Recently, the United States Securities and Exchange Commission (SEC) filed a lawsuit against broker dealer Virtu Americas LLC and its parent company Virtu Financial Inc. (hereinafter collectively referred to as "Virtu"), accusing them of material false and misleading statements and omissions in the information barrier to prevent the misuse of customer sensitive information.
The SEC filed a complaint that Virtu Americas and its subsidiaries operate two allegedly isolated businesses: one providing order execution services to large institutional clients. Virtu Americas typically charges commissions for executing customer orders through this service; The other is self operated trading business. Virtu Americas trades securities in its own account and profits from it by changing its business. However, from approximately 2018 to early April 2019, Virtu Americas was reported to have failed to properly protect one of its databases. This data covers all post transaction information generated by customer orders routed to Virtu Americas and executed by the company, including customer identification information and other important non-public information.
The SEC filed a complaint stating that almost all members of Virtu Americas and its subsidiaries (including its proprietary traders) have access to the database through two sets of publicly available and frequently shared common usernames and passwords. Virtu Americas' failure to properly protect the database has resulted in its proprietary traders potentially abusing the database information or sharing it outside of Virtu Americas, posing significant risks. For example, it is reported that Virtu Americas' proprietary traders can view all large institutional customer orders executed by Virtu Americas throughout the day and learn about similar trading patterns that the same customer may follow in the next few days, and use this information to trade before the customer's subsequent orders are executed.
Despite such loopholes, Virtu Americas failed to establish, maintain, and implement reasonably designed policies and procedures to prevent the misuse of this information during these 15 months, and Virtu misled customers about the existence and adequacy of such information barriers. The SEC stated in the complaint that in some cases, Virtu exaggerated the control, prevention, and process measures it had taken to protect its clients' post execution transaction data, and in some cases lied to clients that only employees (excluding proprietary traders) who needed to view such information data could view it. Under the guise of these false and misleading statements, many institutional clients choose to continue using Virtu Americas to execute orders and have earned Virtu Americas huge commissions from them.
Gurbir S., Deputy Director of SEC Law Enforcement Department Grewal stated: Virtu Americas processed approximately a quarter of market orders from US retail investors at the time, and we accuse its proprietary traders of obtaining important non-public information about their institutional client transactions with almost no restrictions, thus posing a risk of abusing the information for personal gain. We also accuse Virtu of repeatedly misleading institutional clients and the market, concealing the company's lack of appropriate protection measures for client information And obtained a large commission from it. This law enforcement action is not only aimed at holding Virtu accountable for its own mistakes, but also at issuing a strong warning to industry companies to take more measures to protect customer information and prevent the abuse of important non-public information
The SEC filed this lawsuit in the Southern District Court of New York, accusing Virtu of violating sections 17 (a) (2) and 17 (a) (3) of the Securities Act of 1933, accusing Virtu Americas of violating section 15 (g) of the Securities Exchange Act of 1934, and demanding that the court issue a permanent injunction against him, return pre judgment interest, and impose civil penalties.
