Section 619 of the Dodd-Frank Act — the Volcker Rule — prohibits banking entities from engaging in proprietary trading and restricts their ownership interests in and relationships with covered funds. The implementing regulations, jointly issued by five US regulatory agencies, create a compliance programme requirement that goes well beyond maintaining a legal policy. Banking entities subject to enhanced compliance obligations must maintain a compliance programme that includes a CEO attestation, independent testing, and — most importantly for engineering teams — a quantitative metrics reporting system that demonstrates trading activity falls within permitted exemptions. This metrics system is a substantial technical undertaking that most banks underestimated when the rule was first implemented.
The Quantitative Metrics Framework
The Volcker Rule's enhanced measures require banking entities to calculate and report seven categories of quantitative metrics for each trading desk: risk and position limits, risk factor sensitivities, value-at-risk, stress VaR, comprehensive profit and loss attribution, inventory turnover, and customer-facing activity ratios. Each metric is calculated at the trading desk level, reported with specified frequency (daily for larger entities), and maintained for a period of five years in a format accessible to regulators. The purpose of the metrics is to allow regulators to assess whether a trading desk's activity is consistent with the claimed exemption — market-making, underwriting, or risk-mitigating hedging — rather than proprietary trading.
The engineering challenge is that most of these metrics require inputs from multiple upstream systems: risk limits from the risk management platform, P&L data from the trading system's bookkeeping function, VaR from the market risk engine, and customer flow data from the order management system. Building a metrics aggregation layer that pulls from all these sources, reconciles at the desk level, and produces the output in the format the reporting system requires is a data integration project of significant complexity. Firms that built the original implementation in 2014 using bespoke integrations are now maintaining fragile, undocumented pipelines that generate operational risk every time any upstream system changes.
The Volcker Rule metrics are not only a reporting obligation — they are evidence. When a regulator investigates a trading desk for potential proprietary trading violations, the metrics history is the first thing they examine. A firm that cannot produce accurate, consistent metrics for the relevant period has both a compliance programme failure and an investigative disadvantage. The data integrity of the metrics pipeline is a legal risk, not just an operational one.
Trading Desk Definition and Governance
The Volcker Rule requires banking entities to define their trading desks at a level of granularity that is consistent with how the business is actually managed. A trading desk is defined as the smallest discrete unit of organisation within a banking entity that buys and sells financial instruments as a principal. The definition of trading desks must be documented, consistent with internal risk management, and defensible to regulators. Banks that define their trading desks broadly — aggregating multiple strategies into a single desk to reduce the number of metrics reporting units — create compliance risk if the aggregated desk's metrics do not clearly reflect the nature of each underlying strategy.
Permitted Activity Documentation
For market-making exemptions, the implementing regulations require that the trading desk be designed to generate revenues primarily from fees, commissions, bid-ask spreads, and other income unrelated to price appreciation. This determination must be made at the desk level and documented. The P&L attribution metrics are specifically designed to reveal whether a desk is generating revenue from spread and flow — consistent with market-making — or from position changes — consistent with proprietary trading. Desks that cannot demonstrate revenue composition consistent with their claimed exemption through the metrics will be subject to closer scrutiny.
The Compliance Programme Architecture
The full Volcker Rule compliance programme for a large banking entity consists of a policy framework, a training programme, a metrics reporting system, an independent testing function, and a CEO attestation process. The engineering components — the metrics calculation and reporting system — must be designed to support the independent testing function: compliance and internal audit must be able to run their own queries against the metrics data, compare calculated values against source data, and identify anomalies without relying on the business to produce the analysis. This requires a data architecture where the metrics calculation logic is version-controlled, the source data is accessible for audit purposes, and the calculation results are stored immutably once produced. Most firms separate the production metrics pipeline from the audit analytics environment, but they must share the same source data to ensure consistency.
EU AI Act: What CTOs Actually Need to Do Before August 2026
DORA Is Live. Here's What 'Operational Resilience' Means for Your Codebase
FedRAMP Rev 5: What Changed and Why Most Current ATO Holders Are Already Non-Compliant
The engineering behind this article is available as a service.
We have done this work — not advised on it, not reviewed documentation about it. If the problem in this article is your problem, the first call is with a senior engineer who has solved it.