
The Volcker Rule - Compliance and Conformance




DEREK M. BUSH: Great. Thanks, Ken. And so yeah, let's get started with our compliance panel. We're very fortunate to have a lot of expertise on this panel again this year. Curtis Tao from Citi, Rena Shadowitz from U of A, Joerg Riegel from Soc Gen, and Chris Scarpati from PWC. We need a term for whoever's done this four years in a row, like a lifer. They're lifers at this program. And we're delighted to have Rena with us and Joerg too as a veteran of this panel.

And it's also I think very helpful that all three of our in house representatives are not only deeply involved in compliance, but also active in a lot of the ongoing policy issues and industry initiatives. So bring a lot to bear on this question. But I think this is our opportunity to really sort of dig into what banks actually do to manage their compliance programs.

And we've talked about some of the interpretive issues and other complications in prop and funds and now this will get down to some real world experiences. And so I guess I'll start. We have a lot to cover, but start with just asking you basically how you are approaching and managing your compliance program, what you're doing, especially anything that may be new over the course of this past year or new areas of focus, and then we'll come back to what you might have done differently if you could.

CURTIS K. TAO: Thank you, and good afternoon, everyone. I'm really pleased to be here. I'll just start off by just saying one qualifier, that all the views that I'll express will be my own, not necessarily of my firm. The other thing I'd like to just be curious, how many people here work in house as a lawyer within the legal department?

Great. A lot of these questions, as many people sometimes ask, what's the role of legal with respect to implementing a Dodd-Frank rule? And I think many of us who've worked in legal, but worked on Volcker especially your role does not end in just being advisory. Really, it's a team effort working with your-- and I've got some of my compliance department internal audit partners here, working together finding out what's the right answer and the right solution for the company.

And just stepping away and just giving advice and saying the rest of it is Godspeed and you're on your own doesn't really work frankly in an in house. So Volcker's been something that we've been doing since 2015 and we've all kind of developed our own learning of what's the right way for us to do it. And some of this is colored by the rules. Some of it's colored by going through 3 and 1/2 examination cycles.

So there are some key aspects to having a compliance program. Obviously complying with the rule, but Appendix B key aspect. Each of us have designed the manner by which our firms comply with the Volcker Rule. I'll just cover two aspects.

Risk management and internal controls. What most of our experiences have been is that when you have Volcker, which is supposed to be a key part of how we operate and do day-to-day operations in the trading context, then frankly, outside of the trading context when it involves a cover financial instrument, you want to build your Volcker controls and your program into your DNA. So it becomes second nature and very natural.

So for risk management purposes, we already had a risk management framework, having limits setting processes, and having management triggers that all get tied into Volcker. So I've got some limits that are tied to how I calculate my RENTD, and then also how I produce my metrics. All those things got embedded.

Also internal controls. So all of us live by a standard philosophy by which the regulators have imparted on us. First line of defense, second line of defense, third line of defense.

First line of defense, that's front office business. Compliance always starts with the business. Second line of defense, that's the control function. Sets independent risk, that's compliance, that's legal. And then third line of defense is your testing, internal audit. So your internal control framework, very much consistent and very much top of mind as to how you build your Volcker Compliance Program.

RENA SHADOWITZ: So a couple of the other elements of the compliance program and the rule are policies and procedures. That's a requirement if you have those. You have to have a training program and a management framework. So I can speak to our policies and procedures, we have an enterprise policy that covers Volcker, and then we have below that standards. One on covered funds, one on prop trading, and one on the back stop.

We used to have more. And actually we consolidated a bunch of the different prop trading ones into one prop trading standard. We also have what we call the VCP because it wouldn't work at a bank if we didn't have an acronym for every single thing we do. So VCP for us stands for Volcker Compliance Program. And so that's the document that describes our entire program.

So the program is a program, and it's all the things that we're going to talk about. Internal controls, testing, training, et cetera. But the document describes all of that and it goes to the board and the board approves that. We also have a training program and that's run through compliance. So that's my group. I'm assuming the other people who didn't raise their hands for legal are actually in compliance.

And so we run a training program. We've got somebody from compliance at the back. We have an annual web-based training that goes out to a very large swath of people at Bank of America, and it's modular based. So we try to tailor it to the different areas so our CFO group are not getting a module on market making, but they are getting on RMH, our wealth management guys getting a different kind of covered fund modules than maybe other people not even getting any covered fund modules, maybe the folks in equities are getting a different version of that.

So we do that annually. And I'm not sure if we're supposed to be talking about what we do differently. I can say where we progressed to is I think the first couple years we had even way greater number of people actually doing their training. Over the years we've managed to take different people out who have absolutely nothing to do with it. So a good example is research.

The first couple of years, for whatever reason, our colleagues in research were doing the Volcker training. And it's really not part of their job, I mean, unless they're writing a research report on the Volcker Rule. There isn't really Volcker in their job. And so we've managed to carve them out. And so that's just how we've progressed over the while.

I think management framework is probably one of the heavy builds that I think all of us have built and probably where there's a little bit more variety between the different banks. We personally have business level, what we call control forums. So that's a line of business level. So, for example, we have a rates forum that meets monthly, and then we have a higher sort of at the business level, senior management committee.

So the markets business or the CFO group have a monthly meeting. And then that all rolls up to basically the CO directs and they have interim sort of reporting to that committee. And that's our management framework. In terms of progression where we've ended at the beginning, all of those forums met monthly. As we've gone through we've realized in certain areas they really just don't have enough.

They're not really doing enough Volcker specific activity. So we've managed to scale some areas back to quarterly meetings where there's just the meetings were taking like 10 minutes because they just didn't have anything to say. Joerg.

JOERG RIEGEL: Sure, thanks. Let me just doctor with a I have a degree. Every one of us has a governance framework. Ours is somewhat different but we can go into details in a little bit if you want to think about changes necessary. But one thing to point out with Volcker's here, I'm sure many of you who are experts have experience as well, is that there is on top of the governance framework that operates year long, there's also an annual cycle.

It comes with testing, with [INAUDIBLE], with annual reports to the senior management and to the board. And so that annual cycle is part of our governance as well, of course, embedded into our run now. I want to cover two topics. So to round out the program architecture, there's this desk mandates and fund processes that have to be developed.

The rule is very specific as to the various requirements that have to be addressed in policies and procedures for each trading desk. And the way might as many, maybe all firms have developed that in practices fairly detailed desk mandates. A lot of us started out with traded mandates previously, but now they roll up into desk mandates that are very prescriptive as to the kind of products we trade into strategies that can be used by the desk and details around the requirements that the rule provides.

And these desk mandates are attested to annually as part of the overall structure. We have these desk mandates, well over a hundred of them in areas that include trading areas, but go beyond those areas as well, just to make sure that the activities that aren't actually in scope for the rule or shouldn't be in scope for the rule don't exceed their mandate in ways that might be problematic, one of the many effects of the Volcker Rule with its pretty sweeping definition.

On the fund side, again, at least for the banks that have enough trading assets to be subject to Appendix B, which has the heaviest compliance requirements. In order to be able to identify covered funds, you have to have a process in place. That process has to have management review internal testing on it. And since the covered fund definition itself is so sweeping, this brings into scope a number of assets, a number of issues that are actually fairly frequently traded, which raises an issue of how to embed these kinds of assessments, which can be quite technical into a run process.

So we've created an intake process where an issue has once been classified either internally or by an external tool, this information is retained so that others can rely on it as they come upon the same investment. And there's further database uses for this database where all this information is stored, such as ownership controls are run across this universe of assets.

RENA SHADOWITZ: So what will we change? Is that the next question? What will we change? I give up.

CURTIS K. TAO: Let's say if we can wave a magic wand and we have a new NPR and we were given the discretion to design a compliance program in the way that we saw fit, in the way that we thought was most appropriate to ensure compliance by our firms with, let's say, a simplified Volcker Rule. OK. So now I've got an Appendix B that happens to be a sentence. And the sentence says firm shall establish compliance program.

So we've been asking that question of ourselves. And frankly, because we've been, as many of you have heard, we are in a period of hopefully seeing an NPR here soon, we've asked ourselves the question as we formulate our advocacy, what do we want to ask for in terms of the compliance program?

So a couple of things to keep in mind as you evaluate this question because you're probably going to get asked this question from your client, whether it's an internal client or external client. Keep in mind that what you've built already and what you've spent resourcing towards, it's all spent money. You're never going to get it back, number one.

Number two, keep in mind that your examiners have been quite used to what you've been doing for the past three and 1/2 years, let's say four years by the time we see final rule. And then finally, keep in mind, assuming you're a prudentially regulated institution here in the United States, you've got heightened standards. And these are standards in which-- particularly the OCC issued, talking about all the kind of things that we're supposed to do, in post Dodd-Frank 165, about risk management, governance, documentation, testing, and so forth-- all things which happen to show up co-incidentally, what a coinkidink, in Appendix B now.

So let's start off with a couple of aspects. So risk management. What do I think I would say, 1, that I would want to design differently, and 2, my regulators would let me change or simplify from a risk-management perspective? I'm not sure there's a lot. And it's because if you think about how the regulators think about prudential regulation, everything starts with risk management.

So am I really going to be able to have less risk limits or have flexible risk limits or have less management triggers? Probably not. Am I going to be able to have less monitoring, less aggregation of risks, convergent risk, of credit risk, and market risk, different risk factors? Probably not. Now maybe on the edges, if I have some changes in the rule where I have to do less metrics, do I maybe have, let's say, less focus on those metrics which really don't tie themselves to risk limits that I currently operate under? Sure. But from a risk-management perspective, limit monitoring, limit establishment, limit governance, I, honest to goodness, doubt that we're going to end up being able to do something less, not only for internal prudential reasons, but also our external regulators wouldn't let us do that.

Controls. Internal controls. That's the other topic that I talked about. What would I be able to do differently from a first line, second line, third line defense? You know, I really don't know. That's a hard one too. Again, when you're supposed to build Volcker into your DNA and how you operate, your internal controls, which are the second line of defense, legal is not going anywhere. I hope not. Compliance? No. Internal risk management, independent-- nope. So there are going to be aspects, I think, of the Appendix B that as we ask the hard questions of ourselves, can I find a way of simplifying and reducing the administrative burden of the Volcker Rule on my firm, on my institution, you may not find a lot of help there in risk management or internal controls.

Rena, how about your areas?

RENA SHADOWITZ: So one thing that I would add that I just actually thought of while you're speaking is I was thinking about the policies and procedures section. And something that we struggle with is if-- and I know this by heart, which is really sad, which is one of the things that it says in your policies and procedures for your trading-desk mandate is there's a line there about executive comp. And that you have to, in your policies and procedures, talk-- or your trading-desk mandate-- about executive comp. But it doesn't reflect the fact that executive comp is only the incentivising of risk only applies to some of the exemptions.

So, for example, if you have a desk that trades only in government obligations, you have a mandate for that. You have to have a section in your mandate that talks about executive comp is not a component of the [INAUDIBLE] exemption. So stuff like that, which I think we've all grappled with, in like, why do I have to put this in-- and maybe at your institution you said, that's stupid. I'm not doing it. But those are the kind of things where I think more flexibility-- where it's not itemized, specifically, what you need to put in your mandate-- those things might change.

But I agree with you in terms of the broad picture, especially if you're not changing metrics. You're not changing the market-making exemption with market-making inventory limits, market-making hedging limits, and financial exposure limits, which is, I think, something the guy from the SEC said this morning, right? Which is you can't just say, well, we have FE limits, so we don't need market-making hedging or market-making inventory limits, or one of the other. You have to have all three. I think as long as that remains, then your risk limits stay the same. Additional quantitative measurements-- that's in Appendix A, not Appendix B. So they got rid of Appendix A and just said, hey, do some metrics and figure out-- maybe some of those things would go away, including thresholds on additional quantitative measurements and metrics. Those are things that might get lessened a little bit. But I agree with you.

CURTIS K. TAO: But that's a big maybe, because remember, even though we're not going to cover it-- spend too much on it-- on Appendix A, on the metrics, remember there are three categories-- risk-management metrics, source-of-revenue metrics, and customer facing metrics. Two of them, the risk management and the source of revenue, our on-site team get already. They get them every single day. So your management triggers your compliance program tied to those particular metrics, probably not going away.

RENA SHADOWITZ: But we like to call it-- we call it the three flavors of metrics. So those are not our three flavors, because you're right about--

CURTIS K. TAO: Chocolate, vanilla, and strawberry.

RENA SHADOWITZ: Yes. Neapolitan. So you have your reportable metrics, which are the ones that you just went through. And then you have your additional quantitative measurements, which are the ones that you have to think about. You have to figure out what kind of metrics would indicate prop trading, right? And then you have the thresholds on all of those. So those are our three flavors. So I think maybe the second two, if they got rid of A. Maybe those are things that we would get rid of or have less focus on.

I think generally in terms of what I spoke about previously, in terms of describing training and policies and procedures, we're not going to be able to get rid of any of our policies or standards. We're not going to be able to not train on it. But I think the frequency with which things are reviewed or the frequency through which we train-- we haven't talked about this, but testing. So I'm in compliance, so the second-line testing program. I think the frequency of all that might go to the level that other regulatory programs use.

So Reg W. Like how often do they train on Reg W? Do they train every second year, every year? How often do they update their procedures? I've been in two banks. Typically, procedures are usually on a two-year review process. So we're on a one year, and we have to go back to the board with our program, because the rule says the board has to approve your program. So the board has to approve your program annually? That would be the kind of thing that might--

So I don't think that we would take away anything other than the metrics things that I just pointed out, but maybe the degree to which the frequency of tasks, the frequency of training, the frequency of review of policies and procedures, maybe that would go away. As well as testing-- taking a risk-based approach to testing and not going through the rule line by line and saying, do we test on this? Do we test on that? Which has been the focus now. Your point about enhanced prudential standards, the regulators-- OCC, the Fed, FCCs-- may say, well, you've already been doing that, so you should continue doing that.

CURTIS K. TAO: I completely agree on testing. And I know that some of my friends from my firm from compliance assurance testing and internal audit would love to hear this. But when you think about how we generally have approached testing, we don't test our entire firm for every single desk and every single rule every single year. You do risk based. You have certain cycles, right? But if you look at the Appendix B and the language of the independent testing requirements, it's fairly rigid. You got to do a holistic review of the entire firm and all of the requirements.

And I think all of us have read that generally to mean that you got to do a full testing regime for the entire institution, A to Z, every single year. So that flexibility, allowing us to, in our discretion, find out and figure out where are the places that require additional, more frequent testing. And the other areas where they've got it, it's spot on, I get the reporting and I see the monitoring, I don't need to test them every single year. That amount of flexibility would be of immense help in the reduction of the administrative burden.

Because many of us, frankly, do the testing with a full-blown team dedicated to it. And sorry, Chris, also with external assistance from an external auditor, which we may then not necessarily need. But that is a huge resource deployment that we do every single year, that you would not hurt safety and soundness if you had more discretion and more flexibility to design the testing program as you see fit, to fit the individual needs of your particular institution.

JOERG RIEGEL: Yeah. And I would add that similar ideas, I think, should hold sway for revisiting controls. There are controls that may be, on a technical level-- as the Volcker Rule is so technical right now-- are interesting hits. And you need to fix something, and you fix it, and the control is working. But the control is really useful, for all intents and purposes, to really capture the essence of the rule. And so I think the essence of the rule could probably be captured in far less controls than the controls currently run on [INAUDIBLE] alone or on Super 23A and many other aspects of the rule that are just too sweeping.

Which really shows that the rule is currently written with a couple of dimensions that are excessive and [INAUDIBLE] reach that is excessive, at least for foreign banks. A reach outside of the markets activities that is excessive. And when those get cut back, I think the controls will follow.

DEREK M. BUSH: Can I ask two follow-up questions on that? 1, you touched on board approval. If you were designing this from scratch, would you take the Volcker program to the board for approval?

CURTIS K. TAO: Great question. So let me just think back as when we brought our plan for approval to the board. And there were two things that we needed to do, because it was prescribed in the rule. 1, we had to have the board formally delegate to a subcommittee thereof, approval of the program, and ongoing monitoring of the program. And then the second thing is we had the program approved by the board. And what's also required in the rule currently in Appendix B is that, no less than annually, management has to report on the effectiveness of the program to the board.

So would I do all of that, if I had more flexibility from a governance program perspective? So I would say a couple of things. Highly likely that I would have brought the program to the board at least at inception. So for like big, Dodd-Frank implementation issues, swap dealer or swap margin, capital, CCAR-- frankly, I do see CCAR every single year on quarterly-- resolution plan-- frankly, I do that quarterly and annually-- I'd probably at least bring it. But I think over time, it becomes much more routine.

And so bring it the first time. If there are major issues, I would probably bring it back. But I think the board, generally speaking, its responsibility is to develop and require management to execute on a commercial strategy for the firm. But major issues, including compliance issues, as we've all known and seen some of the compliance blowups that have occurred at other institutions, must go to the board. So unless you have an issue, unless you have a problem, the board will expect management to execute. And the board has responsibility to oversee management. And I do think that the regulators have begun to express a view that the board shouldn't necessarily get itself completely immersed in the minutiae of compliance issues.

The board is not a compliance body. It's a board that provides oversight. So I think if I had more discretion, I would bring it the first time, and probably no more frequent than annually, and only if there are major issues and blowups. That's my view. What do you guys think?

RENA SHADOWITZ: That sounds very reasonable. And I think that's the approach. And I think that we have to think about a new reg in the context of all-new regs. And you have a new reg, and it's going to get a lot of attention, a lot of money, a lot of focus, a lot of management oversight at the beginning. And then what naturally should happen is it becomes part of BAU or part of your DNA-- is does it really need that level? Does it need to go at least annually to the board, at least being my least favorite word?

I don't know. I think there's compliance frameworks that are set up. Volcker Rule is just a reg like every other reg. So why, in the end, are we treating it different than-- I always say, because the woman who runs the programs sits next to me, Reg W. Reg W is an important rule as well, and why is Volcker different than Reg W in terms of the governance?

DEREK M. BUSH: And you know what I'm going to ask next, which is if you're doing it from scratch, would you include a CEO attestation? I know you're going to talk about other issues related to that, but would you include it?

RENA SHADOWITZ: Well, I personally would not. But I think the FDIC would not like that and has, I think, been on the public record of saying over my dead body.

DEREK M. BUSH: No, but we're in Curtis' world.

RENA SHADOWITZ: In Curtis' world--

CURTIS K. TAO: I wave the magic wand.

RENA SHADOWITZ: I think speaking from compliance perspective, in some ways, the CEO attestation is helpful to doing our role, because you use that as a stick with people. And you say, well, the CEO has to attest to this program, so we better be sure that we've got it down and that it works. Without that stick, would it make our lives a little bit more difficult? Maybe. But then it would make it easier in terms of actually getting the CEO to attest.

CHRISTOPHER V. SCARPATI: I would agree. I think it's a draconian measure, to be honest with you. And it's not like you require attestation on every other piece of financial reporting that's provided to your regulator with respect to your capital position and your risk position. So it's really no different from that in my view.

I also think, with respect Curtis, to things that could potentially change, I think the metrics reporting, in some cases, while it's useful internally, I think there's a difference between data and information. And what's getting reported is data, not real information about the business. And we spend a lot of time with our clients helping to visualize that data and represent the data to the business in a way that's useful. And then there are certain metrics that are somewhat useless to the business and don't have any real meaningful significance to how a trading operation is run on a day-to-day basis, particularly around the customer side, right?

RENA SHADOWITZ: I would say somewhat would be an overstatement.

CHRISTOPHER V. SCARPATI: Yeah. True. But I think if you just look at the way the information, or the data, is being presented, it's really difficult to ascertain any sort of position, positively or negatively, when you look at that data in and of itself. It requires some analysis, some manipulation, and representation in a way that actually makes sense and is reflective of the true risk position happening out there.

Although, I would agree with you that the money's been spent. And in some cases, it is at some cost. But it's also a competitive differentiator, because Dodd-Frank, as we all know, is created not only too big to fail but too small to compete in our markets. And perhaps the other area I would think could potentially use change is the whole risk-mitigating hedging piece. Both of your institutions trade and have locations.

I know it's Citi, so in over 103 different countries that you're trading in. And your macro hedging books tend to be very, very complex and not very straightforward, because, as we all know, there's no such thing as a perfect hedge out there, right? And the amount of documentation that's required in order to prove that the hedging that's being done at a portfolio or macro basis is in fact legitimate hedging, so to speak, is a very, very onerous exercise, and in some cases quite difficult. And I think it's time being taken away unnecessarily from risk managing the business in my view.

JOERG RIEGEL: And to go back also to Rena's point on the governance, I think broader than even going to the board or having a CEO attest, I think governance generally, ideally-- in the ideal world of Curtis-- should revert, in my mind, to Volcker not being treated different than any other rule. And if we find enough to discuss on Volcker that it fits into proper government forms that already exist and not more, that we don't have to spend an hour and a 1/2, two hours to go through metrics, internal metrics, of every single task, then I think we've accomplished a great deal of streamlining.

CURTIS K. TAO: Thanks. Well, Derek, since you brought up the CEO attestation, let's just pretend my magic wand just broke, and now we're back to reality. One of the interesting aspects of Appendix B is that we do have discretion in terms of how would we get our CEO comfortable with-- he or she-- deciding their attestation annually? So here we are. Rena, you've managed the program at Bank of America, and you've got this piece of paper, and you walk up the stairs-- all 42 flights-- to Brian Moynihan's office. And Mr. Moynihan, I'd like you to sign this. What does Mr. Moynihan ask of you to give him comfort that when he is signing this particular document, he is not committing an intentional violation of the Bank Holding Company Act?

RENA SHADOWITZ: So we built out a pretty detailed-- and it sort of starts in December, our program to support the CEO attestation. So if it were to go, that would be-- as I said, it would be a lot less work for us. But it starts with, essentially-- everybody has sub-attestors. So we start with defining who that population of sub-attestors are. We have over 200 sub-attestors. And we go top down and bottom up, so we're looking which ones of Brian's direct reports are dealing with Volcker and which ones aren't.

And then we go bottom up in looking at, OK, so we've got desk heads, and then moving up from the desk heads. And we have, basically, three waves of sub-attestation that happens over, basically, a month in February, March, where we start at the desk-head level and we move up. And so we actually go, we figure out who the population of sub-attestor is going to be. We go to our management frameworks. We get them to sign off, which is an important tool for us, because when people start complaining that they-- why are they attesting, then we actually say, well, senior management. Your boss, or your boss's boss, said that they want you to attest.

Interestingly, we actually have issues with people wanting to have more people attest to them. So if the desk head, for example, is attesting, he's like, I want all my traders to attest. And senior management has said, no. You've got to have some skin in the game, and that's you. If you want to talk to people and figure out how you're comfortable, that's great. But there's no formal attestation below that level.

And then what we create is a deck. Like I said, it has to have an acronym, so it's called the WYCA deck, which is actually Why You Can Attest. So we prepare a deck for Brian that's called why you can attest. It actually gets provided to all sub-attestors. And it gets updated as we go through the process in terms of things changing, et cetera. So what it does is it goes through all of the elements of the attestation, which is establish, maintain, enforce, review, test, and modify. So we have a slide on each one of those elements, and we give evidence of how it is possible for us to say that we've established a program. So we list all the things that we've done, how we review, how we monitor, et cetera.

And then we go through and we say, OK, so what are our outstanding, internally-identified, or regulatory-identified issues with the program? And we go through each one of those in a very simplified fashion, where we're basically saying, what's the problem at the level where Brian or senior man-- the head of-- our CAO, who attests, she can understand it, and she's not working on the mortgages desk. So we have to simplify the explanation of the issue, bring it down to like two sentences. The data that was being provided was incorrect, so the metrics had to be manually changed. So that might be an issue.

And then we say why that issue doesn't call into question the reasonableness of our program, which is basically what he's attesting to, that the program is reasonably designed. And then that goes through-- basically everybody who attests gets to see that, and that's their support for attestation. We use a vendor-provided tool for people to actually attest, so we can keep records of every single person's attestation. And we do QA sessions as well for the sub-attestors, so they can ask questions, if they have, about what the attestation means.

And I think at the beginning we got a lot of questions of like, well, there's all these issues. How can I attest? We had to reinforce with people, it doesn't mean that the program is perfect. It means that the program is reasonably designed.

CHRISTOPHER V. SCARPATI: Yeah. And that's a really key point, right? Because you're not signing off, or you're not attesting that you're not prop trading. You're attesting to the fact that you have a program in place to measure, monitor, and manage on an ongoing basis.

RENA SHADOWITZ: And not even just that that program is perfect. So there could be issues like you don't have enough tests on this, or these people weren't trained. But it's still, at the higher level, it's a reasonably-designed program.

CHRISTOPHER V. SCARPATI: Right.

CURTIS K. TAO: So Joerg, your institution is a foreign-banking organization, and your attestation merely needs to be executed by the head of your US business. So how does your process differ from Rena's?

JOERG RIEGEL: I would say the process doesn't really differ much. And by the way, for foreign banks, the split is about-- or the last survey that was conducted about a year and a half ago was about half/half of foreign banks that have opted to go with a US CEO attestation, and those that have chosen global CEO attestation. Our firm does do a US CEO attestation. But then we went through the initial step of Rena's process and do so every year of determining who are our sub-attestors. And it doesn't stop with the US remit. It's the global remit except for the areas of our global operations that have no touch points to the US.

And a lot of our operational background and infrastructure to comply with the Volcker Rule also sits in our Paris headquarters. So there too, we have attestors, up the chain, that attest to their elements to Volcker.

RENA SHADOWITZ: So I have a question for the two of you. Do you have audit sub-attests? Well, you haven't said if you have sub-attestors, but I'm assuming you do. So do you have audit sub-attests?

CURTIS K. TAO: So my view on the CEO attestation is interesting here, because I think part of what drives the vigilance that we do to support the CEO attestation is the rule. But the other part of it is your CEO, right? And your obligation, and your job, is to make sure that there is ample support to give comfort to the most important executive in your company, that he or she can sign. And it's the entire organization, because it's global. And it's across the company. And it's frankly all of trading. When you think about what Volcker covers, every single covered financial instrument, derivative or security, purchased or sold as principal. And then you've got covered funds, right?

And so, frankly, I think what drives what we do really is more the fact that we're being asked to provide an execution of a document at the most senior level. Now, there is, I think, a level of coherence to Appendix B. While I think we can certainly improve it, but when you think, everything is derivative, right? It starts with trading mandates, got risk management. Then it goes to governance. Then it goes to the senior management assessment, then independent testing. All that stuff fits together.

So for what my institution does is that we take every single aspect of our compliance program, and all of it is there to support the CEO attestation. So we do the sub-attestations. All desk heads, they have to sign. Key control leads and business heads do a very similar attestation to our CEO attestation, to support. But I take my senior management assessment report, which is in part based on NCA's management control assessments across the entire company, which is in part supported by quarterly reviews that are presented to the board of our compliance program. I also take my compliance department, their risk assessment of the program. And I take my independent testing report. All that stuff gets bumped together into a senior management assessment report, which gets approved by senior management, gets presented to the board, and then that supports my CEO attestation. It's all together in one place.

But you see, every single aspect of Appendix B gets all put together to ultimately culminate in the apex, which is your CEO attestation. So I would love to simplify it, but I think, realistically speaking, once we are in a position of needing to have our senior executive sign that document, there's a lot that we're going to end up still having to do. That's my perspective.

RENA SHADOWITZ: But do you have audit sub-attests?

CURTIS K. TAO: Audit sub-attestation is effectively their independent testing report. That's their report. That's what they would call their sub-attestation. By the way, my directs of my CEO, everyone says, do they sub-attest? Well, yeah, because I require a unanimous vote to approve the senior management assessment report. So that is the form of their attestation, whether or not they've approved, affirmatively, the senior management assessment report. So call it a sub-attestation, call it an approval, call it an issuance of an independent testing report. Everyone's on the hook.

JOERG RIEGEL: We've timed our attestation on the audit to be sequenced in the way that the CEO relies on the audit report as well.

RENA SHADOWITZ: Yeah. We do all those things too. We have the senior management report. It supports the attestation as well as the-- I've had conversations with some other banks about whether audit actually-- our sub-attestation is exactly the same language as the CEO, word for word, except for-- some people's are limited. It's I hereby attest, with respect to my area, that, blah, blah, blah. And so the question is always, well, if you have an audit report, what is audit actually attesting to? Because that's all they're required to do under the rule is to do that. And you've got evidence of it. So I think it's interesting about whether they actually do that sign at the bottom line on the sub-attestation, or they just provide their report?

CURTIS K. TAO: Any questions on CEO attestation? Yes?

AUDIENCE: -- where I guess one of the sub-attestors refused to sub-attest. And what do you do in that situation?

CURTIS K. TAO: So great question. So the question from the audience was that what do you do if one of your sub-attestors refuses to attest? So what we have is a process, in my institution, is that we sometimes have individuals, and they have a legitimate reason. And then there is a way for them to provide an exception.

So they get the sub-attestation form, they provide an exception in certain parameters. It goes electronically into the mailbox, which is managed by compliance. Then we convene a group of legal, the front office-- which is the group that manages the program for the entire company-- compliance, being observed by internal audit. And we go through every single one of those exceptions.

Most exceptions are things like this. I was only the desk head for three months, so I can't speak to what happened in the other nine months. Totally fine. Or my desk actually never existed. It merged with someone else, and the other person is responsible.

We have never encountered a situation when, flat out, the person refused to attest, because if they did, I want to know why. Is there a noncompliance issue? Are they uncomfortable because they actually have an issue from a substantive perspective, rather than just like, oh my god, I never like to sign anything. Because I do need to investigate. And then I will dig in, and I will figure out what's the issue.

If there's a substantive issue, then it goes right into my governance program. Noncompliance issue? I have to investigate, and then it gets escalated to the right level. If it's significant enough, once there's an investigation by compliance or the business or risk, it goes to my working group. If it's significant enough, it goes beyond that to the risk committee. If it's even more significant, goes to my senior management committee.

And then ultimately, if it is so significant that it amounts to a significant deficiency that calls into question either standard, which is the senior management assessment, which is the effectiveness of the program, or the reasonable design, which is the CEO standard, I have to bring it to the board, because that is a material issue. So that's how all this stuff should work itself out. But you better sign.

JOERG RIEGEL: Yeah. You better sign.

RENA SHADOWITZ: We get the same kind of questions about why-- because of the way we do it, where we have all the members of our forums, the voting members of the forums, have to attest, sometimes there's some weird-- especially within risk-- some weird lines where, for whatever reason, the credit risk is actually the risk guy, who's on one of the forums. And so his boss is a credit-risk guy. He's like, why am I being asked to do this? And it's like, well, because the person who works for you is doing it, and that's the way ours works. It goes up the hierarchy. And so mostly it's things like that.

CURTIS K. TAO: Yeah.

RENA SHADOWITZ: And I think we anticipate those kind of questions, which is why we do an FAQ session with the attestors to remind them that they're not attesting that the program is perfect. And they're not attesting that there's no issues, but they're attesting that it's reasonably designed.

CURTIS K. TAO: And frankly, some of these sub-attestors are going to be only attesting to their desk. So they don't have to attest to other aspects or other parts of the firm, right? But if you're attesting to whether or not you transacted within your trading mandate, and you're the desk head, you darn well should know. And at the end of the day, we all report to someone, right? Every single trading desk head reports to someone, reports to the CEO, and the CEO reports to the board. So if the CEO has to attest, Mr. or Mrs. desk head, you're going to attest or tell me why you're not going to.

JOERG RIEGEL: Yeah. And I would add, in the process of figuring out every year who the right attestors, and with it comes for us as well the same language that the CEO attests to but with a condition around it that specifies the area of responsibility. And this is an opportunity for what we call a dry run, to raise any issues and to discuss whether this is appropriately assigned to that person. And that's where these issues should come out, not in the one monthly note during which the actual attests are electronically furnished.

CURTIS K. TAO: Any other questions on CEO attestation?

AUDIENCE: I have one here. What do you do around individual business units that have been deemed to be out of scope of [INAUDIBLE] either, perhaps, geographically, looking at a particular region or looking at a particular business, do you fold them into your CEO attestation, for example confirm that they continue to remain out of scope of the rule? Or are they completely comped out?

CURTIS K. TAO: That's a great question. So the question, for those who didn't hear, is what do you do with those business units or desks, which are technically out of scope from the rule-- and I'll just put words in your mouth-- because of an exclusion or because they may not necessarily engage in a transaction involving as principal or purchase or sale of a covered financial instrument? Do you include them in your compliance program? And, more specifically, do you include them in your sub-attestations? Does someone want to take that?

RENA SHADOWITZ: So I think the best example would be retail banking, right? Right. So we actually have them attest, because what they're attesting to is that they continue to remain, what we call, out of scope. Exclusions for us are exemptions light, and so we don't treat exclusions differently. But areas that just don't trade, they don't do that retail banking, investment banking-- like the M&A guys, that sort of thing-- what they're basically attesting to, my business model hasn't changed. I'm now, all of a sudden, trading in money-market funds or whatever.

JOERG RIEGEL: We keep that outside of the attestation cycle and call it activity mapping. We do that on an annual cycle as well. And this is actually a negative attest as to nothing untoward happening in these activities.

CURTIS K. TAO: Fully agree. I think an experience thematically that we've all experienced is that how do you know that those businesses which were deemed to be out of scope or excluded continue to conduct their activity in a way consistent with their mandate to remain out of scope or excluded? So it goes exactly to that.

DEREK M. BUSH: Question about numbers. Supposedly draft FAQ has been around for years. How many do you do? One on top of the house? One lead national bank? Any broker dealers? How many attestations?

RENA SHADOWITZ: We do two. Like, our IDI-- OCC gets their own. And everybody else gets.

CURTIS K. TAO: Yeah. That's right. So I think there have been some bumps in the road as to how we got here. But if you're an OCC regulated bank, it's no surprise-- I think it's been discussed in the other panels-- your CEO of your OCC-regulated bank is going to sign an attestation for the bank only. And then your CEO for the firm, the top-tier, parent, bank-holding company will sign as well.

Now, Volcker is agnostic as to legal entity. And as many of us experience, many of our desks transcend different legal entities. So we still have a firm-wide program that our CEOs rely upon. So that doesn't mean that we have to have a specific compliance program for only the IDI. That would be impossible to manage. But what it does require us to do is make sure we have the management information systems to the bank-centric and bank-management governance teams, so that they hear as much as we're providing at the firm-wide level about updates to our compliance program, any issues that arise. So that's an MIS issue that each of us probably has to do.

And then for the other agencies, I think, the SEC, and I know-- was it last year-- Angelina Mogadean had said this. That what they require is that they will rely on the top-tier holding companies' CEO attestation. But in your transmittal email, just make sure you say that my attestation on behalf of firm A, which includes my SEC-registered broker dealer, is hereby attached. And I think the CFTC requires something of the same.

JOERG RIEGEL: Yeah. The US CEO attesting to all the agencies that are relevant for us. Should we switch over to a slightly more esoteric topic? As you may have heard earlier in the day, one of the many areas where the Volcker Rule connects with, and has some interrelationship with, a preexisting regulation is the definition of banking entity. And so the entire scope of the Volcker Rule is premised on what is a banking entity? Which is in turn defined as an affiliate under the Bank Holding Company Act.

So for Rena and Curtis, have you encountered instances where you find yourself maybe not the only bank in charge of-- per the control definition of the Bank Holding Company Act-- of an affiliate? And what do you do in those cases in order to make sure that entity is in compliance with the Volcker Rule?

CURTIS K. TAO: Oh, sure. So let me just provide a little bit of background and geek out a little bit on Banking Holding Company and Reg Y analysis. So pre-Volcker-- we all, as a bank holding company, had to deal with this particular issue, right? The control standard in the Bank Holding Company Act is 24.9% of any class of voting securities. And sometimes, under the Fed's control standard, it can be lower, depending on whether or not you've got covenants, or you've got governance rights, or you got a board seat-- one of four, one of five.

But you can oftentimes be in a situation where you have Fed control, where you're expected to have responsibility as a supervisory matter of the entity, but you don't have actual control, because you don't have enough votes. And there's management, and there's a gorilla in the room controlling shareholder. And so how do you deal with that as a bank holding company pre-Volcker?

Well, if it was a financial company, financial in nature, which means they engage in activity which we're permitted to do, which is, for example, securities, broker-dealer activity, lending, you have to take a very close view. And what we often, I think most of the firms represented here in this room and online, have had to consider is where is the supervisory or regulatory or compliance risk?

So if that happens to be, let's say, just a plain vanilla kind of company that owns a piece of software-- and let's say the software involved data processing of banking, financial, or economic information-- do I have a lot of compliance risk if I owned 33% of the company, but I don't have actual control, but I have regulatory control? Maybe, as an institution, it will be like, yeah. I'm willing to take that particular regulatory risk, because there really is none.

Much different than, let's say, it was a money transmitter. Money transmitter, I got 33%. I've got regulatory, supervisory responsibilities, but I don't have actual control. I think most of us, if not all of us, would have stayed away from that situation with a 10-foot pole. OK. But you can make that analysis. You can make that judgment.

Flip the page. Now I've got Volcker. So let's say it's a company like the data processing company-- low risk, low supervisory compliance risk. They own a piece of software, but they have some revenues. I own 33%, so technically a controlled sub for a bank-holding company, our purposes. It's a banking entity, but I don't have actual control. Oh my gosh. They have idle cash. Oh my gosh. They invest the idle cash in money-market securities. Less than 60 days. It's a covered financial instrument, right? I've got a prop trading issue.

How do you then pick up the phone and say, hey, guess what, we've been this really great partner, and you really like us, we made an investment in you a long time ago, I may actually have a board seat. We get along. Have you ever heard of the Volcker Rule? So, Rena, how does that conversation go?

RENA SHADOWITZ: So I had that conversation twice at two different banks. So both at Bank of America and in my previous Canadian bank that I worked for running the Volcker compliance program, we had the same issue. I think that, in both instances, in a way I got lucky-- lucky, air quotes-- because, in both instances, the entity was owned by my bank and other banks who were subject to the Volcker Rule, and in both instances were very technically savvy with respect to the rule.

I think it comes down to two fundamental questions. First of all, do they do a full compliance program that's identical to all of the things that we've been talking to? Or do they do like a slimmed down version of it? And I think that that primarily-- it drives from what the activity that they're doing. So if they're doing like a liquidity management kind of thing, where they're buying money-market funds to handle their cash, their excess cash, that's a little bit different than if they're engaging in trading in securities, as [INAUDIBLE] principal let's say.

I think at a minimum what you want to think about is you're going to need an attestation, because they're a banking entity. They're subject to the rule. So at minimum, you need an attestation to support your CEO attestation. And I guess, depending on what their activities are, you might want to institute like a monthly attestation, just making sure nothing's going awry during the year.

One thing that's interesting is do they have to submit metrics? And how does that work out, because they're presumably a smaller-- well, at least, in my case a smaller, currently, financial institution, maybe less savvy. Maybe they're not calculating VAR or MALL or any of those metrics. Do they report metrics on their own? Do they report metrics as part of one of the bank's metrics, both the bank's metrics? How does that work? And that will also impact what your program looks like.

Another element you want to think about, policies and procedures. So I always think it's interesting because then you really get to a little bit see under the hood of what other banks' programs look like. There's usually a discussion at the beginning, will they use our form of policies and procedures, or the other banks? Or will they come up with their own? In both instances, I can say that we had outside counsel do their own program for them, their own policies and slimmed-down procedures.

But you do get to see a little bit under the hood of the other banks, because you get to see what kind of comments they're coming back on, especially in my old job, where Volcker was very new. And it was like, oh, what kind of questions is that other bank asking? Oh, do we have that? Let's see what they're looking for in the policies and procedures to get a little bit of a sense of what other banks are doing.

I would say, lastly, notwithstanding any process that you have, and I'm sure you're going to-- especially if you've got somebody of your firm that sits on their board-- you're going to have a process that they're going to have to tell you if something changes. Notwithstanding that, it might make sense to do some kind of annual review of their activities, because what I found, especially at the outset, was that a lot of non-banks that are subject to the rule because of who their parents are, they're like befuddled by the idea that simply buying money-market funds puts them in the rule.

And so it's less part of their DNA than it is part of our DNA. And so they may think if they're not buying money-market funds, they may think, oh, well, I'm just going to buy some money-market funds or cash equivalent. I'm good, right? And so I think it's probably a good idea to just check in on an annual basis and say, hey-- if you had a questionnaire that you sent them originally, maybe can you just confirm all of this is still true?

CURTIS K. TAO: Yeah. Let me just add to that that I think thematically your examiners are going to be reasonable, because they're going to understand the practical challenges of how to apply a new rule like Volcker, even though we're three and a half years in to a long-standing legacy investment that you've had in an entity where you own a third for the past 10 years.

But I think the context matters. So let's say you own, along with four other broker dealers, four other bank-holding companies, this very small government securities dealer that's got a balance sheet of, I don't know, $20 million. And so would you be able to get everyone comfortable with a, quote, Volcker-like program, still complying with the technical aspects, but being able to demonstrate the management-information systems reporting. And maybe they report metrics on their own. And you have an ability to demonstrate that you kicked the tires. Probably.

Well, let's say instead, because of certain governance rights, you have bank-holding company had control of an Asian bank with $200 billion in trading assets, much different story as you can probably imagine. So context matters. And I think all these issues will probably have been worked out by now, 2018. But sometimes these things do creep up on you, because it's just a far off kind of business that they never thought that was any issue, because it's a passive investment. And these things do sometimes creep up even a couple of years into the program. Any other kind of questions on this? Or anyone have similar experiences of having to struggle with the uniqueness of applying Volcker to a control, but non-controlled company? OK. Oh, yeah.

AUDIENCE: I think you're right. Context matters. You got a foreign bank, imagine trying to apply the rule to something small [INAUDIBLE] Switzerland. They're looking at you like, what? Volcker?

CURTIS K. TAO: In fact, you're probably the foreign regulator of that foreign subsidiary, non-controlled subsidiary-- would probably be saying, you know what, I don't think you need to apply Volcker to your institution. And then what do you do? So you have to come up with some type of formula and solution that demonstrates that you take it seriously without creating any significant compliance or commercial burdens for the particular institution. That's a tough needle to thread. And I think I have a feeling that many of us had to thread that in the past. Any other questions on this particular topic, and banking-entity issues, and how to deal with the compliance program issues related to that?

RENA SHADOWITZ: We're going to put Chris on the hot seat, because--

CURTIS K. TAO: Go for it.

RENA SHADOWITZ: -- difficult question for some of us to answer, dealing with confidential supervisory information. So Chris doesn't have any constraints in that area, so we're going to ask him about preparing for a compliance examination. I guess, generally speaking, what have you seen your clients do to prepare? Is there a difference when they're preparing for an exam that's coming through one of the market regulators, like the SEC or the CFTC or the OCC or the Fed? And, I guess, is there anything that you have been recommending to your clients to do in advance? So even if you don't know there's an exam coming, but you think there's probably one coming, what can you do to get ready?

CHRISTOPHER V. SCARPATI: Yeah. I think from day 1, we've always been saying, you're guilty, until you prove that you're not sort of thing, right? And so it's imperative that you manage your story and you tell your story in a very clear and concise way, because, otherwise, everything is suspect. And I myself have been on the other side of the table from a regulator on Volcker exams as a consultant, and supporting banks. And I've seen the level of detail that some of the regulators-- the level of detail that they ask questions at.

And everything has to tick and tie, so it's always about just evidencing everything that it is you do because it's one thing to say the bank does something, and it's another thing to actually prove that the bank does something. And that's why, at least when sitting in front of an examiner, it's not really the legal and compliance people that they want to talk to. It's the people on the first line of defense, because that's the actual evidence that the desk head or business owner actually is living and breathing the values or the requirement of the rule. So for us, it's always been about make sure you tell your story. Make sure you document everything that it is you do. More is better in this case. And if follow-on evidence is required, make sure that that's provided in a timely manner.

With respect to different regulators being treated differently, I think it's a function of the stature of the bank. Certainly the bigger banks tend to take the Fed a bit more seriously than others. The smaller banks, they take a different approach overall. And I also think it's dependent upon the regulator. The OCC clearly has been the most active, as we know.

With regard to do I treat the SEC differently than the OCC than the CFTC, I would say generally not, because the same rules and principles apply. I'd be interested to know, perhaps, if you all feel differently. But basically, what we try to help our clients do is cut that information and tell that story specific to the entity that the regulator has authority over.

Which is very, very difficult to do, as you well know, especially with your swap dealer, because you're presenting an asymmetric view of risk. And rather than try to slice and dice the metrics and report only on the swap dealer or the National Bank Charter, most of the clients that we've been working with just report the same thing to everybody and say, let the regulator figure it out, because I don't have the time, money, or resource to actually slice and dice that data up. And frankly, it doesn't do anything for me to do that. So I might as well just provide everything. Interestingly, I also know certain foreign banks that, on the TOTUS side, because that same issue of just it's too difficult to slice and dice the data, just report everything. And say, if the regulator wants to talk about it, we're happy to talk about it.

RENA SHADOWITZ: So one thing that we've actually-- I guess without revealing any CSI-- can speak to is, like you said, they don't want to hear compliance and legal. In fact, in a lot of instances, they are going to want compliance and legal to not even be in the room.

CHRISTOPHER V. SCARPATI: Correct.

RENA SHADOWITZ: So one thing that we found is that you have to have prep sessions where you're coaching the business about what to say. And I think there's a couple of things that we noticed. First of all, I think most of the trading, they have quarterly meetings with the prudential regulators anyways. And so they're in that mindset. And in those meetings, because I've seen the decks, they're very focused on how much money they make. We're a really profitable business. We're a really, really profitable business. And we have to coach them to say, no, just think you're working for a retail store. Customer always right-- customer, customer, customer. Everything we do we do for the customer. And so that's a bit of a mind shift for them, because they're really used to talking about, look how profitable we are. No risk.

And the other thing is for them to understand the documents, like the mandates. So you have a trading-desk mandate. And you're obviously going to give that to the regulators. Presumably, that's going to be something that's on their poll list, right? And you really don't want your traders or your desk heads to say either something that obviously conflicts with what's in that document, or I don't know what that document is or what it says. And it's a lot of prep.

CHRISTOPHER V. SCARPATI: Yeah. You get that with policies and procedures, because it's in a drawer somewhere. That's what someone on the trading desk will tell you. And then no one knows really where it is. So that's always an issue. So I would totally agree with that. You do have to do some coaching. But what I've seen now is it's second nature to the point-- I think Curtis, you were making about it-- being part of BAU. I also would agree that if we had our way, would we take away any controls or compliance commitments? I would say, no, because those controls are actually very useful, and they're already in place anyway as part of good risk management.

So I think to your point about the traders and coaching people, it's just getting them to present the information in a different way, through the lens not of capital and P&L and RWA, and more about the controls that are in place to ensure that you're operating by the spirit and letter of the law.

CURTIS K. TAO: Chris, one thing I realized here is that I think we've been speaking from largely a large bank [INAUDIBLE] perspective. But there's a lot of midsized institutions, banks, that may have not been a first-wave metrics reporter, but they've also lived through Volcker. Where do you think now in 2018 the challenges reside for those institutions in the compliance program perspective?

CHRISTOPHER V. SCARPATI: Well, we used to get a lot of requests for work and to assist banks in this area, who are like the holy crap moment. Oh my gosh, I have to do this. I'm not Bank of America. I'm not Morgan Stanley. I'm not B of A. I'm not Soc Gen, whatever the case may be. I'm just pick small community bank, but I have a sizable trading book. What is it that I do? Or I'm a hybrid, so you have some card issuers out there that are in that. Or GE is in that hybrid, or any of the industrials, the AG businesses that have significant trading businesses too. They're kind of a hybrid, so they're not really sure. We could spout off BHC all day long, and Reg W, and Reg Y, and Reg T, because this is the business that we live in. But for those banks, or those organizations, not so much.

But I think really what it is is designing that program or calibrating that program commensurate with the trading activities, so that you're not doing too much. But at the same time, you're not doing too little, and you're doing everything that you need to do, whether it's the regular compliance program or the enhanced compliance program. And now I think with everything going on in Washington, there's a bit of a wait-and-see approach out there with respect to what will change. And at least the community-banking sector or the smaller-tier banks, will that obviate the need for some of the compliance platform?

CURTIS K. TAO: My sense, having been on this panel now my fourth year, is that for the kind of mid-sized bank, regional bank, perspective, to the extent they're doing trading, they're largely flat risk. So they make a loan to an agricultural company, and the company needs to do a hedging trade. So they do a commodity swap back with the lending bank. And then the lending bank will then do it with the street and be relatively flat. So I suspect that the risk management and the RENTD, though it was work, and it was certainly something they weren't used to doing, they're not carrying a lot of inventory risk.

But the compliance burden really arises from this 60-day rebuttable presumption, because it brings in all of the traditional banking, treasury, asset-liability management activities that they do do, right? They've got a load of deposits that they need to earn a return to pay the deposit interest, and they're going to do it through an AFS book, and they're going to do hedging. Would you say that's right, that it's really the 60-day rebuttable presumption?

CHRISTOPHER V. SCARPATI: That's a really good point that I neglected to measure. Although, you have to be careful, because, yes, I would agree the activity is basically straightforward, and it's flat risk. You buy here, you sell here, and you walk away, and risk neutral at the end of the night. Although, about three months ago, I had a client call me up, and we got into this whole conversation about hedging currency risk with crude futures. And I went, oh, that's really interesting. Why would you want to do that? And this gentleman went on to try to explain to me about certain countries where oil is a primary export and taking hedging with an oil future with a crude future as a hedge against the currency.

And we had, let's just say, a lively debate about that, because my concern was, so your business is to manage FX risk, but now you're introducing commodity delta. That's a real issue. And it was clear that this individual saw, potentially, an opportunity to make additional spreads somewhere by doing this. But nevertheless, it's questions like that that come up around the fringes, that while most institutions you look at, they're flat, and it's relatively easy activity. And then it gets to my point about making sure that the program that you provide, or that you design, you're not doing more than you need to do, because most of these banks don't have the resource that your institutions have here. They can't throw 100 people at it overnight and solve a problem in six months the way your banks can. So that's really the challenge. But at the same time, it's also to keep them away from doing the bad things or issues that run afoul of the rule.

CURTIS K. TAO: And then how about for covered funds for mid-sized banks? My suspicion is that the covered fund rules do become a bit more of a burden. And it's because that, quite naturally, if you're a regional bank, you're going to look to try to bank your local customers' needs through banking and securities and other asset-management products. So I think it probably arises, like in asset management, and maybe in some of the investment products that they may want to invest in. And they have to then go through it to review. Is that particular securitization, or is that instrument that I want to hold as an investment security, a covered fund? Are those the issues they [INAUDIBLE]?

CHRISTOPHER V. SCARPATI: Yeah. Because-- I don't know about you all, but I always found the covered-fund side of the rule to be the more complex than the prop side even though everyone says, oh, the language generally across the rule, the 900-some odd pages, if memory serves me, is vague overall. But I found because of the particular issues that we discussed and the logistics that are required to ascertain whether or not something is a covered fund or not are just so onerous, or just the approach is not always clear, it becomes a really big challenge.

And to be honest with you, about, I would say, a year ago, the phone calls stopped coming. We get less and less of them. We'll get an odd question, here or there, on a covered-fund issue, but generally not as much as we used to. So I think we've achieved steady state. But that's definitely an area where, at least a few years back, as you as I'm sure you guys would agree, has been the most challenge in order to just identify the population and whether or not something is covered or not.

DEREK M. BUSH: So that may also have to do with the industry tagging initiative--

CHRISTOPHER V. SCARPATI: That's true. That's true.

DEREK M. BUSH: So that it's a lot easier for, especially a smaller bank, to know one way or the other.

CURTIS K. TAO: Any questions from the audience related to regional or smaller-sized institutions? Yes?

AUDIENCE: Any advice you would have for somebody who, I guess, isn't currently reporting, but, me, I have to report within the next year or two. I'd at least like to see some CEO attestation. What are some lessons learned from your banks that you could give to some of the smaller banks?

CURTIS K. TAO: Wow. So the question was from the audience-- great question-- is what would our advice be to an institution which may not be currently a reporter or subject to Volcker, but may soon become? And I'm going to assume that probably the circumstance would be that they may grow to a certain asset threshold that they're going to be subject to the Volcker Rule. I hate to say it--

CHRISTOPHER V. SCARPATI: Shrink.

CURTIS K. TAO: Don't grow.

CHRISTOPHER V. SCARPATI: That's what I was going to say.

CURTIS K. TAO: Yeah. It is a lot of work. And it is a legitimate point. Of those institutions on that size threshold, the burden of the Volcker Rule, the metrics reporting, is, again, knowing what the institution likely is as to they grow to that particular threshold. They're probably, almost definitely, not a trading bank. They're a traditional bank that may be growing because they're taking more deposits and making more lending.

But to cross that threshold because they have some trading assets, I think it's a legitimate point of policymakers in concern that it is a gating issue, and you are creating an incentive of certain banks and financial institutions to drive their size in their balance sheet decisions based on regulatory burden, rather than a legitimate, commercial consideration, like client need, liquidity in the market, and whether or not I have ample ability to seize that liquidity and also to service it. Those are the right decision points I think policymakers-- economic issues-- that institutions should determine their balance sheet considerations on, not on regulatory burden. So it's not really a snarky comment, but it really is. Having lived through it, it was hard for G-SIB. It's really hard for a small institution.

JOERG RIEGEL: I would add-- maybe going in a slightly different direction with the answer. Though I agree with everything Curtis has said, it raises formidable hurdles. And maybe Volcker 2.0 can help lower some of these hurdles, or get rid of them altogether, for small institutions.

But I think part of the lessons learned is that when you have a diversified portfolio of activities, your program has to be set up from the first day as a program that is as diversified as the activities you are about to create a program for. So, yes, the market guys will step up and say, we hear Volcker is coming. We will help you out. But then you need a central, fully-staffed body that can look across all the different activities. You need engagement from the activities, like retail, that in the end won't be fully covered off or will be outside. But you need to rope them in early. And that's just one lesson learned, is how you get this engagement across the various business lines.

And there's different models that have worked. Business-line-owned SAP programs, I've seen, but with each of them reporting to the same standards. Push-down programs into the various business lines. On the CEO attestation, particularly if that was your point, that requires some build and a lot of lead time just to get people accustomed to the roles that they are now having to attest to and to build the infrastructure. The list is long, but there are certainly lessons learned in there.

RENA SHADOWITZ: I'd add to the list-- because I'm thinking, in my mind-- because I think you said metrics. So I'm thinking about data and data quality, because I think that's one thing where we found Volcker has actually improved the bank in a way, is resolving and you're submitting metrics. You're having data quality issues, and you're having to clean, basically, your systems to be able to report. And you're finding things, things that aren't being uploaded, downstreamed, upstreamed, whatever.

So I would say, there's two ways you can grow. You can grow naturally. And in that sense, you want to think about your systems, and will we be ready to submit metrics to me is how are our systems? How do they flow together? What kind of data quality issues do we have? And then say the other way to grow is presumably you buy through acquisition. And so if you're acquiring, particularly if you're more of a retail bank, and you're-- whatever-- deciding to buy a broker dealer, that's going to push you over the limit.

That's something you want to consider at the acquisition, at the M and A part, is talking to people about, OK, well, if we buy you, we're going to be submitting metrics. I'm assuming that these are the conversations that happen in [INAUDIBLE] deal anyways, but you want to have that lens of, wait a second, so we're going to be over the threshold for submitting metrics if we buy you. How are we going to submit metrics? How do you calculate this? How are we going to get all these systems to feed together and push out metrics to the regulators?

CURTIS K. TAO: Let me just touch upon the one point, which Rena made a good point about how Volcker has actually pushed us to improve our data. I think another area where Volcker has done a good thing for the industry is it's required us to focus more on risk management and managing our inventory risk. I think it is fair to say that during the financial crisis, institutions probably didn't have as much vigilance then as they do now, looking about, am I carrying the right amount of risk? Depending on various inputs.

And all those inputs today existed-- capital, liquidity, and risk appetite. But there has been this added flavor of vigilance from focus and governance. And you do have this additional analytic of RENTD. These are all good things. Trying to figure out whether or not your institution is right size for the risk it carries, that's been a good thing for Volcker. So if that was a choice that the firm wanted to make, and if they had to point to two positives that they will have to focus and improve their data, and they'll focus more on the risk, and the amount of risk that they're carrying, those are good things. Whether or not it's worth it, that's a different question.

I think we've got time just for one more topic. And I think we wanted to quiz Chris on-- so how would you advise an institution in how to manage noncompliance issues or enforce potential enforcement issues?

CHRISTOPHER V. SCARPATI: Well, problems don't get better with age. So the minute a problem is identified, or an issue has been identified, report it up. And I think, Rena, it gets back to the point you were saying before about when we were talking about what it is you're attesting to. You're not attesting to that your program is not without issue, and that it cannot use improvement, or that you're not prop trading. You're attesting to the fact that it's reasonably-designed commensurate with the complexity of the activity that the bank is undertaking.

And of course, no program is perfect. And I would say that audit reports that don't have any issues, I think, are more suspect than reports that do have issues. So what I would recommend is that-- and we've seen this actually in a few cases where issues are reported up. And they're resolved. And depending upon the nature of the issue, the institution may choose to report it to its on-site examination team and talk about that. Or they may choose to not report it because it's not significant enough. And they just deem it as something that was caught because we have a program that was effectively designed.

Remember, risks become issues if they're not managed. OK? And if an issue actually occurs, you actually should not only communicate it up the chain and ensure that it's being resolved, but, more importantly, take the steps necessary to make sure it doesn't happen again. And I think that's the one thing that, as we've seen with recent enforcement activity across a number of other areas unrelated to Volcker, it's not necessarily the activity itself. It's that the bank was blind to it occurring over and over and over again.

CURTIS K. TAO: Chris, I agree. I think part of this is a systems issue. Part of this is a cultural issue.

CHRISTOPHER V. SCARPATI: Yes.

CURTIS K. TAO: And so this is even before Volcker. What we want, as a part of a culture of an institution, is that people will raise their hand or say, mayday, I need help or, mayday, there's an issue. And you want those issues identified and then governed. And so may it be Volcker or another area of law, those things get brought to the second line of defense by the first line of defense. And then it goes up through your governance program in your system.

So for Volcker, it may be through your normal compliance review, or risk review, and then it goes to your working group, just like any other area of law. So that manner of identification and monitoring, that's a systems issue. Do I have a limit breach? And is that limit governed by RENTD? Did I do my RENTD, or did I have my management review occur that month, or was there a break in having the desk head review their particular limits, system issue? But never forget about culture. And you just need to have, and instill it in everyone's personal perspective.

And again, not only the firm's DNA but every person who works there, their DNA-- raise your hand. Issues are going to pop up. You don't need to resolve them yourself. Call out a mayday and bring it to someone. Bring in your control functions and make sure that the issue gets identified and resolved.

DEREK M. BUSH: The Volcker Rule is one of the few rules that is explicitly not a no-fault regime. It is a remediation regime. It's not pro-fault. It's maybe fault tolerant, which is helpful. One other thing that I think we're starting to see a little bit now is there's some traders who know enough about the Volcker Rule who, maybe, they are terminated for some reason having to do with their performance. And it is sometimes-- happens they say, well, yeah, but that desk over there, I know they're prop trading.

And they may do that in bad faith. They may do that in perfect good faith. They just may misunderstand. And so that's starting to create some processes for reviewing the activity, getting advice, documenting the conclusion of something short of a full-blown internal investigation. But because there is this phenomenon, and word gets around, I think it wouldn't surprise me if it kept going.

CURTIS K. TAO: Derek, you're right, because I think Volcker is one of those areas of law that has a lot of attention. It's been in the press. And so, yes, I think it's very reasonable to assume that you will have employees who have been terminated, raised this as a basis for which they were terminated. That I actually was a whistleblower on a Volcker issue, but I still got terminated.

See, in my mind, again, it still comes back to the way that the regulators-- and I think the way the regulators examine for Volcker. If you take prop trading alone, and you take what's the line between prop trading and legitimate inventory risk-taking for market-making purposes, if you can't get in the mind of the trader, you need to have indicators. And what are the most prevalent indicators of whether or not I'm prop trading? Well, is it a walled-off desk?

But the other thing which I think the regulators have said, strongest indicator of impermissible prop trading is excessive risk-taking. So it all comes down to risk management, which is what we opened with. When we talked about what are the areas of the Volcker Rule that currently exist in Appendix B, and what are the areas that probably won't change? Comes back to the ground zero. I don't think risk-management requirements, in that framework that we've all developed, is going to change, because that is the primary control against excessive risk-taking, which goes to the statutory purpose of Volcker, but it also goes to the statutory and prudential purpose of what our prudential regulators govern us for. Am I taking on too much risk? Am I managing risk appropriately?

We've got a couple of minutes left. Questions from the audience on any topic that we raised.

AUDIENCE: What sort of process do you have in place to decide whether to report a non-compliance issue to regulators? Kind of materiality assessment of something [INAUDIBLE].

CURTIS K. TAO: Great question. So the question is what kind of processes, or thinking, do we have around the threshold for us reporting issues to regulators? So I think what some firms have done is that they didn't need to recreate the wheel. There are a number of standards which have been created by internal audit. And internal audit has a number of different thresholds and levels. Is it a weakness? Is it a deficiency? Is it a significant deficiency? And that level of standard becomes something that we end up revealing all issues.

So if I've got a foot fault on a risk limit that is part of my RENTD, but it was because there was a client break where I was going to do the hedge immediately, but the client defaulted on or said, I'm sorry. I said, yes. And I said, done, but they decided not to execute. And for that reason, intraday, I went over. OK. I've got a process for dealing with risk-limit breaches. I govern that. That is not a material, non-compliance issue. I deal with through my normal risk-management process.

I will tell you in my mind what demonstrates a material break in your Volcker compliance program-- is if three and 1/2 years going through Volcker there is a desk that I just never reviewed for Volcker. And I've never brought them into metrics. And I've never brought them into my trading mandate processes in the governance and the documentation. That is a material issue. That goes to the heart, do I have a reasonably-designed program when I missed a desk? So those are the extremes, so then what's the middle?

At the end of the day, I don't think any one person needs them to answer that question. Bring it through your governance process that you've established already. If you've got a working group, you've got a control forum, bring it there. Then bring it to the risk committee. These are all things that are there already, and you don't need to make the judgment call on your own. Bring the entire forefront of the institution and your processes and your governance into that question. And I think whatever answer pops out of that process is the right answer.

CHRISTOPHER V. SCARPATI: Yeah. Curtis, I would agree. Maybe one other point is it'd be interesting to see-- remember, the rule over the past three years has been live in a period of relative stability in the market. And now we're seeing a lot more volatility, as you know. So if I think about the regulators, while the Fed is typically principles based, the CFTC and the SEC tend to be event driven.

I know with Brexit, it's caused a lot of questions and inquiries around this very topic. And now with-- what was it? January, when the market dropped over 1,000 points, right? I think as we continue to see volatility spike-- and what happens when volatility spikes, there's a lot of activity in the market. And it's actually good for the banks, because trading activities are up and revenues, therefore, are up. The question will be will there be an increased amount of inquiry due to market activities like that?

Because in extreme events and stress events, when banks may take on more risk or let go of more risk, that could potentially be problematic under the rule. So whether or not we see more inquiries, I think would just be interesting. And anyway, it puts more of a premium on all the things you were saying, and it makes sure that your controls, your governance, your processes are in place and the culture is there to measure, monitor, and manage activity on an ongoing basis as transparently as possible.

DEREK M. BUSH: Proving perhaps the wisdom of extending this panel by 15 minutes, I think we've run just a little bit over.

CURTIS K. TAO: Sorry about that.

DEREK M. BUSH: Please join me in thanking our panel. Terrific.

[APPLAUSE]

CURTIS K. TAO: Thank you. Thanks for having us.

[INTERPOSING VOICES]

All Contents Copyright © 1996-2018 Practising Law Institute. Continuing Legal Education since 1933.