Compliance Planning - The Volcker Rule

As rule-making gathers steam, banks have started putting together exploratory (some are further ahead) teams to define their “Dodd-Frank Compliance Strategy”.

If we have to comply with the DFA, we will need to do much better than waiting for rules to be finalized and rolled out. Old hands know that any compliance starts with an outline (even hazy to begin with) of the expectations and potential responses and evolves as you get a better handle on it (this applies to the act of complying, not the strategic options). We will have lay the foundation for compliance based on what we know about the Act today and we will have to create a unified theme for our compliance effort that makes some sense and start compliance ‘runs’ starting now and then tweak the engine as every rule takes shape. If we are not compliant by the time the final rule is published, it is too late already. Remember how we complied with HIPAA in 2002 and then with SOX in 2003 and then GLBA in 2005 and then PCI DSS in 2006 and how we did everything six times over? “It broke the bank” metaphorically then, it will not be a metaphor this time around.

I take the Volcker rule as an example for this blog and let us see what business process or  technology level measures will need to be planned in order to achieve,

One quick qualifier. The focus is on business process compliance and not strategic options or business model issues.

Volcker rule’s compliance burden is going to be essentially in one area. How do you demonstrate that whatever you have done falls under “Permitted Activities” of the rule?

Let us take one example. One permitted activity is “transactions in connection with underwriting or market-making activities, to the extent designed not to “exceed the reasonably expected near term demands of clients, customers or counterparties”.

Let us analyze the steps needed to comply with this:

1.       All transactions of underwriting or market-making activities need to be brought together in a central place (this will have to be done, no matter what shape or content of the final rule)

2.       All client, customer or counterparties orders and instructions will have to be captured, tagged and massaged so each can be related to one or more underwriting or market-making activities performed by the bank (anywhere in the world?). A huge business process issue here will be about re-designing the customer interaction process and documentation to have enough information and commitment from the client, customer or counterparty for you to justify your actions. Can this be done? Or this starts another “transaction code rationalization” a la HIPAA?

3.       All underwriting or market-making activities performed by the bank that do not have a direct link to a client, customer or counterparty order but can be demonstrated as “reasonably expected near term demands”?,  Demonstrate that it was necessary to perform a transaction to “support” a client, customer or counterparty order and that it was simply a risk mitigation measure of a risk that was already there due to a client, customer or counterparty order and not a new risk created by bank’s own decisions. “reasonable expectations”, “near term demands” – all minefields but still enough to kick-off compliance planning.

There will be more things to do but let us say this is the gist of it.

From a pure compliance planning and technology support perspective, these three things will translate to a) building ‘data warehouses’ of certain types of transactions to be able to analyze   their cause-effect relationships with certain third-party (client, customer, counterparty) actions or orders and b) building strong analytical and heuristic engines that will establish & report connections, dependencies, pairing and risk-mitigation across different transactions.

It will be expensive, difficult and will take a few years (even five or more) of testing and double-checking to make sure that it actually works and generates dependable information.

The Pros:

Regardless of the Volcker rule or the DFA, this information will be a great risk management and decision-making tool for a bank and those who do it well will have a huge competitive advantage. As of today, the power to correlate transactions and risks across clients and proprietary actions does not exist at most banks and where it exists, it exists in pockets.

The Cons:

If the rule-making process loses sight of these real challenges, we may have rules that will take thousands of person-days to file returns that the regulator never gets to and suddenly it is too late all over again.