 90 of the Code of Administrative Litigation Procedure, which is recorded in the digital system of this Office, was held starting at 13 hours 54 minutes on November 23, 2010, with the attendance of both parties. As there was no evidence to be produced, this matter was declared as purely on legal grounds and closing arguments were given. The respective file was sent to this collegiate body for issuance of the relevant ruling on January 14, 2010, as recorded in the transfer stamp visible on folio 99 verso of the judicial file.

5.- In the proceedings before this Court, no nullities requiring correction have been observed, and the judgment is issued within the fifteen-business-day period established for that purpose by article 82.4 of the Autonomous Regulation on Organization and Service of the Administrative Litigation and Civil Treasury Jurisdiction.

Drafted by Judge Giusti Soto, with the affirmative vote of Judge Abarca Gómez and Judge Garita Navarro;

WHEREAS.

I.- Proven facts. The following are relevant for purposes of this proceeding: 1) That on March 14, 2008, Mr. Nombre142961 asked Banco Nacional de Costa Rica to investigate the transactions carried out on the accounts of his represented party between March 10 and 14 of that year. (Folio 18 of the main file). 2) On March 14, 2008, Mr. Nombre142961 filed complaint No. 013-08-00456 before the Judicial Investigation Agency (Organismo de Investigación Judicial) of Liberia Guanacaste, in which he stated that on Monday, March 14, the company's accountant used the internet to make some transfers, noticing that the password had been changed; she immediately requested a new password and discovered the theft of thirty-nine thousand dollars, which were deposited into other accounts belonging to other unknown persons. (Folio 20 of the main file). 3) The Security Supervisor of Guanacaste-Puntarenas Regional Banking, Lic. Gilberth Marchena Viales, in official letter No. BRGP-005-2008 of April 7, 2008, addressed to the Regional Director of Banco Nacional de Costa Rica, Nombre142962, informed him about the investigation conducted at the request of the representative of the company Bahía Pez Vela Administration S.A. regarding debits made to its accounts, concluding that the transactional record of Internet Banking Personal for each of the reported suspicious transfers includes the data identifying the account holder as the author of the same, which reflects that what happened is not due to a breach of the bank's security systems, but rather a fault of the user. (Folios 1 to 4 of the administrative file). 4) That by official letter BRGP-142-2008 dated April 9, 2008, the Regional Director of Guanacaste Puntarenas Regional Banking of Banco Nacional de Costa Rica notified Mr. Nombre142961 about the investigation carried out in the case he reported, informing him of the result of the investigation by the Security Directorate; he was also given the list of all transactions and that the amount totaled the sum of ¢19,500,000; that it had been possible to detain Nombre142963 when he appeared at the Heredia office, who was placed at the disposal of the Judicial Investigation Agency (Organismo de Investigación Judicial). He also informed him that the sum of ¢498,311.50 was blocked in the account of the suspect Nombre142964, pending coordination with the Public Ministry for the respective reimbursement; that the transactions were not carried out from any machine related to the Bank and that according to the IP addresses from where they were executed, they are services provided by ICE, Racsa, Cable Amnet, and Cable Tica, so it is not due to a breach of the bank's security systems, but a fault of the user. Therefore, they notified him of the rejection of all aspects of the claim filed. (Folios 5 to 7 of the administrative file). 5) On April 22, 2008, the representative of the company Bahía Pez Vela Administration S.A. filed before Guanacaste-Puntarenas Regional Banking a motion for reversal and a subsidiary appeal against the decision in official letter BRGP-142-2008, alleging that the company was the object of an action by third parties who, abusing the electronic fund management system that Banco Nacional has, stole the sum of ¢19,500,000 from two accounts, and therefore the bank has strict liability because the electronic page is a service provided by the entity, over which it must verify all security measures so that unrelated third parties do not carry out electronic transfers to the detriment of current account holders, and considering the authorization of transfers exceeding the permitted daily limits, this evidences a failure in the controls of the technological systems. (Folio 11 to 20 of the administrative file). 6) The Regional Director of Guanacaste-Puntarenas Regional Banking of Banco Nacional de Costa Rica, in official letter BRGP-163-2008 of April 30, 2008, rejects the motion for reversal filed, considering that in the terms presented, no new evidentiary elements are added to what was originally raised. He informed him that he was referring the matter to the General Board of Directors for the purpose of deeming the administrative remedy exhausted. (Folio 21 of the administrative file). 7) By unnumbered official letter dated September 1, 2008 and signed by Mr. Nombre142965, General Secretary of the Board of Directors of Banco Nacional de Costa Rica, they notify Mr. Nombre142961 that the Board of Directors, in article 10 of session No. 11,497 of August 26, 2008, reviewed the appeal filed against official letter BRGP-142-2008, informing him that it was decided to uphold in all its aspects opinion DJ.1482-2008 of the previous August 7 from the Legal Directorate, therefore the appeal is dismissed, arguing that the economic damage caused did not occur due to conduct carried out by the Bank, but due to negligent conduct by a representative or authorized person on the account, who revealed data necessary for accessing the account, which led to the transfer of money from the accounts to several persons, for which the Bank has no liability. (Folio 23 front and back of the administrative file). 8) That on August 13, 2009, the representative of the company Bahía Pez Vela Administration S.A. filed an administrative claim before the Liberia branch of Banco Nacional de Costa Rica, requesting the recognition of the $40,000 that were stolen from its accounts between March 10 and 14, 2008, by means of electronic transfers that were not authorized by his represented party. (Folio 40 and 41 of the main file). 9) That on January 8, 2010, Mr. Nombre142961 requested the Liberia Branch of Banco Nacional de Costa Rica to respond to his request of August 13, 2009 regarding his administrative claim, warning that if they did not, he would resort to the corresponding legal avenue. (Folio 73 of the main file).

II.Unproven facts. The following is treated as such for purposes of this proceeding: That the Liberia branch of Banco Nacional de Costa Rica had provided any response or resolution to the claim for recognition of the money stolen from the accounts of its client Bahía Pez Vela Administration S.A, filed by the representative of said company, Mr. Nombre142961, on August 13, 2009, and reaffirmed on January 8, 2010. (This situation is not accredited).

III.- Object of the proceeding. Arguments of the parties. After analyzing the allegations and petitions of the parties involved in this conflict, the object of the proceeding is determined to be the compensation to the plaintiff company for the sum of $40,000 stolen from its accounts between March 10 and 14, 2008, alleging a lack of controls by the defendant Bank when using the Internet Banking service.

IV.- Arguments of the parties. The plaintiff argues that its represented party had a commercial relationship with Banco Nacional de Costa Rica through current account number 100-01-015-006077-5 in colones and number 100-02-015-600387-8 in dollars. That in the week of March 10 to 14, 2008, unauthorized persons stole the sum of forty thousand dollars from its electronic accounts. That on March 10, 2008, when reviewing the accounts, the company's accountant noticed the shortfall, so on March 14, 2008, a note was sent to Banco Nacional to initiate the respective investigation into the transactions made via internet on its represented party's account, and also, on the same date, it proceeded to file a complaint before the Judicial Investigation Agency (Organismo de Investigación Judicial) of Liberia Guanacaste. It indicates that on the following April 8, the Liberia Branch of the Bank informed it that the entity determined that during the week of March 10 to 14, 2008, several money transfers were made via Internet Banking from account 100-02-015-600387-8 in dollars and 100-01-015-6077-5 in colones, registered in the company's name, to different accounts, carrying out a total of 39 transactions, some of which had as recipients Messrs. Nombre142963 and Nombre142964, and they informed it that the incident was not the bank's responsibility as it had resulted from a fault of the company. It states that on April 21, 2008, it filed a motion for reversal with appeal before the Regional Director of Guanacaste against that decision, which were themselves rejected on the following April 30, thereby exhausting the administrative remedy. It alleges that it again filed an administrative claim on July 28, 2009, requesting the application of article 190 of the General Law on Public Administration and 158 of the Code of Administrative Litigation Procedure. It indicates that given the omission, on January 8 it again urged a response, which had no effect. It denies that there was negligence on the part of its represented party, since the transactions were not carried out by employees or by machines of the company, as can be corroborated from the IP addresses from which the illicit transactions were made. It then develops the theory of strict liability contained in the General Law on Public Administration, indicating that the liability in this specific case derives from the lack of controls by the Bank through the use of a service provided to its company via Internet Banking, which finds support in the Consumer Protection Law, as the Court has indicated, so that deriving from the contractual nature of its represented party with the banking institution and the duty of compensation in accordance with the citation it makes of judgment 116-08 of 14 hours on September 26, 2008, from which it concludes that since it was not the company's responsibility that unscrupulous persons entered due to the bank's lack of security and that its money was stolen, this entails the institution's duty to assume responsibility for the damage caused, that is, the loss of forty thousand dollars. It alleges the application of articles 31, 34, and 35 of the Competition Promotion Law, by virtue of the service provided. It also indicates that moreover, the liability of banks in matters of electronic fraud has already been addressed by the First Chamber of the Supreme Court of Justice in several judgments, among which it mentions No. 300-F-S1-2009 of 11:25 hours on March 26, 2009, and No. 394-F-S1-2009 of 10:23 hours on April 23, 2009.

V.- For its part, the representation of the defendant bank indicates that indeed the company Bahía Pez Vela Administration S.A. is the holder of bank accounts numbers 100-02-015-600387-8 in dollars and 100-01-015-006077-5 in colones. That in report BRGP-005-2008 of April 7, 2008, signed by the Security Supervisor of the Bank's Regional Office in Guanacaste, it was determined that the transfers via Internet Banking made between March 10 and 14, 2008, totaled ¢19,500,000, a report which highlights that the analysis of the transactions shows they were made with the customer's user code (full name and identity card number), that the Bank's computer systems were not breached, that in the investigated transactions, no IP addresses assigned and used by Banco Nacional were located, that the money was withdrawn through different ATMs, and that upon receiving notice, the accounts used were closed and their holders were coded. It states that after the restriction of the accounts, the arrest of Nombre142966 was achieved when he appeared at the Heredia Branch, who was placed at the order of the Judicial Investigation Agency (Organismo de Investigación Judicial), and that the sum of ¢498,311.50 from the transfer made to the account of Nombre142964 is being withheld. It states that the Personnel of the IT Security Directorate verified the reported facts and the control and security elements associated with the electronic services of Banco Nacional, determining that the IP address numbers from which the transactions were made are of Costa Rican origin, indicating that the password created by the client to register in the Internet Banking System and access electronic services is secret, known only to the interested party, and is non-transferable, and that password was the one used for the investigated transactions, and that no IP addresses assigned or used by Banco Nacional were used, which led to the conclusion that it was not due to a breach of the bank's security systems, but a fault of the user, with all of which it was recommended to decline the administrative claim filed. Regarding the investigation request presented by the company, it indicates that it culminated with report BRGP-005-2008 of April 7, 2008, and based on this, the Director of Banco Regional Guanacaste, in official letter BRGP-142-2008 of the following April 9, rejected the filed claim, explaining the aspects that arose. That the motions for reversal with subsidiary appeal were filed against the decision, the first being rejected by official letter BRGP-163-2008 signed by the Director of Banco Regional Guanacaste, elevating the matter to the General Board of Directors, which resolved the appeal, rejecting it according to article 10 of session No. 11,497 of August 26, 2008, notified on the following September 3, a moment from which, it indicates, the one-year period provided in the Code of Administrative Litigation Procedure begins to run. That the affected company again filed an administrative claim on August 13, 2009, at the branch of Banco Nacional in Liberia, almost a year after the matter had been firmly resolved even by the institution's Board of Directors, which indicates that the action was absolutely improper, as the facts had already been extensively reviewed and resolved by the Bank, and it indicates that this claim was presented to disguise the evident expiration of the action. On the subject of fraud by means of Internet Banking, it cites judgment 1496-2010 of the Court, from which it considers it can be extrapolated that the correct analysis of this type of case must start from four aspects: a) that the plaintiff must credibly demonstrate having observed adequate behavioral patterns to protect its sensitive data, including the non-disclosure of its password and its pin, which are the client's personal creation; b) That it is impossible to explain how a third party can access the data without the concurrence of the account holder himself, whether by action or omission, as the first party obligated to adequately safeguard the data is the client, and if he did not do so diligently, then third parties could access it; c) that the bank has taken the necessary measures for private data to be recorded on different media, some completely distinct from others and some even uniquely and exclusively created by the client himself; and d) that it is not possible to ignore that the only possible way for the alleged fraud to have occurred is through the carelessness of the client who allowed, by his action or omission, the leak of his data. Thus, it considers that in this case, the exemptions that break the causal link are applicable (contributory negligence of the victim and act of a third party), for which it requests that the complaint be dismissed in all its aspects. Moreover, regarding the preliminary defense of expiration of the action, it indicates that the plaintiff lacks any legal basis to judicially bring action against the Bank, since its administrative claims were resolved even by the institution's Board of Directors, whose resolution was notified to it on September 3, 2008, nearly two years ago, so the provisions of articles 31 and 39 of the Code of Administrative Litigation Procedure are applicable, evidencing the expiration for filing this proceeding, requesting that the complaint be declared inadmissible. Finally, it raised the substantive defenses of Lack of Right, Act of a Third Party, and Contributory Negligence of the Victim.

VI.- On the fundamental rights of consumers. Constitutional and legal regulation. For this case, it is necessary to briefly reference the constitutional and legal framework that specifies the set of rights applicable to consumers in relationships for the acquisition of goods and/or services. This is relevant considering that current account contracts (including electronic ones), as well as the generality of financial and banking offers, are part of that type of commercial relationship in which the recipient of the service or goods constitutes a consumer, a category for which, due to the dynamics of commerce, rights and obligations have been enshrined. This topic has already been subject to examination by this Court, in judgments number 1112-2009 of 13 hours 30 minutes on June 15, 2009, number 602-2010 of sixteen hours thirty minutes on February nineteenth, two thousand ten, number 2758-2010 of eleven hours forty-five minutes on July twenty-eighth, two thousand ten, and number 3699-2010 of eleven hours fifty-seven minutes on September thirtieth, two thousand ten. In said precedents, this Sixth Section has established that this type of relationship falls within the category of consumer relationships. From this plane, canon 46, fifth paragraph, of the Political Constitution establishes the set of rights that assist consumers, in most cases, as the weaker party in the commercial relationship. In this line, the cited numeral stipulates: "Article 46.- (…) Consumers and users have the right to the protection of their health, environment, safety, and economic interests; to receive adequate and truthful information; to freedom of choice, and to equitable treatment. The State will support the organizations they establish for the defense of their rights. The Law shall regulate these matters." It is necessary to specify that the right to equitable treatment supposes, in any case, the duty of the merchant or provider to treat the consumer in an attentive and respectful manner in the face of simple claims, or in the protection of their rights, both in administrative and judicial venues. Now, it is clear that the application of these principles and their interpretation should be oriented towards the protection and safeguarding of the weaker party in the relationship. This is how the Constitutional Chamber has understood it, among others, in judgment number 2002-0857, in which, on the topic under discussion, it stated: "It is well known that the consumer is at the extreme end of the chain formed by the production, distribution, and marketing of consumer goods that he needs to acquire for his personal satisfaction, and his participation in that process does not respond to technical or professional reasons, but rather in the constant execution of contracts on a personal basis. Therefore, his relationship in that commercial sequence is one of inferiority and requires special protection against the providers of goods and services, so that prior to expressing his contractual consent, he has all the necessary elements of judgment that allow him to express it with complete freedom, and this implies full knowledge of the goods and services offered. Thus, in a harmonious mix, several constitutional principles are included: the state's concern in favor of the broadest sectors of the population when they act as consumers, the reaffirmation of individual freedom by facilitating individuals' free disposition of their assets with the aid of the greatest possible knowledge of the good or service to be acquired, the protection of health which is involved, the ordering and systematization of reciprocal relations between the interested parties, the harmonization of international commercial practices with the domestic system, and finally, the greater protection of the inhabitant's functioning in the means of subsistence." From the foregoing, it can be deduced that in the consumer relationship between the merchant or provider and the consumer, there exists, due to the natural dynamics of commerce, an inequality between both, and the consumer, in most cases, in this natural relationship, is the weaker party. Hence, the Political Constitution balances the dynamic of burdens of that consumer relationship, granting the consumer a series of fundamental rights that protect him from his natural inequality with the merchant or provider. As a derivation of this, the interpretation and application of the rules, in case of doubt, in conflicts of this nature, must favor the weaker party, that is, in principle, the consumer. Hence, in such cases, the merchant or provider has an obligation to demonstrate that he has fulfilled his obligations in the consumer relationship and that he has respected the fundamental rights of the consumer; otherwise, he must answer for the infringement of these rules as determined by the infra-constitutional rules. Now, as constitutional article 46 states, it is the Law that will be responsible for regulating these rights, which is materialized in the Competition Promotion and Effective Consumer Protection Law (Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor), No. 7472. Said legal body establishes, broadly speaking, the rights assisting the consumer, a topic developed in canon 32, as well as the duties of the merchant, established in canon 34. It is clear, therefore, that the infringement of the merchant's duties generates, as a direct effect and as a natural and logical consequence, the violation of the consumer's rights, protected constitutionally and legally in the terms already described. This then entails the emergence of a system of liability of the merchant or provider towards the consumer, to repair the damages and losses caused to the latter. Consequently, if there is a violation of the constitutional and legal rights of the consumer by the merchant or provider, the latter must repair the harmful effect caused to the consumer, under the strict liability regime that will be explained in detail and precisely in the following Whereas clause of this judgment.

VII.- On the legal regime of liability applicable to electronic commerce relationships of a banking nature. A relevant aspect within this proceeding is the determination of the legal regime applicable to this type of commercial linkage such as the one that has occurred between the parties. Regarding legal regulations that the Commerce Code establishes for the current account contract, this Court has been clear, a thesis it upholds as no legal arguments have been provided that justify a variation in this position; being that current account contracts with internet banking electronic services are a further variation of economic consumer relationships, in this case, of banking and financial services, the liability rules set by the Competition Promotion and Effective Consumer Protection Law (Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor) are fully and entirely applicable. Even considering that in the current context, electronic accounts presuppose, as a basic criterion, the existence of a current account contract, thus being considered an additional service to the latter, or an updated variation thereof, the fact of the matter is that in the conceptual context developed in article 2 of Law No. 7472, this linkage fits fully within consumer relationships insofar as it involves a party who is a merchant or provider of financial or banking services, which are acquired by a client who constitutes the final recipient of that market offer. It is a commercial adhesion contract whose object is the offer of banking services for the administration of funds through a current account, by virtue of which the Bank receives funds or other creditable values immediately or as a deposit, or granting of credit, to be drawn against it. It is evident that when the account permits electronic transfers, as a derivation of technological modernity, the reference to the concept of checks (as a physical document) does not apply. Precisely, the application of dematerialized mechanisms in commerce for the availability of those funds and accounts, dispensing with the issuance of physical documents, is nowadays an additional offer within the aforementioned current account contract, which is highly attractive for the consumer, given the agility and simplification of transactions, which demands security mechanisms for monetary transactions to concretize the duty of efficient and diligent custody of the client's funds. From this angle of examination, the rules referring to the contractual typology of the bond neither diminish nor eliminate the fact that it is a consumer relationship, therefore additionally regulated by the provisions of Law No. 7472. Hence, there is no doubt that the legal liability regime applicable to the present matter is article 35 of the cited Competition Promotion and Effective Consumer Protection Law (Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor). Thus, as a reference, this Section has set it forth in ruling No.

2758-2010 cited above, in which, on the specific subject, it was stated: "From these resolutions, the unanimous criterion can be extracted that the strict liability (régimen de responsabilidad objetiva) regime that must be applied in matters such as the present one is that provided in Articles 31 and 35 of the Law for the Promotion of Competition and Effective Consumer Defense (Ley de Promoción de la Competencia y de Defensa Efectiva del Consumidor), this because we are in the presence of a commercial consumer relationship, in which the Banco Nacional de Costa Rica, despite being a public administration, provides a commercial Internet Banking service, which is classified as a private commercial service, for which reason said banking institution is not acting within its administrative powers, but rather as a subject of private law and must be regulated by the respective regulations, such as the Law for the Promotion of Competition and Effective Consumer Defense. Likewise, the plaintiff company acts in its capacity as a client of the defendant bank, thus configuring the essential elements for the existence of a commercial consumer relationship governed by the rules of the cited Consumer Protection Law (Ley de Protección al Consumidor). (...) Furthermore, based on what this same Contentious-Administrative Tribunal has stated, this jurisdictional body considers that the Consumer Promotion and Defense Law (Ley de Promoción y Defensa del Consumidor) regulates a special legal regime, which must be applied over the general legal regime, as would be the case here with the commercial regulations on current accounts, or on contractual matters, so from this simple perspective, the rules of strict liability regulated by the cited Consumer Protection Law must be applied. Likewise, and under the same arguments indicated above, this Tribunal does not agree with the allegation of the defendant party to the effect that the rules of the Commercial Code (Código de Comercio) should be applied, specifically concerning current account contracts, since as has been stated, the consumer protection regulations constitute a special regime that supersedes the general one of the Commercial Code." VI II.- Background of the First Chamber (Sala Primera) of the Supreme Court of Justice in similar cases. Having stated the above, it is worth bringing up what was decided by the First Chamber in judgment number 300-2009 at eleven hours twenty-five minutes on March twenty-six, two thousand nine, analyzing the subject under dispute, it stated: "III.- Strict liability for risk in consumer matters. Regarding liability, two main branches can be located, one subjective, in which the concurrence and consequent demonstration of intentional misconduct (dolo) or fault (culpa) by the perpetrator of the harmful act is required (e.g., article 1045 of the Civil Code), and another objective, which is characterized, essentially, by disregarding these elements, with the imputation of the damage being the central axis upon which the duty to repair is built. An example of the foregoing is found in article 35 of the Law of Effective Consumer Defense (Ley de Defensa Efectiva del Consumidor), where the merchant, producer, or provider shall be liable for those damages derived from the traded goods and services provided, even when negligence, imprudence, lack of skill, or intentional misconduct are not detected in their actions. Also, it is important to consider, due to its influence on evidentiary matters, that the determining elements for the emergence of civil liability, whether subjective or objective, are: a harmful conduct (which may be active or passive, legitimate or illegitimate), the existence of damage (that is, an injury to a protected legal right), a causal link connecting the two previous elements, and in most cases the verification of an attribution criterion, which will depend on the specific legal regime. Regarding causation, it is necessary to indicate that it is a case-by-case assessment made by the judge in which, based on the facts, they determine the existence of a relationship between the claimed damage and the conduct displayed by the economic agent. Although various theories exist on the matter, the one considered most consistent with the Costa Rican regime is that of adequate causation, according to which there is a link between damage and conduct when the former originates, if not necessarily, at least with a high probability according to the specific circumstances affecting the matter, from the latter (in this regard, see, among others, resolutions 467-F-2008 at 14 hours 25 minutes on July 4, 20085, or 1008-F-2006 at 9 hours 30 minutes on December 21, 2006). At this point, it is important to clarify that the verification of exempting causes (fault of the victim, an act of a third party, or force majeure), acts upon the causal link, ruling out that the conduct attributed to the defendant was the producer of the injury suffered. Regarding the different attribution criteria, for the purposes of the present case, the theory of created risk is of interest, which was expressly included in the Consumer Defense Law. The objective scheme for which the law opts, as well as the application of the cited attribution criterion, are evident from a simple reading of the rule in question, which stipulates (...) Carrying out a detailed analysis of the rule just transcribed, a series of conditioning elements for its application emerge. First, from the perspective of the subjects, that is, who causes the damage and who suffers it, the application of this liability regime is contingent upon certain qualifications concurring in them. Thus, regarding the first, it is required that they be a producer, provider, or merchant, whether natural or legal persons. For its part, regarding the second, the injury must be inflicted on someone who participates in a legal relationship where they are positioned as a consumer, in the terms defined in the referenced legal body and developed by this Chamber. It is required, then, that both parties form a consumer relationship, whose object is the potential acquisition, enjoyment, or use of a good or service by the consumer. The Bank acts in the exercise of its private law capacity, as a true public enterprise, and in that condition, offers a service to its clients, so that, a consumer relationship existing, the specific case must be analyzed under the scope of coverage of article 35 under discussion. Likewise, from the precept under study, it emerges, secondly, that the legislator established a series of attribution criteria based on which the strict liability that this article regulates can be imputed, among which is the aforementioned theory of risk. Thus, this serves as a factor to attribute liability to the subjects referred to. In essence, this theory postulates that whoever creates, exercises, or benefits from a lawful lucrative activity that presents potentially dangerous elements for others, must also bear its inconveniences (ubi emolumentum, ubi onus, which can be translated as where the emolument is, there is the burden). From the foregoing statement, two characteristics can be deduced: on the one hand, that the risk comes from an exploitative activity; and on the other, being carried out by a human being, so-called acts of nature are excluded. Concomitantly, it is important to make some clarifications regarding the risks suitable for generating liability, since not every risk implies the automatic emergence thereof. Currently, life in society offers countless risks, of different degrees and scopes, to the point that it can be affirmed that it is impossible to find a daily activity that is exempt from them. In this line, the interpretation of the rules cannot start from an absolute and total aversion to risk, which, as indicated, forms an integral part of societal coexistence and the technological advances integrated into it. The foregoing leads to the affirmation that, for the emergence of the duty to repair, the risk associated with the activity must present a degree of abnormality, that is, it must exceed the margin of tolerance that is admissible according to the rules of experience, which must be analyzed, on a case-by-case basis, by the judge. The second point that requires some sort of comment concerns the subject who becomes obligated by virtue of an activity considered dangerous. As already indicated, the attribution criterion is, precisely, the created risk, which supposes that the person to whom the damage is attributed must be in a position of control regarding it, that is, they must be the one who carries out the activity or assumes the possible associated negative consequences, receiving a benefit from it. This benefit may be direct, which can be identified, among others, with the income or emoluments obtained as consideration, or indirect, when the advantageous situation occurs in a reflected manner, which could be the case of alternative mechanisms aimed at attracting consumers, and consequently, resulting in an economic benefit for the offeror. It is important to mention that in an activity, different degrees of risk can be found, which must be managed by that subject who benefits from it, a circumstance that exerts a direct influence on the evidentiary duty incumbent upon them, as it is relevant for determining attribution in the specific case. The foregoing, together with the existence of exempting causes, demonstrates that the legislation under discussion does not constitute an automatic patrimonial transfer." IX.- Scope of the liability regime regulated in Law No. 7472. It is clear then that the liability rule applicable to the case is the aforementioned Article 35 of Law No. 7472, which literally states: "ARTICLE 35.- Liability regime. The producer, the provider, and the merchant must respond concurrently and independently of the existence of fault, if the consumer is harmed because of the good or service, due to inadequate or insufficient information about them or their use and risks./ One is only released if they prove they were unrelated to the damage./ The legal representatives of commercial establishments or, where appropriate, the business managers are responsible for their own acts or deeds or for those of their employees or assistants. Technicians, those in charge of production and control are jointly and severally liable, when appropriate, for violations of this Law to the detriment of the consumer." The correct understanding of this rule allows concluding on the objective nature of this liability regime, which, as such, disregards the consideration of subjective factors, such as intentional misconduct or gross negligence. Second, it is necessary to prove the existence of harmful conduct, active or omissive, which means that a violation of the consumer's rights or their obligations must occur by the merchant or provider. It is clear that for the imputation of liability to be possible, the existence of effective, evaluable, and individualizable damage, which is a consequence of the merchant's (alleged responsible party's) conduct, must be demonstrated. This implies proving a causal link between that injury and the behavior of the service or goods provider. Now, in the context of the legal regime applicable to this type of consumer relationship, Article 35 of Law No. 7472 establishes the possible release from liability for whoever proves they were unrelated to the damage. By supplementary application of Article 190 of the General Law of Public Administration (Ley General de la Administración Pública) (pursuant to the remission established by canon 71 of the Law of Promotion of Competition and Effective Consumer Protection (Ley de Promoción de la Competencia y Protección Efectiva del Consumidor)), the exempting causes of liability provided for therein are fully applicable to this matter. Of course, in line with the dynamic burden of proof, it corresponds to whoever seeks to be freed from an obligation, to prove the liberating, impeditive, or modifying facts of the right sought to be exercised against them. On the subject of the burden of proof in this type of proceeding, see Considerando IV of judgment 300-2009 of the First Chamber of the Supreme Court of Justice. Thus, it is decisive to establish in this proceeding, the convergence of the various referred assumptions that allow the strict liability of the banking entity to arise, as the plaintiff alleges, or if, on the contrary, some of the exempting causes of that liability have been configured that allow the Bank to be considered unrelated to the damage claimed in this venue.

X - Analysis of the specific case. Regarding the strict liability of Banco Nacional. Proof of damage and causal link. In this case, it has been proven that the company Bahía Pez Vela Administration S.A. has two current accounts with Banco Nacional de Costa Rica, number 100-01-015-006077-5 in colones and number 100-02-015-600387-8 in dollars, and that in these, during the period between March 10 and 14, 2008, a series of debits were made via electronic transfers, for a total of forty-two transfers in favor of several accounts belonging to other clients of the same defendant Bank (see detail of the report of the Security Supervisor of the defendant Bank visible on folios 1 to 4 of the administrative file), for a total, according to said report, of ¢19,500,000.00 (nineteen million five hundred thousand colones). As indicated, the debits were made from IP addresses within the Country, on machines not linked to the defendant Bank itself, and that, the plaintiff party denies had their consent, since both before the same banking institution, and before the Judicial Investigation Organization (Organismo de Investigación Judicial), it stated that it was the company's accountant who noticed the missing funds when consulting the internet system for the purpose of carrying out some operations, for which reason on that same March 14, 2008, they proceeded to report it to the Bank, requesting the respective investigation. As a result of the complaint filed by the representative of the affected company, the Security Supervisor of the Banco Regional Guanacaste-Puntarenas, in official letter BRGP-005-2008 of April 7, 2008, among his conclusions stated: "... given that in the transactional record identifying the account holder as the author of the reported suspicious transfers, the data identifying the account holder as the author thereof appear. Which (sic) reflects that what occurred is not due to a violation of the bank's security systems, but to a user failure. Therefore it is recommended, subject to your better judgment, to dismiss the present administrative claim, rejecting in all its terms the request for reimbursement of funds..." (folio 1 of the administrative file). Based on this, the Regional Banking Director of Guanacaste-Puntarenas of Banco Nacional de Costa Rica, through official letter BRGP-142-2008 dated April 9, 2008, informed Mr. Nombre142961 about the investigation carried out in the reported case, and among other things indicated that the movements were not made from any machine related to the Bank and that according to the IP addresses from which they were executed, they are services provided by ICE, Racsa, Cable Amnet, and Cable Tica, so it is not due to a violation of the bank's security systems, but to a user failure, for which reason the claim was rejected (Folios 5 to 7 of the administrative file). Faced with this, the representative of the company Bahía Pez Vela Administration S.A. filed, on April 22, 2008, revocation and appeal motions in subsidy against what was resolved in official letter BRGP-142-2008, alleging that the company was the object of an action by third parties who, abusing the electronic fund management system that Banco Nacional has (Folio 11 to 20 of the administrative file). Both motions were rejected, the revocation motion in official letter BRGP-163-2008 of April 30, 2008, and the appeal motion by the General Board of Directors in article 10, of Session No. 11,497 of August 26, 2008, arguing that the patrimonial damage caused did not occur because of conduct displayed by the Bank, but because of the negligence of a representative or authorized person on the account, who must have revealed the necessary data to access the account and make the money transfers from the accounts to various persons, (Folios 21 and 23 respectively of the administrative file). Notwithstanding the exhaustion of the administrative channel, the representative of the affected company, on July 28, 2009, refiled the administrative claim before the Liberia branch of Banco Nacional de Costa Rica, requesting payment of $40,000 which he indicated were withdrawn from his accounts (Folio 40 and 41 of the main file), and that given the omission of a resolution, on January 8, 2010 (Folio 73 of the main file), the Bank was urged to issue the respective resolution on his claim, without obtaining a result. From the factual picture described above, this Tribunal clearly extracts that a consumer relationship existed between Banco Nacional and the plaintiff company, whereby the provisions of Article 35 of Law No. 7472 are applicable to the case, as has been indicated. Furthermore, damage to consumer rights has been verified, which materializes through the risk produced by the use of the technological platform of the internet banking service offered by the banking entity, with damage occurring in the plaintiff's patrimonial sphere, consisting of the unauthorized withdrawal of money from their accounts, as determined in the study carried out by the Bank on the occasion of the transfers made between March 10 and 14, 2008 from the dollar and colon accounts of the plaintiff company here. Although the defendant Bank tries to indicate that the responsibility is not theirs, the truth is that the injury suffered must be considered as a consequence of the lack of implementation of adequate security mechanisms for the use of the electronic transfer services enabled in internet banking, a service that Banco Nacional de Costa Rica offers, as in this case, to the company Bahía Pez Vela Administration S.A. Thus, the causal link that is necessary to impute liability in this type of situation is manifest. As indicated, it should be highlighted that the representative of the affected company, once aware of the withdrawals, proceeded to report it both to the Bank that provided the services, and to the police authorities, in this case the Judicial Investigation Organization, both on March 14, 2008, it being the case that the operations improperly carried out on their accounts occurred between March 10 and 14 of that year, which demonstrates the prompt attention of the affected party.

XI.- Analysis on the existence of exempting causes in the case. As indicated in previous lines, it is the provider or marketer of the Internet Banking service, in this case Banco Nacional de Costa Rica, which could free itself from its strict liability derived from the application of Article 35 of Law 7472, only when it proves (as it is its evidentiary burden) non-involvement in the harmful result, that is, whether fault of the victim, an act of a third party, or force majeure intervened in the case. The Bank alleged, even as a substantive defense, the concurrence of fault of the victim, and as a consequence thereof, the participation of third persons. Indeed, the position assumed by the Bank upon answering the complaint is supported by the dissenting opinion of Judge Palacios Garcia to judgment 910-2010 of Section IV of this Tribunal, in which, among other aspects, it determines that regarding the obtaining of the keys and passwords necessary to carry out the transactions, it is necessary to determine whether this was due to the lack of skill of the bank or its officials; or that a third party used computer means to directly obtain from the client the necessary data in order to access the system. However, this panel of the Tribunal maintains its position that the burden of proof in this type of case remains with the banking institution, hence, if it maintains, as it does in this case, the idea of the existence of a suppression of its liability either by the client's own intervention who carelessly left their data in the hands of third parties, or that the bank itself was not responsible, these are aspects that, for exoneration purposes, it must prove in the case file. In this regard, it must be indicated that the answer to the complaint does not delve into the issue and refers to the investigation report prepared on the occasion of the incident that occurred to the plaintiff company, making it necessary to analyze what was provided therein. Thus, in official letter BRGP-005-2008 of April 7, 2008, Mr. Gilberth Marchena Viales, Security Supervisor of Banco Nacional de Costa Rica, when analyzing the case, refers to the fact that in the internal regulations of the institution and in the signed contract, the client agreed to safeguard their identification documents such as the key (password), the user code, and other personal data necessary to access the computer system, but the truth is that at no time is any reason, circumstance, or other data identified so that consistently, concretely, and specifically, it can be concluded that employees or representatives of the affected company effectively committed, through action or omission, careless use of the identification documentation to use the system; they only start from a supposition, this derived, in their understanding, from the fact that the transactions did not occur from any Bank machine, nor its employees, and that the IP addresses used correspond to subjects unrelated to the institution. This derivation cannot be taken into account in a case like the one before us to transfer responsibility to the client or a third party, since the data with which the unauthorized transfers were made could well have been obtained from the bank's own records due to a lack of controls in the computer system, which is not ruled out at any time by what is indicated in the aforementioned investigation report, as it is well known that so-called "hackers" could perfectly have entered the systems and obtained from there the necessary data to have made the transactions that finally affected the accounts that the company Bahía Pez Vela maintains with the financial institution. In fact, as indicated, the report is not conclusive in that sense, but rather starts from assumptions; even when resolving the filed appeal in this case, the General Board of Directors of Banco Nacional de Costa Rica maintained the conjecture for, in Article Ten of session 11497 of August 23, 2008, it asserted that: "...the patrimonial damage caused to the appellant did not occur because of conduct displayed by Banco Nacional de Costa Rica, but because of negligent conduct carried out by a representative or authorized person for access to the account, which ultimately led to the transfer of money to the accounts of various persons..." That is, without any proof, the Bank, in order to free itself from liability, asserts that it was the representatives or workers of the affected company who through "negligence" revealed the data. We insist, the Bank cannot merely indicate that it has managed the data well internally and without greater proof simply indicate that if it was not the institution, the client must be responsible, an argument that is totally devoid of probative force and therefore must be dismissed as an element to be taken into account in the possible exoneration from the strict liability that derives from these cases, since what is indicated in that way would not have the merit to be taken as reliable proof of its computer-related actions without vulnerability, much less to impute a fault to others without having support to do so. Indeed, a thorough analysis of the various pieces of evidence in the case file does not allow concluding on imprudent or negligent conduct on the part of the current account holder that would allow supposing that they made known relevant information for access to their accounts to third persons. Moreover, from the technical investigation that was added to the file, there is no proof that the plaintiff had ceded their sensitive data for carrying out the transfers under dispute. Therefore, in this case, the concurrence of fault of the victim cannot be inferred for not having been diligent in safeguarding the access means to the Internet Banking tool (sensitive data in their possession), and furthermore, the Bank could not prove in this proceeding that the damage was unrelated to its scope of action and precautions. Nor has it been possible to prove that the bank's security systems functioned adequately or that there was no failure in the security systems of the defendant banking entity. On the other hand, the necessary convincing elements to prove the act of a third party as a cause for excluding the Bank's liability were not provided. While it is detected that the transfers were made from IP addresses located within the country, the truth of the matter is that at its core, it is reiterated, the defendant entity did not prove that its security systems had not been breached such that a level of security and minimum risk from the use of electronic services existed. It could not be maintained that the burden of proof regarding the vulnerability of those mechanisms or the computer security system rests on the plaintiff, because on the contrary, their evidentiary burden must be directed at demonstrating the existence of one or several circumstances that prevent the emergence of the oft-mentioned civil liability, which by law rests on that banking institution. Thus, it would be unthinkable to attempt to shift that burden of proof, so that the user of the banking services offered by Banco Nacional de Costa Rica would be the one who must know in detail all the security systems of that bank, and from there, also demonstrate the existence of some fissure. Such a position does not imply the impossibility of proving the existence of fault of the victim or the act of a third party within the framework of banking electronic commerce. It should be noted that it is the defendant who designs and conditions access to the systems used within the framework of the tool called Internet Banking, which is why it has the possibility of establishing as many security systems as it deems appropriate, in order to guarantee that the transactions are made by its client, and not just by someone who has at their disposal sensitive data of that user. In this sense, it is the banking entity, which profits from the financial services offered, that must ensure the use of computer and administrative systems that, from a legal standpoint, allow with certainty the proof of the physical identity of the user, for example, the mandatory establishment of OTP devices, or even assessing, within the framework of its administrative autonomy, establishing the use of devices that reduce risks and prove the client's identity with a higher degree of certainty, such as biometric tools, this in order to have systems that allow the pre-constitution of proof. In this direction, the First Chamber of the Supreme Court of Justice has considered: "Notwithstanding the foregoing, the defendant financial entity must bear in mind that its essential function is financial intermediation, which includes the capture of funds from the public's savings, a concept that implicitly carries their custody, both from a physical point of view and from the corresponding electronic record. There is no doubt that it is subject to an unavoidable obligation to guarantee the security of the transactions carried out, whether at the teller window or through any other means made available to clients, which must necessarily encompass the use of all those available mechanisms that allow it to have a greater degree of certainty regarding the identification of the persons who are authorized to carry out electronic transactions from the accounts. The liability that was imputed to the Bank is based, not on the theft of the money by a third party, but on the existence of a risk, according to what was set forth in Considerando III, in the proper functioning of the service it offers, which allows imputing the origin of the damage to the functioning of the service. The foregoing, despite having mechanisms that allow greater security. (...) Ultimately, banks, without the defendant being the exception, guard and administer, among other things, someone else's property; and not just any property, but public funds. Thus, they are liable not only for the strength of their internal systems, but also for the security of those who, to get there, use the only possible channels that the Bank itself knows and recognizes as risky. And they are liable not as unrelated, but insofar as it constitutes the means they directly avail themselves of for the provision of the service." As prescribed by numeral 35 of the Consumer Protection Law (Ley de Protección al Consumidor), there has been an injured party due to the service, which when used (and in view of its risky nature) produced a significant injury to the party appearing in the proceedings as plaintiff. (...) The means to access the Bank's platform is not, therefore, an external source of risk, but rather an instrument consubstantial to the service it provides; it is, if you will, an intrinsic part of the activity, which, although ancillary to the intermediary's activity, is indispensable. Hence, the guarantee mechanisms for the client –user– must be provided not only within the Bank's own computer walls, but also on the access path to it as part of the service. It is not in vain that the Financial System has generally focused on implementing double identification mechanisms, improving passwords, and, in general, using recent systems such as the use of tokens, changing passwords, keys with special devices, among others." (Resolution No. 300-2009 cited above) Said reference makes it clear that the vulnerability of the system is not a matter that the account holder must prove; on the contrary, given the activity it carries out, the profit it obtains from that commercial line of business and as it constitutes a means that allows for the streamlining of transactions derived from the checking account, a contract that implies the custody of public funds, it is the financial entity that must prove that its security systems have an acceptable degree of security and that, in each specific case, they were not breached. In the present case, it was precisely the failure of security mechanisms that led to the materialization of damage against the plaintiff company, consisting of the withdrawal of a sum of money, which has been recognized by the Bank as ¢19,500,000.00 (nineteen million five hundred thousand colones), but for the plaintiff is $40,000.00 (forty thousand dollars), the product of several transactions made in favor of other account holders of the same Banco Nacional de Costa Rica. This constitutes damage from which the banking entity has not managed to disassociate itself, having failed to prove its lack of connection with the damage or the concurrence of any of the exempting causes that would allow it to be released from that strict liability that prevails in matters of consumer relations.

XII.Regarding material damage in the specific case. Based on the foregoing considerations, the strict liability (responsabilidad objetiva) of Banco Nacional must be declared for the damage suffered by the company Bahía Pez Vela Administration S.A. as a result of the forty-two transactions carried out in the period between the tenth and fourteenth of March, both of the year 2008, by virtue of which funds were withdrawn from the accounts, both in colones and in dollars, of the affected company, account numbers 100-01-015-006077-5 (colones) and 100-02-015-600387-8 (dollars). It should be noted that the only document in which the operations are determined is official communication BRGP-005-2008 issued by the Banco Regional Guanacaste-Puntarenas of Banco Nacional de Costa Rica, visible on pages 1 to 4 of the administrative file, according to which the institution accepts that the transfers made were as follows:

Document Suspicious ID Amount Account Number IP Address Date 15691068 Name142967 1-1241-203 $1,015.74 200-01-000-733339-0 201.192.103.17. CR 10-03-08 15691088 Name142968 1-1101-659 $1,015.74 200-01-053-37793-8 201.192.103.17. CR 10-03-08 15691117 Name142969 1-874-052 $1,015.74 200-01-053-37796-2 201.192.103.17. CR 10-03-08 15691147 Name142970 .

1-538-870 $1,015.74 200-01-095-27326-7 201.192.103.17. CR 10-03-08 15691171 Name142971 1-1317-370 $1,015.74 200-01-130-7669-2 201.192.103.17. CR 10-03-08 15691420 Name142972 1-664-373 $1,015.74 200-01-157-8843-9 201.192.103.17. CR 10-03-08 15692310 Name142973 2-572-440 $1,015.74 200-01-095-11918-7 201.192.57.194.CR 10-03-08 15692499 Name142973 2-572-440 $1,015.74 200-01-095-11918-7 201.192.57.194.CR 10-03-08 15692533 Name142968 1-1101-659 $1,015.74 200-01-053-37793-8 201.192.57.194.CR 10-03-08 15692560 Name142970 . Name142970 1-538-870 $1,015.74 200-01-095-27326-7 201.192.57.194.CR 10-03-08 15728923 Name142970 .

1-538-870 $1,015.74 200-01-095-27326-7 190.10.29.23.CR 11-03-08 15728936 Name142968 1-1101-659 $1,015.74 200-01-053-37793-8 190.10.29.23.CR 11-03-08 15728952 Name142969 1-874-052 $1,015.74 200-01-053-37796-2 190.10.29.23.CR 11-03-08 15728964 Name142971 1-1317-370 $1,015.74 200-01-130-7669-2 190.10.29.23.CR 11-03-08 15728974 Name142972 1-664-373 $1,015.74 200-01-130-7669-2 190.10.29.23.CR 11-03-08 15729112 Name142973 2-572-440 $1,015.74 200-01-095-11918-7 201.192.57.194.CR 11-03-08 15729324 Name142973 2-572-440 $1,015.74 200-01-095-11918-7 201.192.57.194.CR 11-03-08 15729398 Name142974 1-1429-431 $1,015.74 200-01-000-709577-5 201.192.57.194.CR 11-03-08 15729807 Name142963 . Name142963 2-625-993 $1,015.74 200-01-053-33101-6 201.192.57.194.CR 11-03-08 15729844 Name142963 .

2-625-993 $6.09 200-01-053-33101-6 201.192.57.194.CR 11-03-08 15730005 Name142963 .

2-625-993 $1,005.59 200-01-053-33101-6 201.192.57.194.CR 11-03-081 15730021 Name142963 .

2-625-993

4:06 (sic)

200-01-053-33101-6 201.192.57.194.CR 11-03-08 15764332 Transfer between accounts From the Client ¢3,251.77 From dollars to colones 201.237.15.114.CR 12-03-08 15765289 Name90398 1-1005-991 $1,017.81 200-01-000-691558-2 201.192.9.110.CR 12-03-08 15765404 Name142969 1-874-052 $1,017.81 200-01-053-37796-2 201.192.9.110.CR 12-03-08 15765415 Name142971 1-1317-370 $1,017.81 200-01-130-7669-2 201.192.9.110.CR 12-03-08 15765430 Name142972 1-664-373 $1,017.81 200-01-130-7669-2 201.192.9.110.CR 12-03-08 15765449 Name142970 . Name142970 1-538-870 $1,017.81 200-01-095-27326-7 201.192.9.110.CR 12-03-08 15765465 Name142968 1-1101-659 $1,017.81 200-01-053-37793-8 201.192.9.110.CR 12-03-08 15765714 Name90398 1-1005-991 $1,017.81 200-01-000-691558-2 201.192.57.194.CR 12-03-08 15766318 Name142963 .

2-625-993 $1,017.81 200-01-053-33101-6 201.192.57.194.CR 12-03-08 15815479 Name142968 1-1101-659 $1,017.81 200-01-053-37793-8 201.192.57.194.CR 13-03-08 15815513 Name142970 .

1-538-870 $1,017.81 200-01-095-27326-7 201.192.57.194.CR 13-03-08 15815530 Name142969 1-874-052 $1,017.81 200-01-053-37796-2 201.192.57.194.CR 13-03-08 15815551 Name142971 1-1317-370 $1,017.81 200-01-130-7669-2 201.192.57.194.CR 13-03-08 15816501 Name90398 1-1005-991 $1,017.81 200-01-000-691558-2 201.192.57.194.CR 13-03-08 15765859 Name142964 4-186-284 ¢500,000 200-01-004-94827-9 201.192.57.194.CR 12-03-08 15766428 Name142974 1-1429-431 ¢500,000 200-01-000-709577-5 201.192.57.194.CR 12-03-08 15815568 Name142972 1-664-373 $1,017.81 200-01-130-7669-2 201.192.57.194.CR 14-03-08 15815588 Name142964 4-186-284 ¢500,000 200-01-004-94827-9 201.192.57.194.CR 14-03-08 15816527 Name142975 4-196-146 ¢500,000 200-01-124-16528-3 201.192.57.194.CR 14-03-08 15816827 Name142975 4-196-146 ¢500,000 200-01-124-16528-3 201.192.57.194.CR 14-03-08 As a result of this, most of the amounts withdrawn have been able to be extracted, of which, for greater clarity and given the discrepancy between what was requested by the plaintiff, who sets it entirely in dollars, and on the other hand, the defendant bank establishes it in colones, the truth is that from the analysis of the transcribed table, the amounts of the transfers must be indicated separately both in dollars and in colones, so we would have thus: in dollars the sum of $30,497.12 (thirty thousand four hundred ninety-seven dollars and twelve cents), and in colones ¢2,503,251.77 (two million five hundred fifty-one thousand colones with seventy-seven cents). However, it must also be taken into account that in said table, there is an amount which has not been able to be clearly determined, corresponding to transaction number 22 appearing in the previous table, said to be from document number 15730021, transferred to the account of Mr. Name142963 . Name142963 . ID number CED112276, to account number 200-01-053-33101-6, from the IP address 201.192.57.194.CR on March 11, 2008, which appears for an amount of (4:06) without indicating its currency and without knowing if the numbers consigned correspond to the true amount of that withdrawal, which is why this will remain to be proven in the sentence enforcement stage and included in the total amount. Therefore, Banco Nacional must pay to the plaintiff the total of the transfers, and on those items, the legal interest that numeral 497 of the Commercial Code (Código de Comercio) sets for operations in foreign currency must be recognized as financial loss (article 706 of the Civil Code), namely, interest according to the prime rate, and for those in colones (article 497 of the Commercial Code) the basic passive rate (tasa básica pasiva) of the Central Bank of Costa Rica (Banco Central de Costa Rica). Said interest must be calculated on each item withdrawn from the date on which each of the aforementioned unauthorized debit transactions was made, that is, from the time each harmful event occurred, until its effective payment, items to be liquidated in the sentence enforcement phase. The granting of the cited financial loss implies, implicitly, the updating of the economic value of the obligation (indexation), for the purposes of canon 123 of the Code of Administrative Procedure (Código Procesal Contencioso Administrativo).

XIII.- Analysis of the defenses opposed. The representation of Banco Nacional de Costa Rica formulated the preliminary defense of Statute of Limitations (Caducidad), which was analyzed in the preliminary hearing held on November 23, 2010, by resolution No. 4381-2010 at 14 hours 05 minutes of that date, the procedural judge ordered: "POR TANTO: The preliminary defense of statute of limitations filed by Banco Nacional de Costa Rica is hereby dismissed." As for the defenses on the merits, the representation of the defendant bank opposed the defense of lack of right, which must be rejected, since the origin of the plaintiff's right to obtain compensatory redress for the damages caused through withdrawals from its bank accounts, against which the Bank did not prove lack of connection or exonerating causes, has been established. In that order, the allegations of act of a third party and fault of the victim alleged by the defendant entity must also be rejected, for the reasons already noted above. Consequently, the lawsuit filed by the representative of the company Bahía Pez Vela Administration S.A. against Banco Nacional de Costa Rica must be declared with merit in the following terms: - Banco Nacional de Costa Rica is ordered to reimburse to the plaintiff the sums debited in an unauthorized manner, product of forty-two transfers in favor of several accounts of clients of the defendant bank, carried out between the days tenth to fourteenth of March, both of the year 2008, for an amount in dollars of $30,497.12 (thirty thousand four hundred ninety-seven dollars with twelve cents), and in colones ¢2,503,251.77 (two million five hundred fifty-one thousand colones with seventy-seven cents) plus the amount corresponding to the transaction whose document number is 15730021, transferred to the account of Mr. Name142963 . . ID number CED112276, to account number 200-01-053-33101-6, from the IP address 201.192.57.194.CR on March 11, 2008, for which an amount is not correctly consigned, thus remaining to be proven in the sentence enforcement stage and included in the total amount. 2) On the sums that finally result, Banco Nacional de Costa Rica is ordered to pay legal interest, from the moment each of the unauthorized debits was made until the effective payment. Said interest shall be calculated according to the prime rate for operations in foreign currency, and regarding national ones, the basic passive rate of the Central Bank of Costa Rica shall apply, in accordance with the provisions of numeral 497 of the Commercial Code. The granting of that financial loss implicitly implies the economic updating of the obligation for the purposes of ordinal 123 of the Code of Administrative Procedure. These sums must be liquidated in the enforcement phase of this judgment.

XIV.- Costs. In accordance with numeral 193 of the Code of Administrative Procedure, procedural and personal costs constitute a burden imposed on the losing party by the fact of being so. The exemption from this judgment is only viable when there has been, in the Court's judgment, sufficient reason to litigate, or when the judgment is issued by virtue of evidence whose existence was unknown to the opposing party. In this case, this collegiate body finds no reason to apply the exceptions set by the applicable regulations and break the postulate of judgment to the losing party. Therefore, both costs are imposed on the defendant banking entity.

POR TANTO.

The defense of lack of right is rejected, as well as those of "Fault of the Victim and Act of a Third Party" opposed by Banco Nacional de Costa Rica. Consequently, the lawsuit filed by Bahía Pez Vela Administration S.A. against Banco Nacional de Costa Rica is declared with merit in the following terms: 1) Banco Nacional de Costa Rica is ordered to reimburse to the plaintiff the sums debited in an unauthorized manner, product of forty-two transfers in favor of several accounts of clients of the defendant bank, carried out between the days tenth to fourteenth of March, both of the year 2008, for an amount in dollars of $30,497.12 (thirty thousand four hundred ninety-seven dollars with twelve cents), and in colones ¢2,503,251.77 (two million five hundred fifty-one thousand colones with seventy-seven cents), plus the amount corresponding to the transaction whose document number is 15730021, transferred to the account of Mr. Name142963 . Name142963 . ID number CED112276, to account number 200-01-053-33101-6, from the IP address 201.192.57.194.CR on March 11, 2008, for which an amount is not correctly consigned, thus remaining to be proven in the sentence enforcement stage and included in the total amount. 2) On the sums that finally result, Banco Nacional de Costa Rica is ordered to pay legal interest, from the moment each of the unauthorized debits was made until the effective payment. Said interest shall be calculated according to the prime rate for operations in foreign currency, and regarding national ones, the basic passive rate of the Central Bank of Costa Rica shall apply, in accordance with the provisions of numeral 497 of the Commercial Code. The granting of that financial loss implicitly implies the economic updating of the obligation for the purposes of ordinal 123 of the Code of Administrative Procedure. These sums must be liquidated in the enforcement phase of this judgment. 3) Both costs are borne by the defendant entity.

Juan Luis Giusti Soto Cinthia Abarca Gómez Roberto Garita Navarro ASUNTO: PROCESO DE CONOCIMIENTO DECLARADO DE PURO DERECHO ACTOR: Bahía Pez vela Administration S.A.

DEMANDADOS: Banco Nacional de Costa Rica.

for debits made to their accounts, concluding that the transactional record of Personal Internet Banking for each of the reported suspicious transfers shows the data identifying the account holder as the author thereof, reflecting that what occurred is not due to a breach of the bank's security systems, but rather to a fault of the user. (Folios 1 a 4 of the administrative file). **4)** That by official letter BRGP-142-2008 dated April 9, 2008, the Regional Director of Banca Regional Guanacaste Puntarenas of the Banco Nacional de Costa Rica notified Mr. Nombre142961 of the investigation conducted in the case he reported, informing him of the result of the investigation by the Dirección de Seguridad; in addition, the list of all transactions was indicated to him and that the amount totaled the sum of ¢19,5000,000; that it had been possible to detain Nombre142963 when he appeared at the Heredia office, who was placed at the disposal of the Organismo de Investigación Judicial. Likewise, he was informed that the sum of ¢498,311.50 was blocked in the account of the suspect Nombre142964, pending coordination with the Ministerio Público for the respective reimbursement; that the movements were not made from any machine related to the Bank and that, according to the IP addresses from which they were executed, they are services provided by ICE, Racsa, Cable Amnet, and Cable Tica, and therefore it is not due to a breach of the bank's security systems, but rather to a failure of the user. For this reason, they notified him of the rejection of all aspects of the claim filed. (Folios 5 to 7 of the administrative file). **5)** On April 22, 2008, the representative of the company Bahía Pez Vela Administration S.A. filed before Banca Regional Guanacaste-Puntarenas an appeal for revocation (recurso de revocatoria) and subsidiary appeal (apelación en subsidio) against the decision in official letter BRGP-142-2008, alleging that the company was the object of an action by third parties who, abusing the electronic fund management system held by Banco Nacional, withdrew the sum of ¢19,500,000 from two accounts, and therefore there is objective liability (responsabilidad objetiva) on the part of the bank because the electronic page is a service provided by the entity, over which it must verify all security measures so that unauthorized third parties do not make electronic transfers to the detriment of account holders, and considering the authorization of transfers exceeding the permitted daily limits, this evidences the failure of controls in the technological systems. (Folio 11 to 20 of the administrative file). **6)** The Regional Director of Banca Regional Guanacaste-Puntarenas of the Banco Nacional de Costa Rica, in official letter BRGP-163-2008 of April 30, 2008, rejected the appeal for revocation (recurso de revocatoria) filed, considering that in the stated terms no new elements of judgment were added to what was originally raised. He informed him that the matter was being referred to the Junta Directiva General for consideration so that the administrative channel (vía administrativa) would be exhausted (Folio 21 of the administrative file). **7)** By means of an unnumbered official letter, dated September 1, 2008, and signed by Mr. Nombre142965, Secretario General of the Junta Directiva of the Banco Nacional de Costa Rica, they notified Mr. Nombre142961 that the Junta Directiva, in article 10 of session No. 11,497 of August 26, 2008, considered the appeal filed against official letter BRGP-142-2008, indicating to him that it was decided to accept in its entirety dictamen DJ.1482-2008 of August 7 of the Dirección Jurídica, therefore the appeal is declared without merit (sin lugar), arguing that the patrimonial damage caused did not occur due to conduct exhibited by the Bank, but rather due to negligent conduct carried out by a representative or authorized person on the account, who revealed data necessary for accessing the account, which led to the transfer of money from the accounts to various persons, and therefore the Bank is not liable.

(Folio 23 front and back of the administrative file). **8)** That on August 13, 2009, the representative of the company Bahía Pez Vela Administration S.A. filed an administrative claim (reclamo administrativo) before the Liberia branch of the Banco Nacional de Costa Rica, requesting recognition of the $40,000 that were withdrawn from its accounts between March 10 and 14, 2008, by means of electronic transfers that were not authorized by his represented company. (Folio 40 and 41 of the main file). **9)** That on January 8, 2010, Mr. Nombre142961 requested the Liberia Branch of the Banco Nacional de Costa Rica to respond to his request of August 13, 2009, regarding his administrative claim, warning that failure to do so would result in him resorting to the appropriate channel (vía correspondiente). (Folio 73 of the main file).

**II. Unproven Facts.** Of relevance for the purposes of this proceeding, the following is considered as such: That the Liberia branch of the Banco Nacional de Costa Rica had provided any response or resolution to the claim for recognition of the money withdrawn from the accounts of its client Bahía Pez Vela Administration S.A., filed by the representative of said company, Mr. Nombre142961, on August 13, 2009, and reaffirmed on January 8, 2010. (This situation is not accredited).

**III.- Object of the Proceeding. Arguments of the Parties.** Having analyzed the allegations and petitions of the parties involved in this conflict, the object of the proceeding is determined to be the compensation to the plaintiff company for the sum of $40,000 withdrawn from its accounts between March 10 and 14, 2008, alleging a lack of controls on the part of the defendant Bank when using the Internet Banking service.

**IV.- Arguments of the Parties.** The **plaintiff (accionante)** alleges that their represented company had a commercial relationship with Banco Nacional de Costa Rica through checking account number 100-01-015-006077-5 in colones and number 100-02-015-600387-8 in dollars. That in the week of March 10 to 14, 2008, unauthorized persons withdrew the sum of forty thousand dollars from its electronic accounts. That on March 10, 2008, the company's accountant, upon reviewing the accounts, could notice the missing amount, and therefore on March 14, 2008, a note was sent to Banco Nacional to initiate the respective investigation into the transactions made via internet in the account of his represented company, and also, on the same date, he proceeded to file a complaint (denuncia) before the Organismo de Investigación Judicial of Liberia Guanacaste. He indicates that the Liberia Bank Branch on the following April 8 informed him that the entity determined that during the week of March 10 to 14, 2008, several money transfers were made via Internet Banking from account 100-02-015-600387-8 in dollars and 100-01-015-6077-5 in colones in the name of the company to different accounts, making a total of 39 operations, some of which had as recipients Mr. Nombre142963 and Nombre142964, and they indicated that the incident was not the bank's responsibility as it had occurred due to a fault of the company. He states that he filed an appeal for revocation with subsidiary appeal (recurso de revocatoria con apelación) against that decision before the Regional Director of Guanacaste on April 21, 2008, which were rejected on the following April 30, and the administrative channel (vía administrativa) was thereby exhausted. He alleges that he again filed an administrative claim on July 28, 2009, requesting the application of article 190 of the Ley General de la Administración Pública and 158 of the Código Procesal Contencioso. He indicates that given the omission, on January 8 he again urged a response, which had no effect. He denies that it was due to negligence on the part of his represented company, since the transactions were not carried out by employees or by machines of the company, as can be corroborated from the IP addresses from where the illicit transactions were made. He then develops the theory of objective liability (responsabilidad objetiva) embedded in the Ley General de la Administración Pública, indicating that the liability in the specific case derives from the lack of controls of the Bank through the use of a service provided to his company via Internet Banking, which finds support in the Consumer Protection Law (Ley de Protección al Consumidor), as the Tribunal has indicated, and therefore derived from the contractual nature of his represented party with the banking institution and the duty of compensation in accordance with the citation he makes of judgment 116-08 of 2:00 p.m. on September 26, 2008, from which he infers that since it was not the company's responsibility that unscrupulous persons entered due to the bank's lack of security and that its money was withdrawn, this entails the institution's duty to take responsibility for the damage caused, that is, the loss of forty thousand dollars. He alleges the application of articles 31, 34, and 35 of the Ley de Promoción de la Competencia, by virtue of the service provided. He further indicates that, for greater abundance, the liability of banks in matters of electronic fraud has already been addressed by the Sala Primera de la Corte Suprema de Justicia in several judgments, among which he mentions No. 300-F-S1-2009 of 11:25 a.m. on March 26, 2009, and No. 394-F-S1-2009 of 10:23 a.m. on April 23, 2009.

**V.-** For its part, the representation of the **defendant** bank indicates that the company Bahía Pez Vela Administration S.A. is indeed the holder of bank accounts numbers 100-02-015-600387-8 in dollars and 100-01-015-006077-5 in colones. That in report BRGP-005-2008 of April 7, 2008, signed by the Security Supervisor of the Bank's Regional Office in Guanacaste, it was determined that the transfers made via Internet Banking between March 10 and 14, 2008, were for a total amount of ¢19,500,000, in which report it is highlighted that the analysis of the transactions showed they were made with the client's user code (full name and identification number), that the Bank's computer systems were not breached, that in the investigated transactions no IP addresses assigned and used by Banco Nacional were located, that the funds were withdrawn through various ATMs, and that upon receiving the notice, the accounts used were closed and their holders were encoded. He expresses that after the restriction of the accounts, the detention of Nombre142966 was achieved when he appeared at the Heredia Branch, who was placed at the order of the Organismo de Investigación Judicial, and that the sum of ¢498,311.50 from the transfer made to the account of Nombre142964 is retained. He states that the Staff of the Dirección de Seguridad Informática carried out a verification of the reported facts and of the control and security elements associated with the electronic services of Banco Nacional, determining that the numbers of the IP addresses from which the transactions were made are of Costa Rican origin, indicating that the password created by the client to register in the Internet Banking System and access electronic services is secret, is only known by the interested party and is non-transferable, and that password was the one used for the investigated transactions, and that no IP addresses assigned or used by Banco Nacional were used, concluding therefore that it was not due to a breach of the bank's security systems, but rather to a fault of the user, with all of which it was recommended to decline the administrative claim filed. Regarding the request for investigation filed by the company, he indicates that it culminated with report BRGP-005-2008 of April 7, 2008, and based on this, the Director of Banco Regional Guanacaste in official letter BRGP-142-2008 of the following April 9, rejected the claim filed, explaining the aspects that arose. That the appeals for revocation with subsidiary appeal were filed against the decision, the first being rejected by official letter BRGP-163-2008 signed by the Director of Banco Regional Guanacaste, elevating the matter to the Junta Directiva General, which resolved the appeal, rejecting it according to article 10 of session No. 11,497 of August 26, 2008, notified on the following September 3, a moment from which, he indicates, the one-year period provided in the Código Procesal Contencioso Administrativo begins to run. That the affected company again filed an administrative claim on August 13, 2009, at the Liberia branch of Banco Nacional, that is, practically one year after the matter had been firmly resolved, even by the institution's Junta Directiva, which indicates that the action was absolutely improper, as the facts had already been widely known and resolved by the Bank, and he indicates that this claim was filed to disguise the evident expiration of the action (caducidad de la acción). On the topic of fraud via Internet Banking, he cites judgment 1496-2010 of the Tribunal, from which he considers it can be extracted that the correct analysis of these types of cases must start from four aspects: a) that the plaintiff credibly demonstrates having observed adequate behavioral patterns to protect their sensitive data, including the non-disclosure of their password and pin, which are the client's personal creation; b) That it is impossible to explain how a third party can access the data without the concurrence of the account holder themselves, whether by action or omission, since the first party obliged to adequately safeguard the data is the client, and if they did not do so diligently, then third parties could access it; c) that the bank has taken the necessary means so that private data are recorded in different media, some completely distinct from others and some even of the client's own unique and exclusive creation; and d) that it is not possible to ignore that the only possible way for the alleged fraud to have occurred is through the carelessness of the client who allowed, by their action or omission, the leakage of their data. Thus, he considers that in the present case, the exemptions from liability (eximentes) that break the causal link (nexo causal) are applicable (fault of the victim (culpa de la víctima) and act of a third party (hecho de un tercero)), and therefore he requests that the lawsuit be declared without merit in all its aspects. On the other hand, regarding the preliminary defense of expiration of the action (caducidad de la acción), he indicates that the plaintiff lacks any legal basis to bring judicial action against the Bank, since his administrative claims were resolved even by the institution's Junta Directiva, whose resolution was notified to him on September 3, 2008, that is, almost two years ago, and therefore the provisions of articles 31 and 39 of the Código Procesal Contencioso Administrativo apply, evidencing the expiration for filing this proceeding, and he requests that the lawsuit be declared inadmissible. Finally, he raised the substantive defenses (defensas de fondo) of Lack of Right (Falta de Derecho), Act of a Third Party (Hecho de un Tercero), and Fault of the Victim (Culpa de la Víctima).

**VI.- On the fundamental rights of consumers. Constitutional and legal regulation.** For this case, it is necessary to make a brief reference to the constitutional and legal framework that specifies the set of rights applicable to consumers in relationships for the acquisition of goods and/or services. This is relevant when considering that checking account contracts (including electronic ones), as well as the generality of financial and banking offerings, form part of that type of commercial relationship in which the recipient of the service or goods constitutes a consumer, a category for which, due to the dynamics of commerce, rights and obligations have been enshrined. This topic has already been the subject of examination by this Tribunal, in judgments numbers 1112-2009 of 1:30 p.m. on June 15, 2009, number 602-2010 of 4:30 p.m. on February 19, 2010, number 2758-2010 of 11:45 a.m. on July 28, 2010, and number 3699-2010 of 11:57 a.m. on September 30, 2010. In these precedents, this Sección Sexta has established that this type of relationship participates in the category of consumer relationships. From this standpoint, canon 46, fifth paragraph of the Constitución Política establishes the set of rights that attend consumers, in most cases, as the weaker party (parte débil) of the commercial relationship. In this vein, the cited numeral stipulates: *"Article 46.- (...) Consumers and users have the right to the protection of their health, environment, safety, and economic interests; to receive adequate and truthful information; to freedom of choice, and to equitable treatment. The State shall support the organizations they constitute for the defense of their rights. The Law shall regulate these matters".* It is worth specifying that the right to equitable treatment implies in any event, the duty of the merchant or supplier to treat the consumer in an attentive and respectful manner in the face of their simple claims, or in the protection of their rights in both administrative and judicial venues (sede). Now, it is clear that the application of these principles and their interpretation must be oriented towards the protection and safeguarding of the weaker party of the relationship. This is how the Sala Constitucional has understood it, among others, in judgment number 2002-0857, in which, on the topic under comment, it stated: *"It is notorious that the consumer is at the end of the chain formed by the production, distribution, and commercialization of consumer goods that they need to acquire for their personal satisfaction, and their participation in that process does not respond to technical or professional reasons, but rather to the constant conclusion of contracts on a personal basis. Therefore, their relationship in that commercial sequence is one of inferiority and requires special protection against the suppliers of goods and services, so that prior to expressing their contractual consent, they have all the necessary elements of judgment that allow them to express it with complete freedom, and this implies full knowledge of the goods and services offered. Included in the foregoing, in a harmonious mix, are various constitutional principles, such as the state's concern in favor of the broadest sectors of the population when they act as consumers, the reaffirmation of individual freedom by facilitating the private individual's free disposition of their assets with the greatest possible knowledge of the good or service to be acquired, the protection of health as is involved, the ordering and systematization of reciprocal relations among the interested parties, the homologation of international commercial practices to the internal system, and finally, the greater protection of the inhabitant's functioning in the means of subsistence."* From the foregoing, it is inferred that in the consumer relationship between the merchant or supplier and the consumer, there exists, due to the natural dynamics of commerce, an inequality between both, and the consumer, in most cases, in this natural relationship, is the weaker party. Hence, the Constitución Política balances the dynamic of burdens of that consumer relationship, granting the consumer a series of fundamental rights that protect them from their natural inequality with the merchant or supplier. As a derivation of this, the interpretation and application of the norms, in case of doubt, in conflicts of this nature, must favor the weaker party, that is, in principle, the consumer. Hence, in such cases, the merchant or supplier has an obligation to demonstrate that they have fulfilled their obligations in the consumer relationship and that they have respected the fundamental rights of the consumer; otherwise, they must respond for the infringement of these rules as determined by the infra-constitutional norms. Now, as article 46 of the Constitution states, it is the Law that must regulate those rights, which is materialized in the Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor, No. 7472. Said legal body establishes, broadly speaking, the rights attending the consumer, a topic developed in canon 32, as well as the duties of the merchant, established in canon 34. It is therefore clear that the infringement of the merchant's duties generates, by direct effect and as a natural and logical consequence, the violation of the consumer's rights, protected constitutionally and legally in the terms already set forth. This then implies the emergence of a liability system of the merchant or supplier towards the consumer, to repair the damages and losses caused to the latter.

Consequently, if there is a violation of the consumer's constitutional and legal rights by the merchant or supplier, the latter must repair the harmful effect caused to the consumer, under the strict liability (responsabilidad objetiva) regime that will be explained in detail and with precision in the following recital of this judgment.

**VII.- On the legal liability regime applicable to electronic commerce relationships of a banking nature.** A relevant aspect within this proceeding is the determination of the legal regime applicable to this type of commercial relationship, such as that which has occurred between the parties. Regarding the legal regulations that the Commercial Code establishes for the checking account contract, this Court has been clear, a thesis it upholds as no arguments of law have been presented to justify a variation in this position. Checking account contracts with electronic internet banking services being simply another variation of economic consumer relationships, in this case, of banking and financial services, the liability rules established by the Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor are fully and completely applicable. Even considering that, in the current context, electronic accounts assume as a basic criterion the existence of a checking account contract, thereby being considered an additional service to the latter, or an updated variation thereof, the truth of the matter is that, within the conceptual context developed in Article 2 of Law No. 7472, this relationship fully fits within consumer relationships insofar as it involves a party that is a merchant or supplier of financial or banking services, which are acquired by a client who constitutes the final recipient of that market offer. It is a commercial adhesion contract whose object is the offer of banking fund administration services through a checking account, by virtue of which the Bank receives from the client funds or other creditable securities immediately or as a deposit, or by granting credit, against which to draw. It is evident that when the account allows electronic transfers, as a derivation of technological modernity, the reference to the concept of checks (as a physical document) does not apply. Precisely, the application of dematerialized mechanisms in commerce for the availability of those funds and accounts, dispensing with the issuance of physical documents, is nowadays one more offer within said checking account contract, which is highly attractive to the consumer, given the agility and simplification of transactions, which demands security mechanisms for monetary movements to fulfill the duty of efficient and diligent custody of the client's funds. From this perspective of examination, the rules referring to the contractual typology of the relationship neither diminish nor eliminate the fact that it is a consumer relationship, regulated therefore, additionally, by the provisions of Law No. 7472. Hence, there is no doubt that the legal liability regime applicable to this matter is Article 35 of the cited Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor. Thus, by way of reference, this Section stated so in the aforementioned judgment No. 2758-2010, in which, on the specific issue, it noted: *"From those resolutions, the unanimous criterion can be extracted that the strict liability (responsabilidad objetiva) regime that must be applied in matters such as the present one is that provided in Articles 31 and 35 of the Ley de Promoción de la Competencia y de Defensa Efectiva del Consumidor, this because we are in the presence of a commercial consumer relationship, in which the Banco Nacional de Costa Rica, despite being a public administration, provides a commercial Internet Banking service, which is classified as a private commercial service, for which reason said banking institution is not acting within its administrative powers, but as a subject of private law and must be regulated by the respective regulations, such as the Ley de Promoción de la Competencia y de Defensa Efectiva del Consumidor. Likewise, the plaintiff company comes in its capacity as a client of the defendant bank, so the essential elements for the existence of a commercial consumer relationship are configured, which is governed by the rules of the cited Consumer Protection Law. (...) Furthermore, from what has been said by this same Administrative Litigation Court, this jurisdictional body considers that the Ley de Promoción y Defensa del Consumidor regulates a special legal regime, which must be applied over the general legal regime, as would be, in this case, the commercial regulations on checking accounts, or on contractual matters, so from this simple perspective, the rules of strict liability (responsabilidad objetiva) regulated by the cited Consumer Protection Law must be applied. Likewise, and under the same arguments indicated previously, this Court does not agree with the defendant's argument to the effect that the rules of the Commercial Code be applied, specifically regarding checking account contracts, since, as has been stated, the consumer protection regulations constitute a special regime that prevails over the general one of the Commercial Code."* **VIII.- Precedents of the First Chamber of the Supreme Court of Justice in similar cases.** With the foregoing, it is pertinent to bring up what was resolved by the First Chamber in judgment number 300-2009 of eleven hours twenty-five minutes on March twenty-six, two thousand nine, analyzing the subject matter of the controversy, which stated: *"**III.- Strict liability (Responsabilidad objetiva) for risk in consumer matters.** With regard to liability, two main branches can be identified: one subjective, in which the concurrence, and consequent demonstration, of intent or fault on the part of the perpetrator of the harmful act is required (e.g., Article 1045 of the Civil Code), and another objective, which is characterized, essentially, by dispensing with said elements, with the imputation of damage being the central axis upon which the duty to repair is erected. An example of the foregoing is found in Article 35 of the Ley de Defensa Efectiva del Consumidor, where the merchant, producer, or supplier shall be liable for those damages derived from the goods traded and the services rendered, even when no negligence, imprudence, lack of skill, or intent is detected in their actions. Likewise, it is important to consider, due to its influence on evidentiary matters, that the determining elements for the emergence of civil liability, be it subjective or objective, are: a harmful conduct (which may be active or passive, legitimate or illegitimate), the existence of damage (i.e., an injury to a protected legal right), a causal link connecting the two previous elements, and in most cases the verification of an attribution criterion, which will depend on the specific legal regime. Regarding causality, it is necessary to indicate that it is a case-by-case assessment made by the judge in which, based on the facts, they determine the existence of a relationship between the claimed damage and the conduct displayed by the economic agent. Although various theories exist on the matter, the one considered most in accordance with the Costa Rican regime is that of adequate causation, according to which a link exists between damage and conduct when the former originates, if not necessarily, at least with a high probability according to the specific circumstances affecting the matter, from the latter (in this regard, see, among others, resolutions 467-F-2008 of 14 hours 25 minutes on July 4, 2008, or 1008-F-2006 of 9 hours 30 minutes on December 21, 2006). At this point, it is important to clarify that the verification of exonerating causes (fault of the victim, an act of a third party, or force majeure) acts upon the causal link, discarding that the conduct attributed to the defendant was the producer of the injury suffered. Regarding the different attribution criteria, for the effects of this case, the theory of created risk is of interest, which was expressly included in the Ley de Defensa del Consumidor. The objective scheme adopted by the law, as well as the application of the cited attribution criterion, are deduced from a simple reading of the norm in question, which stipulates (...) Conducting a detailed analysis of the norm just transcribed, a series of conditioning elements for its application emerge. Firstly, and from the perspective of the subjects, that is, who causes the damage and who suffers it, the application of this liability regime is contingent upon certain qualifications concurring in them. Thus, regarding the former, it is required that they be a producer, supplier, or merchant, whether natural or legal persons. For its part, regarding the latter, the injury must be inflicted upon someone participating in a legal relationship where they are situated as a consumer, in the terms defined in the referenced legal body and developed by this Chamber. It is required, then, that both parties form a consumer relationship, the object of which is the potential acquisition, enjoyment, or use of a good or service by the consumer. The Bank acts in the exercise of its private law capacity, as a true public enterprise, and in that condition, offers a service to its clients, therefore, since a consumer relationship exists, the particular case must be analyzed under the scope of coverage of Article 35 under consideration. Likewise, from the precept under study, it emerges, secondly, that the legislator established a series of attribution criteria based on which the strict liability (responsabilidad objetiva) regulated by this Article can be imputed, among which is the already cited theory of risk. Thus, this serves as a factor to attribute liability to the subjects referred to. In essence, this theory postulates that whoever creates, exercises, or benefits from a lawful lucrative activity that presents potentially dangerous elements for others, must also bear its inconveniences (ubi emolumentum, ubi onus, which can be translated as where the emolument is, there is the burden). Two characteristics can be deduced from the previous statement: on one hand, that the risk comes from an exploitation activity; and on the other, since it is carried out by a human being, so-called acts of nature are excluded. Concomitantly, it is important to make some clarifications regarding the risks suitable for the generation of liability, since not every risk implies the automatic emergence thereof. Currently, life in society offers a countless number of risks, of different degrees and scopes, to the point that it can be affirmed that it is impossible to find a daily activity that is exempt from them. In this line, the interpretation of the rules cannot start from an absolute and total aversion to risk, which, as indicated, forms an integral part of societal coexistence and the technological advances integrated into it. The foregoing leads to affirming that, for the duty to repair to arise, the risk associated with the activity must present a degree of abnormality, that is, it must exceed the margin of tolerance that is admissible according to the rules of experience, which must be analyzed on a case-by-case basis by the judge. The second point that requires some kind of commentary concerns the subject who becomes obligated by virtue of an activity considered dangerous. As already indicated, the attribution criterion is precisely the created risk, which presumes that the person to whom the damage is attributed must be in a position of control over it, that is, they must be the one who develops the activity or assumes the possible associated negative consequences, receiving a benefit from it. This benefit may be direct, which can be identified, among others, with the income or emoluments obtained as consideration, or indirect, when the advantageous situation occurs in a reflected manner, which could be the case of alternative mechanisms that tend to attract consumers and, consequently, derive an economic benefit for its offeror. It is important to mention that in an activity it is possible to find different degrees of risk, which must be managed by that subject who benefits from it, a circumstance that exerts a direct influence on the evidentiary duty incumbent upon them, as it is relevant for determining the attribution in the specific case. The foregoing, together with the existence of exonerating causes, demonstrates that the legislation under discussion does not constitute an automatic patrimonial transfer."*.

**IX.- Scope of the liability regime regulated in Law No. 7472.** It is clear, then, that the liability norm applicable to the case is the aforementioned Article 35 of Law No. 7472, which to the letter states: "*ARTÍCULO 35.- Liability regime. The producer, the supplier, and the merchant must respond concurrently and independently of the existence of fault, if the consumer is harmed by reason of the good or service, of inadequate or insufficient information about them, or of their use and risks./ Only one who demonstrates that they were unrelated to the damage is released from liability./ The legal representatives of commercial establishments or, as the case may be, those in charge of the business are responsible for their own acts or facts or for those of their dependents or auxiliaries. The technicians, those in charge of preparation and control, respond jointly and severally, when it corresponds, for violations of this Law to the detriment of the consumer.*" The correct understanding of the norm allows concluding on the objective nature of this liability regime, which, as such, dispenses with the consideration of subjective factors, such as intent or gross negligence. Second, it is necessary to prove the existence of harmful conduct, whether by act or omission; this means that a violation of the consumer's rights or of their obligations must be presented by the merchant or supplier. It is clear that for the attribution of liability to be possible, the existence of effective, assessable, and individualizable damage must be demonstrated, which is a consequence of the merchant's (the alleged responsible party's) conduct. This implies the proof of a causal link between that injury and the behavior of the service or goods supplier.

Now then, in the context of the legal regime applicable to the case of this type of consumer relationship, Article 35 of Law No. 7472 establishes the possible release from liability for one who demonstrates their lack of connection with the damage. By supplementary application of Article 190 of the Ley General de la Administración Pública (in accordance with the reference established by Canon 71 of the Ley de Promoción de la Competencia y Protección Efectiva del Consumidor), the exonerating causes of liability provided for therein are fully applicable to this matter. Of course, in tune with the dynamic burden of proof, it corresponds to the party seeking to be released from an obligation to prove the liberating, impeding, or modifying facts of the right sought to be exercised against them. On the issue of the burden of proof in this type of proceeding, see recital IV of judgment 300-2009 of the First Chamber of the Supreme Court of Justice. This being the case, it is decisive to establish in this proceeding the convergence of the various referenced assumptions that give rise to the strict liability (responsabilidad objetiva) of the banking entity, as the claimant alleges, or if, on the contrary, some of the exonerating causes of that liability have been configured that would allow the Bank to be considered unrelated to the damage claimed in this venue.

**X.- Analysis of the specific case. On the strict liability (responsabilidad objetiva) of the Banco Nacional. Proof of damage and causal link.** In the case at hand, it has been established that the company Bahía Pez Vela Administration S.A. has two checking accounts with the Banco Nacional de Costa Rica, account number 100-01-015-006077-5 in colones and account number 100-02-015-600387-8 in dollars, and that in those accounts, during the period between March 10 and 14, 2008, a series of debits were made via electronic transfers, for a total of forty-two transfers in favor of several accounts belonging to other clients of the same defendant Bank (see detail in the report of the Security Supervisor of the sued Bank, visible on folios 1 to 4 of the administrative file), for a total, according to said report, of ¢19,500,000.00 (nineteen million five hundred thousand colones). As indicated, the debits were made from IP addresses within the Country, on machines not linked to the defendant Bank itself, and the plaintiff party denies having consented to them, since both before the same banking institution and before the Organismo de Investigación Judicial, it stated that it was the company's accountant who noticed the missing funds when consulting the internet system for the purpose of carrying out some operations, for which reason, on that same March 14, 2008, they proceeded to notify the Bank, requesting the respective investigation. As an effect of the complaint filed by the representative of the affected company, the Security Supervisor of Banco Regional Guanacaste-Puntarenas, in official letter BRGP-005-2008 of April 7, 2008, among his conclusions indicated: *"... given that in the transactional record identifying the account holder as the author of the reported suspicious transfers, the data identifying the account holder as the author thereof appears. Which reflects that what occurred is not due to a breach of the bank's security systems, but rather to a user failure. Therefore, it is recommended, subject to your better judgment, to decline the present administrative claim, rejecting in all its aspects the pretension for reimbursement of the funds..."* (folio 1 of the administrative file). Based on that, the Director of Banca Regional Guanacaste-Puntarenas of the Banco Nacional de Costa Rica, through official letter BRGP-142-2008 dated April 9, 2008, communicated to Mr. Nombre142961 regarding the investigation carried out in the reported case, among other things, he indicated that the movements were not made from any machine related to the Bank and that according to the IP addresses from which they were executed, they are services provided by ICE, Racsa, Cable Amnet, and Cable Tica, therefore it is not due to a breach of the bank's security systems, but rather a user failure, for which reason the claim was rejected (Folios 5 to 7 of the administrative file). In response to this, the representative of the company Bahía Pez Vela Administration S.A. filed, on April 22, 2008, appeals for reconsideration and subsidiary appeal against what was resolved in official letter BRGP-142-2008, arguing that the company was the object of an action by third parties who, abusing the electronic fund management system that the Banco Nacional has (Folio 11 to 20 of the administrative file). Both appeals were rejected, the reconsideration in official letter BRGP-163-2008 of April 30, 2008, and the appeal by the Junta Directiva General in Article 10, of session No. 11,497 of August 26, 2008, alleging that the patrimonial damage caused did not occur through conduct displayed by the Bank, but through the negligence of a representative or authorized person on the account, who must have revealed the necessary data to access the account and make the money transfers from the accounts to various persons (Folios 21 and 23 respectively of the administrative file). Despite the exhaustion of administrative remedies, the representative of the affected company, on July 28, 2009, again presented the administrative claim before the Liberia branch of the Banco Nacional de Costa Rica, requesting the payment of $40,000 which he indicated were subtracted from his accounts (Folio 40 and 41 of the main file), and that given the lack of a resolution, on January 8, 2010 (Folio 73 of the main file), the Bank was urged to issue the respective resolution on his claim, without obtaining a result. From the factual picture described above, this Court clearly extracts that a consumer relationship has existed between the Banco Nacional and the plaintiff company, whereby the provisions of Article 35 of Law No. 7472 are applicable to the case, as has been indicated. Furthermore, it has been possible to verify damage to the consumer's rights, which materializes through the risk produced by the use of the technological platform of the internet banking service offered by the banking entity, damage occurring in the patrimonial sphere of the claimant, consisting of the unauthorized subtraction of money from their accounts, as determined in the study carried out by the Bank on the occasion of the transfers made between March 10 and 14, 2008 from the dollar and colones accounts of the plaintiff company here. Although the defendant Bank attempts to indicate that the responsibility is not theirs, the truth is that the injury suffered must be considered a consequence of the lack of implementation of adequate security mechanisms for the use of the electronic transfer services enabled in internet banking, a service offered by the Banco Nacional de Costa Rica, as in this case, to the company Bahía Pez Vela Administration S.A. Thus, the causal link necessary to attribute liability in this type of situation is manifest. As indicated, it is worth highlighting that the representative of the affected company, once aware of the subtractions, proceeded to report it both to the Bank that provided the services, and to the police authorities, in this case to the Organismo de Investigación Judicial, both on March 14, 2008, considering that the operations improperly made in their accounts occurred between the 10th and the 14th of March of that year, which demonstrates the prompt attention of the affected party.

XI.- Analysis of the existence of exempting causes in the case. As indicated in previous lines, it is the provider or marketer of the Internet Banking service, in this case the Banco Nacional de Costa Rica, that could be released from its strict liability (responsabilidad objetiva) derived from the application of Article 35 of Ley 7472, only when it proves (as it is its evidentiary burden) the external nature of the harmful result, meaning that in the case there was fault of the victim, act of a third party, or force majeure. The bank alleged, even as a substantive defense (excepción de fondo), the concurrence of fault of the victim, and as a consequence of this, the participation of third persons. Indeed, the position assumed by the Bank when answering the claim is supported by the dissenting vote of Judge Palacios Garcia to judgment 910-2010 of Section IV of this Court, in which, among other aspects, it is determined that regarding the obtaining of the keys and passwords necessary to carry out the transactions, it is necessary to determine whether this was due to the lack of skill of the bank or its employees; or whether a third party used computer means to directly obtain the necessary data from the client in order to access the system. However, this integration of the Court maintains its position that the burden of proof in this type of case continues to rest with the banking institution; hence, if it maintains, as it does in this case, the idea of the existence of a suppression of its liability either by the client's own intervention who carelessly left their data in the hands of third parties, or that the bank itself had no liability, these are aspects that, for the purposes of its exemption, it must prove in the case file.

In this regard, it should be noted that the answer to the claim does not delve into the issue, and refers to the investigation report carried out on the occasion of the vicissitude that occurred to the plaintiff company, which is why it is necessary to analyze what is provided therein.

Thus, in official communication BRGP-005-2008 of April 7, 2008, Mr. Gilberth Marchena Viales, Security Supervisor of the Banco Nacional de Costa Rica, when analyzing the case, refers to the fact that in the internal regulations of the institution and in the signed contract, the client undertook to keep their identification documents such as the password (clave), the user code, and other personal data necessary to access the computer system, but the truth is that at no time is any reason, circumstance, or other data identified so that consequently, concretely, and specifically, it can be concluded that employees or representatives of the affected company effectively committed, by action or omission, careless use of the identification documentation to use the system; they only start from an assumption, derived, in their understanding, from the fact that the transactions did not originate from any machine of the Bank, nor from its employees, and that the IP addresses used correspond to subjects external to the institution. This derivation cannot be taken into account in a case like the one before us to transfer liability to the client or a third party, since the data with which the unauthorized transfers were made could well have been obtained from the bank records themselves due to a lack of controls in the computer system, which is not ruled out at any time by what is indicated in the aforementioned investigation report, as it is well known that so-called "hackers" could perfectly have infiltrated the systems and obtained from there the necessary data to have carried out the transactions that ultimately affected the accounts that the company Bahía Pez Vela maintains with the financial institution.

In fact, as indicated, the report is not conclusive in that sense, but rather starts from assumptions; even when resolving the appeal filed in this case, the General Board of Directors of the Banco Nacional de Costa Rica maintained the conjecture, since in Article Ten of session 11497 of August 23, 2008, it asserted that: "...the patrimonial damage caused to the appellant did not occur due to conduct deployed by the Banco Nacional de Costa Rica, but rather due to negligent conduct carried out by a representative or person authorized to access the account, which ultimately implied the transfer of money to the accounts of several persons...". That is to say, without any proof, the Bank, in order to free itself from liability, asserts that it was the representatives or workers of the affected company who through "negligence" revealed the data.

It is insisted, the Bank cannot merely indicate that it has handled the data well internally and, without greater proof, simply indicate that if it was not the institution, it must be the client who is responsible, an argument that is totally devoid of probative force and must therefore be dismissed as a factor to be taken into account in the possible exemption from the strict liability (responsabilidad objetiva) that derives from these cases, since what is indicated in that way would not have the merit to be taken as reliable proof of its computer actions being without vulnerability, much less to attribute a fault to others without having support for it.

Indeed, an in-depth analysis of the various pieces of evidence in the case file does not allow concluding imprudent or negligent conduct on the part of the account holder that would allow assuming they made relevant information for accessing their accounts known to third parties. Furthermore, from the technical investigation that was added to the file, there is no accreditation that the plaintiff had given up their sensitive data for carrying out the transfers in dispute. Therefore, in this specific case, the concurrence of fault of the victim cannot be inferred for not having been diligent in the custody of the means of access to the Internet Banking tool (sensitive data in their possession), and moreover, the Bank could not demonstrate in this process that the damage was outside its scope of action and precautions. Nor has it been accredited that the bank's security systems functioned adequately or that there was no failure in the security systems of the defendant banking entity. On the other hand, the necessary elements of conviction to prove the act of a third party as a cause for exclusion of the Bank's liability were not provided. Although it is detected that the transfers were made from IP addresses located in the country, the crux of the matter is, it is insisted, that the defendant entity did not prove that its security systems had not been breached in a way that ensured a level of security and minimum risk from the use of electronic services. It could not be sustained that the burden of proof regarding the vulnerability of those mechanisms or the computer security system falls on the plaintiff, since conversely, their evidentiary burden must be directed at demonstrating the existence of one or several circumstances that prevent the emergence of the repeatedly mentioned civil liability, which by law rests with that banking institution. This being the case, it would be unthinkable to intend to shift that burden of proof, so that the user of the banking services offered by the Banco Nacional de Costa Rica is the one who must know in detail all the security systems of that bank, and from there, also prove the existence of some breach. Such a position does not imply the impossibility of proving the existence of fault of the victim or the act of a third party, within the framework of electronic banking commerce. It should be highlighted that the defendant is the one who designs and conditions the access to the systems used within the framework of the tool called Internet Banking, which is why it has the possibility of establishing as many security systems as it deems appropriate, in order to guarantee that the transactions are made by its client, and not just by someone who has the sensitive data of that user at their disposal. In this sense, it is the banking entity, which profits from the financial services offered, that must ensure the use of computer and administrative systems that, from a legal point of view, allow for the certain accreditation of the user's physical identity, for example, the mandatory establishment of OTP devices, or even, to consider within the framework of its administrative autonomy, establishing the use of devices that reduce risks and accredit the client's identity with a higher degree of certainty, such as biometric tools, this in order to have systems that allow for the pre-constitution of evidence. In this direction, the First Chamber (Sala Primera) of the Supreme Court of Justice has considered: "Notwithstanding the foregoing, the defendant financial entity must take into account that its essential function is financial intermediation, which includes the raising of funds from public savings, a concept that implicitly entails their custody, both from a physical point of view and from the corresponding electronic record. There is no doubt that it is subject to an unavoidable obligation to guarantee the security of the transactions carried out, whether at the window or through any other means made available to clients, which must necessarily encompass the use of all those available mechanisms that allow it to have a greater degree of certainty regarding the identification of the persons who are authorized to carry out electronic transactions from the accounts. The liability attributed to the Bank is based not on the theft of money by a third party, but on the existence of a risk, as stated in Considerando III, in the very functioning of the service it offers, which allows the origin of the damage to be attributed to the functioning of the service. The foregoing, despite having mechanisms that allow greater security. (...) Ultimately, banks, and the defendant is no exception, safeguard and administer, among other things, a property belonging to another; and not just any property, but funds from the public. Thus, they are liable not only for the strength of their internal systems, but also for the security of the person who, to reach there, uses the only possible channels that the Bank itself knows and recognizes as risky. And they are liable not as external elements, but to the extent that this constitutes the means they directly avail themselves of for providing the service. As stipulated in numeral 35 of the Law for Consumer Protection, there has been an injured party due to the service, which upon being used (and in view of its risky nature) produced a significant injury to the party acting as plaintiff in the process. (...) The means to access the Bank's platform is not, therefore, an external source of risk, but rather an instrument inherent to the service it provides; if you will, it forms an intrinsic part of the activity, which, although accessory to the intermediary's activity, is essential. Hence, the guarantee mechanisms for the client –user– must be provided not only within the Bank's own computer walls, but also on the access path to it as part of the service. Not in vain has the Financial System, in general, undertaken the implementation of double-identification mechanisms, the improvement of passwords and, in general, the use of recent systems such as the use of tokens, changing keys, keys with special devices, among others." (Resolution No. 300-2009 cited above) This reference highlights that the vulnerability of the system is not a matter that the account holder must prove; on the contrary, given the activity it carries out, the profit it obtains from that commercial line of business, and because it constitutes a means that allows the streamlining of transactions derived from the checking account, a contract that involves the custody of public funds, it is the financial entity that must prove that its security systems have an acceptable degree of security and that, in each specific case, they were not breached. In this specific case, it was precisely the deficiency of security mechanisms that generated the materialization of a damage against the plaintiff company, consisting of the theft of an amount of money, which has been recognized by the Bank as ₡19,500,000.00 (nineteen million five hundred thousand colones), but for the plaintiff it is $40,000.00 (forty thousand dollars), as a result of several transactions carried out in favor of other account holders of the same Banco Nacional de Costa Rica. This implies a damage from which the banking entity has not managed to dissociate itself, as neither the external nature of the damage nor the concurrence of any exempting causes that would allow it to free itself from that strict liability (responsabilidad objetiva) that prevails in matters of consumer relations has been proven.

XII.Regarding the material damage in the specific case. Based on the foregoing considerations, the strict liability (responsabilidad objetiva) of the Banco Nacional must be declared for the damage suffered by the company Bahía Pez Vela Administration S.A. as a result of the forty-two transactions carried out in the period between March tenth and fourteenth, both in the year 2008, by virtue of which funds were stolen from the accounts, both in colones and in dollars, of the affected company, account numbers 100-01-015-006077-5 (colones) and 100-02-015-600387-8 (dollars). It should be noted that the only document in which the operations are determined is official communication BRGP-005-2008 issued by Banco Regional Guanacaste-Puntarenas of the Banco Nacional de Costa Rica, visible at folios 1 to 4 of the administrative file, according to which the institution accepts that the transfers made were as follows:

CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">10-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15691420</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142972 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-664-373</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-157-8843-9</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.103.17. CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">10-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15692310</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142973 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">2-572-440</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-095-11918-7</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">10-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15692499</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142973 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">2-572-440</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-095-11918-7</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">10-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15692533</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142968</span><span style="font-family:Arial; -aw-import:spaces">&#xa0; </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-1101-659</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-053-37793-8</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">10-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15692560</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142970 . Nombre142970</span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-538-870</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-095-27326-7</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">10-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15728923</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142970 . </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-538-870</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-095-27326-7</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">190.10.29.23.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15728936</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142968</span><span style="font-family:Arial; -aw-import:spaces">&#xa0; </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-1101-659</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-053-37793-8</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">190.10.29.23.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15728952</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142969 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-874-052</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-053-37796-2</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">190.10.29.23.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15728964</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142971 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-1317-370</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-130-7669-2</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">190.10.29.23.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15728974</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142972 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-664-373</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-130-7669-2</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">190.10.29.23.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15729112</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142973 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">2-572-440</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-095-11918-7</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr style="height:14.25pt"><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15729324</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142973 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">2-572-440</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-095-11918-7</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15729398</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142974 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-1429-431</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-000-709577-5</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15729807</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142963 . Nombre142963</span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">2-625-993</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.015.74</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-053-33101-6</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15729844</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142963 .

</span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">1-538-870</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.017.81</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-095-27326-7</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.57.194.CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">13-03-08</span></p></td></tr></table> | 15815530 | Nombre142969 | 1-874-052 | $1,017.81 | 200-01-053-37796-2 | 201.192.57.194.CR | 13-03-08 | | 15815551 | Nombre142971 | 1-1317-370 | $1,017.81 | 200-01-130-7669-2 | 201.192.57.194.CR | 13-03-08 | | 15816501 | Nombre90398 | 1-1005-991 | $1,017.81 | 200-01-000-691558-2 | 201.192.57.194.CR | 13-03-08 | | 15765859 | Nombre142964 | 4-186-284 | ¢500.000 | 200-01-004-94827-9 | 201.192.57.194.CR | 12-03-08 | | 15766428 | Nombre142974 | 1-1429-431 | ¢500.000 | 200-01-000-709577-5 | 201.192.57.194.CR | 12-03-08 | | 15815568 | Nombre142972 | 1-664-373 | $1,017.81 | 200-01-130-7669-2 | 201.192.57.194.CR | 14-03-08 | | 15815588 | Nombre142964 | 4-186-284 | ¢500.000 | 200-01-004-94827-9 | 201.192.57.194.CR | 14-03-08 | | 15816527 | Nombre142975 | 4-196-146 | ¢500.000 | 200-01-124-16528-3 | 201.192.57.194.CR | 14-03-08 | | 15816827 | Nombre142975 | 4-196-146 | ¢500.000 | 200-01-124-16528-3 | 201.192.57.194.CR | 14-03-08 | As a result, most of the amounts withdrawn have been able to be extracted, and for greater clarity and given the disjuncture between what the plaintiff requests, which presents everything entirely in dollars, and, on the other hand, what the defendant bank establishes in colones, the fact is that from the analysis of the transcribed table, the amounts of the transfers must be indicated separately both in dollars and in colones, so we would have the following: in dollars the sum of $30,497.12 (thirty thousand four hundred ninety-seven dollars and twelve cents), and in colones ¢2,503,251.77 (two million five hundred three thousand two hundred fifty-one colones and seventy-seven céntimos). However, it must also be taken into account that in said table, there is an amount that has not been able to be clearly determined, and which corresponds to transaction number 22 that appears in the previous table, which is stated to be for document number 15730021, transferred to the account of Mr. Nombre142963. Nombre142963. identity card CED112276, to account number 200-01-053-33101-6, from IP address 201.192.57.194.CR on March 11, 2008, which appears for an amount of (4:06) without its currency being indicated and without knowing whether the numbers recorded correspond to the true amount of that withdrawal, for which reason this shall remain to be proven in the execution of judgment (ejecución de sentencia) stage and included in the total amount. Therefore, Banco Nacional must pay the plaintiff the total of the transfers, and on these items, as financial damages (perjuicio financiero) (Article 706 of the Civil Code), the legal interest that Article 497 of the Commercial Code sets for foreign currency operations must be recognized, namely, interest at the prime rate, and for those in colones (Article 497 of the Commercial Code) the basic passive rate (tasa básica pasiva) of the Banco Central de Costa Rica. Said interest shall be calculated on each item withdrawn from the date on which each of the unauthorized debit transactions already mentioned was made, that is, from when each harmful event occurred, until its effective payment, items to be settled in the execution of judgment phase. The granting of the cited financial damages implicitly entails the updating of the economic value of the obligation (indexation), for the purposes of canon 123 of the Contentious Administrative Procedure Code.

**XIII.- Analysis of the defenses raised.** The representative of Banco Nacional de Costa Rica raised the preliminary defense of Expiration (Caducidad), which was analyzed at the preliminary hearing held on November 23, 2010, by ruling No. 4381-2010 at 2:05 p.m. on that date, the procedural judge ordered: *"POR TANTO: The preliminary defense of expiration (caducidad) filed by Banco Nacional de Costa Rica is declared without merit."* Regarding the substantive defenses, the representative of the defendant bank raised the defense of lack of right, which must be rejected as the plaintiff's right to obtain compensatory retribution for the damages caused through the withdrawals from its bank accounts was proven, against which the Bank did not prove non-involvement or exonerating causes. In that regard, the allegations of act of a third party (hecho de tercero) and fault of the victim (culpa de la víctima) alleged by the defendant entity must also be rejected, for the reasons already indicated above. Consequently, the claim filed by the representative of the company Bahía Pez Vela Administration S.A. against Banco Nacional de Costa Rica must be granted in the following terms: - Banco Nacional de Costa Rica is ordered to reimburse the plaintiff the sums debited without authorization, resulting from forty-two transfers to the benefit of various client accounts of the defendant bank, made between the tenth and fourteenth of March, both of the year 2008, for an amount in dollars of $30,497.12 (thirty thousand four hundred ninety-seven dollars and twelve cents), and in colones ¢CED112277 (two million five hundred three thousand two hundred fifty-one colones and seventy-seven céntimos) plus the amount corresponding to the transaction whose document number is 15730021, transferred to the account of Mr. Nombre142963. identity card CED112276, to account number 200-01-053-33101-6, from IP address 201.192.57.194.CR on March 11, 2008, for which an amount is not correctly recorded, so it remains to be proven in the execution of judgment stage and included in the total amount. **2)** On the sums that ultimately result, Banco Nacional de Costa Rica is ordered to pay legal interest, from the moment each of the unauthorized debits was made until effective payment. Said interest shall be calculated at the prime rate for foreign currency transactions, and for domestic ones, the basic passive rate of the Banco Central de Costa Rica shall apply, in accordance with the provisions of Article 497 of the Commercial Code. The granting of that financial damages implicitly entails the economic updating of the obligation for the purposes of Article 123 of the Contentious Administrative Procedure Code. These sums shall be settled in the execution phase of this judgment.

**XIV.- Costs.** In accordance with Article 193 of the Contentious Administrative Procedure Code, procedural and personal costs (costas procesales y personales) constitute a burden imposed on the losing party by virtue of being so. Dispensation from this award is only viable when, in the Court's judgment, there was sufficient reason to litigate or when the judgment is rendered by virtue of evidence whose existence was unknown to the opposing party. In the present case, this collegiate body finds no reason to apply the exceptions set forth in the applicable rules and to break the principle of awarding costs against the losing party. Therefore, both costs are imposed on the defendant banking entity.

**POR TANTO.** The defense of lack of right is rejected, as well as those of "Fault of the Victim (Falta de la Víctima) and Act of a Third Party (Hecho de un tercero)" raised by Banco Nacional de Costa Rica. Consequently, the claim filed by Bahía Pez Vela Administration S.A. is granted in full.

against Banco Nacional de Costa Rica in the following terms: 1) Banco Nacional de Costa Rica is ordered to reimburse the plaintiff for the unauthorized debited sums, resulting from forty-two transfers to various client accounts of the defendant bank, carried out between the tenth and the fourteenth of March, both in 2008, for an amount in dollars of $30,497.12 (thirty thousand four hundred ninety-seven dollars and twelve cents), and in colones of ¢2,503,251.77 (two million five hundred three thousand two hundred fifty-one colones and seventy-seven céntimos), plus the amount corresponding to the transaction with document number 15730021, transferred to the account of Mr. Nombre142963. Nombre142963. identity card number CED112276, to account number 200-01-053-33101-6, from the IP address 201.192.57.194.CR on March 11, 2008, for which an amount is not correctly recorded, and is therefore left to be proven in the execution of judgment stage and included in the total amount. 2) On the sums finally resulting, Banco Nacional de Costa Rica is ordered to pay legal interest, from the moment each of the unauthorized debits was made until effective payment. Said interest shall be calculated at the prime rate for transactions in foreign currency and, for national currency transactions, the basic passive rate of the Banco Central de Costa Rica shall be applied, in accordance with the provisions of Article 497 of the Commerce Code. The granting of this financial harm implicitly entails the economic adjustment of the obligation for the purposes of Article 123 of the Contentious-Administrative Procedural Code. These sums shall be liquidated in the enforcement phase of this judgment. 3) Both costs are to be borne by the defendant entity.

Juan Luis Giusti Soto Cinthia Abarca Gómez Roberto Garita Navarro ASUNTO: PROCESO DE CONOCIMIENTO DECLARADO DE PURO DERECHO ACTOR: Bahía Pez vela Administration S.A.

DEMANDADOS: Banco Nacional de Costa Rica.

This matter has already been the subject of examination by this Court, in judgments number 1112-2009 of 13 hours and 30 minutes of June 15, 2009, number 602-2010 of sixteen hours thirty minutes of February nineteenth, two thousand ten, number 2758-2010 of eleven hours and forty-five minutes of July twenty-eighth, two thousand ten, and number 3699-2010 of eleven hours and fifty-seven minutes of September thirtieth, two thousand ten. In said precedents, this Sixth Section has established that this type of relationship partakes of the category of consumer relationships. From this standpoint, canon 46, paragraph five of the Political Constitution establishes the set of rights that assist consumers, in the majority of cases, as the weaker party in the commercial relationship. Along those lines, the cited numeral provides: *“Article 46.- (…)* *Consumers and users have the right to the protection of their health, environment, security, and economic interests; to receive adequate and truthful information; to freedom of choice, and to equitable treatment. The State shall support the organizations they form for the defense of their rights. The Law shall regulate these matters”.* It is worth clarifying that the right to equitable treatment presupposes, in any case, the duty of the merchant or provider to treat the consumer in an attentive and respectful manner in the face of their simple claims, or in the protection of their rights both in administrative and judicial venues. Now then, it is clear that the application of these principles and their interpretation must be oriented towards the protection and safeguarding of the weaker party in the relationship. This is how the Constitutional Chamber has understood it, among others, in judgment number 2002-0857, in which, regarding the topic under comment, it stated: *“It is notorious that the consumer finds themself at the extreme end of the chain formed by the production, distribution, and commercialization of the consumer goods they need to acquire for their personal satisfaction, and their participation in that process does not respond to technical or professional reasons, but rather to the constant celebration of contracts in a personal capacity. Therefore, their relationship in that commercial sequence is one of inferiority and requires special protection against the providers of goods and services, so that prior to expressing their contractual consent they may have all the necessary elements of judgment that allow them to express it with complete freedom, and this implies full knowledge of the goods and services offered. Included by what has been expressed, in a harmonious blend, are several constitutional principles, such as the State's concern in favor of the broadest sectors of the population when they act as consumers, the reaffirmation of individual freedom by facilitating for private parties the free disposition of their assets with the assistance of the greatest possible knowledge of the good or service to be acquired, the protection of health when it is involved, the ordering and systematization of reciprocal relationships among the interested parties, the homologation of international commercial practices to the domestic system, and finally, the greater protection of the inhabitant's functioning in the means of subsistence.”* From the foregoing, it is inferred that in the consumer relationship between the merchant or provider and the consumer, there exists, due to the natural dynamics of commerce, an inequality between the two, and the consumer, in the majority of cases, in this natural relationship, is the weaker party. Hence, the Political Constitution balances the dynamic of burdens in that consumer relationship, granting the consumer a series of fundamental rights that protect them from their natural inequality with the merchant or provider. As a derivation of this, the interpretation and application of norms, in case of doubt, in conflicts of this nature, must favor the weaker party, that is, in principle, the consumer. Hence, in such cases, the merchant or provider has an obligation to demonstrate that they have fulfilled their obligations in the consumer relationship and that they have respected the fundamental rights of the consumer; otherwise, they must answer for the infraction of these rules as determined by infra-constitutional norms. Now, as Article 46 of the Constitution states, it is the Law that is responsible for regulating those rights, which is concretized in the Law for the Promotion of Competition and Effective Defense of the Consumer, No. 7472. Said legal body establishes, broadly speaking, the rights that assist the consumer, a topic developed in canon 32, as well as the duties of the merchant, established in canon 34. It is clear, therefore, that the infraction of the merchant’s duties generates, as a direct effect and as a natural and logical consequence, the breach of the consumer’s rights, protected constitutionally and legally in the terms already set forth. This then presupposes the emergence of a system of liability of the merchant or provider towards the consumer, to repair the damages and losses caused to the latter. Consequently, if there is a violation of the consumer's constitutional and legal rights by the merchant or provider, the latter must repair the damaging effect caused to the consumer, under the strict liability (responsabilidad objetiva) regime that will be explained in detail and with precision in the following recital (considerando) of this judgment.

**VII.- On the legal regime of liability applicable to electronic banking commerce relationships.** A relevant aspect within this process is the determination of the legal regime applicable to this type of commercial linkage such as the one that has arisen between the parties. Regarding the legal regulations that the Commerce Code establishes for the current account contract, this Court has been clear, a thesis it upholds as no legal arguments have been provided that justify a variation in this posture. Being that current account contracts with internet banking electronic services are a further variation of economic consumer relationships, in this case, of banking and financial services, the liability rules established by the Law for the Promotion of Competition and Effective Defense of the Consumer are of total and full application. Even considering that in the current context, electronic accounts presuppose, as a basic criterion, the existence of a current account contract, thus being considered an additional service to the latter, or indeed, an updated variation, the truth of the matter is that in the conceptual context developed in Article 2 of Law No. 7472, this linkage fits fully within consumer relationships insofar as it involves a party that is a merchant or provider of financial or banking services, which are acquired by a client who constitutes the final recipient of that market offer. It is a commercial adhesion contract whose purpose is the offer of banking services for the administration of funds through a current account, by virtue of which the Bank receives funds or other creditable values from the client immediately or as a deposit, or indeed, the granting of credit, to draw against it. It is evident that when the account permits electronic transfers, as a derivation of technological modernity, the reference to the concept of checks (as a physical document) is not applicable. Precisely, the application of dematerialized mechanisms in commerce for the availability of those funds and accounts, dispensing with the issuance of physical documents, is today one more offer within the cited current account contract, which is highly attractive to the consumer, given the agility and simplification of transactions, which demands security mechanisms for monetary movements to fulfill the duty of efficient and diligent custody of the client’s funds. From this angle of examination, the rules that refer to the contractual typology of the link do not diminish or eliminate the fact that it is a consumer relationship, regulated, therefore, also, by the provisions of Law No. 7472. Hence, there is no doubt that the legal liability regime applicable to the present matter is numeral 35 of the cited Law for the Promotion of Competition and Effective Defense of the Consumer. Thus, as a reference, this Section has set it forth in the aforementioned ruling No. 2758-2010, in which, on the specific topic, it was stated: *“From those resolutions, one can extract the unanimous criterion that the strict liability regime that must be applied in matters such as the present one is that provided in Articles 31 and 35 of the Law for the Promotion of Competition and Effective Defense of the Consumer, this because we are in the presence of a commercial consumer relationship, in which the Banco Nacional de Costa Rica, despite being a public administration, provides a commercial Internet Banking service, which is qualified as a private mercantile service, for which reason said banking institution is not acting within its administrative powers, but rather as a subject of private law and must be regulated by the respective regulations, such as the Law for the Promotion of Competition and Effective Defense of the Consumer. Likewise, the plaintiff company comes in its capacity as a client of the defendant bank, thus configuring the essential elements for the existence of a commercial consumer relationship governed by the rules of the cited Consumer Protection Law. (...) Furthermore, from what has been said by this very Contentious-Administrative Court, this jurisdictional body considers that the Law for the Promotion and Defense of the Consumer regulates a special legal regime, which must be applied over the general legal regime, as would be in this case the commercial regulations on current accounts, or on contractual matters, so from this simple perspective, the strict liability rules regulated by the cited Consumer Protection Law must be applied. Likewise, and under the same arguments indicated previously, this Court does not agree with the allegation of the defendant party to the effect that the rules of the Commerce Code should be applied, specifically concerning current account contracts, since, as has been set forth, consumer protection regulations are a special regime that prevails over the general one of the Commerce Code.”* **VIII.- Antecedents of the First Chamber of the Supreme Court of Justice in similar cases.** With what has been stated, it is worth bringing up what was resolved by the First Chamber in judgment number 300-2009 of eleven hours twenty-five minutes of March twenty-sixth, two thousand nine, analyzing the topic under controversy, it indicated: *“**III.- Strict liability for risk in consumer matters.** In what refers to liability, two broad aspects can be located: a subjective one, in which the concurrence, and consequent demonstration, of willful misconduct (dolo) or fault (culpa) on the part of the author of the harmful act is required (e.g., cardinal 1045 of the Civil Code), and another objective one, which is characterized, essentially, by dispensing with said elements, with the imputation of the damage being the central axis upon which the duty to repair is erected. As an example of the foregoing, there is numeral 35 of the Law for Effective Defense of the Consumer, where the merchant, producer, or provider shall be liable for those damages derived from the traded goods and the services provided, even when negligence, imprudence, lack of skill, or willful misconduct is not detected in their actions. Likewise, it is important to consider, due to its influence on the evidentiary matter, that the determining elements for the emergence of civil liability, be it subjective or objective, are: harmful conduct (which can be active or passive, legitimate or illegitimate), the existence of damage (that is, an injury to a protected legal interest), a causal link that connects the two previous elements, and in the majority of cases, the verification of a criterion of attribution, which will depend on the specific legal regime. Regarding causality, it is necessary to indicate that it involves a casuistic assessment made by the judge in which, based on the facts, they determine the existence of a relationship between the claimed damage and the conduct displayed by the economic agent. Although there are various theories on the matter, the one considered most consistent with the Costa Rican regime is that of adequate causality, according to which there is a link between damage and conduct when the former originates, if not necessarily, at least with a high probability according to the specific circumstances affecting the matter, from the latter (in this sense, one may see, among others, resolutions 467-F-2008 of 14 hours 25 minutes of July 4, 2008, or 1008-F-2006 of 9 hours 30 minutes of December 21, 2006). On this point, it is important to clarify that the verification of exempting causes (fault of the victim, an act of a third party, or force majeure), acts upon the causal link, discarding that the conduct attributed to the defendant party was the producer of the injury suffered. In what refers to the distinct criteria of imputation, for the purposes of the present case, the theory of created risk is of interest, which was included, expressly, in the Consumer Defense Law. The objective scheme opted for by the law, as well as the application of the cited criterion of imputation, are inferred from the simple reading of the norm in question, which stipulates (...) Carrying out a detailed analysis of the norm just transcribed, a series of conditioning elements for its application emerge. First, and from the perspective of the subjects, that is, who causes the damage and who suffers it, the application of this liability regime is contingent upon certain qualifications concurring in them. Thus, regarding the former, it is required that they be a producer, provider, or merchant, be they natural or legal persons. For its part, regarding the latter, the injury must be inflicted upon someone who participates in a legal relationship where they are positioned as a consumer, in the terms defined in the legal body of reference and developed by this Chamber. It is required, then, that both parties form a consumer relationship, the object of which is the potential acquisition, enjoyment, or use of a good or service by the consumer. The Bank acts in the exercise of its capacity under private law, as a true public enterprise, and in that condition, offers a service to its clients, such that, with the existence of a consumer relationship, the particular case must be analyzed under the scope of coverage of numeral 35 under commentary. Likewise, from the precept under study it emerges, secondly, that the legislator set a series of criteria of attribution based on which the strict liability regulated by this cardinal can be imputed, within which is found the already cited theory of risk. Thus, this serves as a factor to assign liability to the subjects referred to. In essence, said theory postulates that whoever creates, exercises, or takes advantage of a lawful lucrative activity that presents elements potentially dangerous for others, must also bear its inconveniences (*ubi emolumentum, ibi onus*, which can be translated as where the emolument is, there is the burden). From the foregoing affirmation, two characteristics can be inferred: on the one hand, that the risk comes from an activity of exploitation; and on the other, since it is carried out by the human being, so-called acts of nature are excluded. Concomitantly, it is important to make some clarifications regarding the risks suitable for the generation of liability, since not every risk implies the emergence, automatically, of such liability. At present, life in society offers a countless number of risks, of different degrees and scopes, to the point that it can be affirmed that it is impossible to find a daily activity that is exempt from them. Along these lines, the interpretation of norms cannot start from an absolute and total aversion to risk, which, as indicated, forms an integral part of societal coexistence and of the technological advances that are integrated into it. The foregoing leads to the affirmation that, for the emergence of the duty to repair, the risk associated with the activity must present a degree of abnormality, that is, that it exceeds the margin of tolerance that is admissible according to the rules of experience, which must be analyzed, on a casuistic basis, by the judge. The second point that requires some type of commentary is regarding the subject who becomes obligated by virtue of an activity considered dangerous. As already indicated, the criterion of imputation is, precisely, the created risk, which suggests that the person to whom the damage is imputed must be in a position of control regarding that risk, that is, they must be the one who develops the activity or assumes the possible negative consequences associated therewith, receiving a benefit from it. This benefit can be direct, which can be identified, among others, with the income or emoluments obtained as a consideration, or indirect, when the advantageous situation occurs in a reflexive manner, which could be the case of alternative mechanisms that tend to attract consumers, and consequently, result in an economic benefit for its offeror. It is important to mention that in an activity, it is feasible to find different degrees of risk, which must be managed by that subject who benefits from it, a circumstance that exerts a direct influence on the evidentiary duty incumbent upon them, since it is relevant for determining imputation in the specific case. The foregoing, coupled with the existence of exempting causes, demonstrates that the legislation under commentary does not constitute an automatic transfer of assets.”* .

**IX.- Scope of the liability regime regulated in Law No. 7472.** It is clear then that the applicable liability norm to the case at hand is the aforementioned ordinal 35 of Law No. 7472, which literally states: *“ARTICLE 35.- Liability regime. The producer, the provider, and the merchant must answer concurrently and independently of the existence of fault, if the consumer is harmed by reason of the good or service, by inadequate or insufficient information about them, or by their use and risks./ One is only released if one demonstrates that one was unrelated to the damage./ The legal representatives of commercial establishments or, as the case may be, the managers of the business are responsible for their own acts or deeds or for those of their dependents or auxiliaries. Technicians, those in charge of production, and controllers are jointly and severally liable, when applicable, for violations of this Law to the detriment of the consumer.”* The correct understanding of the norm allows one to conclude on the strict liability nature of this liability regime, which, as such, dispenses with the consideration of subjective factors, such as willful misconduct or gross negligence. Second, it is necessary to prove the existence of harmful conduct, active or omissive; this means that a violation of the consumer's rights or of their obligations must be presented by the merchant or provider. It is clear that for the imputation of liability to be possible, the existence of effective, assessable, and individualizable damage must be demonstrated, which is a consequence of the merchant's (presumed responsible party's) conduct. This implies the accreditation of a causal link (nexo de causalidad) between that injury and the behavior of the provider of services or goods. Now then, in the context of the legal regime applicable to the case of this type of consumer relationship, numeral 35 of Law No. 7472 establishes the possible release from liability for whoever demonstrates their lack of involvement with the damage. By supplementary application of Article 190 of the General Law of Public Administration (conforming to the referral established by canon 71 of the Law for the Promotion of Competition and Effective Protection of the Consumer), the exempting causes of liability provided therein are of full application to that matter. Of course, in keeping with the dynamic burden of proof, it corresponds to whoever seeks to release themself from an obligation to prove the liberating, impeditive, or modifying facts of the right that is sought to be exercised against them. On the topic of the burden of proof in this type of process, one may see recital (considerando) IV of judgment 300-2009 of the First Chamber of the Supreme Court of Justice. Thus, it is determinant to establish in this process the convergence of the various referred assumptions that allow the strict liability of the banking entity to arise, as the plaintiff alleges, or if, on the contrary, some of the exempting causes of that liability have been configured that allow the Bank to be considered uninvolved in the damage claimed in this venue.

**X.- Analysis of the specific case. On the strict liability of Banco Nacional. Accreditation of damage and causal link.** In the case at hand, it has been proven that the company Bahía Pez Vela Administration S.A. has two current accounts with Banco Nacional de Costa Rica, number 100-01-015-006077-5 in colones and number 100-02-015-600387-8 in dollars, and that in these, in the period between March 10 and 14, 2008, a series of debits were made through electronic transfers, for a total of forty-two transfers in favor of various accounts belonging to other clients of the same defendant Bank (see detail of the report of the Security Supervisor of the sued Bank visible at folios 1 to 4 of the administrative file), for a total, according to said report, of ¢19,500,000.00 (nineteen million five hundred thousand colones). As indicated, the debits were made from IP addresses within the Country, on machines not linked with the defendant Bank itself, and that the plaintiff party denies had their consent, since both before the banking institution itself and before the Judicial Investigation Agency, they stated that it was the company’s accountant who realized the missing funds when consulting the internet system for the purpose of carrying out some operations, which is why on that same March 14, 2008, they proceeded to report it to the Bank, requesting the respective investigation. As an effect of the complaint filed by the representative of the affected company, the Security Supervisor of Banco Regional Guanacaste-Puntarenas, in official letter BRGP-005-2008 of April 7, 2008, among his conclusions indicated: *“... given that in the transactional record that identifies the account holder as the author of the reported suspicious transfers, the data identifying the account holder as the author thereof appears. Which reflects that what occurred is not due to a violation of the bank’s security systems, but rather to a failure on the part of the user. Therefore, it is recommended, subject to your better judgment, to decline the present administrative claim, rejecting in all its aspects the request for reimbursement of the funds...”* (folio 1 of the administrative file). Based on that, the Director of Banca Regional Guanacaste-Puntarenas of Banco Nacional de Costa Rica, through official letter BRGP-142-2008 dated April 9, 2008, communicated to Mr. Brenes Cabalceta regarding the investigation carried out in the reported case, among other things indicating that the movements were not made from any machine related to the Bank and that according to the IP addresses from which they were executed, they are services provided by ICE, Racsa, Cable Amnet, and Cable Tica, therefore it was not due to the violation of the bank’s security systems, but rather to a failure on the part of the user, which is why the claim was rejected (Folios 5 to 7 of the administrative file). Before which the representative of the company Bahía Pez Vela Administration S.A.

on April 22, 2008, filed motions for reconsideration (recursos de revocatoria) and a subsidiary appeal (apelación en subsidio) against the decision in official communication BRGP-142-2008, alleging that the company was the victim of an action by third parties who abused the electronic fund management system used by the Banco Nacional (Folios 11 to 20 of the administrative file). Both motions were rejected; the motion for reconsideration in official communication BRGP-163-2008 of April 30, 2008, and the appeal by the Junta Directiva General in Article 10 of Session No. 11,497 of August 26, 2008, arguing that the patrimonial damage caused did not occur due to conduct on the part of the Bank, but rather due to the negligence of a representative or authorized signatory on the account, who must have revealed the data necessary to access the account and make the money transfers from the accounts to several persons (Folios 21 and 23 respectively of the administrative file). Despite the exhaustion of administrative remedies, the representative of the affected company, on July 28, 2009, again filed the administrative claim before the Liberia branch of the Banco Nacional de Costa Rica, requesting payment of $40,000 which he indicated were withdrawn from his accounts (Folios 40 and 41 of the main file), and given the omission of a resolution, on January 8, 2010 (Folio 73 of the main file), the Bank was urged to issue the respective resolution on its claim, without result. From the factual scenario described above, this Court clearly extracts that a consumer relationship has existed between the Banco Nacional and the plaintiff company, with which the provisions of Article 35 of Law No. 7472 are applicable to the case, as has been indicated. Furthermore, it has been possible to verify damage to the consumer's rights, which materializes through the risk produced by the use of the technological platform of the internet banking service offered by the banking entity, with damage occurring in the plaintiff's patrimonial sphere, consisting of the unauthorized withdrawal of money from its accounts, as determined in the study carried out by the Bank on the occasion of the transfers made between March 10 and 14, 2008, from the dollar and colón accounts of the company acting here as plaintiff. Although the defendant Bank attempts to indicate that it is not responsible, the truth is that the injury suffered must be considered a consequence of the lack of implementation of adequate security mechanisms for the use of electronic transfer services made possible through internet banking, a service offered by the Banco Nacional de Costa Rica, as in this case, to the company Bahía Pez Vela Administration S.A. Thus, the causal link (nexo causal) that is necessary to attribute liability in this type of situation is manifest. As indicated, it is worth highlighting that the representative of the affected company, once aware of the withdrawals, proceeded to report them both to the Bank that provided the services and to the police authorities, in this case the Judicial Investigation Organization (Organismo de Investigación Judicial), both on March 14, 2008, given that the operations improperly carried out on its accounts occurred between March 10 and 14 of that year, which demonstrates the prompt attention of the affected party.

**XI.- Analysis of the existence of exempting causes in the case.** As indicated in previous lines, it is the provider or marketer of the Internet Banking service, in this case the Banco Nacional de Costa Rica, who could be freed from its strict liability (responsabilidad objetiva) derived from the application of Article 35 of Law 7472, only when it proves (as the burden of proof is its responsibility) the externality (ajenidad) of the harmful result, meaning that the case involved the fault of the victim, an act of a third party, or force majeure. The bank alleged, even as a substantive defense, the concurrence of the victim's fault, and as a consequence thereof, the participation of third persons. Indeed, the position assumed by the Bank when answering the complaint is sustained by the dissenting vote of Judge Palacios Garcia to ruling 910-2010 of Section IV of this Court, in which, among other aspects, it is determined that regarding the obtaining of the keys and passwords necessary to carry out the transactions, it is necessary to determine whether this was due to the incompetence of the bank or its officials; or whether a third party used computer means to directly obtain from the client the necessary data to access the system. However, this panel of the Court maintains its stance that the burden of proof in this type of case remains with the banking institution; hence, if it maintains, as it does in this case, the idea of the existence of a suppression of its liability, either by the client's own intervention who carelessly left their data in the hands of third parties, or that the bank itself had no liability, these are aspects that, for the purposes of its exemption, it must prove in the case file. In this regard, it must be noted that the response to the complaint does not delve into the subject, and refers to the investigation report carried out on the occasion of the vicissitude experienced by the plaintiff company, making it necessary to analyze what is stated therein. Thus, in official communication BRGP-005-2008 of April 7, 2008, Mr. Gilberth Marchena Viales, Security Supervisor of the Banco Nacional de Costa Rica, when analyzing the case, refers to the fact that in the institution's internal regulations and in the signed contract, the client agreed to keep their identification documents such as the password (pasword), the user code, and other personal data necessary to access the computer system; but the truth is that at no time is any reason, circumstance, or other piece of data identified so that, consequently, concretely, and determinately, it can be concluded that employees or officers of the affected company effectively committed, by action or omission, careless use of the identification documentation to use the system; they merely proceed from an assumption, derived, in their understanding, from the fact that the transactions did not originate from any Bank machine, nor from its employees, and that the IP addresses used correspond to subjects outside the institution. This derivation cannot be taken into account in a case such as the one before us to transfer liability to the client or a third party, since the data with which the unauthorized transfers were carried out could perfectly well have been obtained from the bank records themselves due to a lack of controls in the computer system, which is not ruled out at any time by what is indicated in the aforementioned investigation report, as it is well known that so-called "hackers" could have perfectly penetrated the systems and obtained from there the necessary data to have carried out the transactions that ultimately affected the accounts that the company Bahía Pez Vela maintains with the financial institution. In fact, as indicated, the report is not conclusive in that sense, but rather proceeds from assumptions; even when resolving the appeal filed in this case, the Junta Directiva General of the Banco Nacional de Costa Rica maintained the conjecture, as in Article Ten of Session 11497 of August 23, 2008, it asserted that: "...the patrimonial damage caused to the appellant did not occur due to conduct on the part of the Banco Nacional de Costa Rica, but rather due to negligent conduct on the part of a representative or person authorized to access the account, which ultimately resulted in the transfer of money to the accounts of several persons..." That is, without any proof, the Bank, in an effort to free itself from liability, asserts that it was the officers or employees of the affected company who, through "negligence," revealed the data. We insist, the Bank cannot merely indicate that it has managed the data well internally and, without further evidence, simply indicate that if it was not the institution, the client must be responsible—an argument that is totally devoid of probative force and therefore must be dismissed as an element to be taken into account in the possible exemption from the strict liability that derives from these cases, as what is indicated in that manner would not have the merit to be taken as reliable proof of its computer system operating without breach, much less to impute a fault on others without having support for it. Indeed, a thorough analysis of the various pieces of evidence in the case file does not allow for conclusions about imprudent or negligent conduct by the account holder that would allow for the assumption that they made relevant information for accessing their accounts known to third parties. Furthermore, from the technical investigation that was added to the file, there is no accreditation that the plaintiff had ceded their sensitive data for carrying out the transfers under dispute. Therefore, the concurrence of the victim's fault cannot be inferred in this case for not having been diligent in safeguarding the means of access to the Internet Banking tool (sensitive data in their possession); and furthermore, the Bank could not demonstrate in this proceeding that the damage was extraneous to its scope of action and precautions. Nor has it been possible to prove that the bank's security systems functioned adequately or that there was no failure in the security systems of the defendant banking entity. On the other hand, the necessary elements of conviction were not provided to prove the act of a third party as a cause for excluding the Bank's liability. Although it is detected that the transfers were made from IP addresses located within the country, the truth of the matter is that, at the core, we insist, the defendant entity did not prove that its security systems had not been breached in such a way that a level of security and minimal risk for the use of electronic services was maintained. It could not be sustained that the burden of proof regarding the vulnerability of those computer security mechanisms or systems falls on the plaintiff, as, on the contrary, its evidentiary burden must be directed at demonstrating the existence of one or several circumstances that prevent the emergence of the repeatedly mentioned civil liability, which by law weighs upon that banking institution. Thus, it would be unthinkable to attempt to shift that burden of proof so that the user of the banking services offered by the Banco Nacional de Costa Rica is the one who must know in detail all of that bank's security systems, and from there, also demonstrate the existence of some fissure. Such a position does not imply the impossibility of proving the existence of fault on the part of the victim or the act of a third party within the framework of electronic banking commerce. It is worth noting that it is the defendant who designs and conditions access to the systems used within the framework of the tool called Internet Banking, which is why it has the possibility of establishing as many security systems as it deems appropriate to guarantee that transactions are made by its client, and not only by someone who has sensitive data of that user at their disposal. In this sense, it is the banking entity, which profits from the financial services offered, that must ensure the use of computer and administrative systems that, from a legal point of view, allow for the certain accreditation of the physical identity of the user—for example, the mandatory establishment of OTP devices, or even, within the framework of its administrative autonomy, considering establishing the use of devices that reduce risks and prove the client's identity with a higher degree of certainty, such as biometric tools, this in order to have systems that allow for the pre-constitution of evidence. In this direction, Sala Primera of la Corte Suprema de Justicia has considered: "Notwithstanding the foregoing, the defendant financial entity must take into account that its essential function is financial intermediation, which includes the raising of funds from public savings, a concept that implicitly carries their custody, both from a physical point of view and from the corresponding electronic record. There is no doubt that it is subject to an unavoidable obligation to guarantee the security of transactions carried out, whether at the teller window or through any other means made available to clients, which must necessarily encompass the use of all those available mechanisms that allow it to have a greater degree of certainty regarding the identification of the persons who are authorized to carry out electronic transactions from the accounts. The liability attributed to the Bank is founded not on the withdrawal of money by a third party, but on the existence of a risk, according to what was stated in Considerando III, inherent in the very operation of the service it offers, which allows the origin of the damage to be attributed to the operation of the service. The foregoing, despite having mechanisms that allow for greater security. (...) After all, banks, without the defendant being the exception, custody and administer, among other things, someone else's property; and not just any property, but funds from the public. Thus, it responds not only for the strength of its internal systems but also for the security of the person who, to get there, uses the only possible channels that the Bank itself knows and recognizes as risky. And it responds not insofar as they are extraneous, but to the extent that they constitute the means it directly relies upon to provide the service. As stipulated by Article 35 of the Consumer Protection Law (Ley de Protección al Consumidor), there has been an injured party by reason of the service, which, upon being used (and given its risky nature), produced a significant injury to the party appearing in the proceeding as the plaintiff. (...) The means to access the Bank's platform is not, therefore, an isolated source of risk, but rather an instrument inherent to the service it provides; one might say, it forms an intrinsic part of the activity, which, although accessory to the intermediary's activity, is essential. Hence, the guarantee mechanisms to the client-user must be provided not only within the informatic walls of the Bank itself, but also on the access path to it as part of the service. Not in vain, the Financial System has, in general, focused on implementing double identification mechanisms, improving passwords, and, in general, the use of recent systems such as the use of tokens, changing passwords, keys with special devices, among others." (Resolution No. 300-2009 cited above). Said reference highlights that the vulnerability of the system is not a matter that the account holder (cuentahabiente) must prove; on the contrary, given the activity it carries out, the profit it obtains from that commercial line, and since it constitutes a means that allows for the streamlining of transactions derived from the checking account—a contract that implies custody of public funds—it is the financial entity that must prove that its security systems have an acceptable degree of security and that in each specific case, they were not breached. In the present case, it was precisely the deficiency of security mechanisms that led to the materialization of damage against the plaintiff company, consisting of the withdrawal of a sum of money, which has been acknowledged by the Bank as ₡19,500,000.00 (nineteen million five hundred thousand colones), but for the plaintiff, it is $40,000.00 (forty thousand dollars), a product of several transactions carried out in favor of other account holders of the same Banco Nacional de Costa Rica. This represents damage from which the banking entity has not managed to disassociate itself, as neither the externality (ajenidad) to the damage nor the concurrence of any of the exempting causes that would allow it to be freed from that strict liability that prevails in consumer relations has been proven." The respective case file was referred to this collegiate body for issuance of the pertinent ruling on January 14, 2010, as recorded in the referral stamp visible on folio 99 verso of the judicial file.

5.- In the proceedings before this Court, no nullities have been observed that must be remedied, and the judgment is issued within the fifteen-business-day period established for this purpose by article 82.4 of the Reglamento Autónomo de Organización y Servicio de la Jurisdicción Contencioso Administrativa y Civil de Hacienda.

Written by Judge Giusti Soto with the affirmative vote of Judge Abarca Gómez and Judge Garita Navarro;

CONSIDERANDO.

I.- Proven facts. Of relevance for the purposes of this proceeding, the following are established: 1) That on March 14, 2008, Mr. Nombre142961 requested Banco Nacional de Costa Rica to investigate the transactions made to his represented party's accounts between March 10 and 14 of that year. (Folio 18 of the main file). 2) On March 14, 2008, Mr. Nombre142961 filed complaint No. 013-08-00456 before the Organismo de Investigación Judicial of Liberia Guanacaste, in which he stated that the company's accountant used the internet on Monday, March 14, to make some transfers, noticing that the password had been changed; she immediately requested a new password and became aware of the theft of thirty-nine thousand dollars, which were deposited into other accounts of other persons unknown to them. (Folio 20 of the main file). 3) The Security Supervisor of Banca Regional Guanacaste-Puntarenas, Lic. Gilberth Marchena Viales, in official letter No. BRGP-005-2008 of April 7, 2008, addressed to the Regional Director of Banco Nacional de Costa Rica, Nombre142962, informed him about the investigation conducted at the request of the representative of the company Bahía Pez Vela Administration S.A. regarding debits made to its accounts, concluding that the transactional record of Internet Banking Personal for each of the reported suspicious transfers shows the data identifying the account holder as the author of the same, which reflects that what occurred was not due to a breach of the bank's security systems, but rather to a fault of the user. (Folios 1 to 4 of the administrative file). 4) That through official letter BRGP-142-2008 dated April 9, 2008, the Regional Director of Banca Regional Guanacaste Puntarenas of Banco Nacional de Costa Rica communicated to Mr. Nombre142961 about the investigation carried out in the case he reported, making known to him the result of the investigation by the Dirección de Seguridad; additionally, he was informed of the list of all transactions and that the amount totaled the sum of ¢19,500,000; that Nombre142963 had been detained when he appeared at the Heredia office and was placed under the orders of the Organismo de Investigación Judicial. Likewise, he was informed that the sum of ¢498,311.50 was blocked in the account of the suspect Nombre142964, pending coordination with the Ministerio Público for the respective refund; that the transactions were not made from any machine related to the Bank and that according to the IP addresses from which they were executed, they are services provided by ICE, Racsa, Cable Amnet, and Cable Tica, so it was not due to a breach of the bank's security systems, but rather to a failure of the user. Therefore, they communicated the rejection of all aspects of the claim filed. (Folios 5 through 7 of the administrative file). 5) On April 22, 2008, the representative of the company Bahía Pez Vela Administration S.A. filed, before Banca Regional Guanacaste-Puntarenas, a motion for reconsideration (recurso de revocatoria) and a subsidiary appeal (apelación en subsidio) against the decision in official letter BRGP-142-2008, alleging that the company was the object of an action by third parties who, abusing the electronic fund management system of Banco Nacional, stole the sum of ¢19,500,000 from two accounts; therefore, there is strict liability (responsabilidad objetiva) on the part of the bank because the electronic page is a service provided by the entity, over which it must verify all security measures so that unrelated third parties do not make electronic transfers to the detriment of the checking account holders, and considering the authorization of transfers exceeding the permitted daily limits, this demonstrates a failure in the controls of the technological systems. (Folio 11 through 20 of the administrative file). 6) The Regional Director of Banca Regional Guanacaste-Puntarenas of Banco Nacional de Costa Rica, in official letter BRGP-163-2008 of April 30, 2008, rejected the motion for reconsideration (recurso de revocatoria) filed, considering that no new elements of judgment were added in the terms presented to what was originally raised. He informed him that the matter was being remitted to the knowledge of the Junta Directiva General for the purpose of exhausting the administrative channel (vía administrativa) (Folio 21 of the administrative file). 7) Through an unnumbered official letter, dated September 1, 2008, and signed by Mr. Nombre142965, Secretario General of the Junta Directiva of Banco Nacional de Costa Rica, they communicated to Mr. Nombre142961 that the Junta Directiva, in article 10 of session No. 11,497 of August 26, 2008, heard the appeal (apelación) filed against official letter BRGP-142-2008, informing him that it was decided to fully uphold the legal opinion DJ.1482-2008 of August 7, previously issued by the Dirección Jurídica, thereby declaring the appeal without merit, arguing that the pecuniary damage caused did not occur due to conduct deployed by the Bank, but rather due to negligent conduct by a representative or authorized party on the account, who revealed data necessary for accessing the account, which led to the transfer of money from the accounts to several persons, for which the Bank is not liable. (Folio 23 front and back of the administrative file). 8) That on August 13, 2009, the representative of the company Bahía Pez Vela Administration S.A. filed an administrative claim (reclamo administrativo) before the Liberia branch of Banco Nacional de Costa Rica, requesting acknowledgment of the $40,000 that were stolen from its accounts between March 10 and 14, 2008, through electronic transfers that were not authorized by his represented party. (Folio 40 and 41 of the main file). 9) That on January 8, 2010, Mr. Nombre142961 requested the Liberia Branch of Banco Nacional de Costa Rica to respond to his request of August 13, 2009, regarding his administrative claim (reclamo administrativo), warning that if it was not done, he would resort to the corresponding legal channel. (Folio 73 of the main file).

II.Unproven facts. Of relevance for the purposes of this proceeding, the following is established as such: That the Liberia branch of Banco Nacional de Costa Rica had provided any response or resolution to the claim for acknowledgment of the money stolen from the accounts of its client Bahía Pez Vela Administration S.A., filed by the representative of said company, Mr. Nombre142961, on August 13, 2009, and reaffirmed on January 8, 2010. (This situation is not accredited).

III.- Object of the proceeding. Arguments of the parties. Having analyzed the allegations and petitions of the parties involved in this conflict, the object of the proceeding is determined to be the compensation to the plaintiff company for the sum of $40,000 stolen from its accounts between March 10 and 14, 2008, alleging a lack of controls by the defendant Bank in the use of the Internet Banking service.

IV.- Arguments of the parties. The plaintiff argues that its represented party had a commercial relationship with Banco Nacional de Costa Rica through checking account number 100-01-015-006077-5 in colones and number 100-02-015-600387-8 in dollars. That during the week of March 10 to 14, 2008, outside persons stole the sum of forty thousand dollars from its electronic accounts. That on March 10, 2008, the company's accountant, upon reviewing the accounts, was able to notice the shortfall; therefore, on March 14, 2008, a note was sent to Banco Nacional to initiate the respective investigation regarding the transactions made via the internet in its represented party's account, and additionally, on the same date, it proceeded to file a complaint (denuncia) before the Organismo de Investigación Judicial of Liberia Guanacaste. It indicates that the Banco Liberia Branch, on the following April 8, informed it that the entity had determined that during the week of March 10 to 14, 2008, several money transfers were made via Internet Banking from account 100-02-015-600387-8 in dollars and 100-01-015-6077-5 in colones in the company's name to different accounts, executing a total of 39 operations, some of which had as recipients the individuals Nombre142963 and Nombre142964, and they indicated that the incident was not the bank's responsibility since it had occurred due to a fault of the company. It states that it filed against that decision a motion for reconsideration with a subsidiary appeal (recurso de revocatoria con apelación) before the Regional Director of Guanacaste on April 21, 2008, the same being rejected on the following April 30, and the administrative channel (vía administrativa) was deemed exhausted. It alleges that it again filed an administrative claim (reclamo administrativo) on July 28, 2009, requesting the application of article 190 of the Ley General de la Administración Pública and 158 of the Código Procesal Contencioso. It indicates that given the omission, on January 8, it again urged a response, which had no effect. It denies that it was due to negligence on the part of its represented party, since the transactions were not carried out by employees or by the company's machines, as can be corroborated from the IP addresses from which the illicit transactions were made. It then develops the theory of strict liability (responsabilidad objetiva) contained in the Ley General de la Administración Pública, indicating that liability in the specific case derives from the Bank's lack of controls through the use of a service provided to its company via Internet Banking, which finds support in the Ley de Protección al Consumidor, as indicated by the Court, for which reason, derived from the contractual nature of its represented party's relationship with the banking institution and the duty to indemnify in accordance with the citation it makes of judgment 116-08 of 2:00 p.m. on September 26, 2008, from which it infers that since it was not the company's responsibility that unscrupulous persons entered through the bank's lack of security and that its money was stolen, this entails the institution's duty to assume liability for the damage caused, that is, the loss of forty thousand dollars. It alleges the application of articles 31, 34, and 35 of the Ley de Promoción de la Competencia, by virtue of the service provided. It further indicates that, more abundantly, the liability of banks in matters of electronic fraud has already been heard by the Sala Primera of the Corte Suprema de Justicia in several judgments, mentioning among them No. 300-F-S1-2009 of 11:25 a.m. on March 26, 2009, and No. 394-F-S1-2009 of 10:23 a.m. on April 23, 2009.

V.- For its part, the representative of the defendant bank indicates that indeed the company Bahía Pez Vela Administration S.A. is the holder of bank accounts numbers 100-02-015-600387-8 in dollars and 100-01-015-006077-5 in colones. That in report BRGP-005-2008 of April 7, 2008, signed by the Security Supervisor of the Bank's Regional Office in Guanacaste, it was determined that the transfers made via Internet Banking between March 10 and 14, 2008, were for a total amount of ¢19,500,000; the report highlights that the analysis of the transactions shows they were made with the client's user code (full name and ID number), that the Bank's computer systems were not breached, that in the investigated transactions no IP addresses assigned and used by Banco Nacional were located, that the funds were withdrawn through different ATMs, and that upon receiving the notice, the accounts used were closed and their holders were coded. It states that after the restriction of the accounts, Nombre142966 was detained when he appeared at the Heredia Branch and was placed under the order of the Organismo de Investigación Judicial, and that the sum of ¢498,311.50 from the transfer made to the account of Nombre142964 is being withheld. It manifests that the Personnel of the Dirección de Seguridad Informática conducted a verification of the reported facts and the control and security elements associated with Banco Nacional's electronic services, determining that the IP address numbers from which the transactions were made are of Costa Rican origin, indicating that the password created by the client to register in the Internet Banking System and access electronic services is secret, is only known by the interested party, and is non-transferable, and that password was the one used for the investigated transactions, and that no IP addresses assigned or used by Banco Nacional were used, for which reason it was concluded that it was not due to a breach of the bank's security systems, but rather to a fault of the user; with all of which it was recommended to decline the administrative claim (reclamo administrativo) filed. Regarding the investigation request submitted by the company, it indicates that it culminated in report BRGP-005-2008 of April 7, 2008, and based on this, the Director of Banco Regional Guanacaste, in official letter BRGP-142-2008 of the following April 9, rejected the claim filed, explaining the aspects that arose. That against this decision, motions for reconsideration with a subsidiary appeal (recursos de revocatoria con apelación en subsidio) were filed, the first being rejected through official letter BRGP-163-2008 signed by the Director of Banco Regional Guanacaste, elevating the matter to the Junta Directiva General, which resolved the appeal (apelación) by rejecting it according to article 10 of session No. 11,497 of August 26, 2008, notified on the following September 3, a moment from which it indicates the one-year period provided in the Código Procesal Contencioso Administrativo begins to run. That the affected company again filed an administrative claim (reclamo administrativo) on August 13, 2009, at the branch of Banco Nacional de Liberia, practically one year after the matter had been definitively resolved even by the institution's Junta Directiva, which indicates that the action was absolutely improper, as the facts had already been widely heard and resolved by the Bank, and it indicates that this claim was filed to disguise the evident expiration of the action (caducidad de la acción). Regarding the issue of Internet Banking fraud, it cites judgment 1496-2010 of the Court, from which it considers it can be extracted that the correct analysis of this type of case must start from four aspects: a) that the plaintiff must reliably prove having observed appropriate behavior patterns to protect their sensitive data, including the non-disclosure of their password and PIN, which are the client's personal creation; b) that it is impossible to explain how a third party can access the data without the concurrence of the account holder themselves, whether by action or omission, since the primary party obliged to adequately safeguard the data is the client, and if they did not do so diligently, then third parties could access it; c) that the bank has taken the necessary means so that private data are recorded on different media, some completely distinct from others, and some even of the client's unique and exclusive creation; and d) that it is not possible to ignore that the only possible way for the alleged fraud to have occurred is through the client's carelessness, which allowed, through their action or omission, the leak of their data. Thus, it considers that in this case, the exemptions that break the causal link (fault of the victim and act of a third party) are applicable, for which reason it requests that the lawsuit be declared without merit in all its aspects. On the other hand, regarding the prior defense of the expiration of the action (caducidad de la acción), it indicates that the plaintiff lacks all legal basis to bring legal action against the Bank, since its administrative claims were resolved even by the institution's Junta Directiva, whose resolution was notified on September 3, 2008, that is, almost two years ago, so the provisions of articles 31 and 39 of the Código Procesal Contencioso Administrativo are applicable, evidencing the expiration of the period to file this proceeding, and it requests that the lawsuit be declared inadmissible. Finally, it raised the substantive defenses of Lack of Right, Act of a Third Party, and Fault of the Victim.

VI.- On the fundamental rights of consumers. Constitutional and legal regulation. For this case, it is necessary to make a brief reference to the constitutional and legal framework that specifies the set of rights applicable to consumers in relationships for the acquisition of goods and/or services. This is relevant when considering that checking account contracts (including electronic ones), as well as the generality of financial and banking offerings, form part of that type of commercial relationship in which the recipient of the service or goods constitutes themselves as a consumer, a category for which, due to the dynamics of commerce, rights and obligations have been enshrined.

This matter has already been the subject of examination by this Court, in judgments number 1112-2009 of thirteen hours and thirty minutes on June 15, 2009, number 602-2010 of sixteen hours and thirty minutes on February 19, two thousand ten, number 2758-2010 of eleven hours and forty-five minutes on July 28, two thousand ten, and number 3699-2010 of eleven hours and fifty-seven minutes on September 30, two thousand ten. In said precedents, this Sixth Section has established that this type of relationship falls under the category of consumer relationships. From this perspective, canon 46, fifth paragraph, of the Political Constitution establishes the set of rights that assist consumers, in most cases, as the weaker party in the commercial relationship. Along these lines, the cited provision stipulates: "Article 46.- (...) Consumers and users have the right to the protection of their health, environment, safety, and economic interests; to receive adequate and truthful information; to freedom of choice, and to equitable treatment. The State shall support the organizations they form for the defense of their rights. The Law shall regulate these matters." It should be noted that the right to equitable treatment presupposes in any case the duty of the merchant or provider to treat the consumer in an attentive and respectful manner in response to simple claims, or in the protection of their rights both in administrative and judicial venues. Now then, it is clear that the application of these principles and their interpretation must be oriented towards the protection and safeguarding of the weaker party in the relationship. This is how the Constitutional Chamber has understood it, among others, in judgment number 2002-0857, in which, on the subject under discussion, it stated: "It is notorious that the consumer finds themselves at the end of the chain formed by the production, distribution, and commercialization of consumer goods they need to acquire for their personal satisfaction, and their participation in that process does not respond to technical or professional reasons, but to the constant execution of contracts in a personal capacity. Therefore, their relationship in that commercial sequence is one of inferiority and requires special protection against the providers of goods and services, so that before expressing their contractual consent, they have all the necessary elements of judgment that allow them to express it with complete freedom, and this implies thorough knowledge of the goods and services offered. Included in the foregoing, in a harmonious mix, are several constitutional principles, such as the State's concern for the broadest sectors of the population when they act as consumers, the reaffirmation of individual freedom by facilitating private individuals' free disposition of their assets with the greatest possible knowledge of the good or service to be acquired, the protection of the health that is involved, the ordering and systematization of reciprocal relationships between the interested parties, the integration of international commercial practices into the internal system, and finally, the greater protection of the inhabitant's functioning in their means of subsistence." From the foregoing, it follows that in the consumer relationship between the merchant or provider and the consumer, there exists, due to the natural dynamics of commerce, an inequality between the two, and the consumer, in most cases, in this natural relationship, is the weaker party. Hence, the Political Constitution balances the dynamic of burdens in that consumer relationship, granting the consumer a series of fundamental rights that protect them from their natural inequality with the merchant or provider. As a derivation of this, the interpretation and application of the rules, in case of doubt, in conflicts of this nature, must favor the weaker party, that is, in principle, the consumer. Hence, in such cases, the merchant or provider has an obligation to demonstrate that they have fulfilled their obligations in the consumer relationship and that they have respected the consumer's fundamental rights; otherwise, they must answer for the violation of these rules as determined by infra-constitutional norms. Now, as Article 46 of the Constitution states, it is the Law that is responsible for regulating those rights, which is materialized in the Law for the Promotion of Competition and Effective Defense of the Consumer, No. 7472. Said legal body establishes, broadly speaking, the rights that assist the consumer, a topic developed in canon 32, as well as the duties of the merchant, established in canon 34. It is clear, therefore, that the violation of the merchant’s duties generates, as a direct effect and as a natural and logical consequence, the impairment of the consumer's rights, protected constitutionally and legally in the terms already set forth. This implies, then, the emergence of a system of liability of the merchant or provider towards the consumer, to repair the damages and losses caused to the latter. Consequently, if there is a violation of the consumer's constitutional and legal rights by the merchant or provider, the latter must repair the harmful effect caused to the consumer, under the strict liability (responsabilidad objetiva) regime that will be explained in detail and with precision in the following recital of this judgment.

**VII.- On the legal liability regime applicable to electronic banking commerce relationships.** A relevant aspect within this process is the determination of the legal regime applicable to this type of commercial relationship, such as the one that has arisen between the parties. Regarding legal regulations that the Commerce Code establishes for the current account contract, this Court has been clear, a thesis it upholds as no legal arguments have been provided to justify a variation in this stance; since current account contracts with electronic internet banking services are one more variation of economic consumer relationships, in this case, of banking and financial services, the liability rules set forth by the Law for the Promotion of Competition and Effective Defense of the Consumer are fully and completely applicable. Even considering that in the current context, electronic accounts presuppose as a basic criterion the existence of a current account contract, thereby being considered an additional service to the latter, or else, an updated variation thereof, the fact remains that in the conceptual context developed in Article 2 of Law No. 7472, that relationship fits fully within consumer relationships insofar as it involves a merchant or provider party of financial or banking services, which are acquired by a client who constitutes the final recipient of that market offer. It is a commercial adhesion contract (contrato comercial por adhesión) whose purpose is the offering of banking services for fund administration through a current account, by virtue of which the Bank receives from the client funds or other creditable values immediately or as a deposit or, alternatively, the granting of credit, to draw against it. It is evident that when the account permits electronic transfers, as a derivation of technological modernity, the reference to the concept of checks (as a physical document) does not apply. Precisely the application of dematerialized mechanisms in commerce for the availability of those funds and accounts, dispensing with the issuance of physical documents, is today one more offering within said current account contract, which is highly attractive to the consumer, given the agility and simplification of transactions, which demands security mechanisms for monetary movements to fulfill the duty of efficient and diligent custody of the client's funds. From this perspective of examination, the rules referring to the contractual typology of the bond do not diminish or eliminate the fact that it is a consumer relationship, therefore also regulated by the provisions of Law No. 7472. Hence, there is no doubt that the legal liability regime applicable to the present matter is provision 35 of the cited Law for the Promotion of Competition and Effective Defense of the Consumer. Thus, as a reference, this Section stated this in the aforementioned ruling No. 2758-2010, in which, on the specific topic, it was noted: *"From those resolutions, the unanimous criterion can be extracted that the strict liability regime that must be applied in matters such as the present one is that provided for in articles 31 and 35 of the Law for the Promotion of Competition and Effective Defense of the Consumer, this because we are in the presence of a commercial consumer relationship, in which the Banco Nacional de Costa Rica, despite being a public administration, provides a commercial Internet Banking service, which qualifies as a private commercial service, and therefore said banking institution is not acting within its administrative powers, but rather as a subject of private law and must be regulated by the respective regulations, such as the Law for the Promotion of Competition and Effective Defense of the Consumer. Likewise, the plaintiff company comes in its capacity as a client of the defendant bank, thereby configuring the essential elements for the existence of a commercial consumer relationship governed by the rules of the cited Consumer Protection Law. (...) Furthermore, based on what has been said by this very Contentious-Administrative Court, this jurisdictional body considers that the Law for the Promotion and Defense of the Consumer regulates a special legal regime, which must be applied over the general legal regime, as would be the case here with commercial regulations on current accounts or on contractual matters, so from this simple perspective, the strict liability rules regulated by the cited Consumer Protection Law must be applied. Likewise, and under the same arguments previously indicated, this Court does not agree with the claim of the defendant party in the sense that the rules of the Commerce Code should be applied, specifically concerning current account contracts, since as has been set forth, the consumer protection regulations are a special regime that prevails over the general one of the Commerce Code."* **VIII.- Precedents of the First Chamber of the Supreme Court of Justice in similar cases.** With what has been stated, it is worth bringing up what was resolved by the First Chamber in judgment number 300-2009 of eleven hours and twenty-five minutes on March 26, two thousand nine, analyzing the topic under dispute, it stated: *"**III.- Strict liability (Responsabilidad objetiva) for risk in consumer matters.** Regarding liability, two major aspects can be identified: one subjective, in which the concurrence, and consequent demonstration, of willful misconduct (dolo) or fault (culpa) on the part of the author of the harmful act is required (e.g., cardinal 1045 of the Civil Code), and another objective, characterized, essentially, by dispensing with said elements, with the imputation of the damage being the central axis upon which the duty to repair is built. As an example of the foregoing, we find provision 35 of the Law for the Effective Defense of the Consumer, wherein the merchant, producer, or provider shall be liable for those damages derived from the goods traded and the services provided, even if no negligence, imprudence, lack of skill (impericia), or willful misconduct is detected in their actions. Likewise, it is important to consider, due to its influence on evidentiary matters, that the determining elements for the emergence of civil liability, whether subjective or objective, are: a harmful conduct (which can be active or passive, legitimate or illegitimate), the existence of a damage (that is, an injury to a protected legal interest), a causal link (nexo de causalidad) connecting the two above, and in most cases the verification of an attribution criterion, which will depend on the specific legal regime. Regarding causality, it is necessary to indicate that it is a case-by-case assessment carried out by the judge, in which, based on the facts, they determine the existence of a relationship between the claimed damage and the conduct carried out by the economic agent. While there are various theories on the matter, the one considered most consistent with the Costa Rican regime is that of adequate causality, according to which there is a link between damage and conduct when the former originates, if not necessarily, at least with a high probability according to the specific circumstances affecting the matter, from the latter (in this sense, see, among others, resolutions 467-F-2008 of 14 hours 25 minutes on July 4, 2008, or 1008-F-2006 of 9 hours 30 minutes on December 21, 2006). At this point, it is important to clarify that the verification of exempting causes (fault of the victim, an act of a third party, or force majeure), acts upon the causal link, ruling out that the conduct attributed to the defendant was the producer of the injury suffered. Regarding the different attribution criteria, for the purposes of the present case, the theory of created risk is of interest, which was expressly included in the Law for the Defense of the Consumer. The objective scheme for which the law opts, as well as the application of the cited attribution criterion, are derived from a simple reading of the rule in question, which stipulates (...) Carrying out a detailed analysis of the rule just transcribed, a series of conditioning elements for its application are derived. In the first place, and from the level of subjects, that is, who causes the damage and who suffers it, the application of this liability regime is subject to certain qualifications being present in them. Thus, regarding the first, it is required that they be a producer, provider, or merchant, whether natural or legal persons. On the other hand, regarding the second, the injury must be inflicted on someone who participates in a legal relationship where they are situated as a consumer, in the terms defined in the reference legal body and developed by this Chamber. It is required, therefore, that both parties form a consumer relationship, whose object is the potential acquisition, enjoyment, or use of a good or service by the consumer. The Bank acts in the exercise of its private legal capacity, as a true public company, and in that capacity, offers a service to its clients; therefore, given the existence of a consumer relationship, the particular case must be analyzed under the scope of coverage of provision 35 under discussion. Likewise, from the precept under study, it follows, secondly, that the legislator established a series of attribution criteria based on which the strict liability regulated by this cardinal can be imputed, among which is the already cited theory of risk. Thus, this serves as a factor for assigning liability to the subjects referred to. In essence, said theory postulates that whoever creates, exercises, or benefits from a lawful lucrative activity that presents potentially dangerous elements for others, must also bear its inconveniences (ubi emolumentum, ubi onus, which can be translated as where the benefit is, there the burden lies). From the previous statement, two characteristics can be inferred: on the one hand, that the risk comes from an exploitation activity; and on the other, as it is performed by human beings, so-called acts of nature are excluded. Concomitantly, it is important to make some clarifications regarding the risks suitable for generating liability, since not every risk implies the automatic emergence thereof. Currently, life in society offers countless risks, of varying degrees and scopes, to the point that it can be affirmed that it is impossible to find a daily activity that is exempt from them. In this line, the interpretation of the rules cannot start from an absolute and total aversion to risk, which, as indicated, forms an integral part of societal coexistence and of the technological advances integrated into it. The foregoing leads to the assertion that, for the duty to repair to arise, the risk associated with the activity must present a degree of abnormality, that is, it must exceed the margin of tolerance that is admissible according to the rules of experience, which must be analyzed, on a case-by-case basis, by the judge. The second point that requires some comment concerns the subject who becomes obligated by virtue of an activity considered dangerous. As already indicated, the attribution criterion is, precisely, the created risk, which suggests that the person to whom the damage is imputed must be in a position of mastery over that risk, that is, they must be the one who develops the activity or assumes the possible negative consequences associated, receiving a benefit from it. This can be direct, which can be identified, among others, with the income or emoluments obtained as consideration, or indirect, when the advantageous situation occurs in a reflected manner, which could be the case of alternative mechanisms that tend to attract consumers, and consequently, result in an economic advantage for their offeror. It is important to mention that in an activity, it is possible to find different degrees of risk, which must be managed by that subject who benefits from it, a circumstance that exercises a direct influence on the evidentiary duty that falls upon them, since it is relevant for determining imputation in the specific case. The foregoing, coupled with the existence of exempting causes, demonstrates that the legislation under discussion does not constitute an automatic transfer of assets."* **IX.- Scope of the liability regime regulated in Law No. 7472.** It is clear, then, that the liability rule applicable to the case is the aforementioned provision 35 of Law No. 7472, which literally states: *"ARTICLE 35.- Liability regime. The producer, the provider, and the merchant must respond concurrently and independently of the existence of fault (culpa), if the consumer is harmed by reason of the good or service, by inadequate or insufficient information about them, or by their use and risks. / Only one who demonstrates that they were unrelated to the damage is released. / The legal representatives of commercial establishments or, where applicable, the managers of the business are liable for their own acts or facts or for those of their employees or assistants. Technicians, those in charge of production, and control personnel are jointly and severally liable, when appropriate, for violations of this Law to the detriment of the consumer."* The correct understanding of the rule allows one to conclude the objective nature of this liability regime, which, as such, dispenses with the consideration of subjective factors, such as willful misconduct or gross fault. Second, it is necessary to prove the existence of a harmful conduct, active or by omission; this means that a violation of the consumer's rights or of their obligations must occur on the part of the merchant or provider. It is clear that for the imputation of liability to be possible, the existence of an effective, assessable, and individualizable damage must be demonstrated, which is a consequence of the conduct of the merchant (alleged responsible party). This implies the proof of a causal link between that injury and the behavior of the service or goods provider. Now then, in the context of the legal regime applicable to the case of this type of consumer relationships, provision 35 of Law No. 7472 establishes the possible release from liability for anyone who demonstrates their lack of connection to the damage. By supplementary application of article 190 of the General Law of Public Administration (in accordance with the referral established by canon 71 of the Law for the Promotion of Competition and Effective Protection of the Consumer), the exempting causes of liability provided for therein are fully applicable to this matter. Of course, in line with the dynamic burden of proof (carga dinámica de la prueba), it is incumbent upon whoever seeks to be released from an obligation to prove the liberating, impeding, or modifying facts of the right that is intended to be exercised against them. On the subject of the burden of proof in this type of process, see recital IV of judgment 300-2009 of the First Chamber of the Supreme Court of Justice. Thus, it is decisive in this process to establish the convergence of the various referred assumptions that allow the strict liability of the banking entity to arise, as the plaintiff alleges, or if, on the contrary, some of the exempting causes of that liability have been configured that allow the Bank to be considered unrelated to the damage claimed in this venue.

**X.- Analysis of the specific case. On the strict liability of the Banco Nacional. Proof of damage and causal link.** In the case at hand, it has been proven that the company Bahía Pez Vela Administration S.A. has two current accounts with the Banco Nacional de Costa Rica, number 100-01-015-006077-5 in colones and number 100-02-015-600387-8 in dollars, and that in these, during the period between March 10 and 14, 2008, a series of debits were made via electronic transfers, for a total of forty-two transfers in favor of various accounts belonging to other clients of the same defendant Bank (see detail from the Security Supervisor's report of the defendant Bank visible on folios 1 to 4 of the administrative file), for a total, according to said report, of ¢19,500,000.00 (nineteen million five hundred thousand colones). As indicated, the debits were made from IP addresses belonging to the Country, on machines not linked to the defendant Bank itself, and the plaintiff party denies having consented to them, since both before the same banking institution and before the Judicial Investigation Agency, it stated that it was the company's accountant who realized the shortages when consulting the internet system for the purpose of carrying out some operations, which is why on the same March 14, 2008, they proceeded to report it to the Bank, requesting the respective investigation. As a result of the complaint filed by the representative of the affected company, the Security Supervisor of Banco Regional Guanacaste-Puntarenas, in official communication BRGP-005-2008 of April 7, 2008, among his conclusions stated: *"... given that in the transactional record that identifies the account holder as the author of the reported suspicious transfers, the data that identifies the account holder as the author thereof appears. Which reflects that what occurred is not due to a violation of the bank's security systems, but rather to a user failure. Therefore, it is recommended, subject to your better judgment, to decline the present administrative claim, rejecting in all its extremes the claim for reimbursement of the funds..."* (folio 1 of the administrative file).

Based on that, the Director of the Guanacaste-Puntarenas Regional Banking Division of the Banco Nacional de Costa Rica, through official communication BRGP-142-2008 dated April 9, 2008, informed Mr. Nombre142961 about the investigation conducted in the reported case, and among other things, indicated that the transactions (movimientos) were not carried out from any machine related to the Bank and that according to the IP addresses from which they were executed, they are services provided by ICE, Racsa, Cable Amnet, and Cable Tica, therefore it does not constitute a violation of the bank's security systems, but rather a user failure, which is why the claim was rejected (Folios 5 through 7 of the administrative file). In response, the representative of the company Bahía Pez Vela Administration S.A. filed, on April 22, 2008, motions for reconsideration (recursos de revocatoria) and a subsidiary appeal (apelación en subsidio) against what was resolved in official communication BRGP-142-2008, arguing that the company was the object of an action by third parties who abused the electronic fund management system of the Banco Nacional (Folio 11 through 20 of the administrative file). Both motions were rejected; the motion for reconsideration in official communication BRGP-163-2008 of April 30, 2008, and the appeal by the General Board of Directors in Article 10 of Session No. 11,497 of August 26, 2008, arguing that the patrimonial damage caused did not occur due to conduct carried out by the Bank, but due to the negligence of a representative or authorized person on the account, who must have revealed the data necessary to access the account and make the money transfers from the accounts to various persons (Folios 21 and 23, respectively, of the administrative file). Despite the exhaustion of the administrative channel, the representative of the affected company, on July 28, 2009, again filed the administrative claim before the Liberia branch of the Banco Nacional de Costa Rica, requesting payment of $40,000 that he indicated was withdrawn from his accounts (Folio 40 and 41 of the main file), and because of the failure to issue a resolution, on January 8, 2010 (Folio 73 of the main file), the Bank was urged to issue the respective resolution on his claim, without obtaining a result.

From the factual scenario described above, this Court clearly extracts that a consumer relationship has existed between the Banco Nacional and the plaintiff company, thereby making the provisions of Article 35 of Law No. 7472 applicable to the case, as has been indicated. Furthermore, it has been possible to verify damage to the consumer's rights, which materializes through the risk produced by the use of the technological platform of the internet banking service offered by the banking entity, causing damage to the plaintiff's patrimonial sphere, consisting of the unauthorized withdrawal of money from its accounts, as determined in the study conducted by the Bank on the occasion of the transfers made between March 10 and 14, 2008, from the dollar and colón accounts of the plaintiff company here. Although the defendant Bank attempts to indicate that the responsibility is not its own, the truth is that the injury suffered must be considered a consequence of the lack of implementation of adequate security mechanisms for the use of the electronic transfer services enabled in internet banking, a service offered by the Banco Nacional de Costa Rica, as in this case, to the company Bahía Pez Vela Administration S.A.

Thus, the causal link (nexo causal) required to be able to attribute liability in this type of situation is evident. As indicated, it is worth highlighting that the representative of the affected company, once he became aware of the withdrawals, proceeded to report them both to the Bank providing the services and to the police authorities, in this case to the Judicial Investigation Organization (Organismo de Investigación Judicial), both on March 14, 2008, since the operations improperly carried out on his accounts occurred between the 10th and the 14th of March of that year, which demonstrates the prompt attention of the affected party.

**XII.- Analysis of the existence of exonerating causes (causas eximentes) in the case.** As indicated in previous lines, it is the provider or marketer of the Internet Banking service, in this case the Banco Nacional de Costa Rica, that could free itself from its strict liability (responsabilidad objetiva) derived from the application of Article 35 of Law 7472, only when it proves (as it is its evidentiary burden) the non-attribution of the harmful result, meaning that the case involved the fault of the victim, an act of a third party, or force majeure (fuerza mayor). The bank alleged, even as a substantive defense (excepción de fondo), the concurrence of the victim's fault, and as a consequence thereof, the participation of third persons. Indeed, the position taken by the Bank when answering the lawsuit is supported by the dissenting vote of Judge Palacios Garcia to ruling 910-2010 of Section IV of this Court, in which, among other aspects, it is determined that regarding the obtaining of the keys and passwords necessary to carry out the transactions, it is necessary to determine whether this was due to the lack of skill of the bank or its officials, or whether a third party used computer means to directly obtain the necessary data from the client in order to access the system. However, this panel of the Court maintains its position that the burden of proof in this type of case continues to lie with the banking institution; hence, if it maintains, as it does in this case, the idea of the existence of a suppression of its liability, whether by the client's own intervention who carelessly left their data in the hands of third parties, or that the bank itself had no responsibility, these are aspects that, for purposes of its exemption, it must prove in the case file.

In this regard, it must be noted that the answer to the lawsuit does not delve into the issue and refers to the investigation report prepared on the occasion of the vicissitude experienced by the plaintiff company, making it necessary to analyze what is set forth therein. Thus, in official communication BRGP-005-2008 of April 7, 2008, Mr. Gilberth Marchena Viales, Security Supervisor of the Banco Nacional de Costa Rica, when analyzing the case, refers to the fact that in the institution's internal regulations and in the signed contract, the client committed to keeping their identification documents such as the password (clave), the user code, and other personal data necessary to access the computer system, but the truth is that at no time is any reason, circumstance, or other data identified so that, consequently, concretely, and specifically, it can be concluded that employees or representatives of the affected company effectively committed, by action or omission, a careless use of the identification documentation for using the system; they only start from an assumption, derived, in their understanding, from the fact that the transactions did not originate from any machine of the Bank or its employees, and that the IP addresses used correspond to subjects unconnected to the institution. This derivation cannot be taken into account in a case such as the one before us to transfer liability to the client or a third party, because the data with which the unauthorized transfers were made could well have been obtained from the bank's own records due to a lack of controls in the computer system, which is not ruled out at any time by what is indicated in the mentioned investigation report, since it is well known that so-called "hackers" could have perfectly accessed the systems and obtained from there the data necessary to have carried out the transactions that ultimately affected the accounts that the company Bahía Pez Vela maintains with the financial institution.

In fact, as indicated, the report is not conclusive in this sense but rather starts from assumptions; even when the filed appeal was resolved in this case, the General Board of Directors of the Banco Nacional de Costa Rica maintained the conjecture, as in Article ten of session 11497 of August 23, 2008, it asserted that; "...*the patrimonial damage caused to the appellant did not occur due to conduct carried out by the Banco Nacional de Costa Rica, but due to negligent conduct carried out by a representative or person authorized to access the account, which ultimately led to the transfer of money to the accounts of several persons*..." That is to say, without any proof, the Bank, in order to free itself from its liability, asserts that it was the representatives or employees of the affected company who, through "negligence," revealed the data.

We insist, the Bank cannot merely indicate that it has handled data well internally and, without further evidence, simply indicate that if it was not the institution, the client must be responsible—an argument that is completely devoid of probative force and therefore must be dismissed as an element to be taken into account in the possible exoneration of the strict liability (responsabilidad objetiva) that derives from these cases, because what is indicated in that manner would not have the merit to be taken as reliable proof of its uncompromised computer actions, nor much less to impute a fault to others without having support for it.

In effect, a thorough analysis of the various pieces of evidence contained in the case file does not allow for concluding imprudent or negligent conduct by the account holder (cuentacorrentista) that would allow one to suppose that she placed information relevant to accessing her accounts in the knowledge of third persons. Furthermore, from the technical investigation that was added to the file, there is no accreditation that the plaintiff had ceded her sensitive data for carrying out the transactions subject to the dispute. Therefore, the concurrence of the victim's fault cannot be inferred in this case for not having been diligent in the custody of the means of access to the Internet Banking tool (sensitive data in her possession), and moreover, the Bank could not demonstrate in this process that the damage was unrelated to its scope of action and precautions. Nor has it been possible to prove that the bank's security systems functioned adequately or that there was no failure in the security systems of the defendant banking entity. On the other hand, the necessary elements of conviction were not provided to prove the act of a third party as a cause for excluding the Bank's liability. Although it is detected that the transfers were made from IP addresses located within the country, the truth of the matter is that, in essence, we reiterate, the defendant entity did not prove that its security systems had not been breached in a way that ensures a level of security and minimal risk from the use of the electronic services. It could not be sustained that the burden of proof regarding the vulnerability of those computer security mechanisms or systems falls on the plaintiff, because on the contrary, his evidentiary burden must be directed at demonstrating the existence of one or several circumstances that prevent the emergence of the so-often-mentioned civil liability (responsabilidad civil), which by law weighs upon that banking institution. Thus, it would be unthinkable to try to shift that burden of proof so that the user of the banking services offered by the Banco Nacional de Costa Rica is the one who must know in detail all the security systems of that bank, and from there, also demonstrate the existence of some fissure. Such a position does not imply the impossibility of proving the existence of the victim's fault or the act of a third party within the framework of electronic banking commerce. It should be noted, it is the defendant who designs and conditions access to the systems used within the framework of the tool called Internet Banking, for which reason it has the possibility of establishing as many security systems as it deems appropriate in order to guarantee that the transactions are made by its client, and not just by someone who has the sensitive data of that user at their disposal. In this sense, it is the banking entity, which profits from the financial services offered, that must ensure the use of computer and administrative systems which, from a legal point of view, allow for the certainty of proving the physical identity of the user, for example, the mandatory establishment of OTP devices, or even assessing, within the framework of its administrative autonomy, the establishment of the use of devices that reduce risks and prove the client's identity with a higher degree of certainty, such as biometric tools, all with the aim of having systems that allow for the pre-constitution of proof. In this direction, the First Chamber of the Supreme Court of Justice has considered: *"Notwithstanding the foregoing, the defendant financial entity must take into account that its essential function is financial intermediation, which includes the raising of funds from public savings, a concept that implicitly carries their custody, both from a physical point of view and from the corresponding electronic record. There is no doubt that it is subject to an unavoidable obligation to guarantee the security of the transactions carried out, either at the window or through any other means made available to clients, which must necessarily encompass the use of all those available mechanisms that allow it to have a greater degree of certainty regarding the identification of persons who are authorized to carry out electronic transactions from the accounts. The liability imputed to the Bank is based, not on the withdrawal of money by a third party, but on the existence of a risk, as stated in Considerando III, in the very operation of the service it offers, which makes it possible to attribute the origin of the damage to the operation of the service. This, despite having mechanisms that allow for greater security. (...) After all, banks, and the defendant is no exception, safeguard and administer, among other things, a good belonging to another; and not just any good, but public funds. Thus, it responds not only for the strength of its internal systems but also for the security of the person who, to reach it, uses the only possible channels that the Bank itself knows and recognizes as risky. And it responds not as to something external, but to the extent that it constitutes the means it uses, directly, for the provision of the service. As stipulated by numeral 35 of the Consumer Protection Law (Ley de Protección al Consumidor), there has been a person harmed by reason of the service, which, when used (and in view of its risky nature), produced a significant injury to the person appearing in the process as the plaintiff. (...) The means to access the Bank's platform is not, therefore, an external focus of risk, but an instrument inherent to the service it provides; if one wishes, it forms an intrinsic part of the activity, which, although accessory to the intermediary's activity, is essential. Hence, the guarantee mechanisms for the client–user– must occur not only within the Bank's own computer walls but also on the access path to it as part of the service. It is not in vain that the Financial System has, in general, turned to the implementation of double identification mechanisms, the improvement of passwords, and, in general, the use of recent systems such as the use of tokens, changing passwords, keys with special devices, among others."* (Resolution No. 300-2009 cited above) Said reference makes it evident that the vulnerability of the system is not a matter that the account holder (cuentahabiente) must prove; on the contrary, given the activity it carries out, the profit it obtains from that commercial line of business, and as it constitutes a means that enables the streamlining of transactions derived from the checking account, a contract that presupposes the custody of public funds, it is the financial entity that must prove that its security systems possess an acceptable degree of security and that, in each specific case, they were not breached. In this case, it was precisely the deficiency of security mechanisms that generated the materialization of damage against the plaintiff company, consisting of the withdrawal of a sum of money, which has been recognized by the Bank as ₡19,500,000.00 (nineteen million five hundred thousand colones), but for the plaintiff it is $40,000.00 (forty thousand dollars), resulting from various transactions made in favor of other account holders of the same Banco Nacional de Costa Rica. This constitutes damage from which the banking entity has not managed to dissociate itself, as neither the non-attribution of the damage nor the concurrence of any of the exonerating causes (causas eximentes) that would allow it to free itself from that strict liability (responsabilidad objetiva) prevailing in matters of consumer relations has been proven.

**XII. On the material damage in the specific case.** Based on the foregoing considerations, the strict liability (responsabilidad objetiva) of the Banco Nacional must be declared for the damage suffered by the company Bahía Pez Vela Administration S.A. as a result of the forty-two transactions carried out in the period between the tenth and fourteenth of March, both in 2008, by virtue of which funds were withdrawn from the accounts in both colones and dollars of the affected company, account numbers 100-01-015-006077-5 (colones) and 100-02-015-600387-8 (dollars). It must be noted that the only document in which the operations are determined is official communication BRGP-005-2008 issued by the Guanacaste-Puntarenas Regional Banking Division of the Banco Nacional de Costa Rica, visible at folios 1 through 4 of the administrative file, according to which the institution accepts that the transfers made were as follows:

| 15691088 | Nombre142968 | 1-1101-659 | $1,015.74 | 200-01-053-37793-8 | 201.192.103.17.

CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15691117</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142969 </span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">1-874-052</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.015.74</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-053-37796-2</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.103.17. CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15691147</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142970 . </span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">1-538-870</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.015.74</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-095-27326-7</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.103.17. CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15691171</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142971 </span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">1-1317-370</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.015.74</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-130-7669-2</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.103.17. CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15691420</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142972 </span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">1-664-373</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.015.74</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-157-8843-9</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.103.17. CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15692310</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142973 </span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">2-572-440</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.015.74</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-095-11918-7</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.57.194.CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15692499</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142973 </span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">2-572-440</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.015.74</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-095-11918-7</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.57.194.CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15692533</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142968</span><span style=\"font-family:Arial; -aw-import:spaces\">&#xa0; </span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">1-1101-659</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.015.74</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-053-37793-8</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.57.194.CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15692560</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142970 . Nombre142970</span></p></td><td style=\"width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">1-538-870</span></p></td><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">$1.015.74</span></p></td><td style=\"width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">200-01-095-27326-7</span></p></td><td style=\"width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">201.192.57.194.CR</span></p></td><td style=\"width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">10-03-08</span></p></td></tr><tr><td style=\"width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">15728923</span></p></td><td style=\"width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top\"><p style=\"margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt\"><span style=\"font-family:Arial\">Nombre142970 .

</span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">2-625-993</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$4.06</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-053-33101-6</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">11-03-08</span></p></td></tr></tbody></table> </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-538-870</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1.017.81</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-095-27326-7</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">13-03-08</span></p></td></tr></tbody></table></div> </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-538-870</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1,017.81</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-095-27326-7</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">13-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15815530</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142969 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-874-052</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1,017.81</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-053-37796-2</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">13-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15815551</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142971 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-1317-370</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1,017.81</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-130-7669-2</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">13-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15816501</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre90398 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-1005-991</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1,017.81</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-000-691558-2</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">13-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15765859</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142964 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">4-186-284</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">¢500,000</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-004-94827-9</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">12-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15766428</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142974 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-1429-431</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">¢500,000</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-000-709577-5</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">12-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15815568</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142972 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">1-664-373</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">$1,017.81</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-130-7669-2</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">14-03-08</span></p></td></tr><tr style="height:15pt"><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15815588</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142964 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">4-186-284</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">¢500,000</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-004-94827-9</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">14-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15816527</span></p></td><td style="width:69pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142975 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">4-196-146</span></p></td><td style="width:48pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">¢500,000</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-124-16528-3</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; border-bottom:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">14-03-08</span></p></td></tr><tr><td style="width:48pt; border-right:1pt solid #010101; padding:2.25pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">15816827</span></p></td><td style="width:69pt; border-right:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">Nombre142975 </span></p></td><td style="width:44.25pt; border-right:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">4-196-146</span></p></td><td style="width:48pt; border-right:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">¢500,000</span></p></td><td style="width:79.5pt; border-right:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">200-01-124-16528-3</span></p></td><td style="width:77.25pt; border-right:1pt solid #010101; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">201.192.57.194.CR</span></p></td><td style="width:38.25pt; padding:2.25pt 2.25pt 2.25pt 2.5pt; vertical-align:top"><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%; font-size:8pt"><span style="font-family:Arial">14-03-08</span></p></td></tr></table><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%"><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial"> </span></p><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%"><span style="font-family:Arial">Derivado de lo cual, se han podido extraer la mayoría de los montos sustraídos, de los que para mayor claridad y ante la disyuntiva entre lo pedido por la parte actora que lo dispone en su totalidad en dólares y por otra parte, el banco demandado lo establece en colones, lo cierto es que del análisis del cuadro transcrito,</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial"> se deben indicar los montos de las transferencias por separado tanto en dólares, como en colones, por lo que tendríamos así:</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial"> en dólares la suma de $30.497.12 (treinta mil cuatrocientos noventa y siete dólares con doce centavos), y en colones ¢2.503.251.77 (dos millones quinientos cincuenta y un mil colones con setenta y siete céntimos). No obstante,</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial"> debe tomarse en cuenta además que, en dicho cuadro,</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial"> existe un monto el cual no se ha podido determinar con claridad y el que corresponde a la transacción número 22 que aparece en la tabla anterior que dice ser la del documento número 15730021, trasladado a la cuenta del señor Nombre142963 . Nombre142963 . cédula de identidad CED112276, a la cuenta número 200-01-053-33101-6, desde la dirección de IP 201.192.57.194.CR el día 11 de marzo de 2008, la cual aparece por un monto de (4:06) sin que se indique su moneda y sin saber si los números consignados corresponden al verdadero monto de esa sustracción, razón por la cual este quedará para ser probado en la etapa de ejecución de sentencia e incluido en el monto total.</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial"> Por ende, debe el Banco Nacional cancelar a l a demandante el total de l as transferencias y s obre es as partidas debe reconocerse a título de perjuicio financiero (artículo 706 del Código Civil) el interés legal que para operaciones en moneda extranjera fija el numeral 497 del Código de Comercio, a saber, rédito según la tasa prime rate, y en las de colones (artículo 497 del Código de Comercio) la </span><span style="font-family:Arial; color:#010101">tasa básica pasiva del Banco Central de Costa Rica</span><span style="font-family:Arial"> . Dichos intereses deberán calcularse sobre cada partida sustraída desde la fecha en que se realizó cada una de las transacciones de débito no autorizadas ya aludidas, sea, desde que se produjo cada hecho dañoso, hasta su efectivo pago, partidas a liquidarse en fase de ejecución de sentencia. El otorgamiento del citado perjuicio financiero supone, de manera implícita, la actualización del valor económico de la obligación (indexación), para los efectos del canon 123 del Código Procesal Contencioso Administrativo. </span></p><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%"><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">XIII.-</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold"> Analysis of the defenses raised.</span><span style="font-family:Arial"> The representation of Banco Nacional de Costa Rica raised the preliminary defense of Expiration of the Action (Caducidad), which was analyzed at the preliminary hearing held on November 23, 2010, by resolution No. 4381-2010 at 2:05 p.m. on that date, the procedural judge ordered: </span><span style="font-family:Arial; font-style:italic">\"</span><span style="font-family:Arial; font-weight:bold; font-style:italic">POR TANTO:</span><span style="font-family:Arial; font-style:italic"> Se declara sin lugar la defensa previa de caducidad incoada por el banco Nacional de Costa Rica.\"</span><span style="font-family:Arial"> Regarding the substantive defenses, the representation of the defendant bank raised the defense of lack of right, which must be rejected as the validity of the plaintiff's right to obtain compensatory redress for the damages caused by the withdrawals from its bank accounts has been proven, against which the Bank did not prove non-involvement or exonerating causes. In that regard, the allegations of act of a third party (hecho de tercero) and fault of the victim (culpa de la víctima) alleged by the defendant entity must also be rejected, for the reasons already noted above. Consequently, the claim filed by the representative of the company Bahía Pez Vela Administration S.A.</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial"> against Banco Nacional de Costa Rica must be granted in the following terms: - Banco Nacional de Costa Rica is ordered to reimburse the plaintiff the sums debited without authorization, resulting from forty-two transfers to various client accounts of the defendant bank, carried out between the tenth and fourteenth of March, both days of the year 2008, for an amount in dollars of $30,497.12 (thirty thousand four hundred ninety-seven dollars and twelve cents), and in colones ¢CED112277 (two million five hundred fifty-one thousand colones and seventy-seven céntimos) plus the amount corresponding to the transaction whose document number is 15730021, transferred to the account of Mr. Nombre142963 .</span><span style="font-family:Arial; -aw-import:spaces">&#xa0; </span><span style="font-family:Arial">. identification card number CED112276, to account number 200-01-053-33101-6, from the IP address 201.192.57.194.CR on March 11, 2008, for which an amount is not correctly stated, therefore it remains to be proven in the enforcement of judgment (ejecución de sentencia) stage and included in the total amount. </span><span style="font-family:Arial; font-weight:bold">2)</span><span style="font-family:Arial"> On the sums that are finally determined, Banco Nacional de Costa Rica is ordered to pay legal interest, from the moment each of the unauthorized debits was made until effective payment. Said interest shall be calculated according to the prime rate for foreign currency transactions, and for domestic ones the basic passive rate (tasa básica pasiva) of the Banco Central de Costa Rica shall apply, all in accordance with the provisions of numeral 497 of the Código de Comercio. The granting of this financial loss implicitly entails the economic updating of the obligation for the purposes of article 123 of the Código Procesal Contencioso Administrativo. These sums shall be liquidated in the enforcement phase of this ruling.</span></p><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%"><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">&#xa0;</span><span style="font-family:Arial; font-weight:bold">XIV.- Costs (Costas). </span><span style="font-family:Arial">In accordance with numeral 193 of the Código Procesal Contencioso Administrativo, procedural and personal costs (costas procesales y personales) constitute a burden imposed on the losing party by virtue of their having lost. Waiver of this award is only viable when there is, in the Court's opinion, sufficient reason to litigate, or when the judgment is handed down by virtue of evidence the existence of which was unknown to the opposing party. In this case, this collegiate body does not find reason to apply the exceptions established by the applicable regulations and break the principle of awarding costs against the losing party. Therefore, both costs are imposed on the defendant banking entity. </span></p><p style="margin-top:0pt; margin-bottom:0pt; text-align:center; line-height:150%"><span style="font-family:Arial; font-weight:bold">POR TANTO.</span></p><p style="margin-top:0pt; margin-bottom:0pt; line-height:150%"><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial">&#xa0;</span><span style="font-family:Arial"> The defense of lack of right is rejected, as well as those of "Fault of the Victim and Act of a Third Party" raised by Banco Nacional de Costa Rica. Consequently, the claim filed by Bahía Pez Vela Administration S.A. is granted.</span></p> against Banco Nacional de Costa Rica in the following terms: **1)** Banco Nacional de Costa Rica is ordered to reimburse the plaintiff for the sums debited without authorization, resulting from forty-two transfers to various client accounts of the defendant bank, carried out between the tenth and the fourteenth of March, both in 2008, for an amount in dollars of $30,497.12 (thirty thousand four hundred ninety-seven dollars and twelve cents), and in colones of ¢2,503,251.77 (two million five hundred fifty-one thousand colones and seventy-seven céntimos), plus the amount corresponding to the transaction with document number 15730021, transferred to the account of Mr. Nombre142963. Nombre142963. identity card CED112276, to account number 200-01-053-33101-6, from the IP address 201.192.57.194.CR on March 11, 2008, for which an amount is not correctly recorded, and therefore remains to be proven in the sentence execution stage and included in the total amount. **2)** On the sums that are ultimately determined, Banco Nacional de Costa Rica is ordered to pay legal interest, from the moment each of the unauthorized debits was made until their effective payment. Such interest shall be calculated at the prime rate for transactions in foreign currency, and for those in national currency, the basic passive rate of the Banco Central de Costa Rica shall apply, in accordance with the provisions of numeral 497 of the Código de Comercio. The awarding of this financial loss implicitly entails the monetary correction (actualización económica) of the obligation for the purposes of ordinal 123 of the Código Procesal Contencioso Administrativo. These sums shall be liquidated in the execution stage of this judgment. **3)** Both costs (costas) are to be borne by the defendant entity.

**Juan Luis Giusti Soto** **Cinthia Abarca Gómez** **Roberto Garita Navarro** ASUNTO: PROCESO DE CONOCIMIENTO DECLARADO DE PURO DERECHO ACTOR: Bahía Pez vela Administration S.A. DEMANDADOS: Banco Nacional de Costa Rica.

NOTIFICACIONES NOTIFICACIONES 1) BAHÍA PEZ VELA ADMINISTRACIÓN S.A. FAX 2253-39-82 2) BANCO NACIONAL DE COSTA RICA FAX 2233-2385 2222-38-78 ASUNTO: PROCESO DE CONOCIMIENTO DECLARADO DE PURO DERECHO ACTOR: BAHIA PEZ VELA ADMINISTRATION S.A.

DEMANDADO: BANCO NACIONAL DE COSTA RICA No. 32-2011-VI.

TRIBUNAL CONTENCIOSO ADMINISTRATIVO, SECCIÓN SEXTA, SEGUNDO CIRCUITO JUDICIAL DE SAN JOSÉ. Goicoechea, a las once horas treinta minutos del cuatro de febrero de dos mil once.

Proceso de conocimiento declarado de puro derecho establecido por BAHIA PEZ VELA ADMINISTRATION S.A., representada por Nombre142961 , mayor, soltero, empresario, portador de la cédula de identidad número CED112275, vecino de Guanacaste (folio 74), contra el BANCO NACIONAL DE COSTA RICA, representado por Nombre24322 , mayor, casado, abogado, portador de la cédula de identidad número CED89651, vecino de Escazú, en su caracter de Apoderado General Judicial (folio 78).

RESULTANDO:

1.- En fecha 14 de junio de 2010, el representante de la empresa actora formula la demanda que ha dado origen al presente proceso para que en sentencia se disponga, pretensiones que fueron confirmadas en audiencia preliminar: "...la RESPONSABILIDAD OBJETIVA del BANCO NACIONAL DE COSTA RICA y se le condene al reintegró (sic) de la suma sustraída CUARENTA MIL DÓLARES, con sus intereses, desde la fecha de la sustracción y hasta su efectivo pago. Así como ambas costas de este proceso." (Folios 15 y 16 del expediente principal).

2.- Otorgado el traslado de ley, el Apoderado General Judicial del banco accionado contestó de manera negativa. Opuso las defensas previas de caducidad y de fondo Falta de Derecho, Hecho de un tercero y Culpa de la Víctima. (Folios 81 a 95 del expediente principal).

3.- En la audiencia preliminar celebrada el 23 de noviembre de 2010, la demandada formuló las defensa de Caducidad. Mediante resolución No. 4381-2010 de las 14 horas 05 minutos de esa fecha, el juzgador de trámite dispuso: "POR TANTO: Se declara sin lugar la defensa previa de caducidad incoada por el Banco Nacional de Costa Rica." (Folio 99 vuelto del legajo judicial- ver detalle de las 14 horas 01 minutos de la grabación de la audiencia preliminar. Minuta que corre a folio 99 del expediente principal).

4.- La audiencia preliminar establecida en el ordinal 90 del Código Procesal Contencioso Administrativo, que se encuentra grabada en el sistema digital de este Despacho, fue celebrada a partir de las 13 horas 54 minutos del 23 de noviembre de 2010, con la asistencia de ambas partes. Al no existir prueba que evacuar, el presente asunto fue declarado como de puro derecho y se rindieron conclusiones. El expediente respectivo fue remitido a este órgano colegiado para la emisión del fallo pertinente en fecha 14 de enero de 2010, según consta en sello de pase visible a folio 99 vuelto del expediente judicial.

5.- En los procedimientos ante este Tribunal no se han observado nulidades que deban ser subsanadas y la sentencia se dicta dentro del plazo de quince días hábiles establecido al efecto por el artículo 82.4 del Reglamento Autónomo de Organización y Servicio de la Jurisdicción Contencioso Administrativa y Civil de Hacienda.

Redacta el juez Giusti Soto con el voto afirmativo de la juzgadora Abarca Gómez y el Juzgador Garita Navarro;

CONSIDERANDO.

I.- Hechos probados. De relevancia para efectos del presente proceso se tienen los siguientes: 1) Que el 14 de marzo de 2008, el señor Nombre142961 le solicitó al Banco Nacional de Costa Rica realizar investigación de las transacciones realizadas a las cuentas de su representada entre los días 10 y 14 de marzo de ese año. (Folio 18 del expediente principal). 2) El día 14 de marzo de 2008, el señor Nombre142961 presentó denuncia N° 013-08-00456 ante el Organismo de Investigación Judicial de Liberia Guanacaste, en la que indicó que la contadora de la empresa el lunes 14 de marzo utilizó internet para hacer unas transferencias percatándose que la clave había sido cambiada, de inmediato solicitó una nueva clave y se dio cuenta de la sustracción de treinta y nueve mil dólares, los que fueron depositados en otras cuentas de otras personas de las que no conocen. (Folio 20 del expediente principal). 3) El Supervisor de Seguridad de Banca Regional Guanacaste-Puntarenas, el Lic.Gilberth Marchena Viales, en oficio N° BRGP-005-2008 del 7 de abril de 2008, dirigido al Director Regional del Banco Nacional de Costa Rica, Nombre142962 , le informó acerca de la investigación realizada ante solicitud del representante de la empresa Bahía Pez Vela Administration S.A. por débitos realizados a sus cuentas, concluyendo que el registro transaccional de Internet Banking Personal para cada una de las transferencias sospechosas reportadas, figuran los datos que identifican al titular de la cuenta, como autor de las mismas, lo que refleja que lo ocurrido no obedece a una violación de los sistemas de seguridad del banco, sino a una falta del usuario. (Folios 1 a 4 del expediente administrativo). 4) Que mediante oficio BRGP-142-2008 fechado 9 de abril de 2008, el Director Regional de Banca Regional Guanacaste Puntarenas del Banco Nacional de Costa Rica, le comunicó al señor Nombre142961 acerca de la investigación realizada en el caso por él denunciado, haciéndole de conocimiento el resultado de lo investigado por la Dirección de Seguridad, además se le indicó el listado de todas las transacciones y que el monto ascendía a la suma de ¢19.5000.000; que se había podido detener a Nombre142963 cuando se presentó a la oficina de Heredia quien fue dejado a las órdenes del Organismo de Investigación Judicial. Asimismo le indicó que la suma de ¢498.311.50 fue bloqueada en la cuenta de la sospechosa Nombre142964 , de lo cual se está a la espera de coordinar con el Ministerio Público para el respectivo reintegro; que los movimientos no fueron realizados desde ninguna máquina relacionada con el Banco y que de acuerdo a las direcciones IP de donde se ejecutaron son servicios que brinda el ICE, Racsa, Cable Amnet y Cable Tica, por lo que no obedece a la violación de los sistemas de seguridad del banco, sino a una falla del usuario. Por ello le comunicaron el rechazo de todos los extremos del reclamo presentado. (Folios del 5 al 7 del expediente administrativo). 5) El representante de la empresa Bahía Pez Vela Administration S.A. el 22 de abril de 2008, planteó ante la Banca Regional Guanacaste-Puntarenas, recurso de revocatoria y apelación en subsidio contra lo resuelto en oficio BRGP-142-2008, alegando que la empresa fue objeto de una acción de terceros que abusando del sistema de manejo electrónico de fondos que tiene el Banco Nacional, le sustarjeron de dos cuentas la suma de ¢19.500.000, por lo que existe responsabilidad objetiva por parte del banco por ser la página electrónica un servicio brindado por la entidad, sobre el cual debe verificar todas las medidas de seguridad para que terceros ajenos no realicen transferencias electrónicas en perjuicio de los cuenta corrientistas, y tomando en cuenta la autorización de transferencias superiores a los límites diarios permitidos, evidencia la falla en los controles en los sistemas tecnológicos. (Folio 11 al 20 del expediente administrativo). 6) El Director Regional de Banca Regional Guanacaste-Puntarenas del Banco Nacional de Costa Rica, en oficio BRGP-163-2008 de 30 de abril de 2008, rechaza el recurso de revocatoria presentado al considerar que en los terminos expuestos no se agregan elementos nuevos de juicio a lo originalmente planteado. Le informó que remitía el asunto a conocimiento de la Junta Directiva General a los efectos de que de por agotada la vía administrativa (Folio 21 del expediente administrativo). 7) Mediante oficio sin número, fechado 1 de setiembre de 2008 y rubricado por el señor Nombre142965 , Secretario General de la Junta Directiva del Banco Nacional de Costa Rica, le comunican al señor Nombre142961 que la Junta Directiva en artículo 10, de la sesión N° 11.497 del 26 de agosto de 2008, conoció de la apelación presentada contra el oficio BRGP-142-2008, indicándole que se decidió acoger en todos sus extremos el dictamen DJ.1482-2008 del 7 de agosto anterior de la Dirección Jurídica, por lo que se declara sin lugar el recurso, aduciendo que el daño patrimonial ocasionado no ocurrió por una conducta desplegada por el Banco, sino por una conducta negligente realizada por un representante o autorizado en la cuenta, quien reveló datos necesarios para el acceso a la cuenta lo que implicó la transferencia de dinero de la cuentas a varias personas, por lo que el Banco no tiene responsabilidad. (Folio 23 frente y vuelto del expediente administrativo). 8) Que el 13 de agosto de 2009 el representante de la empresa Bahía Pez Vela Administration S.A. planteó reclamo administrativo ante la sucursal de Liberia del banco Nacional de Costa Rica, solicitando el reconocimiento de los $40.000 que fueron sustraídos de sus cuentas entre el 10 al 14 de marzo de 2008, por medio de transferencias electrónicas que no fueron autorizados por su representada. (Folio 40 y 41 del expediente principal). 9) Que el 8 de enero de 2010, el señor Nombre142961 solicitó a la Sucursal de Liberia del Banco Nacional de Costa Rica, se diera respuesta a su solicitud de 13 de agosto de 2009 respecto a su reclamo administrativo, advirtiendo que de no hacerlo acudiría a la vía correspondiente. (Folio 73 del expediente principal).

II.Hechos no probados. De relevancia para efectos del presente proceso se tiene como tal: Que la sucursal de Liberia del Banco Nacional de Costa RIca hubiera dado respuesta o resolución alguna al reclamo de reconocimiento del dinero sustraído a las cuentas de su cliente Bahía Pez Vela Administration S.A, presentado por el representante de dicha empresa el señor Nombre142961 el día 13 de agosto de 2009 y reafirmado el 8 de enero de 2010. (No se acredita tal situación).

III.- Objeto del proceso. Alegatos de las partes. Analizadas las alegaciones y peticiones de las partes involucradas en este conflicto, se determina como objeto del proceso la indemnización a la empresa actora por la suma de $40.000 sustraídos de sus cuentas entre el 10 y el 14 de marzo de 2008, alegándose la falta de controles del Banco demandado al utilizar el servicio de Internet Banking.

IV.- Alegatos de las partes. El accionante aduce que su representada tenía una relación comercial con el Banco Nacional de Costa Rica mediante la cuenta corriente número 100-01-015-006077-5 en colones y la número 100-02-015-600387-8 en dólares. Que en la semana del 10 al 14 de marzo de 2008, personas ajenas sustrajeros de sus cuentas electrónicas la suma de cuarenta mil dólares. Que el 10 de marzo de 2008 la contadora de la empresa al revisar las cuentas pudo notar el faltante, por lo que el 14 de marzo de 2008 se remitió nota al Banco Nacional para que iniciara la investigación respectiva en torno a las transacciones realizadas por medio de internet en la cuenta de su representada y además, en la misma fecha procedió a formular denuncia ante el Organismo de Investigación Judicial de Liberia Gunacaste. Indica que la Sucursal del Banco de Liberia el 8 de abril siguiente le indicó que por parte de la entidad determinaron que en la semana del 10 al 14 de marzo de 2008 se realizaron varios traslados de dinero vía Internet Banking de la cuenta 100-02-015-600387-8 en dólares y 100-01-015-6077-5 en colones a nombre de la empresa a diferentes cuentas, realizando un total de 39 operaciones algunas de las cuales tenían como destinatarios los señores Nombre142963 y Nombre142964 , y le indicaron que el incidente no era responsabilidad del banco pues se había dado por una falta de la empresa. Expresa que planteó contra esa decisión recurso de revocatoria con apelación ante el Director Regional de Guanacaste el día 21 de abril de 2008, siendo los mismos rechazados el 30 de abril siguientes, dándose por agotada la vía administrativa. Alega que nuevamente formuló reclamo administrativo el 28 de julio de 2009, solicitando se aplicara el artículo 190 de la Ley General de la Administración Pública y 158 del Código Procesal Contencioso. Indica que ante la omisión, el 8 de enero volvió instar la respuesta lo que no surtió efecto. Niega que haya sido por negligencia de parte de su representada, ya que las transacciones no fueron realizadas ni por empleados, ni por máquinas de la empresa, tal y como puede corroborarse de las direcciones IP de donde se hicieron las transacciones ilícitas. De seguido desarrolla la teoría de la responsabilidad objetiva insertada en la Ley General de la Administración pública, indicando que la responsabilidad en el caso concreto deriva de la falta de controles del Banco por medio de la utilización de un servicio brindado a su empresa mediante Internet Banking, lo que encuentra sustento en la Ley de Protección al Consumidor, tal y como lo ha indicado el Tribunal, por lo que derivado de la naturaleza contractual de su representada con la institución bancaria y el deber de indemnización de conformidad con la cita que hace de la sentencia 116-08 de las 14 horas del 26 de setiembre de 2008, de lo cual colige que al no haber sido responsabilidad de la empresa el que personas inescrupulosas entraran por la falta de seguridad del banco y que su dinero fuera sustraído, conlleva el deber de la institución de responsabilizarse por el daño causado, sea la perdida de cuarenta mil dólares. Alega la aplicación de los artículos 31, 34 y 35 de la Ley de Promoción de la Competencia, en virtud del servicio prestado. Indica además que a mayor abundamiento, la responsabilidad de los bancos en materia de fraude electrónico ya fue conocido por la Sala Primera de la Corte Suprema de Justicia en varias sentencias, entre ellas menciona la N° 300-F-S1-2009 de las 11:25 horas del 26 de marzo de 2009 y la N° 394-F-S1-2009 de las 10:23 horas del 23 de abril de 2009.

V.- Por su parte, la representación del banco demandado indica que efectivamente la empresa Bahía Pez vela Administration S.A. es titular de las cuantas bancarias números 100-02-015-600387-8 en dólares y la 100-01-015-006077-5 en colones. Que en el informe BRGP-005-2008 de 7 de abril de 2008 suscrito por el Supervisor de Seguridad de la Regional del Banco en Guanacaste, se determinó que las transferencias mediante Internet Banking realizadas entre los días 10 al 14 de marzo de 2008 lo fue por un monto total de ¢19.500.000, en cuyo informe se destaca que del análisis de las transacciones fueron realizadas con el código del usuario del ciente (nombre completo y número de cédula), que los sistemas informáticos del Banco no fueron vulnerados, que en las transacciones investigadas no se localizaron direcciones IP asignadas y utilizadas por el Banco Nacional, que los dineros fueron retirados por medio de distintos cajeros automáticos y que al darse el aviso se procedió a cerrar las cuentas utilizadas y se codificó a sus titulares. Expresa que posterior a la restricción de la cuentas se logró al detención de Nombre142966 cuando se presentó a la Sucursal de Heredia, el cual fue dejado a la orden del Organismo de Investigación Judicial y que existe retenida la suma de ¢498.311.50 de la transferencia realizada a la cuenta de Nombre142964 . Manifiesta que el Personal de la Dirección de Seguridad Informática realizó una verificación de los hechos reportados y sobre los elementos de control y seguridad asociados a los servicios electrónicos del Banco Nacional, determinando que los números de las direcciones IP de donde se realizaron las transacciones son de origen costarricense, indicando que la clave (password) creada por el cliente para registrarse en el Sistema de Internet Banking y acceder a los servicios electrónicos es secreta, solamente es conocida por el interesado y es intransferible y esa clave fue la utilizada para las transacciones investigadas, y que no se utilizaron direcciones IP asignadas o utilizadas por el Banco Nacional, por lo que se concluyó que no obedeció a una violación de los sistemas de seguridad del banco, sino a una falta del usuario, con todo lo cual se recomendó declinar el reclamo administrativo presentado. Respecto de la solicitud de investigación presentada por la empresa, indica que culminó con el informe BRGP-005-2008 del 7 de abril de 2008 y basado en éste, el Director del Banco Regional Guanacaste en oficio BRGP-142-2008 de 9 de abril siguiente, rechazó el reclamo planteado explicándole los aspectos suscitados. Que contra lo resuelto se plantearon los recursos de revocatoria con apelación en subsidio, siendo rechazado el primero mediante oficio BRGP-163-2008 suscrito por el Director del Banco Regional Guanacaste, elevando el asunto a la Junta Directiva General, la que resolvió la apelación rechazándola según artículo 10 de la sesión N° 11.497 del 26 de agosto de 2008, notificado el 3 de setiembre siguiente, momento que indica a partir del cual empieza a correr el plazo de un año previsto en el Código Procesal Contencioso Administrativo. Que la empresa afectada nuevamente presentó reclamo administrativo el 13 de agosto de 2009 en la sucursal del Banco Nacional de Liberia, sea prácticamente una año después de que el asunto había sido resuelto en firme incluso por la Junta Directiva de la institución, lo que indica que la gestión era absolutamente improcedente, pues los hechos ya habían sido ampliamente conocidos y resueltos por el Banco, e indica que ese reclamo se presentó para disimular la evidente caducidad de la acción. Sobre el tema de los fraudes mediante Internet Banking, cita la sentencia 1496-2010 del Tribunal, de lo cual considera se puede extraer que el correcto análisis de este tipo de casos debe partir de cuatro aspectos: a) que el actor acredite de manera fehaciente que haya observado patrones de comportamiento adecuados para proteger sus datos sensibles, incluyendo la no divulgación de su clave y su pin que son creación personal del cliente, b) Que resulta imposible explicar como un tercero puede accesar a los datos sin el concurso del propio titular de la cuenta ya sea por acción u omisión, pues el primer obligado a custodiar adecuadamente los datos es el cliente, y si no lo hizo en forma diligente entonces terceros podrían accesarla; c) que el banco ha tomado los medios necesarios para que los datos privados queden consignados en distintos medios, unos completamente distintos de otros y algunos incluso de creación única y exclusiva del propio cliente; y d) que no es posible obviar de que la única forma posible para que haya ocurrido el supuesto fraude es por medio del descuido del cliente que permitió por su acción u omisión la fuga de sus datos. Así, considera que que en la especie son aplicables los eximentes que rompen el nexo causal (culpa de la víctima y hecho de un tercero), por lo que solicita declarar sin lugar la demanda en todos sus extremos. Por otra parte, en cuanto a la defensa previa de caducidad de la acción, indica que el actor carece de todo sustento jurídico para accionar judicialmente en contra del Banco, por cuanto sus reclamos administrativos fueron resueltos incluso por la Junta Directiva de la institución, cuya resolución le fue notificada el 3 de setiembre de 2008, sea hace casi dos años, por lo que es aplicable lo dispuesto en los artículos 31 y 39 del Código Procesal Contencioso Administrativo, evidenciando la caducidad para interponer el presente proceso, solicitando se declare inadmisible la demanda. Finalmente, opuso las defensas de fondo de Falta de Derecho, Hecho de un Tercero y Culpa de la víctima.

VI.- Sobre los derechos fundamentales de los consumidores. Regulación constitucional y legal. Para este caso, se hace necesario hacer una breve referencia al ordenamiento constitucional y legal que precisa el conjunto de derechos que le resultan aplicables a los consumidores en las relaciones de adquisición de bienes y/o servicios. Esto es relevante al considerar que los contratos de cuenta corriente (incluso la electrónica), así como la generalidad de la oferta financiera y bancaria, forman parte de ese tipo de relaciones comerciales en las cuales, el destinatario del servicio o bienes se constituye como consumidor, categoría a la cual, en razón de la dinámica del comercio, se han consagrado derechos y obligaciones. Este tema ha sido ya objeto de examen por parte de este Tribunal , en las sentencias números 1112-2009 de las 13 horas con 30 minutos del 15 de junio de 2009, número 602-2010 de las dieciséis horas treinta minutos del diecinueve de febrero del dos mil diez , número 2758-2010 de las once horas con cuarenta y cinco minutos del veintiocho de julio del dos mil diez y la número 3699-2010 de las once horas con cincuenta y siete minutso del treinta de setiembre de dos mil diez . En dichos precedentes, esta Sección Sexta ha establecido que este tipo de relaciones participa de la categoría de relaciones de consumo. Desde este plano, el canon 46 párrafo quinto de la C onstitución Política establece el conjunto de derechos que acuden a los consumidores, en la mayoría de las ocasiones, como parte débil de la relación comercial. En esa línea, estatuye el citado numeral: “Artículo 46.- (…) Los consumidores y usuarios tienen derecho a la protección de su salud, ambiente, seguridad e intereses económicos; a recibir información adecuada y veraz; a la libertad elección, y a un trato equitativo. El Estado apoyará los organismos que ellos constituyan para la defensa de sus derechos. La Ley regulará esas materias”. Cabe precisar que el derecho a un trato equitativo supone en cualquier supuesto, el deber del comerciante o proveedor, de tratar al consumidor de manera atenta y respetuosa frente a sus simples reclamos, o en la tutela de sus derechos tanto en sede administrativa y judicial. Ahora bien, es claro que la aplicación de estos principios y su interpretación, debe orientarse hacia la tutela y resguardo de la parte más débil de la relación. Así lo ha entendido la Sala Constitucional, entre otros, en la sentencia número 2002-0 857, en l a cual, sobre el tema objeto de comentario señaló: “Es notorio que el consumidor se encuentra en el extremo de la cadena formada por la producción, distribución y comercialización de los bienes de consumo que requiere adquirir para su satisfacción personal, y su participación en ese proceso, no responde a razones técnicas ni profesionales, sino en la celebración constante de contratos a título personal. Por ello su relación en esa secuencia comercial es de inferioridad y requiere de una especial protección frente a los proveedores de los bienes y servicios, a los efectos de que previo a externar su consentimiento contractual cuente con todos los elementos de juicio necesarios, que le permitan expresarlo con toda libertad y ello implica el conocimiento cabal de los bienes y servicios ofrecidos. Van incluidos por lo expresado, en una mezcla armónica, varios principios constitucionales, como la preocupación estatal a favor de los más amplios sectores de la población cuando actúan como consumidores, la reafirmación de la libertad individual al facilitar a los particulares la libre disposición del patrimonio con el concurso del mayor posible conocimiento del bien o servicio a adquirir, la protección de la salud cual está involucrada, el ordenamiento y la sistematización de las relaciones recíprocas entre los interesados, la homologación de las prácticas comerciales internacionales al sistema interno y en fin, la mayor protección del funcionamiento del habitante en los medios de subsistencia” De lo expuesto se colige, en la relación de consumo entre el comerciante o proveedor y el consumidor, existe por la dinámica natural del comercio, una desigualdad entre ambos, y el consumidor, en la mayoría de las ocasiones, en esta relación natural, es la parte más débil. De ahí que la Constitución Política equilibre la dinámica de cargas de esa relación de consumo, otorgándole al consumidor una serie de derechos fundamentales que lo protegen de su desigualdad natural con el comerciante o proveedor. Como derivación de ello, la interpretación y la aplicación de las normas, en caso de duda, en los conflictos de esta naturaleza, deben favorecer al más débil, es decir, en tesis de principio, al consumidor. De ahí que en esos supuestos, el comerciante o proveedor, tiene una obligación de demostrar que ha cumplido con sus obligaciones en la relación de consumo y que ha respetado los derechos fundamentales del consumidor, en caso contrario, deberá responder por la infracción a estas reglas como lo determine las normas infra constitucionales. Ahora, como lo dice el artículo 46 constitucional, es a la Ley a la que le corresponderá regular esos derechos, lo que se concreta en la Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor, No. 7472. Dicho cuerpo legal establece, grosso modo, los derechos que acuden al consumidor, tema desarrollado en el canon 32, así como los deberes del comerciante, establecidos en el canon 34. Es claro por ende, la infracción a los deberes del comerciante, genera por efecto directo y como consecuencia natural y lógica, el quebranto de los derechos del consumidor, tutelados constitucional y legalmente en los términos ya expuestos. Ello supone entonces, el surgimiento de un sistema de responsabilidad del comerciante o proveedor hacía el consumidor, de reparar los daños y perjuicios que se le ocasionen a este último. En consecuencia, si existe una violación a los derechos constitucionales y legales del consumidor, por parte del comerciante o proveedor, éste debe reparar el efecto dañoso que se le haya causado al consumidor, bajo el régimen de responsabilidad objetiva que en el siguiente considerando de esta sentencia se explicará con detalle y precisión.

V II .- Sobre el régimen jurídico de responsabilidad aplicable a las relaciones de comercio electrónico de índole bancario. Aspecto relevante dentro de este proceso es la determinación del régimen jurídico aplicable a este tipo de vinculaciones comerciales como la que se ha presentado entre las partes. Sobre regulaciones legales que d el contrato de cuenta corriente establece el Código de Comercio, este Tribunal ha sido claro, tesis que sostiene al no aportarse argumentos de derecho que justifiquen una variación en esta postura, siendo los contratos de cuenta corriente con servicios electrónicos de internet bankin g una variación más de las relaciones económicas de consumo, en este caso, de servicios bancarios y financieros, son de total y plena aplicación las normas de responsabilidad fijadas por la Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor. Aún considerando que en el contexto actual, las cuentas electrónicas suponen como criterio de base la existencia de un contrato de cuenta corriente, considerándose por ende en un servicio adicional a este último, o bien, una variación actualizada, lo cierto del caso es que en el contexto conceptual desarrollado en el artículo 2 de la Ley No. 7472, esa vinculación encaja a plenitud dentro de las relaciones de consumo en tanto se trata de una parte comerciante o proveedora de servicios financieros o bancarios, que son adquiridos por un cliente que constituye el destinatario final de esa oferta de mercado. Se trata de un contrato comercial por adhesión que tiene por objeto la oferta de servicios bancarios de administración de fondos mediante una cuenta corriente, en virtud del cual el Banco recibe del cliente fondos u otros valores acreditables de manera inmediata o en calidad de depósito o bien, otorgamiento de crédito, para girar contra él. Resulta evidente que cuando la cuenta permita transferencias electrónicas, como derivación de la modernidad tecnológica, no resulta de aplicación la referencia al concepto de cheques (como documento físico). Precisamente la aplicación de mecanismos desmaterializados en el comercio para la disponibilidad de esos fondos y cuentas prescindiendo de emisión de documentos físicos, es hoy en día una oferta más dentro del citado contrato de cuenta corriente, que resulta altamente atractiva para el consumidor, dada la agilidad y simplificación de las transacciones, lo que exige, mecanismos de seguridad de movimientos monetarios para concretar el deber de eficiente y diligente custodia de los fondos del cliente. Desde esa arista de examen, las normas que refieren a la tipología contractual del vínculo no desmejora ni elimina que se trate de una relación de consumo, regulada por ende, además, por las disposiciones de la Ley No. 7472. De ahí que no exista duda en que el régimen jurídico de responsabilidad aplicable al presente asunto es el numeral 35 de la citada Ley de Promoción de la Competencia y Defensa Efectiva del Consumidor. Así, a modo de referencia lo ha expuesto esta Sección en el fallo No. 2758-2010 precitado, en el cual, sobre el tema en concreto se señaló: "De esas resoluciones, se puede extraer el criterio unánime de que el régimen de responsabilidad objetiva que debe aplicarse en asuntos como el presente, es el dispuesto en los artículos 31 y 35 de la Ley de Promoción de la Competencia y de Defensa Efectiva del Consumidor, esto debido a que estamos en presencia de una relación comercial de consumo, en la cual el Banco Nacional de Costa Rica, pese a que es una administración pública, brinda un servicio comercial de Internet Bankin, el cual se califica como un servicio mercantil privado, por lo que dicha institución bancaria no está actuando dentro de sus potestades administrativas, sino como un sujeto de derecho privado y debe regularse por la normativa respectiva, como lo es la Ley de Promoción de la Competencia y de Defensa Efectiva del Consumidor. Asimismo, la empresa actora viene en su calidad de cliente del banco demandado, por lo que se configuran los elementos esenciales para la existencia de una relación comercial de consumo que se rige por las reglas de la citada Ley de Protección al Consumidor. (...) Además, de lo dicho por este mismo Tribunal Contencioso Administrativo, este órgano jurisdiccional considera que la Ley de Promoción y Defensa del Consumidor, regula un régimen jurídico especial, que debe ser aplicado sobre el régimen jurídico general, como sería en este caso la normativa comercial sobre cuentas corrientes, o sobre la materia contractual, por lo que desde esta simple óptica, debe aplicarse las reglas de la responsabilidad objetiva que regula la citada Ley de Protección del Consumidor. Asimismo, y bajo los mismos argumentos indicados anteriormente, este Tribunal no está de acuerdo con el alegato de la parte demandada en el sentido de que se apliquen las normas del Código de Comercio, específicamente en lo concerniente a los contratos de cuentas corrientes, ya que como ha quedado expuesto, la normativa de protección al consumidor es un régimen especial que se encuentra sobre el general del Código de Comercio." VI II .- Antecedentes de la Sala Primera de la Corte Suprema de Justicia en casos similares. Ya con lo expuesto, merece traerse a colación lo resuelto por la Sala Primera en la sentencia número 300-20 0 9 de las once horas veinticinco minutos del veintiséis de marzo del dos mil nueve, analizando el tema objeto de controversia, señaló: "III.- Responsabilidad objetiva por riesgo en materia del consumidor. En lo que se refiere a la responsabilidad, se pueden ubicar dos grandes vertientes, una subjetiva, en la cual se requiere la concurrencia, y consecuente demostración, del dolo o culpa por parte del autor del hecho dañoso (v.gr. el cardinal 1045 del Código Civil), y otra objetiva, que se caracteriza, en lo esencial, por prescindir de dichos elementos, siendo la imputación del daño el eje central sobre el cual se erige el deber de reparar. Como ejemplo de lo anterior, se encuentra el numeral 35 de la Ley de Defensa Efectiva del Consumidor, en donde el comerciante, productor o proveedor, responderá por aquellos daños derivados de los bienes transados y los servicios prestados, aún y cuando en su actuar no se detecte negligencia, imprudencia, impericia o dolo. Asimismo, es importante considerar, por su influencia en el tema probatorio, que los elementos determinantes para el surgimiento de la responsabilidad civil, sea esta subjetiva u objetiva, son: una conducta lesiva (la cual puede ser activa o pasiva, legítima o ilegítima), la existencia de un daño (es decir, una lesión a un bien jurídico tutelado), un nexo de causalidad que vincule los dos anteriores, y en la mayoría de los casos la verificación de un criterio de atribución, que dependerá del régimen legal específico. En cuanto a la causalidad, es menester indicar que se trata de una valoración casuística realizada por el juzgador en la cual, con base en los hechos, determina la existencia de relación entre el daño reclamado y la conducta desplegada por el agente económico. Si bien existen diversas teorías sobre la materia, la que se ha considerado más acorde con el régimen costarricense es la de causalidad adecuada, según la cual existe una vinculación entre daño y conducta cuando el primero se origine, si no necesariamente, al menos con una alta probabilidad según las circunstancias específicas que incidan en la materia, de la segunda (en este sentido, pueden verse, entre otras, las resoluciones 467-F-2008 de las 14 horas 25 minutos del 4 de julio de 20085, o la 1008-F-2006 de las 9 horas 30 minutos del 21 de diciembre de 2006). En este punto, es importante aclarar que la comprobación de las causas eximentes (culpa de la víctima, de un hecho de tercero o la fuerza mayor), actúa sobre el nexo de causalidad, descartando que la conducta atribuida a la parte demandada fuera la productora de la lesión sufrida. En lo que se refiere a los distintos criterios de imputación, para los efectos del presente caso, interesa la teoría del riesgo creado, la cual fue incluida, en forma expresa, en la Ley de Defensa del Consumidor. El esquema objetivo por el que se decanta la ley, así como la aplicación del criterio de imputación citado, se desprenden de la simple lectura de la norma en cuestión, la cual estipula (...) Realizando un análisis detallado de la norma recién trascrita, se desprenden una serie de elementos condicionantes de su aplicación. En primer lugar, y desde el plano de los sujetos, esto es, quien causa el daño y quien lo sufre, la aplicación de este régimen de responsabilidad se encuentra supeditada a que en ellos concurran determinadas calificaciones. Así, en cuanto al primero, se exige que sea un productor, proveedor o comerciante, sean estas personas físicas o jurídicas. Por su parte, en cuanto al segundo, la lesión debe ser irrogada a quien participe de una relación jurídica en donde se ubique como consumidor, en los términos definidos en el cuerpo legal de referencia y desarrollados por esta Sala. Se requiere, entonces, que ambas partes integren una relación de consumo, cuyo objeto sea la potencial adquisición, disfrute o utilización de un bien o servicio por parte del consumidor. El Banco actúa en ejercicio de su capacidad de derecho privado, como una verdadera empresa pública, y en dicha condición, ofrece a sus clientes un servicio, por lo que, al existir una relación de consumo, el caso particular debe ser analizado bajo el ámbito de cobertura del numeral 35 en comentario. Asimismo, del precepto bajo estudio se desprende, en segundo lugar, que el legislador fijó una serie de criterios de atribución con base en los cuales se puede imputar la responsabilidad objetiva que regula este cardinal, dentro de los que se encuentra la ya citada teoría del riesgo. Así, este sirve como factor para endilgarle la responsabilidad a los sujetos a que se hace referencia. En esencia, dicha teoría postula que, quien crea, ejerza o se aprovecha de una actividad lucrativa lícita que presenta elementos potencialmente peligrosos para los demás, debe también soportar sus inconvenientes (ubi emolumentum, ubi onus, el cual puede ser traducido como donde está el emolumento, está la carga). De la anterior afirmación se pueden colegir dos características: por un lado, que el riesgo proviene de una actividad de explotación; y por el otro, al ser realizada por el ser humano, se excluyen los denominados hechos de la naturaleza. Concomitantemente, importa realizar algunas precisiones en cuanto a los riesgos aptos para la generación de la responsabilidad, ya que no todo riesgo implica el surgimiento, en forma automática, de esta. En la actualidad, la vida en sociedad ofrece un sinnúmero de riesgos, de distintos grados y alcances, al punto que se puede afirmar que es imposible encontrar una actividad cotidiana que se encuentre exenta de ellos. En esta línea, la interpretación de las normas no puede partir de una aversión absoluta y total al riesgo, el cual, como se indicó, forma parte integral de la convivencia societaria y de los avances tecnológicos que se integran a esta. Lo anterior lleva a afirmar que, para el surgimiento del deber de reparación, el riesgo asociado con la actividad debe presentar un grado de anormalidad, esto es, que exceda el margen de tolerancia que resulta admisible de acuerdo a las reglas de la experiencia, lo cual debe ser analizado, de manera casuística, por el juez. El segundo punto que requiere algún tipo de comentario es en cuanto al sujeto que deviene obligado en virtud de una actividad considerada como peligrosa. Como ya se indicó, el criterio de imputación es, precisamente, el riesgo creado, lo que hace suponer que la persona a quien se le imputa el daño debe estar en una posición de dominio respecto de aquel, es decir, debe ser quien desarrolla la actividad o asume las posibles consecuencias negativas asociadas, recibiendo un beneficio de ello. Este puede ser directo, el cual se puede identificar, entre otros, con los ingresos o emolumentos obtenidos a título de contraprestación, o bien indirectos, cuando la situación de ventaja se da en forma refleja, que podría ser el caso de mecanismos alternos que tiendan a atraer a los consumidores, y en consecuencia, deriven en un provecho económico para su oferente. Es importante mencionar que en una actividad es dable encontrar distintos grados de riesgo, los cuales deben ser administrados por aquel sujeto que se beneficia de esta, circunstancia que ejerce una influencia directa en el deber probatorio que le compete, ya que resulta relevante para determinar la imputación en el caso concreto. Lo anterior, aunado a la existencia de causales eximentes demuestra que la legislación en comentario no constituye una transferencia patrimonial automática." .

I X .- Alcances del régimen de responsabilidad regulado en la Ley No. 7472. Resulta claro entonces que la norma de responsabilidad aplicable a la especie es el precitado ordinal 35 de la Ley No. 7472, que a su tenor literal precisa: "ARTÍCULO 35.- Régimen de responsabilidad. El productor, el proveedor y el comerciante deben responder concurrente e independientemente de la existencia de culpa, si el consumidor resulta perjudicado por razón del bien o el servicio, de informaciones inadecuadas o insuficientes sobre ellos o de su utilización y riesgos./ Sólo se libera quien demuestre que ha sido ajeno al daño./ Los representantes legales de los establecimientos mercantiles o, en su caso, los encargados del negocio son responsables por los actos o los hechos propios o por los de sus dependientes o auxiliares. Los técnicos, los encargados de la elaboración y el control responden solidariamente, cuando así corresponda, por las violaciones a esta Ley en perjuicio del consumidor." La correcta comprensión de la norma permite concluir sobre la naturaleza objetiva de este régimen de responsabilidad, que por tal, prescinde de la consideración de factores subjetivos, como el dolo o la culpa grave. Segundo, es necesario acreditar la existencia de una conducta lesiva, activa u omisiva, esto significa que debe presentarse por parte del comerciante o proveedor una violación de los derechos del consumidor o bien de sus obligaciones. Es claro que para que sea posible la imputación de responsabilidad, debe demostrarse la existencia de un daño efectivo, evaluable e individualizable, que sea consecuencia de las conductas del comerciante (presunto responsable). Esto implica, la acreditación de un nexo de causalidad entre esa lesión y el comportamiento del proveedor de servicios o bienes. Ahora bien, en el contexto del régimen jurídico aplicable al caso de este tipo de relaciones de consumo, el numeral 35 de la Ley No. 7472 establece la posible liberación de responsabilidad a quien demuestre la ajenidad con el daño. Por aplicación supletoria del artículo 190 de la Ley General de la Administración Pública (conforme a la remisión que estatuye el canon 71 de la Ley de Promoción de la Competencia y Protección Efectiva del Consumidor), las causas eximentes de responsabilidad allí previstas, son de plena aplicación a esa materia. Desde luego que a tono con la carga dinámica de la prueba, corresponde a quien pretende liberarse de una obligación, acreditar lo hechos liberatorios, impeditivos o modificativos del derecho que se pretende ejercer en su contra. Sobre el tema de carga de la prueba en este tipo de procesos, puede verse el considerando IV de la sentencia 300-2009 de la Sala Primera de la Corte Suprema de Justicia. Así las cosas, resulta determinante establecer en este proceso, la convergencia de los diversos supuestos referidos que permiten hacer surgir la responsabilidad objetiva del ente bancario, como lo alega el accionante, o si por el contrario, se ha configurado algunas de las causas eximentes de esa responsabilidad que permita tener al Banco como ajeno al daño que se reclama en esta sede .

X - Análisis del caso concreto. Sobre la responsabilidad objetiva del Banco Nacional. Acreditación del daño y nexo causal. En la especie, se ha tenido por acreditado, que la empresa Bahía Pez Vela Administration S.A. tiene dos cuenta s corriente con el Banco Nacional de Costa Rica, la número 100-01-015-006077-5 en colones y la número 100-02-015-600387-8 en dólares, siendo que en esas , en el período comprendido entre el 10 y el 14 de marzo de 2008 , se realizaron una serie de débitos por transferencias electrónicas, para un total de cuarenta y dos transferencias a favor de varias cuentas pertenecientes a otros clientes del mismo Banco demandado ( ver detalle del informe del Supervisor de Seguridad del Banco accionado visible a folios 1 al 4 del expediente administrativo ), por un total , según dicho informe de ¢19.500.000.00 ( diecinueve millones quinientos mil colones ). Según se indicó, l os débitos fueron realizados desde direcciones IP propias del País, en máquinas no vinculadas con el propio Banco demandado y que, la parte actora niega contaran con su anuencia, pues tanto ante la misma institución bancaria, como ante el Organismo de Investigación Judicial, manifestó que fue la contadora de la empresa la que se dio cuenta de los faltantes al consultar el sistema de internet a los efectos de realizar algunas operaciones, razón por la cual el mismo 14 de marzo de 2008 procedió a dar parte al Banco, solicitando la investigación respectiva. Como efecto de la denuncia presentada por el representante de la empresa afectada, el Supervisor de Seguridad del Banco Regional Guanacaste-Puntarenas en oficio BRGP-005-2008 de 7 de abril de 2008, entre sus conclusiones indicó : "... dado que en el registro transaccional que identifican al titular de la cuenta, como autor de las transferencias sospechosas reportadas, figuran los datos que identifican al titular de la cuenta, como autor de las mismas. Lo cual que (sic) refleja que lo ocurrido no obedece a una violación de los sistemas de seguridad del banco, si no a una falla del ususario. Por lo tanto se recomienda, salvo mejor criterio de su parte declinar el presente reclamo administrativo, rechazando en todos sus extremos la pretensión de reintegro de los fondos... " (folio 1 del expediente administrativo) . Sustentado en ello, el Director de Banca Regional Guanacaste-Puntarenas del Banco Nacional de Costa Rica, mediante oficio BRGP-142-2008 fechado 9 de abril de 2008, le comunicó al señor Nombre142961 sobre la investigación realizada en el caso denunciado, entre otras cosas le indicó que los movimientos no fueron realizados desde ninguna máquina relacionada con el Banco y que de acuerdo a las direcciones IP de donde se ejecutaron son servicios que brinda el ICE, Racsa, Cable Amnet y Cable Tica, por lo que no obedece a la violación de los sistemas de seguridad del banco, sino a una falla del usuario, razón por la cual se rechazaba el reclamo (Folios del 5 al 7 del expediente administrativo). Ante lo cual el representante de la empresa Bahía Pez Vela Administration S.A. , planteó el 22 de abril de 2008 recursos de revocatoria y apelación en subsidio contra lo resuelto en oficio BRGP-142-2008, alegando que la empresa fue objeto de una acción de terceros que abusando del sistema de manejo electrónico de fondos que tiene el Banco Nacional (Folio 11 al 20 del expediente administrativo). Ambos recursos le fueron rechazados, el de revocatoria en oficio BRGP-163-2008 de 30 de abril de 2008, y el de apelación por parte de la Junta Directiva General en artículo 10, de la sesión N° 11.497 del 26 de agosto de 2008, aduciendo que el daño patrimonial ocasionado no ocurrió por una conducta desplegada por el Banco, sino por la negligencia de un representante o autorizado en la cuenta, quien debió revelar los datos necesarios para tener acceso a la cuenta y realizar las transferencias de dinero de la cuentas a varias personas, (Folios 21 y 23 respectivamente del expediente administrativo). No obstante haberse dado el agotamiento de la vía administrativa, el representante de la empresa afectada, el 28 de julio de 2009 presentó nuevamente el reclamo administrativo ante la sucursal de Liberia del Banco Nacional de Costa Rica, solicitando el pago de $40.000 que indicó fueron sustraídos de sus cuentas (Folio 40 y 41 del expediente principal), y que ante la omisión de resolución, el día 8 de enero de 2010 (Folio 73 del expediente principal), se instó al Banco emitir la resolución respectiva de su reclamo, sin obtener resultado. Del cuadro fáctico anteriormente descrito, este Tribunal extrae con claridad que ha exist ido una relación de consumo entre el Banco Nacional y l a empresa accionante, con lo cual le es aplicable al caso lo dispuesto en el artículo 35 de la Ley No. 7472 , tal y como se ha indicado. A demás, se ha podido constatar un daño a los d erechos del consumidor que se concreta por el riesgo producido por la utilización de la plataforma tecnológica del servicio de internet bankin g ofrecido por el ente bancario , ocurriendo un daño en la esfera patrimonial del accionante, consistente en la sustracción no autorizada de dinero de sus cuentas, según se determina en el estudio que realizó el Banco con ocasión de las transferencias realizadas entre los días 10 al 14 de marzo de 2008 de las cuentas en dólares y colones de la empresa aquí actora . Si Bien el Banco demandado intenta indicar que no es suya la responsabilidad, lo cierto es que la lesión sufrida debe considera rse como consecuencia de la falta de implementación de mecanismos de seguridad adecuada para la utilización de los servicios de transferencias electrónicas que se posibilitan en internet bankin g, servicio que ofrece el Banco Nacional de Costa Rica, como en este caso, a la empresa Bahía Pez Vela Administration S.A. Así las cosas, es manifiesto el nexo nexo causal que es debido para poder imputar la responsabilidad en este tipo de situaciones. C omo se indicó, c abe resaltar que el representante de la empresa afectada, una vez conocido de las sustracciones procedió a denunciarlo tanto ante el Banco que le ofrecía los servicios, así como a las autoridades de polícía, en este caso al Organismo de Investigación Judicial, ambas en fecha 14 de marzo de 2008, siendo que las operaciones realizadas indebidamente a sus cuentas lo fueron entre el 10 y el día 14 de marzo de ese año, lo que evidencia la atención pronta del afectado.

X I .- Análisis sobre la existencia de causas eximentes en el caso . C omo se indicó en líneas anteriores, es el proveedor o comercializador del servicio de internet Banking, en este caso el Banco Nacional de Costa Rica, el que podría librarse de su reponsabilidad objetiva derivada de la aplicación del artículo 35 de la Ley 7472, solo cuando acredite (pues es su carga probatoria) la ajenidad del resultado lesivo, sea que en el caso medió la c ulpa de la víctima, hecho de tercero o bien, la fuerza mayor. El banco aleg ó, incluso como excepción de fondo, la concurrencia de culpa de la víctima, y como consecuencia de ello la participación de terceras personas. En efecto, la posición asumida por el Banco al contestar la demanda, lo es sustentado en el voto salvado del Juez Palacios Garcia a la sentencia 910-2010 de la Sección IV de este Tribunal, en el cual entre otros aspectos se detemina que en cuanto a la obtención de las claves y contraseñas necesarias para realizar las transacciones, se hace necesario determinar, ya sea que ello obedeciera a la impericia del banco o de sus funcionarios; o que un tecero haya utilizado medios informáticos para obtener de forma directa del cliente los datos necesarios a fin de accesar al sistema. No obstante, esta integración del Tribunal, mantiene su postura en cuanto a que la carga de la prueba en este tipo de casos, sigue siendo de la institución bancaria, de allí que, si ésta mantiene, como lo hace en este caso, la idea de la existencia de una supresión de su responsabilidad ya sea por la propia intervención del cliente que con descuido dejó sus datos en manos de terceros, o que el banco mismo no tuviera responsabilidad, son aspectos que, a efectos de su exención, deberá comprobar en los autos. Al respecto, se debe indicar que en la contestación a la demanda no se ahonda en el tema, y hace referencia al informe de investigación realizado con ocasión de la vicisitud acaecida a la empresa actora, por lo que se hace necesario analizar lo allí dispuesto. Así, en oficio BRGP-005-2008 de 7 de abril de 2008, el señor Gilberth Marchena Viales, Supervisor de Seguridad del Banco Nacional de Costa Rica, al analizar el caso, hace referencia a que en la normativa interna de la institución y en el contrato suscrito, el cliente se comprometió a conservar sus documentos de identificacción como clave (pasword), el código de usuario y otros datos personales necesarios para acceder al sistema informático, pero lo cierto es que en ningún momento se identifica algún motivo, circunstancia u otro dato para que de forma consecuente, concreta y determinada, se pueda concluir que efectivamente empleados o personeros de la empresa afectada cometieran por acción u omisión un descuidado uso de la documentación de identificación para usar el sistema, solamente parten de una suposición, ello derivado, a su entender, de que las transacciones no se dieron desde ninguna máquina del Banco, ni sus empleados, y que las direcciones IP utilizadas corresponden a sujetos ajenos a la instiución. Esta derivación no puede ser tomada en cuenta en un caso como el que nos ocupa para trasladar la responsabilidad al cliente o un tercero, pues los datos con los que se cometieron las transferencias no autorizadas, bien pudieron haber obtenidos de los mismos registros bancarios por la falta de controles en el sistema informático, lo que no se descarta en ningún momento con lo indicado en el informe de investigación mencionado, pues bien es sabido que, los llamados "hackers" podrían perfectamente haber incursionado en los sistemas y haber obtenido de allí los datos necesarios para haber realizado las transacciones que afectaron finalmente las cuentas que la empresa Bahía Pez Vela mantiene con la institución financiera. De hecho, como se indicó, en informe no es contundente en ese sentido, sino que parte de supuestos, incluso, al resolverse en este caso la apelación planteada, la Junta Directiva General del Banco Nacional de Costa Rica, mantuvo la conjetura, pues en el artículo décimo de la sesión 11497 del 23 de agosto de 2008, aseguró que; "...el daño patrimonial ocasionado a la recurente, no ocurrió por una conducta desplegada por el Banco Nacional de Costa Rica, sino por una conducta negligente realizada por un representante o autorizado para el acceso a la cuenta, lo que a la postre implicó la transferencia de dinero a las cuentas de varias personas..." Sea que, sin ninguna prueba, el Banco en aras de librar su responsabilidad, asevera que fueron los personeros o trabajadores de la empresa afectada la que por "negligencia" revelaron los datos. Se insiste, el Banco no puede solamente indicar que ha manejado bien los datos a lo interno y sin mayor probanza simplemente indicar que si no fue la institución debe ser el cliente el responsable, argumento que resulta totalmente desprovisto de fuerza probatoria y por ende debe ser desechado como elemento a toma en cuenta en la posible eximenta de la responsabilidad objetiva que de estos casos deriva, pues lo indicado de esa forma no tendría el mérito para ser tomado como prueba fehaciente de su accionar informático sin vulneración, ni mucho menos imputar una falta a otros sin contar con respaldo para ello. En efecto , un análisis a fondo de las diversas pruebas que constan en autos, no permiten concluir sobre conductas imprudentes o negligentes de l a cuentacorrentista que permitan supone r que puso en conocimiento de terceras personas, información relevante para el acceso a sus cuentas. Además, de la investigación técnic a que fue agregad a al expediente, no existe acreditación de que el actor hubiera cedido sus datos sensibles para la realización de las transferencias objeto de conflicto. Por lo que n o puede desprenderse en la especie la concurrencia de culpa de la víctima al no haber sido diligente en la custodia de los medios de acceso a la herramienta Internet Bankin g (datos sensibles en su poder) , y además, e l Banco no pudo demostrar en este proceso que el daño fuera ajeno a su marco de acción y previsiones. Tampoco se ha logrado acreditar que los sistemas de seguridad del banco hayan funcionado de forma adecuada o que no haya existido una falla en los sistemas de seguridad de la entidad bancaria demandada. Por otra parte, no fueron aportados elementos de convicción necesarios para acreditar el hecho de un tercero como causa de exclusión de la responsabilidad del Banco. Si bien se detecta que las transferencias fueron realizadas desde direcciones IP localizadas en el país , lo cierto del caso es que en lo medular, se insiste, el ente accionado no acreditó que sus sistemas de seguridad no hubieran sido vulnerados de manera que un nivel de seguridad y mínimo riesgo por el uso de los servicios electrónicos. No podría sostenerse que la carga de la prueba respecto de la vulnerabilidad de esos mecanismos o sistema de seguridad informática pese sobre el actor, pues en sentido contrario, su carga probatoria debe estar dirigida a la demostración de la existencia de una o varias circunstancias que impidan el surgimiento de la tantas veces mencionada responsabilidad civil, la cual por ley pesa sobre esa institución bancaria. Así las cosas, sería impensable pretender desplazar esa carga de la prueba, a fin de que el usuario de los servicios bancarios ofrecidos por el Banco Nacional de Costa Rica, sea quien deba conocer en detalle todos los sistemas de seguridad de ese banco, y a partir de ahí, demostrar además la existencia de alguna fisura. Tal posición no implica la imposibilidad de demostrar la existencia de una culpa de la víctima o el hecho de un tercero, en el marco del comercio electrónico bancario. Cabe destacar, es el demandado quien diseña y condiciona el acceso a los sistemas utilizados en el marco de la herramienta denominada Internet Bankin g , razón por la cual, cuenta con la posibilidad de establecer cuantos sistemas de seguridad estime oportunos, a fin de garantizar que las transacciones sean hechas por su cliente, y no sólo por alguien que tenga a su disposición datos sensibles de ese usuario. En este sentido, es el ente bancario, que lucra con los servicios financieros ofrecidos, quien ha de asegurarse la utilización de sistemas informáticos y administrativos, que desde el punto de vista jurídico, permitan con certeza, la acreditación de la identidad física del usuario, verbigracia, el establecimiento con carácter de obligatorio de los dispositivos OTP, o incluso, valorar en el marco de su autonomía administrativa, el establecer la utilización de dispositivos que reduzcan los riesgos y acrediten con un mayor grado de certeza la identidad del cliente, tales como las herramientas biométricas, esto a fin de contar con sistemas que permitan la pre constitución de prueba. En esta dirección ha considerado la Sala Primera de la Corte Suprema de Justicia:"No obstante lo anterior, debe tomar en cuenta la entidad financiera demandada que su función esencial es la intermediación financiera, que incluye la captación de fondos provenientes del ahorro del público, concepto que lleva implícita su custodia, tanto desde el punto de vista físico, como del registro electrónico correspondiente. No cabe duda que se encuentra sometida a una ineludible obligación de garantizar la seguridad de las transacciones realizadas, ya sea en ventanilla o mediante cualquier otro medio puesto a disposición de los clientes, la cual debe abarcar, necesariamente, el uso de todos aquellos mecanismos disponibles que le permitan contar con un mayor grado de certeza en cuanto a la identificación de las personas que se encuentran facultadas para realizar transacciones electrónicas desde las cuentas. La responsabilidad que le fue imputada al Banco se fundamenta, no en la sustracción del dinero por un tercero, sino en la existencia de un riesgo, según lo expuesto en el considerando III, en el funcionamiento propio del servicio que ofrece, lo que permite imputar el origen del daño al funcionamiento del servicio. Lo anterior, a pesar de disponer de mecanismos que permiten mayor seguridad. (...) Al fin y al cabo, los bancos, sin que el demandado sea la excepción, custodian y administran, entre otros, un bien ajeno; y no cualquier bien, sino fondos del público. Así las cosas, no solo responde por la fortaleza de sus sistemas internos, sino también por la seguridad de quien, para llegar allí, utiliza los únicos canales posibles que el propio Banco conoce y reconoce como riesgosos. Y responde no en cuanto ajenos, sino en la medida en que constituye el medio del que se prevalece, directamente, para la prestación del servicio. Tal y como lo preceptúa el numeral 35 de la Ley de Protección al Consumidor, ha habido un perjudicado en razón del servicio, que al ser utilizado (y en vista de su carácter riesgoso) produjo una lesión importante a quien figura en el proceso como parte actora. (...) El medio para acceder a la plataforma del Banco no se trata, por ende, de un foco ajeno de riesgo, sino de un instrumento consustancial al servicio que presta; si se quiere, forma parte intrínseca de la actividad, que si bien es accesorio a la actividad del intermediario, resulta imprescindible. De allí que los mecanismos de garantía al cliente –usuario-, deben darse no solo dentro de los muros informáticos del propio Banco, sino también en el camino de acceso a él como parte del servicio. No en vano, el Sistema Financiero se ha abocado, en general, a la implementación de mecanismos de doble identificación, al mejoramiento de las claves y, en general, el uso de sistemas recientes como la utilización de tockens, claves cambiantes, llaves con dispositivos especiales, entre otros." (Resolución No. 300-2009 precitada) Dicha referencia pone en evidencia que la vulnerabilidad del sistema no es un asunto que deba acreditar el cuentahabiente, por el contrario, dada la actividad que realiza, el lucro que obtiene por ese giro comercial y al constituirse un medio que permite la agilización de las transacciones derivadas de la cuenta corriente, contrato que supone una custodia de fondos del público, es el ente financiero quien debe acreditar que sus sistemas de seguridad cuentan con el grado de seguridad aceptable y que en cada caso concreto, no fueron vulnerados. En la especie, fue precisamente la falencia de mecanismos de seguridad la que generaron la concreción de un daño en contra de l a empresa actor a , consistente en la sustracción de un monto de dinero, el cual ha sido reconocido por el Banco en ¢19.500.000,00 ( diecinueve millones quinientos mil colones ) , pero para la demandanete es de $40.000.00 (cuarente mil dólares), producto de v arias transacciones realizadas a favor de otros cuentacorrentistas del mismo Banco Nacional de Costa Rica. Ello supone un daño del cual, el ente bancario no ha logrado desvincularse al no haberse acreditado la ajenidad con el daño ni la concurrencia de alguna de las causas eximentes que le permitirían liberarse de esa responsabilidad objetiva que impera en materia de relaciones de consumo.

XII.Sobre el daño material en el caso concreto. Con fundamento en las anteriores consideraciones, debe declararse la responsabilidad objetiva del Banco Nacional por el daño padecido por l a empresa Bahía Pez Vela Administration S.A. a raíz de las cuarenta y dos transacciones realizadas en el período comprendido entre el diez y el catorce de marzo, ambas del año de 2008 , en virtud de las cuales se sustrajeron fondos de la s cuenta s tanto en colones como en dólares de l a compañia afectada , cuenta s número s 100-01-015-006077-5 (colones) y 100-02-015-600387-8 (dólares), se debe indicar que el único documento en el cual se determinan las operaciones es el oficio BRGP-005-2008 emitido por el Banco Regional Guanacaste-Puntarenas del Banco Nacional de Costa Rica visible a folios 1 al 4 del expediente administrativo, según el cual la institución acepta que las transferencias realizadas lo fueron así:

Documento Sospechoso cédula Monto Número de Cuenta Dirección IP Fecha 15691068 Nombre142967 1-1241-203 $1.015.74 200-01-000-733339-0 201.192.103.17. CR 10-03-08 15691088 Nombre142968 1-1101-659 $1.015.74 200-01-053-37793-8 201.192.103.17. CR 10-03-08 15691117 Nombre142969 1-874-052 $1.015.74 200-01-053-37796-2 201.192.103.17. CR 10-03-08 15691147 Nombre142970 .

1-538-870 $1.015.74 200-01-095-27326-7 201.192.103.17. CR 10-03-08 15691171 Nombre142971 1-1317-370 $1.015.74 200-01-130-7669-2 201.192.103.17. CR 10-03-08 15691420 Nombre142972 1-664-373 $1.015.74 200-01-157-8843-9 201.192.103.17. CR 10-03-08 15692310 Nombre142973 2-572-440 $1.015.74 200-01-095-11918-7 201.192.57.194.CR 10-03-08 15692499 Nombre142973 2-572-440 $1.015.74 200-01-095-11918-7 201.192.57.194.CR 10-03-08 15692533 Nombre142968 1-1101-659 $1.015.74 200-01-053-37793-8 201.192.57.194.CR 10-03-08 15692560 Nombre142970 . Nombre142970 1-538-870 $1.015.74 200-01-095-27326-7 201.192.57.194.CR 10-03-08 15728923 Nombre142970 .

1-538-870 $1.015.74 200-01-095-27326-7 190.10.29.23.CR 11-03-08 15728936 Nombre142968 1-1101-659 $1.015.74 200-01-053-37793-8 190.10.29.23.CR 11-03-08 15728952 Nombre142969 1-874-052 $1.015.74 200-01-053-37796-2 190.10.29.23.CR 11-03-08 15728964 Nombre142971 1-1317-370 $1.015.74 200-01-130-7669-2 190.10.29.23.CR 11-03-08 15728974 Nombre142972 1-664-373 $1.015.74 200-01-130-7669-2 190.10.29.23.CR 11-03-08 15729112 Nombre142973 2-572-440 $1.015.74 200-01-095-11918-7 201.192.57.194.CR 11-03-08 15729324 Nombre142973 2-572-440 $1.015.74 200-01-095-11918-7 201.192.57.194.CR 11-03-08 15729398 Nombre142974 1-1429-431 $1.015.74 200-01-000-709577-5 201.192.57.194.CR 11-03-08 15729807 Nombre142963 . Nombre142963 2-625-993 $1.015.74 200-01-053-33101-6 201.192.57.194.CR 11-03-08 15729844 Nombre142963 .

2-625-993 $6.09 200-01-053-33101-6 201.192.57.194.CR 11-03-08 15730005 Nombre142963 .

2-625-993 $1.005.59 200-01-053-33101-6 201.192.57.194.CR 11-03-081 15730021 Nombre142963 .

2-625-993

4:06 (sic)

200-01-053-33101-6 201.192.57.194.CR 11-03-08 15764332 Tranf.cuentas Del Cliente ¢3.251.77 De dólares a colones 201.237.15.114.CR 12-03-08 15765289 Nombre90398 1-1005-991 $1.017.81 200-01-000-691558-2 201.192.9.110.CR 12-03-08 15765404 Nombre142969 1-874-052 $1.017.81 200-01-053-37796-2 201.192.9.110.CR 12-03-08 15765415 Nombre142971 1-1317-370 $1.017.81 200-01-130-7669-2 201.192.9.110.CR 12-03-08 15765430 Nombre142972 1-664-373 $1.017.81 200-01-130-7669-2 201.192.9.110.CR 12-03-08 15765449 Nombre142970 . Nombre142970 1-538-870 $1.017.81 200-01-095-27326-7 201.192.9.110.CR 12-03-08 15765465 Nombre142968 1-1101-659 $1.017.81 200-01-053-37793-8 201.192.9.110.CR 12-03-08 15765714 Nombre90398 1-1005-991 $1.017.81 200-01-000-691558-2 201.192.57.194.CR 12-03-08 15766318 Nombre142963 .

2-625-993 $1.017.81 200-01-053-33101-6 201.192.57.194.CR 12-03-08 15815479 Nombre142968 1-1101-659 $1.017.81 200-01-053-37793-8 201.192.57.194.CR 13-03-08 15815513 Nombre142970 .

1-538-870 $1.017.81 200-01-095-27326-7 201.192.57.194.CR 13-03-08 15815530 Nombre142969 1-874-052 $1.017.81 200-01-053-37796-2 201.192.57.194.CR 13-03-08 15815551 Nombre142971 1-1317-370 $1.017.81 200-01-130-7669-2 201.192.57.194.CR 13-03-08 15816501 Nombre90398 1-1005-991 $1.017.81 200-01-000-691558-2 201.192.57.194.CR 13-03-08 15765859 Nombre142964 4-186-284 ¢500.000 200-01-004-94827-9 201.192.57.194.CR 12-03-08 15766428 Nombre142974 1-1429-431 ¢500.000 200-01-000-709577-5 201.192.57.194.CR 12-03-08 15815568 Nombre142972 1-664-373 $1.017.81 200-01-130-7669-2 201.192.57.194.CR 14-03-08 15815588 Nombre142964 4-186-284 ¢500.000 200-01-004-94827-9 201.192.57.194.CR 14-03-08 15816527 Nombre142975 4-196-146 ¢500.000 200-01-124-16528-3 201.192.57.194.CR 14-03-08 15816827 Nombre142975 4-196-146 ¢500.000 200-01-124-16528-3 201.192.57.194.CR 14-03-08 Derivado de lo cual, se han podido extraer la mayoría de los montos sustraídos, de los que para mayor claridad y ante la disyuntiva entre lo pedido por la parte actora que lo dispone en su totalidad en dólares y por otra parte, el banco demandado lo establece en colones, lo cierto es que del análisis del cuadro transcrito, se deben indicar los montos de las transferencias por separado tanto en dólares, como en colones, por lo que tendríamos así: en dólares la suma de $30.497.12 (treinta mil cuatrocientos noventa y siete dólares con doce centavos), y en colones ¢2.503.251.77 (dos millones quinientos cincuenta y un mil colones con setenta y siete céntimos). No obstante, debe tomarse en cuenta además que, en dicho cuadro, existe un monto el cual no se ha podido determinar con claridad y el que corresponde a la transacción número 22 que aparece en la tabla anterior que dice ser la del documento número 15730021, trasladado a la cuenta del señor Nombre142963 . Nombre142963 . cédula de identidad CED112276, a la cuenta número 200-01-053-33101-6, desde la dirección de IP 201.192.57.194.CR el día 11 de marzo de 2008, la cual aparece por un monto de (4:06) sin que se indique su moneda y sin saber si los números consignados corresponden al verdadero monto de esa sustracción, razón por la cual este quedará para ser probado en la etapa de ejecución de sentencia e incluido en el monto total. Por ende, debe el Banco Nacional cancelar a l a demandante el total de l as transferencias y s obre es as partidas debe reconocerse a título de perjuicio financiero (artículo 706 del Código Civil) el interés legal que para operaciones en moneda extranjera fija el numeral 497 del Código de Comercio, a saber, rédito según la tasa prime rate, y en las de colones (artículo 497 del Código de Comercio) la tasa básica pasiva del Banco Central de Costa Rica . Dichos intereses deberán calcularse sobre cada partida sustraída desde la fecha en que se realizó cada una de las transacciones de débito no autorizadas ya aludidas, sea, desde que se produjo cada hecho dañoso, hasta su efectivo pago, partidas a liquidarse en fase de ejecución de sentencia. El otorgamiento del citado perjuicio financiero supone, de manera implícita, la actualización del valor económico de la obligación (indexación), para los efectos del canon 123 del Código Procesal Contencioso Administrativo.

XIII.- Análisis de las defensas opuestas. La representación del Banco Nacional de Costa Rica formuló la defensa previa de Caducidad, la que fue analizada en la audiencia preliminar celebrada el 23 de noviembre de 2010, por resolución No. 4381-2010 de las 14 horas 05 minutos de esa fecha, el juzgador de trámite dispuso: "POR TANTO: Se declara sin lugar la defensa previa de caducidad incoada por el banco Nacional de Costa Rica." En cuanto a las defensas de fondo, l a representación del banco demandado opuso la defensa de falta de derecho , la cual debe ser rechazada al haberse acreditado la procedencia del derecho del accionante de obtener retribución indemnizatoria por los daños irrogados merced de sustracciones a sus cuentas bancarias frente a las cuales, el Banco no acreditó ajenidad o bien causas liberatorias. En ese orden, también deben rechazarse los alegatos de hecho de tercero y culpa de la víctima alegados por el ente demandado, por las causas ya apuntadas anteriormente . En consecuencia, debe declararse con lugar la demanda formulada por el representante de la empresa Bahía Pez Vela Administration S.A. contra el Banco Nacional de Costa Rica en los siguientes términos: - Se condena al Banco Nacional de Costa Rica a reintegrar a l a actor a las sumas debitadas de manera no autorizada, producto de cuarenta y dos transferencias a favor de varias cu e ntas de cliente s del banco accionado, realizadas entre l os días diez al catorce de marzo ambas del año 2008 , por un monto en dólares de $30.497.12 (treinta mil cuatrocientos noventa y siete dólares con doce centavos), y en colones ¢CED112277 (dos millones quinientos cincuenta y un mil colones con setenta y siete céntimos) más el monto que corresponde a la transacción cuyo número de documento es el 15730021, trasladado a la cuenta del señor Nombre142963 . . cédula de identidad CED112276, a la cuenta número 200-01-053-33101-6, desde la dirección de IP 201.192.57.194.CR el día 11 de marzo de 2008, del cual no se consigna correctamente un monto por lo que queda para ser probado en la etapa de ejecución de sentencia e incluido en el monto total . 2) Sobre las sumas que resulten finalmente , se condena al Banco Nacional de Costa Rica al pago de intereses legales, desde el momento en que cada una de las debitaciones no autorizadas fue realizada hasta el efectivo pago. Dichos réditos deberán calcularse según la tasa prime rate para las operaciones en moneda extranjera y respecto de las nacionales se aplicará la tasa básica pasiva del Banco Central de Costa Rica , ello conforme a lo preceptuado por el numeral 497 del Código de Comercio. El otorgamiento de ese perjuicio financiero supone de manera implícita la actualización económica de la obligación para los efectos del ordinal 123 del Código Procesal Contencioso Administrativo. Estas sumas deberán liquidarse en fase de ejecución del presente fallo .

XIV.- Costas. De conformidad con el numeral 193 del Código Procesal Contencioso Administrativo, las costas procesales y personales constituyen una carga que se impone a la parte vencida por el hecho de serlo. La dispensa de esta condena solo es viable cuando hubiere, a juicio del Tribunal, motivo suficiente para litigar o bien, cuando la sentencia se dicte en virtud de pruebas cuya existencia desconociera la parte contraria. En la especie, no encuentra este órgano colegiado motivo para aplicar las excepciones que fija la normativa aplicable y quebrar el postulado de condena al vencido. Por ende, se imponen ambas costas al ente bancario demandado.

POR TANTO.

Se rechaza la defensa de falta de derecho , así como las de "Falta de la Víctima y Hecho de un tercero" opuesta por el Banco Nacional de Costa Rica. En consecuencia, se declara con lugar la demanda formulada por Bahía Pez Vela Administration S.A. contra el Banco Nacional de Costa Rica en los siguientes términos : 1) Se condena al Banco Nacional de Costa Rica a reintegrar a l a actor a las sumas debitadas de manera no autorizada, producto de cuarenta y dos transferencias a favor de varias cu e ntas de cliente s del banco accionado, realizadas entre l os días diez al catorce de marzo ambas del año 2008 , por un monto en dólares de $30.497.12 (treinta mil cuatrocientos noventa y siete dólares con doce centavos), y en colones ¢2.503.251.77 (dos millones quinientos cincuenta y un mil colones con setenta y siete céntimos), más el monto que corresponde a la transacción cuyo número de documento es el 15730021, trasladado a la cuenta del señor Nombre142963 . Nombre142963 . cédula de identidad CED112276, a la cuenta número 200-01-053-33101-6, desde la dirección de IP 201.192.57.194.CR el día 11 de marzo de 2008, del cual no se consigna correctamente un monto, por lo que queda para ser probado en la etapa de ejecución de sentenciae e incluido en el monto total . 2) Sobre las sumas que resulten finalmente , se condena al Banco Nacional de Costa Rica al pago de intereses legales, desde el momento en que cada una de las debitaciones no autorizadas fue realizada hasta el efectivo pago. Dichos réditos deberán calcularse según la tasa prime rate para las operaciones en moneda extranjera y respecto de las nacionales se aplicará la tasa básica pasiva del Banco Central de Costa Rica , ello conforme a lo preceptuado por el numeral 497 del Código de Comercio. El otorgamiento de ese perjuicio financiero supone de manera implícita la actualización económica de la obligación para los efectos del ordinal 123 del Código Procesal Contencioso Administrativo. Estas sumas deberán liquidarse en fase de ejecución del presente fallo . 3 ) Son ambas costas a cargo del ente accionado.

Juan Luis Giusti Soto Cinthia Abarca Gómez Roberto Garita Navarro ASUNTO: PROCESO DE CONOCIMIENTO DECLARADO DE PURO DERECHO ACTOR: Bahía Pez vela Administration S.A.

DEMANDADOS: Banco Nacional de Costa Rica.