MEASURING OPERATIONAL RISK IN MOBILE BANKING

A summer internship project report

submitted by

NERSU SURYA VENKATA ASHISH

011104144

in partial fulfillment of the requirement for the award of the degree of

MBA

DEPARTMENT OF MANAGEMENT STUDIES

July, 2014

Under the guidance of

Dr. V.N. SASTRY

to

INSTITUTE FOR DEVELOPMENT AND RESEARCH IN BANKING TECHNOLOGY

Road No.1, Castle Hills, Masab Tank

Hyderabad – 500 057.

July 18, 2014

PROJECT COMPLETION CERTIFICATE

Name of the Student: Nersu Surya Venkata Ashish

Roll Number: MS13A037

Project Period: 22 May 2014 – 18 July 2014

Project Title: Measuring Operational Risk In Mobile Banking

This is to certify that Mr. NERSU SURYA VENKATA ASHISH, a final year student of

MBA in Department of Management Studies, IIT Madras has successfully completed his

summer internship projectwork under my supervision.

The student has submitted the final report.

Name: V.N. Sastry

Designation: Professor

Organization:

Institute for Development and Research in Banking Technology

Road No.1, Castle Hills, Masab Tank

Hyderabad – 500 057, Telangana.

DECLARATION

I NERSU SURYA VENKATA ASHISH hereby declare that this project paper

entitled “MEASURING OPERATIONAL RISK IN MOBILE BANKING” submitted by

me under the guidance and supervision of Dr. V. N. Sastry, Professor, IDRBT, is a

bonafide work. I also declare that it has not been submitted previously in part or in full to

this University or other University or Institution for the award of any degree or diploma.

Date: Name: NERSU SURYA VENKATA ASHISH

Roll. No. MS13A037

Signature of the Student:

Acknowledgements

First and foremost I would like to thank my guide Dr. V.N. Sastry, who guided me throughout

the project. He gave this project to me based on my background and area of interest. He was

very much approachable to students. His ideas helped me in completing this project

successfully.

I would like to thank Placecom team, DOMS, IIT Madras for helping me to get my

internship in IDRBT.

I would thank my teachers in IIT Madras, for the knowledge I gained in the last one

year.

Finally I would like to thank my parents for their unconditional love and affection,

which is a great source of strength.

Nersu Surya Venkata Ashish

ABSTRACT:

Mobile banking usage in India is growing exponentially. Most of the banks are providing

mobile banking. So there is a need for banks providing mobile banking to measure the

operational loss occurring in their mobile banking portfolio for risk management purposes,

for regulatory compliances and also for risk mitigation purposes.

There are studies about how to measure operational risk but none of them

specifically addressed mobile banking. In this report, granular details of mobile banking are

considered to compute operational risk. The various types of transaction failures in

Immediate Payment Service (IMPS) and different channels (SMS, USSD and WAP) are

considered and an algorithm is proposed to compute the operational risk.

Table of Contents

Notations

1. Introduction ………………………………………………………………….1

1.1. Background…………………………………………………………….…1

1.2. Motivation…………………………………………………...……………1

1.3. Objectives……………………………………………...……………….…1

1.4. Mobile Banking…………………………………..………………….……2

1.4.1. IMPS…………………………………………………………….…2

1.4.2. Types of Transaction Failures in IMPS………...……………….....4

1.5. Operational Risk……………………………………………………….….6

1.5.1. Loss Distribution Approach………………………………….….....6

1.6. Thesis Organization……………………………………………............…..9

1.7. Conclusion……………………..………………………………………......9

2. Literature Survey……………………………...…………….......……….......10

3. Channel – wise risks……………………………………………..………..…..12

3.1. SMS Based Mobile Banking…………………………………...……….....12

3.1.1. Transaction flow for SMS Based Banking………………….…..…13

3.1.2. Transaction failure types in SMS channel……………………....….13

3.2. USSD Based Mobile Banking…………………………...……….……….14

3.2.1. Transaction flow for USSD Based Banking…………….…..….....14

3.2.2. Transaction failure types in USSD channel……….......………..…15

3.3. IVRS Based Mobile Banking………………………………....………..….15

3.3.1. Transaction flow for IVRS Based Banking………….……..……...15

3.3.2. Transaction failure types in IVRS channel….…….......……………16

3.4. WAP Based Mobile Banking………………………………....………..…..16

3.4.1. Transaction flow for WAP Based Banking………….……..……....16

3.4.2. Transaction failure types in WAP channel….…….......………….…16

3.5. Conclusion...………………………………………………….……...….….17

4. Algorithm for measuring Operational Risk…………………………....….…18

4.1. Notations……………….……………………………….........……....….…18

4.2. Algorithm…………………………………………….....……………….…20

4.3. Illustration………………………………………………………………....28

4.4. Conclusion………………………………………………………...….……35

5. Conclusion and Future work……………...……….…………………....……36

5.1. Conclusion………………………………..……….…………………….…36

5.2. Future work………………………………………….………….……...…..36

References…………….……………………………………….………….....….37

Appendix……………………………………………………………………..…38

Notations

CBS – Core Banking System

IMPS – Immediate Payment Service

IVRS – Interactive Voice Response System

LDA – Loss Distribution Approach

MLE - Maximum Likelihood Estimation

NPCI – National Payments Corporation of India

P2M – Person to Merchant

P2P – Person to Person

SMS – Short Message Service

USSD – Unstructured Supplementary Service Data

WAP – Wireless Access Protocol

1

Chapter 1: Introduction

This chapter gives an introduction about mobile banking in India, the transaction flow of

Immediate Payment Service (IMPS) and various types of transaction failures that can occur

in IMPS transactions. An introduction about how to measure operational risk is also given in

the chapter.

1.1 Background

Mobile phones are transforming the lives of people in India. India has the second largest

mobile phone user base in the world. More people own a mobile than a PC. This provides a

huge opportunity for banks to use it as an alternate channel for revenue. More banks are

offering mobile banking services to their customers. Immediate Payment Service (IMPS)

provides an easy way for an instant money transfer. The total amount of transactions done

through IMPS as of May 2014 is Rs. 25 billion (Source: NPCI website). Mobile banking is

provided through different channels like SMS, USSD, mobile applications.

1.2 Motivation

Operational Risk has to be computed by banks for risk management purposes as well as to

meet regulatory compliances. Under Advanced measurement approach, banks are allowed to

develop their own approach to measure operational risk capital provided they meet the

considerations specified by the regulatory authorities.

There are ways to measure operational risk capital, but there are no studies

about measuring operational risk in particular to mobile banking. This gave the motivation to

study mobile banking at a granular level, identify various types of transaction failures and

propose an algorithm to measure operational risk capital for the identified types.

1.3 Objectives

The objectives of the project report are to:

• Identify various types of transaction failures in IMPS transactions

• Propose an algorithm to measure operational loss capital based on the types.

• Identify various types of transaction failures based on the channels (like SMS based,

USSD based, mobile application based).

2

1.4 Mobile Banking

Mobile Banking isdoing financial transactions through mobile devices.Mobile banking

contains two sectors: financial sector (Banks, NPCI) and Telecom Sector (Mobile Network

Operators). In India, Immediate Payment Service (IMPS) facilitated real time fund transfer

through mobile devices.

1.4.1 Immediate Payment Service (IMPS)

Immediate Payment Service (IMPS) provides an instant, 24*7 fund transfer.IMPS is operated

by NPCI.

IMPS services are:

• Fund transfer fromPerson to Merchant (P2M)

• Fund transfer fromPerson to Person (P2P)

• IMPS fund transfer through Account number/ IFSC

(Source – NPCI website)

In this report, P2M transactions are explored in detail, and various types of transaction

failuresare identified. The transaction failures for other types are also similar.

IMPS Person to Merchant (P2M) transactions are of two types:

• P2M PUSH

• P2M PULL

3

Transaction flow for P2M PUSH:

1) Customer enters merchant MMID, merchant mobile number, payment reference,

amount and M-PIN either in his mobile application or through SMS.

2) Issuing Bank validates the customer account and debits his account.

3) Issuing Bank sends the information to NPCI.

4) NPCI identifies the acquiring bank through merchant MMID and mobile number and

forwards the information to acquiring bank.

5) Acquiring Bank identifies merchant account number through MMID and mobile

number.

6) Acquiring sends the payment reference and amount to merchant.

7) Merchant verifies payment reference and amount and sends acknowledgement to

acquiring bank.

8) Acquiring Bank credits merchant account and sends SMS to merchant mobile.

9) Acquiring Bank then sends the response to NPCI.

10) NPCI forwards the response to Issuing Bank.

11) Issuing Banks sends confirmation to customer through SMS.

12) Acquiring bank updates merchant back-end system.

4

Transaction flow for P2M PULL:

1) Customer enters his mobile number, MMID, amount and OTP in merchant

application. OTP is generated in customer mobile through SMS or mobile application.

2) Acquiring bank validates the merchant details through merchant MMID and mobile

number and forwards the information entered by customer to NPCI.

3) NPCI identifies the issuing bank through customer MMID and customer mobile

number and sends the information to Issuing Bank.

4) Issuing Bank identifies the customer account through customer MMID, customer

mobile number and OTP. The customer account is debited.

5) Issuing Bank sends the response to NPCI.

6) NPCI sends the response to acquiring bank.

7) Acquiring Bank credits the merchant account and sends response to merchant

application.

1.4.2 Types of Transaction failures in P2M PUSH:

Type 1: Acquiring Bank is not able to send payment reference to merchant.

Type 2: Merchant is not able to acknowledge the payment reference sent by acquiring bank.

Type 3: Errors from customer like errors in payment reference and amount, merchant MMID,

merchant mobile number, account validation, using P2M form for P2P transaction, using P2P

form for P2M transaction.

5

Time out scenarios

Type 4: Time out during debit between Issuing bank and its CBS.

Type 5: Time out after debit between NPCI and Acquiring Bank.

Type 6: Time out after debit between Acquiring Bank and its CBS.

Types of Transaction failures in P2M PULL:

Type 7: Rejection at Issuing Bank.

Type 8: Rejection at NPCI.

Communication failures

Type 9: Acquiring Bank is unable to forward to NPCI.

Type 10: NPCI is unable to forward to Issuing Bank.

Type 11: Issuing Bank is unable to forward to its CBS.

Type 12: Issuing Bank CBS is unable to respond to Issuing Bank.

Type 13: Issuing Bank is unable to respond to NPCI.

Type 14: NPCI is unable to respond to Acquiring Bank.

Type 15: Acquiring Bank is unable forward response to its CBS.

Type 16: Acquiring Bank CBS is does not respond to Acquiring Bank.

Type 17: Acquiring Bank is unable to respond to merchant.

Note: The above types of transaction failures can be due to causes like server not

responding, server overloading etc.

6

1.5 Operational Risk

Operational Risk is defined as "the risk of direct or indirect loss resulting from inadequate

orfailed internal processes, people and systems or from external events".(Source: BCBS

Consultative Document Operational Risk)

There are 3 approaches for measuring Operational risk Capital

1) Basic Indicator Approach (BIA)

2) Standardised Approach

3) Advanced Measurement Approach

Basic Indicator Approach (BIA): Operational risk capital that a bank must hold is equal to

15% of its average gross income of past three years.

Standardised Approach (SA): Bank’s operations are divided into eight business lines

(Corporate finance, Trading and sales, Retail banking, Commercial banking, Payment and

settlement, Agency services, Asset Management, Retail Brokerage). For each business line,

operational risk capital is a fixed percentage (called beta factor) of the average gross income

of past three years.

Advanced Measurement Approach (AMA): Banks are allowed to develop their own model.

The estimates must include internal loss data, external loss data, scenario analysis and

Business environment / internal control factor data.

Loss Distribution is a model to compute operational risk capital. This comes under AMA

approach.

1.5.1 Loss Distribution Approach (LDA):

Loss Distribution Approach (LDA) involves computing frequency of loss and severity of loss

and aggregating both of them to get total loss.

Frequency of loss:

Frequency of loss is the occurrence of each cause of the transaction failure type during a

period of one year.

To this data, a distribution like Poisson or Negative binomial is fitted.

The probability density function of a Poisson distribution is

7

where� ≥ 0 and λ> 0.

λcan be estimated using Maximum Likelihood Estimation (MLE). The maximum likelihood

estimator of λ is

�� = ∑ i/ n

wherexi is the observations used to compute frequency.

The Goodness of fit is computed using Chi-squared test. The Chi test statistic is given by

whereOi is the observered values and Eiis the expected values computed by the distribution.

These values are divided into n bins for computing. If the Chi test statistic is less than 5%

than the distribution is a bad fit.

Severity of loss:

Severity of loss is the impact of each cause on the loss due to transaction failures.

To the severity data, a distribution like lognormal or generalized pareto or weibull is fitted.

The probability density function of a Lognormal distribution is given by

8

µ is the mean and σ is the standard deviation.

The parameters µ and σare computed using Maximum Likelihood estimation and is given

below

The Goodness of fit is computed using Chi-squared test.

Aggregate Loss:

Aggregate Loss Distribution is computed by combining frequency of loss and severity of

loss. Monte Carlo simulation can be used to compute Aggregate Loss. In Monte Carlo

simulation, the frequency and severity are simulated from their distributions and

corresponding aggregate loss is estimated. This method is repeated like times (say 10000) to

get the empirical distribution.

The Operational value at risk (OpVaR) is computed at 99.9 percentile of the

aggregate loss distribution.

9

1.6 Thesis Organization:

Chapter 1 deals with the introduction to mobile banking and operational risk. It provides an

insight about mobile banking in India. It gives the transaction flow of IMPS. It identifies

various types of transaction failures that can occur in IMPS transactions. It also provides an

introduction about operational risk and various approaches to compute operational risk

capital. It details about Loss Distribution Approach which is used in this paper.

Chapter 2 deals with the literature survey in the development of operational risk and mobile

banking in India. It discusses some methods that can be used to measure operational risk. It

gives the regulatory compliances that need to be met. It also gives the risks and issues in

mobile banking.

Chapter 3 details the proposed algorithm to measure operational risk. It also gives an

illustration of the proposed algorithm.

Chapter 4 discusses various channels for mobile banking. The transaction flow of the

customer requests in the channels. It identifies the types of transaction failures that can occur

in these channels.

Chapter 5 presents the conclusion to the paper and provides the scope for future work in this

area.

1.7 Conclusion

To compute operational risk in mobile banking, the mobile banking transaction flow is to be

studied and various types of transaction failures are to be identified. Operational risk for the

identified types is computed using LDA approach.

10

Chapter 2: Literature Survey

This chapter gives the details of some of the works of measuring operational risk and mobile

banking.

[Operational Risk – Consultative Document, BCBS, 2001] discussed the three approaches for

measuring Operational Risk Capital namely, Basic Indicator Approach, Standardised

Approach and Internal Measurement Approach. In Internal Measurement Approach the

document suggested Loss Distribution Approach for measuring operational risk capital.

[Operational Risk – Supervisory guidelines by BCBS, June 2011] expected that AMA

method for calculating Operational loss to include four elements: internal loss data, external

data, scenario analysis and business environment and control factors (BECIFS).

[Marcelo Cruz, Rodney Coleman et al, 1998] proposed a method, similar to market risk and

credit risk, to measure operational risk using Extreme value theory [EVT] and determine

appropriate level of operational risk capital. This method is only for extreme events and

focussed on the tail of the distributions. This method modelled the database of a large British

bank.

[QIS 2 – Operational Risk Loss Data, 2001] has the appropriate form for the collection of

Operational loss data for banks. This was the survey organized by the BIS. Losses are

classified into 8 business line x 7 loss event categories matrix.

[A.Frachot et al, 2001] discussed loss distribution approach [LDA] for calculating operational

risk capital. The method used Value at Risk to arrive at the operational risk capital. The paper

discussed about computing frequency of loss, severity of loss and aggregate loss.

[Suhas Desai, 2011] discussed various security risks in USSD channel and proposed a four

phased approach for mitigating security risk.

[HYLMUN IZHAR, 2012] proposed a method to calculate High Frequency – Low Severity

(HF-LS) and Low Frequency – High Severity (LF-HS) types of operational risks. This paper

used Delta-Gamma Sensitivity analysis to measure HF-LS and EVT for LF-HS.

[Alexander Johenmark, 2012] studied different methods used for calculating the operational

risk capital that satisfy AMA requirements. The study suggested that Poisson distribution

fitted well for frequency, log-normal and generalized pareto fitted well for severity of loss.

11

[Vishal Goyal et al, June 2012] reviewed the current operating practices of m-banking in

India. The paper classified challenges of m-banking into economic, regulatory, rupee

transactions, existing account holders and demographic challenges. The paper outlined the

transactions model in India. This paper discussed various security issues faced in WAP and

SMS based mobile banking.

[IMPS Merchant Payments, 2012] discussed IMPS P2M (Person to Merchant) Push and P2M

Pull. It also discussed the types of transaction failures that occurred in P2M Push and P2M

Pull.

[Dr. Vinod Kumar Gupta et al, January 2013] identified the factors that influence mobile

banking adoption. The paper detailed the architecture of mobile banking channels like SMS,

WAP. The positive and negative impacts of mobile banking in Indian context are explained

by the paper.

[Mobile Banking, RBI, 2014] outlined Mobile Banking in India. It discussed about the

channels of Mobile banking (SMS, USSD, Application based), architecture, risks and issues

associated with them.

Conclusion:

Mobile banking adoption is growing in India and so it is important to measure Operational

risk associated with it. There are studies about how to measure operational risk but nothing

related to measuring operational risk in specific to Mobile banking. This paper aims to

measure operational risk in mobile banking.

12

Chapter 3: Channel-wise Risks

Mobile Banking in India is offered through various channels like SMS, USSD, GPRS etc.

While SMS channel is available to all the mobile device users, the channel is not very secure

as there is no end-to-end encryption. So there are limits to the amount that can be transferred.

USSD channel is menu-driven, session-oriented and interactive. This is not available to

CDMA users. There is no additional security other than the security available for GSM

channel. IVRS is also menu-driven, session-oriented and interactive. Service is offered in

multiple languages, voice prompts and numeric inputs by the customer. This channel is also

not end-to-end encrypted. WAP can be accessed by most of the customers but requires active

data connection.

3.1 SMS Based Mobile Banking

SMS is widely used channel and can be used in all mobile phones. Customers can avail SMS

banking services by sending a request with keyword, short code or long code. For example,

for Balance enquiry customers can send an SMS like BAL to the short code or the long code

specified by the bank.

Some of the limitations to SMS banking are customers need to know the

correct syntax, not end-to-end encrypted, transaction limit of Rs. 5000 set by RBI. Also SMS

remains as plain text in ‘Sent Items’, so if the mobile custody is with someone else there is a

loss of confidential information.

To reduce the above risks, Sim Tool Kit (STK) application on the SIM

provided by the operator is proposed. This application is interactive, menu-driven, user-

friendly. STK encrypts the SMS before sending.

13

3.1.1 Tranaction flow for SMS Based Banking

The SMS based services are hosted on SMS gateway. The SMS gateway connects to the SMS

centre of the Mobile Service Provider.

3.1.2 Transaction failure types in SMS channel

• Failures between Mobile Service Centre and SMS Centre

• Failures between SMS Centre and SMS Gateway

• Failures between SMS Gateway and Internet

• Failures between Internet and Bank

14

3.2USSD Based Mobile Banking

USSD services are real time, session-oriented and menu driven. It allows two way interaction

of data. For using USSD services, Dial *99# for using USSD services. It asks for MMID

number. After authenticating, it shows a menu of options like IMPS, Enquiry, Change mpin,

mobile top up etc. USSD works on all GSM mobile devices. It is more secure than SMS

channel and enables transactions in local languages.

The common USSD Gateway is proposed by NPCI. This enabled banks to

overcome the challenges of tying up with each Mobile Network Provider separately.

3.2.1 Tranaction flow for USSD Based Banking

Customer dials *99# in his mobile. The customer then enters his MMID in the prompt

obtained. NPCI forwards to the respective bank based on the MMID. Customer gets a menu

of options from the banking services of the bank. Customer responds appropriately and

completes the transaction.

15

3.2.2 Transaction failure types in USSD channel

• Failures between Mobile Service Centre and Telco USSD Gateway

• Failures between Telco USSD Gateway and NPCI USSD Gateway

• Failures between NPCI USSD Gateway and Internet

• Failures between Internet and Bank

3.3IVRS Based Mobile Banking

Interactive Voice Response System (IVRS) involves customers call to the IVR number. The

customers are greeted by the stored electronic message and it is followed by a menu of

options. Customers respond by pressing appropriate keys based on their requirements.

3.3.1 Tranaction flow for IVRS Based Banking

The IVRS Gateway is the access point between the Mobile Service Centre and NPCI.

16

3.4.2 Transaction failure types in IVRS channel

• Failures between Mobile Service Centre and IVRS Gateway

• Failures between IVRS Gateway and NPCI

• Failures between NPCI and Bank

3.4WAP Based Mobile Banking

WAP bridges the gap between mobile and internet. A WAP site is maintained by banks and

customers access this site through WAP compatible browser on their mobiles. Customer can

have anytime, anywhere access to a more secure channel.

3.4.1 Tranaction flow for WAP Based Banking

The Bank site is accessed through WAP Gateway by the mobile users for carrying out

transactions. The WAP Gateway is the access point from the mobile network to the Internet.

The WAP server stores the forms that are displayed in the displayed in the mobile.

3.4.2 Transaction failure types in WAP channel

• Failures between Mobile Service Centre and WAP Gateway

• Failures between WAP Gateway and Internet

• Failures between Internet and WAP Server

17

3.5 Conclusion

Mobile Banking is done through various channels like SMS, USSD, WAP etc. In the

transaction flow, a Gateway connects Mobile Service Centre to the Internet and which is

connected to the Bank. The transaction failure occurs if the connection fails between any two

entities due to any cause.

18

Chapter 4: Algorithm for measuring Operational

Risk

Here an algorithm is proposed to compute operational risk in mobile banking. The algorithm

uses a type/cause matrix. A transaction failure type is due to many causes like server not

responding, server over loading.

This algorithm used Poisson distribution for frequency and Lognormal for severity. More

distributions like Negative Binomial for frequency and Weibull for severity can also be used

depending on which ever is the better fit.

4.1 Notations

m: number of types of transaction failures

Ti :ith

type of transaction failurewhere i∈ {1,2,3….m}

Ci : number of causes for transaction failure of type Ti.

Cij:jth

cause of ith

type of transaction failure where j ∈ {1,2, …,Ci}

n :Total number of Causes identified

l denotes the day in the year. l∈ {1,2,3,….,365}

aij= �1, ���������ℎ����������������������, �0, ��ℎ������ �, ∀i = 1 to m and j =

1 to n.

dijl : number of times cause Cij occurred on lth

day of the year.

nijl : the number of transactions failed due to cause j and lthday of the year.

Lijl:cost of any other losses (in Rs.)like repair costs, incurring due to cause

Ci,j.

C : loss due to each transaction failure

19

Sijl : severity of loss for type Tiand cause Ci,j.

ALi,jdenote the Aggregate loss of Cause Ci,j.

AL= ∑!"i,j,∀ i = 1 to m and j = 1 to n

The algorithm uses a type/cause matrix like the one shown below

For example,

Cause

Type

Cause 1 Cause 2 ………………… Cause n

Type 1 0 0 0

Type 2 1 1 1

Type 3 1 0 0

Type 4 0 0 0

.

.

.

Type m 1 0 1

If a type is caused by a particular cause a value of ‘1’ is assigned to the corresponding cell.

The data is inputted as shown below for each Cause Cij.

Days

Type Ti

Number of times Cause Cij occurred (dijl)

Number of

transactions failed due to Cause Cij

(nijl)

Other costs like repair costs (Lijl)

Day 1

Day 2

Day 3

Day 4

Day 5

Day 6

20

Objectives:To compute Operational Loss Capital for all the Types of Transaction failures.

Assumptions:

1)The Type/Cause matrix shown above is constructed which is helpful while giving input.

2) The data for dijl , nijl and Lijl is already known and they needed to be given as input.

3) Poisson and Lognormal distributions gives a good fit to the given data. If not other

distributions can be used by the model to compute remains same.

4.2 Algorithm

Step 1: Call Initialization( )

/*Upon calling the Initialization module the algorithm takes all the required inputs

and initializes the algorithm */

Step 2:Call TypeCauseMatrix( )

/* Check if type Ti can be caused by cause Ci,j and if yesproceed to Step 3 */

Step 3:Call Fit_PoissonDistribution( )

/*For computing Frequency of losses. Upon calling the above function it fits the

Poisson distribution for frequency using Maximum Likelihood Estimation (MLE) and checks

the Goodness of fit using Chi-Squared test */

Step 4:Call Severity( )

/*For computing Severity of loss based on the daily transaction failures */

Step 5:Call Fit_LogNormalDistribution( )

/*Fits a Lognormal distribution for severityusing Maximum Likelihood Estimation

(MLE) and checks the Goodness of fit using Chi-Squared test */

Step 6:Call AggLossi,j( )

21

/*Calculate Aggregate Loss for Type T1 and Cause C1,1 using Monte-Carlo Simulation */

Step 7:AggregateLoss = AggregateLoss + AggLossi,j

/*For computing Total Aggregate loss due to all the types and causes */

Module 1:

Initialization( )

{

m = input( ) /* give the input value of m*/

n = input( ) /* give the input value of n*/

fori =1 to m /* for all types*/

for j = 1 to n /* for all causes */

aij = input( )/* give the input value of aij */

end for

end for

fori =1 to m /* for all types*/

for j = 1 to n /* for all causes */

for l = 1 to 365 /* for all days in the year */

dijl = input( )/* give the input value of dijl*/

nijl = input( ) /* give the input value of nijl */

Lijl = input( ) /* give the input value of Lijl*/end for

end for

end for

end for

22

go to Step 2

}

Module 2:

TypeCauseMatrix( )

{

fori =1 to m /* for all types*/

for j = 1 to n /* for all causes */

if aij = 1 /*if type i is due to the cause j*/

go to Step 3

end for

end for

}

Module 3:

Fit_PoissonDistribution( )

{

λ = 0

max = 0

for l = 1 to 365

λ = dijl / 365 /* Max Likelihood Estimation of λ*/

end for

for l = 1 to 365

if dijl >max

max = dijl /* max value*/

23

end if

if dijl < min

min = dijl

end if

end for

bininterval = round { (max – min +1)/6 } /* bin interval value is rounded*/

b[x] = [min, min + bininterval, …….., min + 5 x bininterval] /* bin range*/

for x = 1 to 5

Expect_value[x-1] = ROUND ( 365 *( poisson.dist(b[x] , λ) - poisson.dist(b[x-1], λ)

) ) /* Expected Values using in-built Poisson distribution function of the software used*/

end for

Expect_value[5] = ROUND ( 1 - poisson.dist(b[5]-1 , λ))

obs_value = go to Observedvalues (dijl,b)/* calling Observedvalues module and giving inputs

dijl and bin values b which is [ b[0], b[1], b[2], b[3], b[4],b[5] ] */

fitPoisson = go to Goodness_Of_Fit(obs_value, Expect_value)

go to Step 4

}

Module 4:

Observedvalues (pijl , bin)/*pijltakes the values sent with in the

arguments when calling it and bin contains bin values sent*/

for l = 1 to 365

switch ( xijl) /* observed values*/

24

Case 1 (xijl<b[1])

obs_value [0] = obs_value [0] +1

Case 2 (b[1] < = xijl< b[2])

obs_value [1] = obs_value [1] +1

Case 3 (b[2] < = xijl< b[3])

obs_value [2] = obs_value [2] +1

Case 4 (b[3] < = xijl< b[4])

obs_value [3] = obs_value [3] +1

Case 5 (b[4] < = xijl< b[5])

obs_value [4] = obs_value [4] +1

Case 6

obs_value [5] = obs_value [5] +1

end for

returnobs_value/* returns the array of values of obs_value*/

}

Module 5:

Goodness_Of_Fit (observed value, expected value)

{

chi = chitest(observed value, expected value) /* in-built function for chi-test statistic*/

if chi < .05

return 0 /* return bad fit*/

end if

25

ifchitest> .05

return 1 /* return good fit */

end if

}

Module 6:

Severity( )

{

for l = 1 to 365 /* for all days in a year*/

Sijl = nijl x c + Lijl /* Severity of loss*/

end for

go to Step 5

}

Module 7:

Fit_LogNormalDistribution( )

{

mean = 0

sigma = 0

max = 0

min = 0

for l = 1 to 365

mean = mean + (ln Sijl ) / 365 /* MLE for mean*/

26

end for

for l = 1 to 365

sigma = sigma + ( ln Sijl - mean ) / 365 /* MLE for sigma*/

end for

for l = 1 to 365

if Sijl >max

max = Sijl /* max value */

end if

if Sijl != 0

if Sijl < min

min = Sijl /* Take a min value other than zero*/

end if

end if

end for

bininterval = ROUND ( (max – min +1)/6 ) /* Rounded value of Bin interval*/

b[i] = [min, min + bininterval, …….., min + 5 x bininterval] /* bin range*/

for x = 1 to 5

Expect_value[x-1] = ROUND ( 365 *( lognorm.dist(b[i] – 1, mean, sigma) -

poisson.dist(b[i-1], mean, sigma) ) ) /* Expected Values */

end for

27

Expect_value[5] = ROUND ( 1 - lognorm.dist (b[5]-1 , mean, sigma) )

obs_value = go to Observedvalues (Sijl, b)

fitLogNormal = go to Goodness_Of_Fit(obs_value, Expect_value)

go to Step 6

}

Module 8:

AggLossi,j( )

{

for simulation = 0 to 9999 // simulation 10000 times

AggLoss[x] = AggLoss(λ, mean, sigma)

end for

AggLossi,j= percentile(AggLoss,0.999) /* Operational Value at Risk */

go to Step 7

}

Module 9:

AggLoss(λ, mean, sigma)

{

nLoss = PoisRV(λ)

aggLoss = 0

For x = 1 to nLoss

sumLoss = sumLoss + LogInv(Rand, mu, sigma)

end for

AggLoss = sumLoss

28

}

Module 10:

PoisRV(λ)

{

m = exp( - λ)

prob = 1

a = 0

Do while prob> = m

prob = prob * Rand

a = a + 1

Loop

PoisRV = a – 1

}

4.3 Illustration:

For the purpose of illustration, consider the below types of IMPS P2M PUSH mentioned in

Chapter 1.

Type 1: Acquiring Bank is not able to send payment reference to merchant.

Type 2: Time out during debit between Issuing bank and its CBS.

Consider the below causes

Cause 1: Server overloading at merchant.

Cause 2: Disk failure at merchant.

Cause 3: Merchant transaction logs filled up

29

Cause 4: System crash at Issuing Bank CBS

Cause 5: Issuing Bank transaction logs got corrupt

This type of failure can be caused due to causes or errors like server overloading at merchant,

system crash at merchant, disk failure at merchant, merchant not responding.

Cause

Type

Cause 1 Cause 2 Cause 3 Cause 4 Cause 2

Type 1 1 1 1 0 0

Type 2 0 0 1 1 1

Illustration is done for Type 1 and Cause 1 for the purpose of ease.

Step 1: Call Initialization( )/* Calls the Initialization( ) as shown below */

Initialization( )

{

m = input( ) = 2

n = input( ) = 5/* give the input value of n*/

a11 =1

a12 = 1

a13 = 1

a14 = 1

Similarly till a25 = 1

d111 = 1

d112 = 2

Similarly till d11(365) = 8/* Data is given in Appendix. Data is givenonly for Cause C11*/

n111 = 83

n112 = 76

30

Similarly till L11(365) = 35

L111 = 0

L112 = 0 /* Other costs is zero */

Similarly till L11(365) = 0

}

Step 2:Call TypeCauseMatrix( )

TypeCauseMatrix( )

{

a11 =1

go to Step 3 /* From Step 3, illustration is done only for a11 =1. For others it is similar

*/

a12 =1

go to Step 3

a13 =1

go to Step 3

a14 =0

go to Step 3

a15 =0

Similarly till a25 =0

}

Step 3:Call Fit_PoissonDistribution( )

Fit_PoissonDistribution()

{

31

λ = 0

max = 0

λ = 5.07/* λ remains same throughout the program till it gets over ridden */

max = 10

min = 1

bininterval = round{ (10 – 1 +1)/6} = 2

b[i] = [1, 3, 5, 7, 9, 11] // bin range

Expect_value[0] = 44

Expect_value[1] = 122

Expect_value[2] = 100

Expect_value[3] = 94

Expect_value[4] = 10

Expect_value[5] = 2

obs_value = go to Observedvalues (dijl, b)= [38, 124, 85, 103, 15, 0] /* Observedvalues (dijl,

b) is shown below this module */

fitPoisson = go to Goodness_Of_Fit(obs_value, Expect_value) = 1

go to Step 4

}

Observedvalues (pijl , bin)/* Called in the above module */

{

obs_value [0] = 38

32

obs_value [1] = 124

obs_value [2] = 85

obs_value [3] = 103

obs_value [4] = 15

obs_value [5] = 0

returnobs_value

}

Goodness_Of_Fit (observed value, expected value)/* Called in the Fit_PoissonDistribution(

) module */

{

chi = chitest(observed value, expected value) = 0.14

return 1

}

Step 4:Call Severity( )

Severity( )

{

S111 = 44 x 4.75 + 0 = 394.25/* loss due to each transaction failure = 4.75 */

Similarly till /* Calculation for getting 4.75 is given in appendix and Lijl is

zero */

S11(365) = 35 x 4.75 + 0 = 166.25

go to Step 5

}

Step 5: Call Fit_LogNormalDistribution( )

33

mean = ( ln S111 + ln S112 +ln S113 +….+ ln S11(365) ) / 365 = 5.66

sigma = [ ( ln S111 - mean ) + ( ln S112 - mean ) +……+ ( ln S11(365) - mean ) ] / 365

= 0.34

max = 475

min = 142.5

bininterval = ROUND( (475 – 142.5 + 1) / 6 ) = 56

b[i] = [ 143, 199, 255, 311, 367, 423 ]

Expect_value[0] = 45

Expect_value[1] = 70

Expect_value[2] = 80

Expect_value[3] = 70

Expect_value[4] = 59

Expect_value[5] = 48

obs_value = go to Observedvalues (Sijl, b) = [55, 61, 77, 59, 54, 59]

fitLogNormal = go to Goodness_Of_Fit(obs_value, Expect_value) = 1

go to Step 6

}

Observedvalues (pijl , bin)

{

obs_value [0] = 55

obs_value [1] = 61

obs_value [2] = 77

34

obs_value [3] = 59

obs_value [4] = 54

obs_value [5] = 59

returnobs_value

}

Goodness_Of_Fit (observed value, expected value)

{

chi = chitest(observed value, expected value) = 0.15

return 1

}

Step 6:Call AggLoss1,1( )

AggLoss1,1( )

{

AggLoss[0] = AggLoss(5.07, 5.66, 0.34) = 1330

AggLoss[1] = AggLoss(5.07, 5.66, 0.34) = 2242

Similarly

AggLoss[9999] = AggLoss(5.07, 5.66, 0.34) = 2480

AggLoss1,1= percentile(AggLoss,0.999) = 3797.82/* OpVaR at 99.99 percentile */

}

AggLoss(λ, mean, sigma)

{

nLoss = PoisRV(5.10) = 5

aggLoss = 0

35

For x = 1 to 41

sumloss = sumloss + LogInv(Rand, 5.22, 0.15)

end for

AggLoss = sumloss

}

PoisRV(5.56)

{

m = exp( - 36.5) = 1.41E-16

prob = 1

a = 0

prob = prob * Rand = 0.0026

a = 6 // loop is executed 42 times

PoisRV = a – 1 = 5

}

4.4 Conclusion

The type/ cause matrix is used for measuring operational risk. Loss Distribution Approach

(LDA) approach is followed for computing operational risk in the algorithm. The proposed

algorithm used Poisson and Lognormal distributions for calculating frequency and severity of

losses. Monte-Carlo simulation is used for calculating aggregate loss. The OpVaR

(Operational Value at Risk) is taken as 99.9 percentile.

36

Chapter Five

Conclusion and Future Work

5.1 Conclusion

In the proposed algorithm for calculating operational loss capital, the transaction flow of

mobile banking is studied. In this report, transaction flow of IMPS and channels (SMS,

USSD, IVRS and WAP) are studied. Various types of transaction failures are identified from

the transaction flow. The associated causes for these transaction failure types are identified. A

type/ cause matrix is formed based on the types and causes of the transaction failures.

Loss Distribution Approach (LDA) is used in computing operational loss

capital. In this approach, the losses are classified as frequency of losses and severity of losses.

Frequency and severity are aggregated to get the Aggregate Loss.

In frequency of losses, the occurrence of each cause of failure is determined

for a period of one year. A Poisson distribution is plotted for the observed values. The

parameters of the distribution are determined using Maximum Likelihood estimation and the

Goodness of Fit is estimated using Chi-squared distribution.

In severity of losses, the daily capital loss due to transaction failures of each

type is identified. A lognormal distribution is plotted for the observed values. The parameters

of the distribution are determined using Maximum Likelihood estimation and the Goodness

of Fit is estimated using Chi-squared distribution.

For computing aggregate loss, Monte-Carlo simulation is used. The aggregate

loss of individual types is added to get the overall operational loss.

5.2 Future work

• The causes of failure need to be identified by taking real-time data from any bank or

NPCI.

• Operational risk mitigation measures have to be suggested by using real-time data.

37

References

• Basel Committee on Banking Supervision: Operational Risk, Consultative Document,

Bank for International Settlement, May 2001

(http://www.bis.org/publ/bcbsca07.pdf)

• Frachot, O. Moudoulaud and T. Roncalli, "Loss Distribution Approach in

Practice." The Basel Handbook: A Guide for Financial Practitioners. London: Risk

Books, December 2003.

• Nigel Da Costa Lewis. Operational Risk with Excel and VBA: Applied Statistical

Methods for Risk Management. New Jersey: John Wiley & Sons, Inc., 2004.

• Andreas A. Jobst, “Consistent Quantitative Operational Risk Measurement and

Regulation: Challenges of Model Specification, Data Collection, and Loss

Reporting,” Working Paper, Monetary and Capital Markets Department, International

Monetary Fund, November 2007.

• Bank Frontier Associates, “Managing the Risk of Mobile Banking,” Fin Mark Trust,

28 March 2008.

• Basel Committee on Banking Supervision: Results from the 2008 Loss Data

Collection Exercise for Operational Risk. Bank for International Settlement, July

2009.

(http://www.bis.org/publ/bcbs160a.htm)

• Mo Chaudhury, “A review of the key issues in operational risk capital modeling,” The

Journal of Operational Risk, Volume 5/Number 3, Fall 2010

• Basel Committee on Banking Supervision: Operational Risk – Supervisory Guidelines

for the Advanced Measurement Approaches, Bank for International Settlement, June

2011.

(http://www.bis.org/publ/bcbs184.htm)

• Vishal Goyal, Dr.U.S.Pandey, Sanjay Batra, “Mobile Banking in India:

Practices,Challenges and Security Issues,” International Journal of Advanced Trends

in Computer Science and Engineering, Volume 1/Number 2, June 2012.

• Vinod Kumar Gupta, RenuBagoria, Neha Bagoria, “Mobile Banking Services as

Adoption and Challenges: A Case of M-Banking in India (Positive and Negative

Impacts, Mobile Growth in India, Adaption Models and Mobile Technology),”

38

International Journal of Scientific and Research Publications, Volume 3/Issue 1,

January 2013.

• B Sambamurthy, Rahul Joshi et.al., “ Mobile Banking – Report of the Technical

Committee,” Reserve Bank of India, January 2014.

39

Appendix

Sample data for the above illustration

Loss per transaction failure for Issuing Bank

Charge per transaction to customer 5

NPCI charge 0.25

Refund from Acquiring bank 0

Refund from NPCI 0

Any Other costs(like repair costs, legal costs etc) 0

Net Loss to Issuing Bank 4.75

Days

Type 1

Number of times

Cause 1

occurred(d11l)

No. of transactions

failed due to Cause

1(n11l)

1 1 83

2 4 76

3 4 47

4 9 54

5 7 58

6 1 68

7 3 76

8 5 94

9 3 72

10 6 68

11 4 91

12 7 33

13 1 86

14 3 65

15 6 53

16 7 83

17 4 90

18 8 100

19 3 31

20 4 55

21 3 45

22 8 77

23 7 32

24 6 47

25 5 40

40

26 2 97

27 7 80

28 3 88

29 3 61

30 4 53

31 2 95

32 9 51

33 5 56

34 3 77

35 7 78

36 8 47

37 5 71

38 7 80

39 4 44

40 5 39

41 6 80

42 6 36

43 3 84

44 2 70

45 5 90

46 5 55

47 6 53

48 1 42

49 7 88

50 4 94

51 5 93

52 1 77

53 1 51

54 5 65

55 1 67

56 8 71

57 1 71

58 3 34

59 8 86

60 8 62

61 6 33

62 8 74

63 7 93

64 3 71

65 10 51

66 6 62

67 7 89

68 7 58

69 8 92

70 4 93

41

71 4 38

72 7 92

73 8 75

74 7 84

75 6 69

76 5 62

77 1 77

78 8 95

79 7 91

80 7 71

81 3 47

82 8 92

83 10 54

84 5 79

85 4 68

86 6 65

87 4 50

88 7 74

89 8 64

90 4 58

91 4 45

92 3 32

93 3 84

94 8 54

95 3 39

96 8 57

97 3 91

98 5 75

99 8 50

100 5 50

101 8 46

102 6 44

103 7 64

104 4 31

105 4 60

106 7 34

107 3 56

108 6 81

109 3 38

110 3 48

111 7 38

112 4 30

113 7 37

114 4 66

115 3 43

42

116 4 42

117 4 79

118 7 48

119 3 41

120 3 68

121 8 62

122 10 46

123 5 74

124 8 69

125 8 53

126 6 78

127 7 41

128 4 77

129 8 32

130 5 65

131 4 42

132 7 30

133 8 83

134 8 89

135 5 53

136 5 63

137 4 46

138 4 59

139 8 40

140 6 84

141 7 64

142 6 43

143 7 38

144 5 50

145 4 84

146 7 37

147 2 83

148 9 92

149 3 45

150 8 99

151 4 62

152 6 56

153 8 96

154 6 55

155 1 78

156 3 55

157 7 100

158 4 63

159 9 80

160 4 43

43

161 7 90

162 4 86

163 3 78

164 6 95

165 6 92

166 7 31

167 7 58

168 7 92

169 8 40

170 1 61

171 2 60

172 8 73

173 1 88

174 8 36

175 1 73

176 3 99

177 1 41

178 4 50

179 8 96

180 5 48

181 3 60

182 1 83

183 3 61

184 7 61

185 5 61

186 7 37

187 3 68

188 4 35

189 8 98

190 4 91

191 4 93

192 8 91

193 1 64

194 8 79

195 7 76

196 5 52

197 10 82

198 5 91

199 8 58

200 1 95

201 4 73

202 4 44

203 6 82

204 8 83

205 5 50

44

206 6 44

207 8 60

208 7 79

209 5 32

210 8 76

211 4 63

212 6 32

213 1 77

214 7 40

215 3 39

216 7 83

217 5 38

218 1 33

219 5 61

220 4 70

221 5 33

222 5 86

223 6 61

224 3 44

225 10 99

226 5 74

227 10 49

228 3 90

229 10 66

230 5 64

231 4 74

232 8 86

233 4 75

234 5 52

235 7 45

236 1 51

237 4 36

238 5 99

239 4 97

240 4 52

241 6 68

242 5 38

243 3 83

244 7 69

245 4 84

246 3 74

247 5 78

248 4 100

249 4 35

250 3 71

45

251 7 39

252 5 70

253 7 52

254 6 70

255 4 71

256 4 57

257 3 40

258 8 51

259 1 31

260 7 79

261 4 83

262 8 99

263 5 35

264 3 61

265 3 87

266 4 97

267 6 55

268 9 37

269 7 81

270 1 59

271 6 68

272 7 98

273 4 85

274 2 94

275 5 90

276 5 81

277 3 72

278 1 84

279 1 60

280 1 87

281 7 97

282 6 93

283 6 100

284 3 43

285 4 89

286 5 72

287 5 55

288 3 95

289 9 95

290 1 51

291 4 64

292 3 100

293 3 48

294 4 37

295 7 73

46

296 7 42

297 6 30

298 3 88

299 3 62

300 5 31

301 1 47

302 4 58

303 7 35

304 7 80

305 2 50

306 7 93

307 3 66

308 3 90

309 5 62

310 3 88

311 3 87

312 7 47

313 6 69

314 9 82

315 3 30

316 6 94

317 4 51

318 8 82

319 5 41

320 7 77

321 3 44

322 3 51

323 2 73

324 5 71

325 4 57

326 3 70

327 6 61

328 6 34

329 4 38

330 4 30

331 7 63

332 3 89

333 2 58

334 8 69

335 3 59

336 6 69

337 6 82

338 7 56

339 5 31

340 10 34

47

341 3 54

342 6 40

343 4 53

344 5 94

345 8 45

346 3 33

347 3 76

348 3 62

349 5 43

350 7 38

351 3 52

352 8 64

353 7 94

354 3 32

355 3 61

356 6 89

357 2 53

358 3 35

359 4 39

360 7 41

361 3 38

362 8 35

363 7 78

364 1 35

365 8 35

48