SEC charges Virtu for inappropriate access to nearly 25% US retail order data

The Securities and Exchange Commission (SEC) has taken legal action against Virtu Americas LLC, a prominent broker-dealer, and its parent company, Virtu Financial Inc., collectively known as Virtu.

The charges stem from alleged materially false and misleading statements and omissions pertaining to information barriers intended to prevent the misuse of sensitive customer information.

Virtu’s security lapse between Jan’18 and Apr’19

According to the SEC’s complaint, Virtu Americas and its affiliates operated two distinct businesses that they purported to segregate: an order execution service for large institutional customers and a proprietary trading business.

The former involved executing customer orders for a commission, while the latter consisted of buying and selling securities for Virtu Americas’ own accounts.

However, between January 2018 and the beginning of April 2019, Virtu Americas allegedly failed to adequately protect a database containing post-trade information generated from customer orders executed by the company. This database included customer identifying information and other material nonpublic information.

Virtu’s prop traders could observe clients’ order execution

The SEC’s complaint alleges that the security lapse allowed practically anyone at Virtu Americas and its affiliates, including proprietary traders, access to the database via widely known and frequently shared generic usernames and passwords.

This oversight created a substantial risk that proprietary traders could misuse or disclose sensitive information for personal gain. For instance, a Virtu Americas proprietary trader could potentially observe the execution of orders for a large institutional customer throughout the day, anticipate the customer’s future trading pattern, and trade ahead of the customer’s subsequent orders.

During this fifteen-month period when Virtu Americas allegedly failed to establish, maintain, and enforce policies and procedures to prevent information misuse, the firm provided false and misleading information to customers regarding the existence and effectiveness of information barriers.

In some instances, Virtu overstated the controls, barriers, and processes in place to secure customer data. In others, it falsely assured customers that only employees with a legitimate need could access this information. These deceptive statements led several institutional customers to continue using Virtu Americas for order execution, resulting in substantial commissions for the company.

Virtu handled 25% of all market orders by retail investors in the US

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, commented on the charges, stating, “At a time when Virtu Americas handled around a quarter of all market orders placed by retail investors in the U.S., we allege that proprietary traders had nearly unfettered access to material nonpublic information about its institutional customers’ trades – information which could be abused for personal gain.”

The SEC’s complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, and civil penalties. The charges are based on violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, as well as Section 15(g) of the Securities Exchange Act of 1934.

This enforcement action underscores the SEC’s commitment to ensuring that financial firms provide accurate information to customers and maintain robust safeguards to protect sensitive data. The SEC’s investigation was conducted by the Market Abuse Unit and will be led by Damon Taaffe under the supervision of James Carlson and James Connor.

The Division of Examinations also played a role by conducting an examination that contributed to the investigation, highlighting the SEC’s multifaceted approach to enforcing regulatory compliance in the financial industry.