Estimation of Maximum Potential Losses for Digital Banking Transaction Risks Using the Extreme Value-at-Risks Method

Abstract

The application of industry 4.0 in banking presents many challenges, with several operational risks related to downtime and timeout services due to system failures. One of the operational risk management steps is to estimate the value of the maximum potential losses. The purpose of this study is to estimate the maximum potential losses for digital banking transaction risks. The method used for estimating risks is the EVaR method. There are several steps in this study. The first step is to resample the data using MEBoot. This process is a simulation of the operational risk loss data of digital banking. Next, the threshold value is determined to obtain the extreme data value. Then, a Kolmogorov–Smirnov test is conducted to fit the data with the GPD. Afterward, the GPD parameter is estimated. Then, EVaR is calculated using a portfolio approach to obtain a combination of risk values as maximum potential losses. The analysis results show that the maximum potential loss is IDR144,357,528,750.94. The research results imply that the banks need to pay attention to the maximum potential losses of digital financial transactions as a reference for risk management. Therefore, banks can anticipate the adequacy of reserve funds for these potential risks.

1. Introduction

Industry 4.0 refers to the concept that technology has permeated all areas of society: production, finance, services, transportation, and communications (Cividino et al. 2019). The current global economy is constantly changing so that innovation and technological development are key issues in a sustainable approach. Industry 4.0 in banking system technologies is applied in digitizing assets, creating a digital identity, providing special offers to customers, and offering customization (Nethravathi et al. 2020). Financial service providers are not only banks but also other financial institutions such as non-bank FinTech. Banking companies need to ensure that they keep up and take significant steps to compete effectively with financial institutions at the forefront of technology, such as FinTech and WealthTech companies. The introduction of next-generation technologies, such as application programming interfaces (API), artificial intelligence (AI), machine learning, and robotics, is demanded to bring the customer experience to a new level of convenience (Mishra 2020; Carbo-Valverde et al. 2020a). In this case, the focus is bank companies because the reach of customers from banking companies is greater than non-banks. In addition, financial transaction services offered by banks can be more comprehensive than non-banks. Therefore, banking companies must be able to develop digital technology to increase the advantages of financial transaction activities (Carbo-Valverde et al. 2020b).

The development of new digital information technology in banking has a positive effect on financial activities in banks (Rahman et al. 2018). The main positive impact is to make transactions easier for customers. Customers do not need to make financial transactions at the bank but only use their gadgets. This is also a good impact on post-COVID-19 life because digital banking has reduced direct interaction. The digital or electronic banking services include: (a) account statements for customers; (b) information on banking products (deposits, loans, securities); (c) applications for opening deposits and obtaining loans and bank cards; (d) internal transfers to bank accounts; (e) transfers to an account at another bank; (f) currency conversion; (g) bill payments; (h) online shopping payment instruments; (i) topping up e-money or e-wallets; (j) and a means of payment in conventional stores using a QR code (Susanto et al. 2016; Hernández-Murillo et al. 2010).

The first two types of services can be carried out using only cellular communication. Still, an Internet connection is usually required for the other services. With various digital services for customers to facilitate financial transactions, banking companies compete with FinTech or WealthTech. Banking companies must be able to provide a wider range of digital services so that customers are more interested in using banking services and the value of banking transactions will increase. Referring to the report of the Institute of International Finance, data digitization activities and bank financial operations also create around 70% of the digital risk for banks. The report also shows that 22% of banks worldwide have invested more than 25% of their annual budgets in digitizing risk management (Institute of International Finance 2017).

The risk of digital financial transaction activities in a bank can be generalized by several indicators such as (a) risk of defects and system failure; (b) risk of losing data integrity and unauthorized access to customer data; (c) risk of the violation of technical systems in an information room; (d) risk of cyber-attack; and (e) risk of misuse of the system (Zabala Aguayo and Ślusarczyk 2020; Casaló et al. 2007; Ojeniyi et al. 2019; Sarma and Singh 2010).

Banking companies need to pay attention to the existence of risks related to digital financial transactions. Besides taking advantage of these new opportunities, banks must identify, measure, monitor, and control these risks with prudent principles (Tanase and Serbu 2010). Based on the regulations of the Indonesian Financial Services Authority (OJK) number 7/POJK.03/2016 and the provisions of Law 2/No.10/1998, it is stated that Indonesian banks, in conducting their business, are based on economic democracy by using the principle of prudence. Because digital financial activities pose an increased risk, banks are required to apply prudential principles and risk management. As a consequence, one form of regulatory implementation is the real-time gross settlement (RTGS) system to minimize the risks of digital financial transactions (Iman 2020; Lubis et al. 2019). RTGS is implemented if there is a system failure during a transaction, in which case bank companies are required to send new transactions in real time. The new transaction must be executed immediately without waiting for a refund. The funds used in the new transaction are the bank’s own company funds. This makes it important to allocate reserve funds for operational risks (Keister and McAndrews 2009; Belás et al. 2016).

Related to the operational risks and the need to measure the reserve fund allocation, it is necessary to calculate the maximum potential losses. The method used to calculate the maximum potential losses is value-at-risk (VaR), with extreme value theory (EVT) for extreme risks. In economics and finance, the risk of loss can be measured using VaR. If the economic phenomenon shows an extreme event, an EVT approach is needed to represent it. VaR is the maximum loss that will not be passed for a probability defined as the confidence level over a certain time (Esterhuysen et al. 2008). Securities institutions or banks usually use VaR to measure the risk of their asset portfolio or the company’s operational risk (Boudt et al. 2013; Aebi et al. 2012). The VaR analyzed by EVT can be called extreme value-at-risk (EVaR) (Muteba Mwamba and Mhlanga 2013). If more than one risk is analyzed, the EVaR needs to be measured with a portfolio approach to obtain a combination of risks based on the weight of each risk. Therefore, the EVaR obtained is a weighted result that represents each risk (Gilli and Këllezi 2006). One study that carried out the calculation or modeling of bank reserve funds was conducted by Schalkwyk and Witbooi (van Schalkwyk and Witbooi 2017), who considered the spread model of bank reserves to cover the maximum potential loss due to banking risks. They formulated optimal stochastic control problems related to minimizing the risk of deposits and the reserve process, net cash flow from storage activity, and the cumulative costs of the bank’s strategic sector.

Several relevant studies on the problem of EVT and EVaR analysis and its relationship to banking have been conducted. Abbate et al. (2009) conducted data modeling with big data tails using EVT and introduced the copula theory. They showed that VaR with EVT becomes the measurement of the risk that occurs. In addition, the results show that the use of standard VaR is not appropriate for risk asset diversification involving a mean-infinite distribution (representing extreme events). Therefore, the EVT approach is needed to determine VaR in extreme events. Baran and Witzany (2011) conducted a study comparing EVT with standardized estimation methods (variance, covariance, historical simulations) to produce value-at-risk. This value-at-risk search method is compared with backtesting procedures and produces variated volatility returns in a given period of time. Gilli and Këllezi (2006) applied the EVT to measure risk. EVT is considered to provide the basis for extreme statistical modeling. Many science and modern engineering fields must deal with rare events that have significant consequences and are usually called extreme events. That study was intended to explain the basics of EVT and the tactical aspects of predicting and evaluating the statistical models for measuring risk from extreme incidents.

Furthermore, risk measures for the banking sector have been discussed in several studies. Esterhuysen et al. (2008) performed EVaR management in financial institutions through robust calculation techniques and the effect of this value on the capital owned by the bank for operational risk. The robust calculation, among others, collected the operational loss data, then tracked operational loss data and used a robust internal risk control system. They illustrated the differences of an internal risk control system in regulatory capital when using the advanced measurement approach (AMA) and the standardized approach (SA) by using examples of banking problems. Yao et al. (2013) observed that operational risk management plays an important role in decision making for banks. The conditional value-at-risk (CVaR) model based on the peak value method from the EVT analysis is used to measure operational risk. Bank loss data are used with empirical analyses. Tests are conducted using the EVaR and CVaR EVT calculation models at 95% and 99% confidence levels, respectively, to assess expected and unexpected losses in operational risk.

After conducting the literature review, the study suggested the gaps between the previous and present studies, as summarized in

Table 1. Research gap.

Authors	Titles	Methods	Risks (Variables)
Gilli and Këllezi (2006)	An Application of Extreme Value Theory for Measuring Financial Risk	Extreme value theory, value-at-risk, expected shortfall	Market risk, financial series, daily returns of some financial portfolios
Esterhuysen et al. (2008)	Calculating Operational Value-at-Risk in a Retail Bank	Operational value-at-risk, advanced measurement approach, standardized approach	Operational losses data in the retail bank, gross income, net interest income
Yao et al. (2013)	CVaR Measurement and Operational Risk Management in Commercial Banks According to the Peak Value Method of the Extreme Value Theory	Conditional value-at-risk, peak value method, extreme value theory	Operational risks, losses data of commercial banks
van Schalkwyk and Witbooi (2017)	A Model for Bank Reserves Versus Treasuries under Basel III	Portfolio diversification, stochastic optimal control	Deposit risk, cumulative cost, net cash flows in a bank
This work	The Estimation of Maximum Potential Losses of Digital Banking Transactions Risks Using the Extreme Value-at-Risks Method	Extreme value-at-risk, portfolio approach	Operational risks, digital banking transactions risks

.

Based on Table 1, previous research has implemented the VaR, EVT, and portfolio diversification measures. However, in the research of Gilli and Këllezi (2006), the application of the EVT method is carried out for several markets but only for one form of risk, namely daily returns. Then, the research of Esterhuysen et al. (2008) focused on the data of several operational risks but only used VaR without implementing EVT. Meanwhile, operational risks are generally large in number but rarely by occurrence or vice versa. Therefore, it is worth implementing the EVT because of these operational risk characteristics. Yao et al. (2013) realized the importance of EVT for measuring operational risk. However, the processing of some risks was carried out through data grouping. This data grouping method cannot be representative of several types of risk that are measured directly. Another method is needed to represent the weight of each risk, one of which is the portfolio approach. van Schalkwyk and Witbooi (2017) carried out a portfolio approach to determine the allocation strategy in risk management. However, risk measurement is based on stochastic modeling. Stochastic modeling is not suitable for measuring operational risk due to specific characteristics.

Therefore, Table 1 shows the gap between previous studies and the current research. Previous studies did not measure EVaR based on multiple risks with a portfolio approach, as this study has. In addition, there has been no previous research that uses digital banking transaction risk data as this study has.

Based on the research gap, this study intends to determine the maximum potential loss for the operational risk of digital banking transactions using the extreme value-at-risk (EVaR) method. The EVaR method is thought to be able to accurately measure risk for extreme events of digital banking risk loss. This is due to the extreme modeling approach suited to operational risk characteristics of digital banking as an extreme event (Abbate et al. 2009). This study promotes advantages over other studies because it performs EVaR analysis based on a combination of risk with a portfolio approach. The EVaR results represent several risks at once. This research’s contribution is to provide banks with advice and materials for consideration and evaluation in digital transaction risk management activities. The results of this study can be used as material for calculating the allocation of operational risk reserve funds to avoid collapse due to potential losses.

2. Literature Overview

2.1. Digital Banking Transaction

Digital banking is the transformation of all traditional banking activities and services into a digital environment. Digital banking is one of the bank services that allows customers to obtain information, communicate, and conduct banking transactions through the internet service network. In general, digital banking is an operating model based on a technology platform for exchanging information and conducting transactions between banks and customers. This process is carried out through digital devices connected to computer software in an internet environment (Mbama et al. 2018).

Digital banking transactions have two types of services based on the platform, namely web, and mobile platforms. The web platform can be used with a computer via a browser. As for the mobile platform, it is only used with mobile phones through digital banking applications (He 2015). Digital technology provides benefits to customers (Dinçer et al. 2021). For customers, banking provides transactions that are convenient in terms of time, place, and cost. Customers do not need to visit the bank office to obtain information or perform banking transactions. As a result, the use of digital banking makes it easier and faster for customers to make financial transactions. For banking companies, digital banking services increase fee-based income and reduce operational costs when compared to transaction services through relatively large branch offices, which require the bank to pay employees, building rent, security, electricity, and others. The financial transactions include purchases, transfers, payments, and so on (Yoon and Steege 2013; Jang-Jaccard and Nepal 2014). Therefore, cash transactions can actually disappear, and payments can be centered on digital platforms (Mikhaylov 2021).

2.2. Digital Banking Transaction Risks

Digital banking transaction risk includes the risk that occurs due to the failure of a system in digital financial transactions. Some of the risks that may occur include the threat of cyber-attacks, errors from system users, possible defects of the internet system or applications used, or service downtime due to system failures on the application side. Digital banking risks will have a negative impact on companies if mitigation is not carried out. Banking risks can negatively affect the company’s business in the following ways: (a) decrease the level of market confidence and business players; (b) decrease the level of investor confidence; (c) decrease the company’s value; (d) decrease or lose the business’ competitive value; and (e) potentially lead to lost income (Sathyanarayana 2014).

The possible risk of digital financial transaction activities in banking can be observed from the operational risk perspective. Operational risk is caused by errors in the operation of a system and includes both internal and external factors. In this context, the provision of digital financial transaction services has potential losses arising from operational risks (Ferreira and Dickason-Koekemoer 2019).

2.3. Operational Risk

Churchill (2013) revealed that risk is divided into pure and speculative risks. Speculative risk is further divided into four types of risk, namely market risk, credit risk, liquidity risk, and operational risk. The Basel framework defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events. In other words, operational risk can come from processes, structures, systems, and internal or external factors. This study focuses on operational risks originating from the system, namely potential losses from digital transaction risks due to downtime and service timeouts. This study focuses on the risks associated with downtime and timeout because these risks are the most common in the digital banking system. This is based on the system’s need for maintenance in a period that causes downtime. In addition, connection problems often occur and interfere with transactions. If this occurs, the system will timeout because the system loading exceeds the service level agreement time (AlAbdullah et al. 2010).

One of the steps in mitigating risk is recognizing the risks, which is known as risk identification. Risk identification is an initial action that provides input to measure, monitor, and control these risks. The better the risk identification action, the better risk mitigation will be. The result of the required risk identification process is a risk measure. Risk measures are useful for risk mitigation because banking companies already know how the impact of risks may occur. Based on these risk measures, companies can take strategic steps to carry out risk management (Churchill 2013).

2.4. Measurement of Operational Risk Based on the Basel Standard

Efficient operational risk management will ultimately improve the company’s business performance in general. On the other hand, the inability to manage operational risk will make the company suffer losses and then will have an impact on the company’s capital. If the company’s business capital is getting smaller, then the company’s sustainability is not optimal. Operational risk management is based on the measurement of operational risk loss itself. There is a standard method for measuring operational risk losses in the Basel Committee on Banking Supervision (Basel II). The standard measurement method promotes three approaches in measuring operational risk losses. The three approaches use different risk exposure indicators, namely: (a) the basic indicator approach (BIA), (b) the standardized approach (SA), and (c) the advanced measurement approach (AMA) (Hubbert 2012).

AMA measures operational risk with internal methods. The internal model consists of assumptions, statistical techniques, key performance indicators, and other mathematical and economic techniques. The process of collecting internal data affects the relevance, quality, and standardization of content. The basic difference between AMA and BIA or SA is the parameter of the probability of the event being considered. The BIA and SA methods only consider the average gross profit in determining risk measures, whereas the AMA considers data on losses that have occurred and the probability of risk events. Therefore, the AMA method will be more powerful in identifying risks. The internal approaches are grouped as the AMA model and include the following: the internal measurement approach (IMA), the bootstrapping approach, the loss distribution approach (LDA), the Bayesian approach, and the extreme value theory (EVT) (Hubbert 2012). This study uses a risk measurement technique with the EVT method.

3. Materials and Methods

Materials are data objects and software used in a study, whereas the method comprises models used in analyzing the data. The descriptions of the materials and methods in this study are sequentially explained below.

3.1. Materials

This research uses digital banking transaction risk data due to downtime services and service timeouts. The nominal risk loss data is obtained by simulating the risk data sample at one of the commercial banks in Indonesia. As for the initial sample data, it represents the risk of digital banking losses due to downtime and timeouts. The sample data period is 1 May 2020 to 31 August 2020. Then, the sample data becomes material for digital banking risk simulation. Banking companies as a sample cannot be mentioned because they are protected by Law No. 30/2000. The law regulates company secrets, including information in technology and business. Confidential company information is an asset that has economic value and is not known by the public (Government of Indonesia 2000). The characteristics of these banking companies are in the BUKU IV bank group. Based on the Indonesian Financial Services Authority Regulation (6/POJK.03/2016), BUKU IV is a bank with the highest core capital of at least IDR30,000,000,000.

3.2. Methods

The methods used in this study are maximum entropy bootstrapping (MEBoot), the threshold percentage method, the peak-over-threshold method, generalized Pareto distribution, the extreme value theory, and extreme value-at-risk (EVaR). In addition, this study uses several software to process the data, namely R software, Excel, and EasyFit.

3.2.1. Maximum Entropy Bootstrapping (MEBoot)

Bootstrapping was first introduced as a method for resampling data by Efron (Efron 1982) in 1982. It is used as a solution to the problem of outliers in statistics. It can also be used to estimate the sampling distribution by surrogate sampling from the original sample to obtain the parameter’s confidence level. In addition, it is the resampling of data with random depiction by replacing a series of data points so that data distribution can be close to normal.

Later, Vinod and López-de-Lacalle (2009) developed a bootstrap based on the principle of maximum entropy, commonly called MEBoot. MEBoot is a method for obtaining robust estimates of standard errors and confidence intervals as estimates of proportion, mean, median, odds ratio, correlation coefficient, or regression coefficient. The MEBoot algorithm is simplified from the original version for practical reasons. The MEBoot algorithm can be decomposed into six steps: (1) sort the original $x_t$ data so that they are arranged from the smallest to the highest; (2) calculate intermediate points $z_t=\frac{x_{\left(t\right)}+x_{\left(t+1\right)}}{2}$; (3) calculate the trimmed mean, $m_{trim}$, of the deviation $x_t-x_{t-1}$ for any two consecutive data sets; then, count the left tail $z_0=x_{\left(1\right)}-m_{trim}$ and the right tail $z_T=x_{\left(t\right)}-m_{trim}$; (4) generate a uniform random number (0, 1) of some original data $x_t$ and sort and count the quantile samples for each U (0, 1); (5) reorder the obtained quantiles according to the order index vectors recorded in the steps to recover the dependent relationship on the original observation data; and (6) repeat steps 1–5 repeatedly until the desired repeat size.

In this research, MEBoot uses R software (MEBoot package) to facilitate data management. The command function used is MEBoot (x, reps, trim = list (trim = 0.10), reachbnd = TRUE, expand.sd = FALSE, force.clt = TRUE, scl.adjustment = TRUE).

3.2.2. Threshold

The threshold is a lower limit value from the tail of the distribution that fits the extreme value distribution. The determination of the threshold value is seeking the optimal balance to obtain model errors and parameter errors to a minimum. One of the methods to determine the threshold is the percentage method, which is more practical and easier to implement.

This study uses the percentage method for the determination of the threshold. Based on extensive research simulation, Rydman (2008) recommended choosing the threshold such that the data above the threshold value is approximately 10% of the total data. The data above the threshold value is called extreme data.

Lots of extreme data is obtained using this equation:

$$m=10\%\times n,$$

(1)

where m is lots of extreme data and n is lots of total observed data. Then, the threshold value u is obtained using this equation:

$$u=m+1,$$

(2)

3.2.3. Extreme Value Theory (EVT)

EVT is a branch of statistics that discusses data deviations from the mean in the probability density function. EVT is generally used in extreme data modeling, such as rare loss events, but has a big impact. The usual approach cannot model the arising losses. The probability of extreme events is difficult to identify because of the lack of data held in the modeling process. Therefore, the usual modeling approach cannot be applied (Gomes and Guillou 2015).

There are two methods that can calculate the identification of extreme values from the data of loss value. The first method is the maxima block, which is the traditional method used to analyze seasonal data. Each block of the period is determined to be the maximum loss value. Second, the peaks-over-threshold (POT) method uses data more efficiently by identifying extreme values above a certain maximum loss value or threshold value (Ferreira and De Haan 2015). In this study, the peaks-over-threshold (POT) method is used to determine the extreme value.

3.2.4. Peaks-Over-Threshold (POT)

The POT method identifies extreme values by setting the threshold values and ignoring the time of occurrence. Extreme values are data that are above the threshold value. This extreme value becomes the distribution model. The POT method applies the Pickland–Balkema–de Haan theorem, which states that the higher the threshold, the more the data distribution above the threshold will follow the generalized Pareto distribution (GPD) (Makarov 2007). The assumption of data above the threshold that follows the GPD is obtained by looking at the tail of the distribution away from the trust line. A heavy tail can be detected by making a QQ plot against data above the threshold.

3.2.5. Generalized Pareto Distribution (GPD)

GPD is defined as the distribution limit of scaled excesses above the threshold value. Supposing x is a random variable from loss risk with two GPD parameters, the GPD distribution function of x is as follows (Baran and Witzany 2011).

$$g_{\xi ,\beta }\left(x\right)=\{\begin{array}{l}\frac{1}{\beta }{\left(1+\frac{\xi }{\beta }x\right)}^{-1-\frac{1}{\xi }},\xi \ne 0\\ \frac{1}{\beta }exp\left(-\frac{x}{\beta }\right),\xi =0\end{array},$$

(3)

where β > 0; x ≥ 0 if ξ > 0; $0\le x\le -\frac{\beta }{\xi }$ if ξ < 0, with ξ indicating the shape parameter and β indicating the scale parameter.

The GPD can be divided into three types based on the shape parameter value (ξ) as follows: exponential distribution if the value ξ = 0, Pareto type I distribution if ξ > 0, and Pareto type II distribution if ξ < 0 (Baran and Witzany 2011). Zhao et al. (2019) discussed the estimation of generalized Pareto parameters. The formula of parameter estimation is obtained by the maximum likelihood estimation (MLE) method. This study estimates GPD parameters with the help of EasyFit software with fit distribution tools.

3.2.6. Extreme Value-at-Risk (EVaR) Method

Extreme value-at-risk (EVaR) measures losses arising from extreme risk with a certain confidence level. The risk measure is started based on the excess loss function. Suppose X is a random variable (Mwamba et al. 2017), the conditional distribution function $F_u$ of excess losses above the threshold u is defined as

$$F_u\left(y\right)=P\left[X-u\le y|X>u\right],$$

(4)

to $0\le y\le X_F-u$, $X_F$ is its least upper bound of F. Where $X_F=Sup\{x\in R:F\left(x\right)<1\}\le \infty$ and $y=x-u$ is the excess above u. Equation (4) can be written in the form

$$F_u\left(y\right)=\frac{P[X-u\le y,X>u]}{P[X>u]}=\frac{P[u<X\le u+y]}{1-P\left[X\le u\right]}=\frac{F\left(u+y\right)-F\left(u\right)}{1-F\left(u\right)}=\frac{F\left(x\right)-F\left(u\right)}{1-F\left(u\right)},$$

(5)

the parametric model of the distribution function’s excess loss $F_u$ of the generalized Pareto distribution (GPD) is based on the limit theorem, i.e., the Picklands–Balkema–de Haan theorem (Kang and Song 2017; Jocković 2012). It is based on the Picklands–Balkema–de Haan theorem where u large and approaching $X_F$, where β(u) is a positive real function.

$$\underset{u\to X_F}{lim}\underset{0\le y\le X_F-u}{Sup}|F_u\left(y\right)-G_{\xi ,\beta \left(u\right)}\left(x-u\right)|=0,$$

(6)

so that the excess loss function of $F_u$ converges to GPD $G_{\xi ,\beta }$ and can be written as $F_u\left(x\right)=G_{\xi ,\beta }\left(x-u\right)$.

Then, the result of Equation (5) substituted to the underlying distribution function (x) of Equation (6) can be written as

$$F\left(x\right)=\left(1-F\left(u\right)\right)G_{\xi ,\beta }\left(x-u\right)+F\left(u\right),$$

(7)

where $n$ is the sample size of the data and Nu represents the number of losses above the threshold $u$. The estimator tail of F(x) for $x>u$ is

$$\widehat{F}\left(x\right)=\frac{N_u}{n}\left(1-{\left(1+\frac{\xi \left(x-u\right)}{\beta }\right)}^{-\frac{1}{\xi }}\right)+\left(1-\frac{N_u}{n}\right)$$

$$\widehat{F}\left(x\right)=1-\frac{N_u}{n}{\left(1+\frac{\xi \left(x-u\right)}{\beta }\right)}^{-\frac{1}{\xi }},$$

(8)

EVaR is defined as the expected value of maximum loss from the value of the risk asset in a certain period and at a certain confidence level (Williams et al. 2018). Let p be the highest odds above (u), then substitute it into the distribution function equation (GPD).

$$1-p=\frac{N_u}{n}{\left(1+\frac{\xi \left(x-u\right)}{\beta }\right)}^{-\frac{1}{\xi }}$$

$${\left(1+\frac{\xi \left(x-u\right)}{\beta }\right)}^{-\frac{1}{\xi }}=\frac{n}{N_u}\left(1-p\right)$$

$$\frac{\xi \left(x-u\right)}{\beta }={\left(\frac{n}{N_u}\left(1-p\right)\right)}^{-\xi }-1$$

$$\left(x-u\right)=\frac{\beta }{\xi }{\left(\frac{n}{N_u}\left(1-p\right)\right)}^{-\xi }-1$$

(9)

Then, for the opportunity p > (u), the estimated quantile function can be used to calculate the magnitude of the potential loss to the GPD distribution (Baran and Witzany 2011). Thus, EVaR can be searched based on the threshold value for extreme risk data and the estimated value of the GPD parameter.

$$EVaR=u+\frac{\beta }{\xi }\left\{{\left[\frac{n}{m}\left(1-p\right)\right]}^{-\xi }-1\right\},$$

(10)

where $u$ is the threshold, β is the scale parameter, ξ is the shape parameter, n is lots of observed data, m is lots of data above the threshold, and p is the confidence level

The portfolio approach is applied to several risks that are shared into one risk loss value (Ortiz et al. 2021; Gambrah and Pirvu 2014). Therefore, we need the weight of each risk as a measure that represents the risk.

$$W_i=\frac{EVa{R}_i}{{{\displaystyle \sum }}_{i=1}^{n}EVa{R}_i},$$

(11)

where $W_i$ is the weight of risk-i and $EVa{R}_i$ is the EVaR of risk-i

$$Maximumpotentiallosses={{\displaystyle \sum }}_{i=1}^{n}EVa{R}_i\times W_i,$$

(12)

4. Results

4.1. Determination of Threshold and Extreme Data through the MEBoot Process

R software was used to obtain data values of digital banking losses processed by MEBoot. In addition, a threshold value of 10% and lots of extreme data above the threshold were obtained. The summary results of the processed data are shown in

Table 2. The summary results of the MEBoot processed data.

Risk Type	Resample	Lots of Data	Lots of Extreme Data	Threshold (IDR)
Downtime	10	1230	123	IDR81,080,836,365
Timeout	10	1230	123	IDR64,806,050,343

.

MEBoot processing results in Table 2 show 1230 data obtained after 10 time resamples. The process of resampling 10 times was taken because the results of the data form already showed heavy tail or were far from approaching the normal line (seen in Figure 1). This indicates that the data are fit with the EVT characteristics. Furthermore, extreme data can be calculated using Equation (1), which accounts for as much as 10% of the sequence of 1230 data. The threshold value obtained used Equation (2) so that the threshold value is at the 124th data sequence. The threshold values for the risk of downtime and timeout services are IDR81,080,836,365 and IDR64,806,050,343, respectively. The data results are taken because they are following the assumption of heavy-tail data distribution. The distribution of heavy-tail data is seen from the QQ plot results on the MEBoot data. The QQ plot results are used to estimate the heavy-tail distribution data to show the extreme data following the generalized Pareto distribution (GPD). The QQ plot was processed by the QQ plot package of software R. The following QQ plot results from MEBoot data can be seen in Figure 1.

Figure 1 shows the results that match the desired assumption, namely the results of the heavy-tail data or data that are far from approaching the normal line. As seen in the QQ plot results for each risk, the distribution of plot points away from it must be normal at the tail of the data. Based on the QQ plot results, it is certain that the extreme data will fit the GPD.

4.2. Goodness-of-Fit of Extreme Data to the GPD

The extreme data from the MEBoot are assumed to follow the generalized Pareto distribution (GPD). Before making parameter estimates, it is necessary to prove the assumptions first. Proof of assumption is carried out by first fitting the distribution to the generalized Pareto distribution (GPD) in order to ensure its suitability so that GPD parameter estimation can be conducted.

The process of fitting the distribution is carried out using the EasyFit tool’s goodness-of-fit software. The proof is carried out using the Kolmogorov–Smirnov test to determine the distribution test results for GPD. The results of the goodness-of-fit test are provided in

Table 3. The results of the Kolmogorov–Smirnov test of the (a) downtime and (b) timeout.

(a)
Kolmogorov–Smirnov Test
Sample Size	123
Statistic	0.0599
p-Value	0.74642
$\alpha$	0.2	0.1	0.05	0.02	0.01
Critical Value	0.09675	0.11207	0.12245	0.13687	0.14688
Reject?	No	No	No	No	No
(b)
Kolmogorov–Smirnov Test
Sample Size	123
Statistic	0.09628
p-Value	0.19151
$\alpha$	0.2	0.1	0.05	0.02	0.01
Critical Value	0.09675	0.11207	0.12245	0.13687	0.14688
Reject?	No	No	No	No	No

.

The results of the goodness-of-fit test in Table 3 show that the extreme data values follow the GPD distribution because there is no rejection in the test. The test using the Kolmogorov–Smirnov method was carried out in several $\alpha$ levels: 0.2, 0.1, 0.05, 0.02, and 0.01. Each of these $\alpha$ levels result in the acceptance of the hypothesis that the extreme data match the GPD. This strengthens the test results because it is accepted at several alpha levels. Then, the GPD parameter can be determined from the extreme data values.

4.3. Estimation of the GPD Parameter

The estimation of GPD parameters requires the deviation standard $\left(s\right)$, lots of extreme data $\left(n\right)$, and the sum of extreme data values $\left({{\displaystyle \sum }}_{i=1}^n{x}_i\right)$ taken from the extreme data of descriptive statistics. The process of descriptive statistical analysis was carried out with the help of Excel software. The data analyzed is the extreme data of each risk. The results of the descriptive statistics are shown in

Table 4. Extreme data of the descriptive statistics.

Descriptive Statistics	(Timeout Risks)	(Downtime Risks)
Data	123	123
Mean	118,715,100,522.2	116,326,654,020.561
Standard Deviation	54,110,542,295.94	43,314,723,866.9
Sample Variance	2.927950787 × 1025	1.876165303 × 1021
Kurtosis	0.263336436495423	3.67055481773892
Skewness	1.16545766227375	2.01686434554239
Minimum	65,183,178,591.0188	81,410,403,286.1475
Maximum	286,932,960,062.233	278,181,957,858.857
Sum	1,4601,957,364,231	14,308,178,444,528.9

.

Table 4 shows that the standard deviation value (s), the number of extreme data (n), and the number of extreme data values were obtained. These results were used to find the estimated GPD parameters for each risk. Then, the results of the shape parameter and scale parameter estimator were obtained using EasyFit software, as shown in

Table 5. GPD parameter estimator.

Parameter	Timeout Risk	Downtime Risk
$\hat{\xi }$ Shape Parameter	−0.4513410383432	−0.367209611440187
$\hat{\beta }$ Scale Parameter	118,715,100,522.203	116,326,654,020.561

.

The results of the two GPD parameters in Table 5 show the distribution function with ξ < 0 then x that bounded of 0 ≤ x ≤ −$\frac{\beta }{\xi }$. The upper limit value of x is −$\frac{\beta }{\xi }$. That upper limit value of x is no more than the maximum values of the extreme data in Table 4. The results for timeout risk and downtime risk were −$\frac{\beta }{\xi }$ < 286,932,960,062.233 and −$\frac{\beta }{\xi }$ < 278,181,957,858.857, respectively. Therefore, the maximum values of extreme data did not pass through from the upper limit value. This shows the suitability of the GPD parameter’s estimator value. Because the calculation of the two GPD parameters was obtained and appropriate with an extreme data value, then the estimation of the expected claim can be calculated with EVaR.

4.4. Estimation of Maximum Potential Losses

After estimating the two GPD parameters shown in Table 5, the calculation of EVaR was conducted as the estimation of bank reserve funds for digital banking risks. The value of EVaR was obtained with a 95% confidence level. The result of EVaR used Equation (10) on the following calculation.

$$EVa{R}_1=\text{64,806,050,343}+\frac{\text{118,715,100,522.2}}{-0.4513410383432}\left\{{\left[\frac{1230}{123}\left(1-0.95\right)\right]}^{0.451341038}-1\right\}=\text{135,465,044,269.741}$$

$$EVa{R}_2=\text{81,080,836,365}+\frac{\text{116,326,654,020.5}}{-0.3672096114401}\left\{{\left[\frac{1230}{123}\left(1-0.95\right)\right]}^{0.367209611}-1\right\}=\text{152,268,681,535.392}$$

$EVa{R}_1$ and $EVa{R}_2$ show the value of potential losses from the risk of timeout and service downtime. However, it is necessary to combine these EVaR values to represent the risk of digital banking transactions. The combined EVaR becomes the maximum potential loss from banking transaction risks. The EVaR risk value combination process was carried out by weighting each EVaR risk. The calculation results from weighting the risks based on the portfolio approach using Equation (11) are shown in

Table 6. The results of weighting risks using the portfolio approach.

Risk	EVaR	Weight of Risks
Timeout Risk	IDR135,465,044,269	0.4708
Downtime Risk	IDR152,268,681,535	0.5292

.

Based on the results presented in Table 6, the risk weight of the downtime risk is 0.5292, whereas the timeout risk is 0.4708. These results indicate that the weight of the downtime risk is greater than the risk of the timeout because the value of $EVa{R}_1$ is greater than $EVa{R}_2$. This is also based on the threshold value of the timeout risk, which is greater than the timeout risk. After calculating the two weights of the risks, the calculation of EVaR was conducted to estimate the maximum potential losses of digital banking transactions risks. The result of maximum potential losses used Equation (12) on the following

$$Maxpotentiallosses={\displaystyle \sum }EVa{r}_i\times W_i$$

$$Maxpotentiallosses=\left(\mathrm{IDR}\text{152,268,681,535}\times 0.5292\right)+\left(\mathrm{IDR}\text{135,465,044,269}\times 0.4708\right)$$

$$Maxpotentiallosses=\mathrm{IDR}\text{144,357,528,750.94}$$

The maximum potential losses of digital banking risks using the EVaR method is IDR$\mathrm{144,357,528,750.94}$. The EVaR value is obtained from the 95% confidence level. The estimation for risk management as consideration for maximum potential losses becomes a reference for banking companies to provide operational reserve funds. In addition, it can be used for risk management as consideration for maximum potential losses, thus becoming a reference for banking companies to provide operational reserve funds for digital banking risks.

5. Discussion

Today’s banking activities are increasingly shifting toward digital transactions. Digital banking presents a special type of operational risk. The global financial crisis has awakened the importance of studying extreme events, and the implementation of EVT is the main step in mitigating operational risk. However, operational risk management still cannot be handled effectively. One reason is that operational risk is more complex, involves many types of risk, and is not always easy to measure (Aebi et al. 2012; Yanagawa 2020; Beccalli 2007; SOFIA 2017).

Digital banking risk analysis can use QQ plots, as in Figure 1. The fat-tailed shape of the QQ plot indicates an extreme data case. The data identification results follow the risk data in the banking industry. Cases of banking losses due to digital transactions occur in a fairly rare time. However, the nominal loss is potentially large in every risk case. This is reinforced based on the Global Financial Stability Report by the International Monetary Fund (IMF), which states that one source of threats to the stability of the financial system is digital risk. In addition, the survey results of The Depository Trust & Clearing Corporation (DTCC)’s 2017 Systemic Risk Barometer in the first quarter put digital risk in the first place as a banking threat (DTCC 2017). The survey results of systemic risk barometer can be seen in Figure 2.

Furthermore, the results of extreme risk analysis using extreme value theory result in the distribution of data in the GPD. The estimated GPD parameters in Table 5 serve as the basis for analyzing the EVaR risk measure. The EVaR risk measure in Table 6 shows that “downtime risk” is greater than “timeout risk.” This is in line with the technical analysis of digital banking. “Downtime risk” in the digital banking system is a common risk that causes operational losses. Based on the initial sample data on digital banking risk losses, the value of downtime losses is greater than the timeout. In addition, in the digital banking system, downtime is bound to occur due to the need for service maintenance. This is the reason why downtime has a higher risk value than timeout. When there is downtime, all transactions cannot run, and it causes a system failure. In recent years, there was a failure of the banking system in the U.K. market, which made headlines. This can lead to big losses, even making active customers switch to competing banks. In addition, survey results from private bank customers in Indonesia show concern about the risks of the digital banking system. Surveys from customers stated that the risk of the system causing service disruptions caused them to become skeptical of digital banking (DTCC 2017).

The operational risks of digital banking can cause prolonged company losses. Risk management to overcome these losses can be carried out through the allocation of reserve funds. Reserve funds must be able to cover the maximum potential loss from these risks. The result of the estimation of the maximum potential loss from digital banking risks is IDR144,357,528,750.94, which is equivalent to USD 10,014,601.46. This huge value shows the number of potentially large losses from digital banking risks. This needs to be interpreted as a preparation for risk mitigation. Banks and other financial institutions must evaluate and manage operational risk through various tools and mitigation strategies. The main strategic step is to detect potential operational risks, collect operational risk data, then track the losses incurred. After that, the mitigation process is carried out by determining the size of the risk as an expectation of loss. This process has been carried out in this research. Furthermore, it is necessary to interpret the results of maximum potential losses as a measure of reserve funds, which can help banks prepare to manage digital banking risks. This will help ensure that bank companies are ready to face the possibility of risks through these mitigation strategies.

The estimated risk of digital banking with a large nominal loss has significantly increased with the data on the number of transactions in recent years. Data on many digital financial transactions in the annual report of one of the banks in Indonesia in 2020 shows an increase of 132.20% (YoY) to 2.72 billion transactions compared to the 1.17 billion transactions in 2019 (BRI 2020). The increase in the number of digital transactions makes the possibility of risk even greater. Based on a report from Bank Indonesia (BI), the volume of digital banking transactions throughout Indonesia in 2021 increased by 21.5% to IDR39,130 trillion. In addition, BI forecasts that the projection of digital banking transactions in 2022 will reach more than IDR48,000 trillion, or an increase of around 22.6% (Bank Indonesia 2020). The graph of the projection of digital banking transactions in Indonesia can be seen in Figure 3. Based on these projections, the importance of a risk mitigation strategy is illustrated since the probability for risk to occur is directly proportional to the volume of digital banking transactions. Risk mitigation for the next year can be started today. One of these mitigation measures is to estimate the maximum potential loss from digital banking risks. As has been conducted in this study, the results of the estimation of the maximum potential loss can be used by banking companies as a risk mitigation measure for digital banking transactions. With the preparation of the estimation of maximum potential loss, the company can take a better risk management strategy.

Responding to the importance of banking risk mitigation measures in Indonesia, OJK issued prudential regulations based on the authority delegated to it by Law No. 21/2011. The regulation requires the application of the Basel framework to all conventional commercial banks in Indonesia. Based on OJK regulations, the mitigation process to measure risk is carried out using the standard Basel approach, namely the basic indicator approach (BIA). The use of the BIA method for commercial banks in Indonesia is further explained in POJK Regulation No. 11/POJK.03/2016 (Bank for International Settlements 2016).

However, OJK regulations currently in force in Indonesia still need to be adjusted, especially regarding operational risk mitigation. Based on the report on the assessment of Basel III risk-based capital regulations in Indonesia, there are things that the OJK must consider. The first thing is that the explanation of indicators in calculating gross income for the BIA method is not explicitly specified in the regulations. Furthermore, OJK needs to describe the scope of operational risk that is clearer and consistent with Basel standards. In addition, OJK does not implement the AMA method for measuring operational risk (Bank for International Settlements 2016). This is unfortunate because the BIA method is a very simple traditional approach compared to the AMA.

The AMA method demands that banks use internal loss data to calculate the EVaR of operational risk. The size of the operational loss will be in line with the state of risk in the banking company. If the banking company has implemented operational risk prevention well, then the value of the potential loss is lower. This is related to historical data on operational risk losses from the company. However, this is not the case with the BIA method, which is not influenced by a strong operational risk management environment.

The results of this study provide a comparison of the measurement of operational risk between the AMA and BIA methods. The BIA method measures operational risk capital requirements based only on gross income from the bank, so it is not sensitive to operational risk. The BIA formula is $riskcapital=\overline{Grossincome}\times \beta$, with $\beta =15\%$. The BIA formula is very simple when compared to the EvaR formula in Equation (10). BIA, which uses gross income as an indicator of operational risk exposure, can be categorized as a traditional measure. Meanwhile, the maximum potential loss value with EVaR is included in the advanced measurement approach (AMA). EVaR performs an operational risk assessment based on the distribution of loss data. This adds to the security of operational risk estimates. The results obtained in the AMA method tend to be smaller than the BIA method (Zhu et al. 2019). Smaller yields can be leveraged for the minimum optimal backup value. The minimum optimal reserve fund will make capital diversification better. The remaining excess capital can be used for the company’s investment interests. Thus, banking companies can have more sources of income.

On the other hand, one of the most visible impacts of implementing EVaR in the AMA approach to operational risk management is the positive impact on reputation and stakeholder perceptions. A better risk calculation process certainly provides shareholders, clients, rating agencies, and the market with clear information on safety risk management. This certainty is very important and provides comfort for stakeholders, especially in times of economic turmoil and uncertainty. Therefore, this is a very useful approach for the sustainability of the company that is safe against risk, especially when it comes to the operational system of digital banking.

6. Conclusions

This study discusses the analysis of the maximum potential loss from digital banking transactions. The analysis result shows the maximum potential loss from the risk of digital banking transactions is IDR144,357,528,750.94 with a 95% confidence level. The extreme value-at-risk (EVaR) method used in this study uses the generalized Pareto distribution (GPD) method. The GPD is interpreted as a distribution that describes extreme data. Digital banking risk is an extreme risk. Therefore, the analysis results of this study are in accordance with the characteristics of the risk. Thus, the result of the maximum potential loss value becomes a reference for mitigating digital banking risk. Banking companies need to provide reserve funds that can cover these potential losses. If banks cannot provide these reserve funds, it is feared that a collapse will occur. In particular, unexpected extreme events such as a global financial crisis can occur at any time. If this occurs, the unpreparedness of reserve funds can certainly make the bank company collapse. Therefore, the potential for maximum loss is an important concern for risk mitigation efforts.

This study still has limitations related to the exploration of digital banking risk data. For further studies, attention can be paid to more types of digital banking risks, one of which is the risk of digital banking from the customer’s point of view as a user. There are digital banking risks that arise from users, such as transaction errors. In addition, the leakage of customer account data is also a calculated risk. The leakage of customer account data can be misused by irresponsible parties. The misuse of customer data can harm banking companies, so data security also needs to be a risk management concern. Therefore, further research can explore digital banking risks. Risk exploration is expected to strengthen the estimated loss, and better loss estimation will make risk management safer.