The Volcker Rule
The new compliance monitoring program
The final(1) Volcker Rule was approved and released by the US regulators on December 10, 2013, requiring banking entities to demonstrate that prohibited proprietary trading is not taking place at their firms. Medium-sized and larger banks must implement a rigorous compliance program.
Compliance program requirements
This paper explores the compliance program requirements for the proprietary trading restriction component of the Volcker Rule, in particular for the medium-sized and larger banks where much work is required with not much time to do it. Download this paper to obtain additional insights into the three types of compliance programs—standard vs. enhanced compliance programs, timing considerations, technology considerations, and roles and responsibilities.
Three types of compliance programs
Banks with greater than $10B in total consolidated assets (nearly 100 U.S. banks and 50 foreign banks) must implement the "standard" compliance program, outlined in Subpart D of the regulation, by July 2015. This program has six required components for banks with covered activities and is sometimes also called the six-point compliance program:
- Policies and procedures
- Controls
- Governance
- Independent testing
- Training
- Recordkeeping
Roles and responsibilities
The standard compliance program requires a management framework that clearly delineates responsibility and accountability for compliance with the Volcker Rule. The Volcker Rule requirements for monitoring compliance lend themselves to the "three lines of defense" model. In the first line, the business line managers must create a culture of compliance for the desks, including implementing a compensation structure that rewards risk reduction and not risk-taking. The second line of defense focuses on the compliance function, which must monitor any breaches and ensure that false positives are clearly explained and documented, that any true violations are promptly remediated, and that senior management is made aware. The third line of defense is the independent testing and audit required by the regulation.
Technology considerations
The largest firms that must report quantitative metrics beginning in June 2014 are understandably focusing their technology resources on these efforts. Regardless of size, firms should not lose sight of the infrastructure required to support the monitoring of these metrics and other limits that they may implement in policy.