The US SEC sued Virtu Financial Inc. on Tuesday in federal court for alleged policy lapses that the regulator said could have let employees access confidential information behind customers’ trades.
As alleged in the SEC’s complaint, Virtu Americas and its affiliates operated two businesses that it purported to have walled off from each other: an order execution service for large institutional customers, whereby Virtu Americas executed customer orders, typically for a commission, and a proprietary trading business, through which Virtu Americas bought and sold securities for its own accounts and benefit.
“At a time when Virtu Americas handled around a quarter of all market orders placed by retail investors in the US, we allege that proprietary traders had nearly unfettered access to material nonpublic information about its institutional customers’ trades – information which could be abused for personal gain,” said Gurbir S Grewal, Director of the SEC’s Division of Enforcement.
“Today’s enforcement action … sends a strong message to firms that they must do much more than use shared, generic usernames and passwords to protect against and prevent the misuse of material nonpublic information.”
Gurbir Grewal, Director, SEC Enforcement Division
“Despite the absence of any critical safeguards whatsoever around this information, we further allege that Virtu repeatedly misled institutional customers and the market about how Virtu Americas was protecting this valuable data to generate significant commissions. Today’s enforcement action not only holds Virtu accountable for its failings, but also sends a strong message to firms that they must do much more than use shared, generic usernames and passwords to protect against and prevent the misuse of material nonpublic information,” Grewal said.
Failure to safeguard
From approximately January 2018 through the beginning of April 2019, however, Virtu Americas allegedly failed to safeguard a database that contained all post-trade information generated from customer orders routed to, and executed by, Virtu Americas, including customer identifying information and other material nonpublic information.
The SEC’s complaint alleges that this database was accessible to practically anyone at Virtu Americas and its affiliates, including their proprietary traders, through two sets of widely known and frequently shared generic usernames and passwords.
Virtu Americas’ failure to safeguard this information created significant risk that its proprietary traders could misuse it or share it outside Virtu Americas, the agency said.
Relying upon Virtu’s statements, a number of institutional customers continued to use Virtu Americas to execute their orders, resulting in significant commissions for the company, the SEC said.
The company also had no policies or procedures that directly addressed this database and it provided no training or other directives to its employees regarding the expectations for use of that database and its highly sensitive information, the SEC said in its complaint.
To make matters worse, during this 15-month period when Virtu Americas failed to establish, maintain, and enforce policies and procedures reasonably designed to prevent the misuse of that information, Virtu misled customers about the existence and adequacy of such information barriers.
As alleged in the SEC’s complaint, in some instances Virtu overstated the controls, barriers and processes it had in place to secure its institutional customers’ post-execution trade data, and in others falsely represented to those customers that only employees with a need to see such information – a group that did not include proprietary traders – could do so.
Relying upon Virtu’s statements, a number of institutional customers continued to use Virtu Americas to execute their orders, resulting in significant commissions for the company, the SEC said.
Virtu responds
In a public statement, Virtu said it has maintained reasonable policies and controls to protect customer data.
Virtu pointed out that the SEC does not allege that any data was ever accessed or used in an inappropriate manner. And it said this lawsuit followed its criticism of SEC proposals on market structure, and its own lawsuit concerning the regulator’s rulemaking.
“We look forward to vigorously defending ourselves in court against these meritless allegations.”
Douglas Cifu, CEO, Virtu Financial Inc.
“Unfortunately, the SEC’s position appears to be driven by politics and headlines rather than the facts and the law,” Virtu Chief Executive Douglas Cifu said. “We look forward to vigorously defending ourselves in court against these meritless allegations.”
The SEC’s complaint, filed in US District Court for the Southern District of New York, alleges that Virtu violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 (prohibiting fraud and misrepresentations in the offer or sale of securities), and Section 15(g) of the Securities Exchange Act of 1934 (obligating firms to protect against the misuse of material nonpublic information).
The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties and a trial by jury.