measuring operational risk in mobile bankingidrbt.ac.in/assets/alumni/pt-2014/surya...
TRANSCRIPT
MEASURING OPERATIONAL RISK IN MOBILE BANKING
A summer internship project report
submitted by
NERSU SURYA VENKATA ASHISH
011104144
in partial fulfillment of the requirement for the award of the degree of
MBA
DEPARTMENT OF MANAGEMENT STUDIES
July, 2014
Under the guidance of
Dr. V.N. SASTRY
to
INSTITUTE FOR DEVELOPMENT AND RESEARCH IN BANKING TECHNOLOGY
Road No.1, Castle Hills, Masab Tank
Hyderabad – 500 057.
July 18, 2014
PROJECT COMPLETION CERTIFICATE
Name of the Student: Nersu Surya Venkata Ashish
Roll Number: MS13A037
Project Period: 22 May 2014 – 18 July 2014
Project Title: Measuring Operational Risk In Mobile Banking
This is to certify that Mr. NERSU SURYA VENKATA ASHISH, a final year student of
MBA in Department of Management Studies, IIT Madras has successfully completed his
summer internship projectwork under my supervision.
The student has submitted the final report.
Name: V.N. Sastry
Designation: Professor
Organization:
Institute for Development and Research in Banking Technology
Road No.1, Castle Hills, Masab Tank
Hyderabad – 500 057, Telangana.
DECLARATION
I NERSU SURYA VENKATA ASHISH hereby declare that this project paper
entitled “MEASURING OPERATIONAL RISK IN MOBILE BANKING” submitted by
me under the guidance and supervision of Dr. V. N. Sastry, Professor, IDRBT, is a
bonafide work. I also declare that it has not been submitted previously in part or in full to
this University or other University or Institution for the award of any degree or diploma.
Date: Name: NERSU SURYA VENKATA ASHISH
Roll. No. MS13A037
Signature of the Student:
Acknowledgements
First and foremost I would like to thank my guide Dr. V.N. Sastry, who guided me throughout
the project. He gave this project to me based on my background and area of interest. He was
very much approachable to students. His ideas helped me in completing this project
successfully.
I would like to thank Placecom team, DOMS, IIT Madras for helping me to get my
internship in IDRBT.
I would thank my teachers in IIT Madras, for the knowledge I gained in the last one
year.
Finally I would like to thank my parents for their unconditional love and affection,
which is a great source of strength.
Nersu Surya Venkata Ashish
ABSTRACT:
Mobile banking usage in India is growing exponentially. Most of the banks are providing
mobile banking. So there is a need for banks providing mobile banking to measure the
operational loss occurring in their mobile banking portfolio for risk management purposes,
for regulatory compliances and also for risk mitigation purposes.
There are studies about how to measure operational risk but none of them
specifically addressed mobile banking. In this report, granular details of mobile banking are
considered to compute operational risk. The various types of transaction failures in
Immediate Payment Service (IMPS) and different channels (SMS, USSD and WAP) are
considered and an algorithm is proposed to compute the operational risk.
Table of Contents
Notations
1. Introduction ………………………………………………………………….1
1.1. Background…………………………………………………………….…1
1.2. Motivation…………………………………………………...……………1
1.3. Objectives……………………………………………...……………….…1
1.4. Mobile Banking…………………………………..………………….……2
1.4.1. IMPS…………………………………………………………….…2
1.4.2. Types of Transaction Failures in IMPS………...……………….....4
1.5. Operational Risk……………………………………………………….….6
1.5.1. Loss Distribution Approach………………………………….….....6
1.6. Thesis Organization……………………………………………............…..9
1.7. Conclusion……………………..………………………………………......9
2. Literature Survey……………………………...…………….......……….......10
3. Channel – wise risks……………………………………………..………..…..12
3.1. SMS Based Mobile Banking…………………………………...……….....12
3.1.1. Transaction flow for SMS Based Banking………………….…..…13
3.1.2. Transaction failure types in SMS channel……………………....….13
3.2. USSD Based Mobile Banking…………………………...……….……….14
3.2.1. Transaction flow for USSD Based Banking…………….…..….....14
3.2.2. Transaction failure types in USSD channel……….......………..…15
3.3. IVRS Based Mobile Banking………………………………....………..….15
3.3.1. Transaction flow for IVRS Based Banking………….……..……...15
3.3.2. Transaction failure types in IVRS channel….…….......……………16
3.4. WAP Based Mobile Banking………………………………....………..…..16
3.4.1. Transaction flow for WAP Based Banking………….……..……....16
3.4.2. Transaction failure types in WAP channel….…….......………….…16
3.5. Conclusion...………………………………………………….……...….….17
4. Algorithm for measuring Operational Risk…………………………....….…18
4.1. Notations……………….……………………………….........……....….…18
4.2. Algorithm…………………………………………….....……………….…20
4.3. Illustration………………………………………………………………....28
4.4. Conclusion………………………………………………………...….……35
5. Conclusion and Future work……………...……….…………………....……36
5.1. Conclusion………………………………..……….…………………….…36
5.2. Future work………………………………………….………….……...…..36
References…………….……………………………………….………….....….37
Appendix……………………………………………………………………..…38
Notations
CBS – Core Banking System
IMPS – Immediate Payment Service
IVRS – Interactive Voice Response System
LDA – Loss Distribution Approach
MLE - Maximum Likelihood Estimation
NPCI – National Payments Corporation of India
P2M – Person to Merchant
P2P – Person to Person
SMS – Short Message Service
USSD – Unstructured Supplementary Service Data
WAP – Wireless Access Protocol
1
Chapter 1: Introduction
This chapter gives an introduction about mobile banking in India, the transaction flow of
Immediate Payment Service (IMPS) and various types of transaction failures that can occur
in IMPS transactions. An introduction about how to measure operational risk is also given in
the chapter.
1.1 Background
Mobile phones are transforming the lives of people in India. India has the second largest
mobile phone user base in the world. More people own a mobile than a PC. This provides a
huge opportunity for banks to use it as an alternate channel for revenue. More banks are
offering mobile banking services to their customers. Immediate Payment Service (IMPS)
provides an easy way for an instant money transfer. The total amount of transactions done
through IMPS as of May 2014 is Rs. 25 billion (Source: NPCI website). Mobile banking is
provided through different channels like SMS, USSD, mobile applications.
1.2 Motivation
Operational Risk has to be computed by banks for risk management purposes as well as to
meet regulatory compliances. Under Advanced measurement approach, banks are allowed to
develop their own approach to measure operational risk capital provided they meet the
considerations specified by the regulatory authorities.
There are ways to measure operational risk capital, but there are no studies
about measuring operational risk in particular to mobile banking. This gave the motivation to
study mobile banking at a granular level, identify various types of transaction failures and
propose an algorithm to measure operational risk capital for the identified types.
1.3 Objectives
The objectives of the project report are to:
• Identify various types of transaction failures in IMPS transactions
• Propose an algorithm to measure operational loss capital based on the types.
• Identify various types of transaction failures based on the channels (like SMS based,
USSD based, mobile application based).
2
1.4 Mobile Banking
Mobile Banking isdoing financial transactions through mobile devices.Mobile banking
contains two sectors: financial sector (Banks, NPCI) and Telecom Sector (Mobile Network
Operators). In India, Immediate Payment Service (IMPS) facilitated real time fund transfer
through mobile devices.
1.4.1 Immediate Payment Service (IMPS)
Immediate Payment Service (IMPS) provides an instant, 24*7 fund transfer.IMPS is operated
by NPCI.
IMPS services are:
• Fund transfer fromPerson to Merchant (P2M)
• Fund transfer fromPerson to Person (P2P)
• IMPS fund transfer through Account number/ IFSC
(Source – NPCI website)
In this report, P2M transactions are explored in detail, and various types of transaction
failuresare identified. The transaction failures for other types are also similar.
IMPS Person to Merchant (P2M) transactions are of two types:
• P2M PUSH
• P2M PULL
3
Transaction flow for P2M PUSH:
1) Customer enters merchant MMID, merchant mobile number, payment reference,
amount and M-PIN either in his mobile application or through SMS.
2) Issuing Bank validates the customer account and debits his account.
3) Issuing Bank sends the information to NPCI.
4) NPCI identifies the acquiring bank through merchant MMID and mobile number and
forwards the information to acquiring bank.
5) Acquiring Bank identifies merchant account number through MMID and mobile
number.
6) Acquiring sends the payment reference and amount to merchant.
7) Merchant verifies payment reference and amount and sends acknowledgement to
acquiring bank.
8) Acquiring Bank credits merchant account and sends SMS to merchant mobile.
9) Acquiring Bank then sends the response to NPCI.
10) NPCI forwards the response to Issuing Bank.
11) Issuing Banks sends confirmation to customer through SMS.
12) Acquiring bank updates merchant back-end system.
4
Transaction flow for P2M PULL:
1) Customer enters his mobile number, MMID, amount and OTP in merchant
application. OTP is generated in customer mobile through SMS or mobile application.
2) Acquiring bank validates the merchant details through merchant MMID and mobile
number and forwards the information entered by customer to NPCI.
3) NPCI identifies the issuing bank through customer MMID and customer mobile
number and sends the information to Issuing Bank.
4) Issuing Bank identifies the customer account through customer MMID, customer
mobile number and OTP. The customer account is debited.
5) Issuing Bank sends the response to NPCI.
6) NPCI sends the response to acquiring bank.
7) Acquiring Bank credits the merchant account and sends response to merchant
application.
1.4.2 Types of Transaction failures in P2M PUSH:
Type 1: Acquiring Bank is not able to send payment reference to merchant.
Type 2: Merchant is not able to acknowledge the payment reference sent by acquiring bank.
Type 3: Errors from customer like errors in payment reference and amount, merchant MMID,
merchant mobile number, account validation, using P2M form for P2P transaction, using P2P
form for P2M transaction.
5
Time out scenarios
Type 4: Time out during debit between Issuing bank and its CBS.
Type 5: Time out after debit between NPCI and Acquiring Bank.
Type 6: Time out after debit between Acquiring Bank and its CBS.
Types of Transaction failures in P2M PULL:
Type 7: Rejection at Issuing Bank.
Type 8: Rejection at NPCI.
Communication failures
Type 9: Acquiring Bank is unable to forward to NPCI.
Type 10: NPCI is unable to forward to Issuing Bank.
Type 11: Issuing Bank is unable to forward to its CBS.
Type 12: Issuing Bank CBS is unable to respond to Issuing Bank.
Type 13: Issuing Bank is unable to respond to NPCI.
Type 14: NPCI is unable to respond to Acquiring Bank.
Type 15: Acquiring Bank is unable forward response to its CBS.
Type 16: Acquiring Bank CBS is does not respond to Acquiring Bank.
Type 17: Acquiring Bank is unable to respond to merchant.
Note: The above types of transaction failures can be due to causes like server not
responding, server overloading etc.
6
1.5 Operational Risk
Operational Risk is defined as "the risk of direct or indirect loss resulting from inadequate
orfailed internal processes, people and systems or from external events".(Source: BCBS
Consultative Document Operational Risk)
There are 3 approaches for measuring Operational risk Capital
1) Basic Indicator Approach (BIA)
2) Standardised Approach
3) Advanced Measurement Approach
Basic Indicator Approach (BIA): Operational risk capital that a bank must hold is equal to
15% of its average gross income of past three years.
Standardised Approach (SA): Bank’s operations are divided into eight business lines
(Corporate finance, Trading and sales, Retail banking, Commercial banking, Payment and
settlement, Agency services, Asset Management, Retail Brokerage). For each business line,
operational risk capital is a fixed percentage (called beta factor) of the average gross income
of past three years.
Advanced Measurement Approach (AMA): Banks are allowed to develop their own model.
The estimates must include internal loss data, external loss data, scenario analysis and
Business environment / internal control factor data.
Loss Distribution is a model to compute operational risk capital. This comes under AMA
approach.
1.5.1 Loss Distribution Approach (LDA):
Loss Distribution Approach (LDA) involves computing frequency of loss and severity of loss
and aggregating both of them to get total loss.
Frequency of loss:
Frequency of loss is the occurrence of each cause of the transaction failure type during a
period of one year.
To this data, a distribution like Poisson or Negative binomial is fitted.
The probability density function of a Poisson distribution is
7
where� ≥ 0 and λ> 0.
λcan be estimated using Maximum Likelihood Estimation (MLE). The maximum likelihood
estimator of λ is
�� = ∑ i/ n
wherexi is the observations used to compute frequency.
The Goodness of fit is computed using Chi-squared test. The Chi test statistic is given by
whereOi is the observered values and Eiis the expected values computed by the distribution.
These values are divided into n bins for computing. If the Chi test statistic is less than 5%
than the distribution is a bad fit.
Severity of loss:
Severity of loss is the impact of each cause on the loss due to transaction failures.
To the severity data, a distribution like lognormal or generalized pareto or weibull is fitted.
The probability density function of a Lognormal distribution is given by
8
µ is the mean and σ is the standard deviation.
The parameters µ and σare computed using Maximum Likelihood estimation and is given
below
The Goodness of fit is computed using Chi-squared test.
Aggregate Loss:
Aggregate Loss Distribution is computed by combining frequency of loss and severity of
loss. Monte Carlo simulation can be used to compute Aggregate Loss. In Monte Carlo
simulation, the frequency and severity are simulated from their distributions and
corresponding aggregate loss is estimated. This method is repeated like times (say 10000) to
get the empirical distribution.
The Operational value at risk (OpVaR) is computed at 99.9 percentile of the
aggregate loss distribution.
9
1.6 Thesis Organization:
Chapter 1 deals with the introduction to mobile banking and operational risk. It provides an
insight about mobile banking in India. It gives the transaction flow of IMPS. It identifies
various types of transaction failures that can occur in IMPS transactions. It also provides an
introduction about operational risk and various approaches to compute operational risk
capital. It details about Loss Distribution Approach which is used in this paper.
Chapter 2 deals with the literature survey in the development of operational risk and mobile
banking in India. It discusses some methods that can be used to measure operational risk. It
gives the regulatory compliances that need to be met. It also gives the risks and issues in
mobile banking.
Chapter 3 details the proposed algorithm to measure operational risk. It also gives an
illustration of the proposed algorithm.
Chapter 4 discusses various channels for mobile banking. The transaction flow of the
customer requests in the channels. It identifies the types of transaction failures that can occur
in these channels.
Chapter 5 presents the conclusion to the paper and provides the scope for future work in this
area.
1.7 Conclusion
To compute operational risk in mobile banking, the mobile banking transaction flow is to be
studied and various types of transaction failures are to be identified. Operational risk for the
identified types is computed using LDA approach.
10
Chapter 2: Literature Survey
This chapter gives the details of some of the works of measuring operational risk and mobile
banking.
[Operational Risk – Consultative Document, BCBS, 2001] discussed the three approaches for
measuring Operational Risk Capital namely, Basic Indicator Approach, Standardised
Approach and Internal Measurement Approach. In Internal Measurement Approach the
document suggested Loss Distribution Approach for measuring operational risk capital.
[Operational Risk – Supervisory guidelines by BCBS, June 2011] expected that AMA
method for calculating Operational loss to include four elements: internal loss data, external
data, scenario analysis and business environment and control factors (BECIFS).
[Marcelo Cruz, Rodney Coleman et al, 1998] proposed a method, similar to market risk and
credit risk, to measure operational risk using Extreme value theory [EVT] and determine
appropriate level of operational risk capital. This method is only for extreme events and
focussed on the tail of the distributions. This method modelled the database of a large British
bank.
[QIS 2 – Operational Risk Loss Data, 2001] has the appropriate form for the collection of
Operational loss data for banks. This was the survey organized by the BIS. Losses are
classified into 8 business line x 7 loss event categories matrix.
[A.Frachot et al, 2001] discussed loss distribution approach [LDA] for calculating operational
risk capital. The method used Value at Risk to arrive at the operational risk capital. The paper
discussed about computing frequency of loss, severity of loss and aggregate loss.
[Suhas Desai, 2011] discussed various security risks in USSD channel and proposed a four
phased approach for mitigating security risk.
[HYLMUN IZHAR, 2012] proposed a method to calculate High Frequency – Low Severity
(HF-LS) and Low Frequency – High Severity (LF-HS) types of operational risks. This paper
used Delta-Gamma Sensitivity analysis to measure HF-LS and EVT for LF-HS.
[Alexander Johenmark, 2012] studied different methods used for calculating the operational
risk capital that satisfy AMA requirements. The study suggested that Poisson distribution
fitted well for frequency, log-normal and generalized pareto fitted well for severity of loss.
11
[Vishal Goyal et al, June 2012] reviewed the current operating practices of m-banking in
India. The paper classified challenges of m-banking into economic, regulatory, rupee
transactions, existing account holders and demographic challenges. The paper outlined the
transactions model in India. This paper discussed various security issues faced in WAP and
SMS based mobile banking.
[IMPS Merchant Payments, 2012] discussed IMPS P2M (Person to Merchant) Push and P2M
Pull. It also discussed the types of transaction failures that occurred in P2M Push and P2M
Pull.
[Dr. Vinod Kumar Gupta et al, January 2013] identified the factors that influence mobile
banking adoption. The paper detailed the architecture of mobile banking channels like SMS,
WAP. The positive and negative impacts of mobile banking in Indian context are explained
by the paper.
[Mobile Banking, RBI, 2014] outlined Mobile Banking in India. It discussed about the
channels of Mobile banking (SMS, USSD, Application based), architecture, risks and issues
associated with them.
Conclusion:
Mobile banking adoption is growing in India and so it is important to measure Operational
risk associated with it. There are studies about how to measure operational risk but nothing
related to measuring operational risk in specific to Mobile banking. This paper aims to
measure operational risk in mobile banking.
12
Chapter 3: Channel-wise Risks
Mobile Banking in India is offered through various channels like SMS, USSD, GPRS etc.
While SMS channel is available to all the mobile device users, the channel is not very secure
as there is no end-to-end encryption. So there are limits to the amount that can be transferred.
USSD channel is menu-driven, session-oriented and interactive. This is not available to
CDMA users. There is no additional security other than the security available for GSM
channel. IVRS is also menu-driven, session-oriented and interactive. Service is offered in
multiple languages, voice prompts and numeric inputs by the customer. This channel is also
not end-to-end encrypted. WAP can be accessed by most of the customers but requires active
data connection.
3.1 SMS Based Mobile Banking
SMS is widely used channel and can be used in all mobile phones. Customers can avail SMS
banking services by sending a request with keyword, short code or long code. For example,
for Balance enquiry customers can send an SMS like BAL to the short code or the long code
specified by the bank.
Some of the limitations to SMS banking are customers need to know the
correct syntax, not end-to-end encrypted, transaction limit of Rs. 5000 set by RBI. Also SMS
remains as plain text in ‘Sent Items’, so if the mobile custody is with someone else there is a
loss of confidential information.
To reduce the above risks, Sim Tool Kit (STK) application on the SIM
provided by the operator is proposed. This application is interactive, menu-driven, user-
friendly. STK encrypts the SMS before sending.
13
3.1.1 Tranaction flow for SMS Based Banking
The SMS based services are hosted on SMS gateway. The SMS gateway connects to the SMS
centre of the Mobile Service Provider.
3.1.2 Transaction failure types in SMS channel
• Failures between Mobile Service Centre and SMS Centre
• Failures between SMS Centre and SMS Gateway
• Failures between SMS Gateway and Internet
• Failures between Internet and Bank
14
3.2USSD Based Mobile Banking
USSD services are real time, session-oriented and menu driven. It allows two way interaction
of data. For using USSD services, Dial *99# for using USSD services. It asks for MMID
number. After authenticating, it shows a menu of options like IMPS, Enquiry, Change mpin,
mobile top up etc. USSD works on all GSM mobile devices. It is more secure than SMS
channel and enables transactions in local languages.
The common USSD Gateway is proposed by NPCI. This enabled banks to
overcome the challenges of tying up with each Mobile Network Provider separately.
3.2.1 Tranaction flow for USSD Based Banking
Customer dials *99# in his mobile. The customer then enters his MMID in the prompt
obtained. NPCI forwards to the respective bank based on the MMID. Customer gets a menu
of options from the banking services of the bank. Customer responds appropriately and
completes the transaction.
15
3.2.2 Transaction failure types in USSD channel
• Failures between Mobile Service Centre and Telco USSD Gateway
• Failures between Telco USSD Gateway and NPCI USSD Gateway
• Failures between NPCI USSD Gateway and Internet
• Failures between Internet and Bank
3.3IVRS Based Mobile Banking
Interactive Voice Response System (IVRS) involves customers call to the IVR number. The
customers are greeted by the stored electronic message and it is followed by a menu of
options. Customers respond by pressing appropriate keys based on their requirements.
3.3.1 Tranaction flow for IVRS Based Banking
The IVRS Gateway is the access point between the Mobile Service Centre and NPCI.
16
3.4.2 Transaction failure types in IVRS channel
• Failures between Mobile Service Centre and IVRS Gateway
• Failures between IVRS Gateway and NPCI
• Failures between NPCI and Bank
3.4WAP Based Mobile Banking
WAP bridges the gap between mobile and internet. A WAP site is maintained by banks and
customers access this site through WAP compatible browser on their mobiles. Customer can
have anytime, anywhere access to a more secure channel.
3.4.1 Tranaction flow for WAP Based Banking
The Bank site is accessed through WAP Gateway by the mobile users for carrying out
transactions. The WAP Gateway is the access point from the mobile network to the Internet.
The WAP server stores the forms that are displayed in the displayed in the mobile.
3.4.2 Transaction failure types in WAP channel
• Failures between Mobile Service Centre and WAP Gateway
• Failures between WAP Gateway and Internet
• Failures between Internet and WAP Server
17
3.5 Conclusion
Mobile Banking is done through various channels like SMS, USSD, WAP etc. In the
transaction flow, a Gateway connects Mobile Service Centre to the Internet and which is
connected to the Bank. The transaction failure occurs if the connection fails between any two
entities due to any cause.
18
Chapter 4: Algorithm for measuring Operational
Risk
Here an algorithm is proposed to compute operational risk in mobile banking. The algorithm
uses a type/cause matrix. A transaction failure type is due to many causes like server not
responding, server over loading.
This algorithm used Poisson distribution for frequency and Lognormal for severity. More
distributions like Negative Binomial for frequency and Weibull for severity can also be used
depending on which ever is the better fit.
4.1 Notations
m: number of types of transaction failures
Ti :ith
type of transaction failurewhere i∈ {1,2,3….m}
Ci : number of causes for transaction failure of type Ti.
Cij:jth
cause of ith
type of transaction failure where j ∈ {1,2, …,Ci}
n :Total number of Causes identified
l denotes the day in the year. l∈ {1,2,3,….,365}
aij= �1, ���������ℎ����������������������, �0, ��ℎ������ �, ∀i = 1 to m and j =
1 to n.
dijl : number of times cause Cij occurred on lth
day of the year.
nijl : the number of transactions failed due to cause j and lthday of the year.
Lijl:cost of any other losses (in Rs.)like repair costs, incurring due to cause
Ci,j.
C : loss due to each transaction failure
19
Sijl : severity of loss for type Tiand cause Ci,j.
ALi,jdenote the Aggregate loss of Cause Ci,j.
AL= ∑!"i,j,∀ i = 1 to m and j = 1 to n
The algorithm uses a type/cause matrix like the one shown below
For example,
Cause
Type
Cause 1 Cause 2 ………………… Cause n
Type 1 0 0 0
Type 2 1 1 1
Type 3 1 0 0
Type 4 0 0 0
.
.
.
Type m 1 0 1
If a type is caused by a particular cause a value of ‘1’ is assigned to the corresponding cell.
The data is inputted as shown below for each Cause Cij.
Days
Type Ti
Number of times Cause Cij occurred (dijl)
Number of
transactions failed due to Cause Cij
(nijl)
Other costs like repair costs (Lijl)
Day 1
Day 2
Day 3
Day 4
Day 5
Day 6
20
Objectives:To compute Operational Loss Capital for all the Types of Transaction failures.
Assumptions:
1)The Type/Cause matrix shown above is constructed which is helpful while giving input.
2) The data for dijl , nijl and Lijl is already known and they needed to be given as input.
3) Poisson and Lognormal distributions gives a good fit to the given data. If not other
distributions can be used by the model to compute remains same.
4.2 Algorithm
Step 1: Call Initialization( )
/*Upon calling the Initialization module the algorithm takes all the required inputs
and initializes the algorithm */
Step 2:Call TypeCauseMatrix( )
/* Check if type Ti can be caused by cause Ci,j and if yesproceed to Step 3 */
Step 3:Call Fit_PoissonDistribution( )
/*For computing Frequency of losses. Upon calling the above function it fits the
Poisson distribution for frequency using Maximum Likelihood Estimation (MLE) and checks
the Goodness of fit using Chi-Squared test */
Step 4:Call Severity( )
/*For computing Severity of loss based on the daily transaction failures */
Step 5:Call Fit_LogNormalDistribution( )
/*Fits a Lognormal distribution for severityusing Maximum Likelihood Estimation
(MLE) and checks the Goodness of fit using Chi-Squared test */
Step 6:Call AggLossi,j( )
21
/*Calculate Aggregate Loss for Type T1 and Cause C1,1 using Monte-Carlo Simulation */
Step 7:AggregateLoss = AggregateLoss + AggLossi,j
/*For computing Total Aggregate loss due to all the types and causes */
Module 1:
Initialization( )
{
m = input( ) /* give the input value of m*/
n = input( ) /* give the input value of n*/
fori =1 to m /* for all types*/
for j = 1 to n /* for all causes */
aij = input( )/* give the input value of aij */
end for
end for
fori =1 to m /* for all types*/
for j = 1 to n /* for all causes */
for l = 1 to 365 /* for all days in the year */
dijl = input( )/* give the input value of dijl*/
nijl = input( ) /* give the input value of nijl */
Lijl = input( ) /* give the input value of Lijl*/end for
end for
end for
end for
22
go to Step 2
}
Module 2:
TypeCauseMatrix( )
{
fori =1 to m /* for all types*/
for j = 1 to n /* for all causes */
if aij = 1 /*if type i is due to the cause j*/
go to Step 3
end for
end for
}
Module 3:
Fit_PoissonDistribution( )
{
λ = 0
max = 0
for l = 1 to 365
λ = dijl / 365 /* Max Likelihood Estimation of λ*/
end for
for l = 1 to 365
if dijl >max
max = dijl /* max value*/
23
end if
if dijl < min
min = dijl
end if
end for
bininterval = round { (max – min +1)/6 } /* bin interval value is rounded*/
b[x] = [min, min + bininterval, …….., min + 5 x bininterval] /* bin range*/
for x = 1 to 5
Expect_value[x-1] = ROUND ( 365 *( poisson.dist(b[x] , λ) - poisson.dist(b[x-1], λ)
) ) /* Expected Values using in-built Poisson distribution function of the software used*/
end for
Expect_value[5] = ROUND ( 1 - poisson.dist(b[5]-1 , λ))
obs_value = go to Observedvalues (dijl,b)/* calling Observedvalues module and giving inputs
dijl and bin values b which is [ b[0], b[1], b[2], b[3], b[4],b[5] ] */
fitPoisson = go to Goodness_Of_Fit(obs_value, Expect_value)
go to Step 4
}
Module 4:
Observedvalues (pijl , bin)/*pijltakes the values sent with in the
arguments when calling it and bin contains bin values sent*/
for l = 1 to 365
switch ( xijl) /* observed values*/
24
Case 1 (xijl<b[1])
obs_value [0] = obs_value [0] +1
Case 2 (b[1] < = xijl< b[2])
obs_value [1] = obs_value [1] +1
Case 3 (b[2] < = xijl< b[3])
obs_value [2] = obs_value [2] +1
Case 4 (b[3] < = xijl< b[4])
obs_value [3] = obs_value [3] +1
Case 5 (b[4] < = xijl< b[5])
obs_value [4] = obs_value [4] +1
Case 6
obs_value [5] = obs_value [5] +1
end for
returnobs_value/* returns the array of values of obs_value*/
}
Module 5:
Goodness_Of_Fit (observed value, expected value)
{
chi = chitest(observed value, expected value) /* in-built function for chi-test statistic*/
if chi < .05
return 0 /* return bad fit*/
end if
25
ifchitest> .05
return 1 /* return good fit */
end if
}
Module 6:
Severity( )
{
for l = 1 to 365 /* for all days in a year*/
Sijl = nijl x c + Lijl /* Severity of loss*/
end for
go to Step 5
}
Module 7:
Fit_LogNormalDistribution( )
{
mean = 0
sigma = 0
max = 0
min = 0
for l = 1 to 365
mean = mean + (ln Sijl ) / 365 /* MLE for mean*/
26
end for
for l = 1 to 365
sigma = sigma + ( ln Sijl - mean ) / 365 /* MLE for sigma*/
end for
for l = 1 to 365
if Sijl >max
max = Sijl /* max value */
end if
if Sijl != 0
if Sijl < min
min = Sijl /* Take a min value other than zero*/
end if
end if
end for
bininterval = ROUND ( (max – min +1)/6 ) /* Rounded value of Bin interval*/
b[i] = [min, min + bininterval, …….., min + 5 x bininterval] /* bin range*/
for x = 1 to 5
Expect_value[x-1] = ROUND ( 365 *( lognorm.dist(b[i] – 1, mean, sigma) -
poisson.dist(b[i-1], mean, sigma) ) ) /* Expected Values */
end for
27
Expect_value[5] = ROUND ( 1 - lognorm.dist (b[5]-1 , mean, sigma) )
obs_value = go to Observedvalues (Sijl, b)
fitLogNormal = go to Goodness_Of_Fit(obs_value, Expect_value)
go to Step 6
}
Module 8:
AggLossi,j( )
{
for simulation = 0 to 9999 // simulation 10000 times
AggLoss[x] = AggLoss(λ, mean, sigma)
end for
AggLossi,j= percentile(AggLoss,0.999) /* Operational Value at Risk */
go to Step 7
}
Module 9:
AggLoss(λ, mean, sigma)
{
nLoss = PoisRV(λ)
aggLoss = 0
For x = 1 to nLoss
sumLoss = sumLoss + LogInv(Rand, mu, sigma)
end for
AggLoss = sumLoss
28
}
Module 10:
PoisRV(λ)
{
m = exp( - λ)
prob = 1
a = 0
Do while prob> = m
prob = prob * Rand
a = a + 1
Loop
PoisRV = a – 1
}
4.3 Illustration:
For the purpose of illustration, consider the below types of IMPS P2M PUSH mentioned in
Chapter 1.
Type 1: Acquiring Bank is not able to send payment reference to merchant.
Type 2: Time out during debit between Issuing bank and its CBS.
Consider the below causes
Cause 1: Server overloading at merchant.
Cause 2: Disk failure at merchant.
Cause 3: Merchant transaction logs filled up
29
Cause 4: System crash at Issuing Bank CBS
Cause 5: Issuing Bank transaction logs got corrupt
This type of failure can be caused due to causes or errors like server overloading at merchant,
system crash at merchant, disk failure at merchant, merchant not responding.
Cause
Type
Cause 1 Cause 2 Cause 3 Cause 4 Cause 2
Type 1 1 1 1 0 0
Type 2 0 0 1 1 1
Illustration is done for Type 1 and Cause 1 for the purpose of ease.
Step 1: Call Initialization( )/* Calls the Initialization( ) as shown below */
Initialization( )
{
m = input( ) = 2
n = input( ) = 5/* give the input value of n*/
a11 =1
a12 = 1
a13 = 1
a14 = 1
Similarly till a25 = 1
d111 = 1
d112 = 2
Similarly till d11(365) = 8/* Data is given in Appendix. Data is givenonly for Cause C11*/
n111 = 83
n112 = 76
30
Similarly till L11(365) = 35
L111 = 0
L112 = 0 /* Other costs is zero */
Similarly till L11(365) = 0
}
Step 2:Call TypeCauseMatrix( )
TypeCauseMatrix( )
{
a11 =1
go to Step 3 /* From Step 3, illustration is done only for a11 =1. For others it is similar
*/
a12 =1
go to Step 3
a13 =1
go to Step 3
a14 =0
go to Step 3
a15 =0
Similarly till a25 =0
}
Step 3:Call Fit_PoissonDistribution( )
Fit_PoissonDistribution()
{
31
λ = 0
max = 0
λ = 5.07/* λ remains same throughout the program till it gets over ridden */
max = 10
min = 1
bininterval = round{ (10 – 1 +1)/6} = 2
b[i] = [1, 3, 5, 7, 9, 11] // bin range
Expect_value[0] = 44
Expect_value[1] = 122
Expect_value[2] = 100
Expect_value[3] = 94
Expect_value[4] = 10
Expect_value[5] = 2
obs_value = go to Observedvalues (dijl, b)= [38, 124, 85, 103, 15, 0] /* Observedvalues (dijl,
b) is shown below this module */
fitPoisson = go to Goodness_Of_Fit(obs_value, Expect_value) = 1
go to Step 4
}
Observedvalues (pijl , bin)/* Called in the above module */
{
obs_value [0] = 38
32
obs_value [1] = 124
obs_value [2] = 85
obs_value [3] = 103
obs_value [4] = 15
obs_value [5] = 0
returnobs_value
}
Goodness_Of_Fit (observed value, expected value)/* Called in the Fit_PoissonDistribution(
) module */
{
chi = chitest(observed value, expected value) = 0.14
return 1
}
Step 4:Call Severity( )
Severity( )
{
S111 = 44 x 4.75 + 0 = 394.25/* loss due to each transaction failure = 4.75 */
Similarly till /* Calculation for getting 4.75 is given in appendix and Lijl is
zero */
S11(365) = 35 x 4.75 + 0 = 166.25
go to Step 5
}
Step 5: Call Fit_LogNormalDistribution( )
33
mean = ( ln S111 + ln S112 +ln S113 +….+ ln S11(365) ) / 365 = 5.66
sigma = [ ( ln S111 - mean ) + ( ln S112 - mean ) +……+ ( ln S11(365) - mean ) ] / 365
= 0.34
max = 475
min = 142.5
bininterval = ROUND( (475 – 142.5 + 1) / 6 ) = 56
b[i] = [ 143, 199, 255, 311, 367, 423 ]
Expect_value[0] = 45
Expect_value[1] = 70
Expect_value[2] = 80
Expect_value[3] = 70
Expect_value[4] = 59
Expect_value[5] = 48
obs_value = go to Observedvalues (Sijl, b) = [55, 61, 77, 59, 54, 59]
fitLogNormal = go to Goodness_Of_Fit(obs_value, Expect_value) = 1
go to Step 6
}
Observedvalues (pijl , bin)
{
obs_value [0] = 55
obs_value [1] = 61
obs_value [2] = 77
34
obs_value [3] = 59
obs_value [4] = 54
obs_value [5] = 59
returnobs_value
}
Goodness_Of_Fit (observed value, expected value)
{
chi = chitest(observed value, expected value) = 0.15
return 1
}
Step 6:Call AggLoss1,1( )
AggLoss1,1( )
{
AggLoss[0] = AggLoss(5.07, 5.66, 0.34) = 1330
AggLoss[1] = AggLoss(5.07, 5.66, 0.34) = 2242
Similarly
AggLoss[9999] = AggLoss(5.07, 5.66, 0.34) = 2480
AggLoss1,1= percentile(AggLoss,0.999) = 3797.82/* OpVaR at 99.99 percentile */
}
AggLoss(λ, mean, sigma)
{
nLoss = PoisRV(5.10) = 5
aggLoss = 0
35
For x = 1 to 41
sumloss = sumloss + LogInv(Rand, 5.22, 0.15)
end for
AggLoss = sumloss
}
PoisRV(5.56)
{
m = exp( - 36.5) = 1.41E-16
prob = 1
a = 0
prob = prob * Rand = 0.0026
a = 6 // loop is executed 42 times
PoisRV = a – 1 = 5
}
4.4 Conclusion
The type/ cause matrix is used for measuring operational risk. Loss Distribution Approach
(LDA) approach is followed for computing operational risk in the algorithm. The proposed
algorithm used Poisson and Lognormal distributions for calculating frequency and severity of
losses. Monte-Carlo simulation is used for calculating aggregate loss. The OpVaR
(Operational Value at Risk) is taken as 99.9 percentile.
36
Chapter Five
Conclusion and Future Work
5.1 Conclusion
In the proposed algorithm for calculating operational loss capital, the transaction flow of
mobile banking is studied. In this report, transaction flow of IMPS and channels (SMS,
USSD, IVRS and WAP) are studied. Various types of transaction failures are identified from
the transaction flow. The associated causes for these transaction failure types are identified. A
type/ cause matrix is formed based on the types and causes of the transaction failures.
Loss Distribution Approach (LDA) is used in computing operational loss
capital. In this approach, the losses are classified as frequency of losses and severity of losses.
Frequency and severity are aggregated to get the Aggregate Loss.
In frequency of losses, the occurrence of each cause of failure is determined
for a period of one year. A Poisson distribution is plotted for the observed values. The
parameters of the distribution are determined using Maximum Likelihood estimation and the
Goodness of Fit is estimated using Chi-squared distribution.
In severity of losses, the daily capital loss due to transaction failures of each
type is identified. A lognormal distribution is plotted for the observed values. The parameters
of the distribution are determined using Maximum Likelihood estimation and the Goodness
of Fit is estimated using Chi-squared distribution.
For computing aggregate loss, Monte-Carlo simulation is used. The aggregate
loss of individual types is added to get the overall operational loss.
5.2 Future work
• The causes of failure need to be identified by taking real-time data from any bank or
NPCI.
• Operational risk mitigation measures have to be suggested by using real-time data.
37
References
• Basel Committee on Banking Supervision: Operational Risk, Consultative Document,
Bank for International Settlement, May 2001
(http://www.bis.org/publ/bcbsca07.pdf)
• Frachot, O. Moudoulaud and T. Roncalli, "Loss Distribution Approach in
Practice." The Basel Handbook: A Guide for Financial Practitioners. London: Risk
Books, December 2003.
• Nigel Da Costa Lewis. Operational Risk with Excel and VBA: Applied Statistical
Methods for Risk Management. New Jersey: John Wiley & Sons, Inc., 2004.
• Andreas A. Jobst, “Consistent Quantitative Operational Risk Measurement and
Regulation: Challenges of Model Specification, Data Collection, and Loss
Reporting,” Working Paper, Monetary and Capital Markets Department, International
Monetary Fund, November 2007.
• Bank Frontier Associates, “Managing the Risk of Mobile Banking,” Fin Mark Trust,
28 March 2008.
• Basel Committee on Banking Supervision: Results from the 2008 Loss Data
Collection Exercise for Operational Risk. Bank for International Settlement, July
2009.
(http://www.bis.org/publ/bcbs160a.htm)
• Mo Chaudhury, “A review of the key issues in operational risk capital modeling,” The
Journal of Operational Risk, Volume 5/Number 3, Fall 2010
• Basel Committee on Banking Supervision: Operational Risk – Supervisory Guidelines
for the Advanced Measurement Approaches, Bank for International Settlement, June
2011.
(http://www.bis.org/publ/bcbs184.htm)
• Vishal Goyal, Dr.U.S.Pandey, Sanjay Batra, “Mobile Banking in India:
Practices,Challenges and Security Issues,” International Journal of Advanced Trends
in Computer Science and Engineering, Volume 1/Number 2, June 2012.
• Vinod Kumar Gupta, RenuBagoria, Neha Bagoria, “Mobile Banking Services as
Adoption and Challenges: A Case of M-Banking in India (Positive and Negative
Impacts, Mobile Growth in India, Adaption Models and Mobile Technology),”
38
International Journal of Scientific and Research Publications, Volume 3/Issue 1,
January 2013.
• B Sambamurthy, Rahul Joshi et.al., “ Mobile Banking – Report of the Technical
Committee,” Reserve Bank of India, January 2014.
39
Appendix
Sample data for the above illustration
Loss per transaction failure for Issuing Bank
Charge per transaction to customer 5
NPCI charge 0.25
Refund from Acquiring bank 0
Refund from NPCI 0
Any Other costs(like repair costs, legal costs etc) 0
Net Loss to Issuing Bank 4.75
Days
Type 1
Number of times
Cause 1
occurred(d11l)
No. of transactions
failed due to Cause
1(n11l)
1 1 83
2 4 76
3 4 47
4 9 54
5 7 58
6 1 68
7 3 76
8 5 94
9 3 72
10 6 68
11 4 91
12 7 33
13 1 86
14 3 65
15 6 53
16 7 83
17 4 90
18 8 100
19 3 31
20 4 55
21 3 45
22 8 77
23 7 32
24 6 47
25 5 40
40
26 2 97
27 7 80
28 3 88
29 3 61
30 4 53
31 2 95
32 9 51
33 5 56
34 3 77
35 7 78
36 8 47
37 5 71
38 7 80
39 4 44
40 5 39
41 6 80
42 6 36
43 3 84
44 2 70
45 5 90
46 5 55
47 6 53
48 1 42
49 7 88
50 4 94
51 5 93
52 1 77
53 1 51
54 5 65
55 1 67
56 8 71
57 1 71
58 3 34
59 8 86
60 8 62
61 6 33
62 8 74
63 7 93
64 3 71
65 10 51
66 6 62
67 7 89
68 7 58
69 8 92
70 4 93
41
71 4 38
72 7 92
73 8 75
74 7 84
75 6 69
76 5 62
77 1 77
78 8 95
79 7 91
80 7 71
81 3 47
82 8 92
83 10 54
84 5 79
85 4 68
86 6 65
87 4 50
88 7 74
89 8 64
90 4 58
91 4 45
92 3 32
93 3 84
94 8 54
95 3 39
96 8 57
97 3 91
98 5 75
99 8 50
100 5 50
101 8 46
102 6 44
103 7 64
104 4 31
105 4 60
106 7 34
107 3 56
108 6 81
109 3 38
110 3 48
111 7 38
112 4 30
113 7 37
114 4 66
115 3 43
42
116 4 42
117 4 79
118 7 48
119 3 41
120 3 68
121 8 62
122 10 46
123 5 74
124 8 69
125 8 53
126 6 78
127 7 41
128 4 77
129 8 32
130 5 65
131 4 42
132 7 30
133 8 83
134 8 89
135 5 53
136 5 63
137 4 46
138 4 59
139 8 40
140 6 84
141 7 64
142 6 43
143 7 38
144 5 50
145 4 84
146 7 37
147 2 83
148 9 92
149 3 45
150 8 99
151 4 62
152 6 56
153 8 96
154 6 55
155 1 78
156 3 55
157 7 100
158 4 63
159 9 80
160 4 43
43
161 7 90
162 4 86
163 3 78
164 6 95
165 6 92
166 7 31
167 7 58
168 7 92
169 8 40
170 1 61
171 2 60
172 8 73
173 1 88
174 8 36
175 1 73
176 3 99
177 1 41
178 4 50
179 8 96
180 5 48
181 3 60
182 1 83
183 3 61
184 7 61
185 5 61
186 7 37
187 3 68
188 4 35
189 8 98
190 4 91
191 4 93
192 8 91
193 1 64
194 8 79
195 7 76
196 5 52
197 10 82
198 5 91
199 8 58
200 1 95
201 4 73
202 4 44
203 6 82
204 8 83
205 5 50
44
206 6 44
207 8 60
208 7 79
209 5 32
210 8 76
211 4 63
212 6 32
213 1 77
214 7 40
215 3 39
216 7 83
217 5 38
218 1 33
219 5 61
220 4 70
221 5 33
222 5 86
223 6 61
224 3 44
225 10 99
226 5 74
227 10 49
228 3 90
229 10 66
230 5 64
231 4 74
232 8 86
233 4 75
234 5 52
235 7 45
236 1 51
237 4 36
238 5 99
239 4 97
240 4 52
241 6 68
242 5 38
243 3 83
244 7 69
245 4 84
246 3 74
247 5 78
248 4 100
249 4 35
250 3 71
45
251 7 39
252 5 70
253 7 52
254 6 70
255 4 71
256 4 57
257 3 40
258 8 51
259 1 31
260 7 79
261 4 83
262 8 99
263 5 35
264 3 61
265 3 87
266 4 97
267 6 55
268 9 37
269 7 81
270 1 59
271 6 68
272 7 98
273 4 85
274 2 94
275 5 90
276 5 81
277 3 72
278 1 84
279 1 60
280 1 87
281 7 97
282 6 93
283 6 100
284 3 43
285 4 89
286 5 72
287 5 55
288 3 95
289 9 95
290 1 51
291 4 64
292 3 100
293 3 48
294 4 37
295 7 73
46
296 7 42
297 6 30
298 3 88
299 3 62
300 5 31
301 1 47
302 4 58
303 7 35
304 7 80
305 2 50
306 7 93
307 3 66
308 3 90
309 5 62
310 3 88
311 3 87
312 7 47
313 6 69
314 9 82
315 3 30
316 6 94
317 4 51
318 8 82
319 5 41
320 7 77
321 3 44
322 3 51
323 2 73
324 5 71
325 4 57
326 3 70
327 6 61
328 6 34
329 4 38
330 4 30
331 7 63
332 3 89
333 2 58
334 8 69
335 3 59
336 6 69
337 6 82
338 7 56
339 5 31
340 10 34
47
341 3 54
342 6 40
343 4 53
344 5 94
345 8 45
346 3 33
347 3 76
348 3 62
349 5 43
350 7 38
351 3 52
352 8 64
353 7 94
354 3 32
355 3 61
356 6 89
357 2 53
358 3 35
359 4 39
360 7 41
361 3 38
362 8 35
363 7 78
364 1 35
365 8 35
48