On September 12, 2023, the U.S. Securities and Exchange Commission (SEC) filed a litigated complaint against Virtu Americas LLC (Virtu Americas), a broker-dealer, and its parent, Virtu Financial Inc. (Virtu Financial) (collectively, Virtu), for making materially false and misleading statements and omissions to customers and the public regarding information barriers used to prevent the misuse of sensitive customer trade and other information.1 The SEC also alleged that Virtu failed to establish, maintain, and enforce written policies and procedures reasonably designed to prevent the misuse of material nonpublic information (MNPI).
The action is notable in that the SEC did not allege trading based on MNPI by Virtu or any of its employees but instead charged Virtu based on disclosures to customers and inadequate policies and procedures. The action serves as a reminder that the SEC may be willing — and has a variety of charging theories short of insider trading available — to charge entities for alleged failure to adequately safeguard against the risk of insider trading.
SEC v. Virtu
The SEC charged Virtu with violating Sections 17(a)(2) and 17(a)(3) of the Securities Exchange Act of 1934 by making materially false and misleading statements about the strength of its information barriers. According to the SEC’s complaint, Virtu Americas and its affiliates operated two distinct types of businesses that were purportedly walled off from each other through information barriers, namely (1) customer-facing trade execution services that generated MNPI regarding customers’ trade orders and executions and (2) a proprietary trading business. The complaint alleged that from approximately January 2018 through April 2019, Virtu Americas failed to safeguard a database that contained all post-trade information generated from customer orders routed to, and executed by, Virtu Americas, including customer-identifying information and other MNPI. Specifically, the SEC alleged the database lacked effective information barriers and, as a result, “virtually all employees” at Virtu Americas and its affiliates, including proprietary traders, could access the database and the MNPI contained therein by using widely known and frequently shared generic usernames and passwords.
The SEC further alleged that during the same period, Virtu misled customers about the existence and adequacy of its information barriers in certain materials, including public presentations to actual and potential customers and investors, a customer letter, a press release, and responses to customer due diligence questionnaires. Virtu allegedly overstated the controls, barriers, and processes it had in place and misrepresented that only employees with a need to see customer information could do so. The SEC’s disgorgement theory is that Virtu profited from these allegedly materially false and misleading statements by executing orders and obtaining commissions that it might not have otherwise received from customers.
The SEC’s charges include that Virtu Americas failed to adequately establish, maintain, and enforce reasonably designed information barriers to prevent proprietary traders from misusing nonpublic customer post-trade information in violation of Section 15(g) of the Securities Act of 1933. In particular, the SEC alleged that Virtu Americas did not know which employees were accessing the database so could not test for potential MNPI misuse, and its automated systems and policies in place during the relevant period were not designed, maintained, or enforced to, and were inefficient for the purpose of, detecting and preventing the misuse of MNPI. The SEC, however, did not allege that any data was actually inappropriately accessed or used, let alone that anyone traded on the data.
The action suggests the SEC is willing to pursue aggressive enforcement of its information barrier rules, even where there are no allegations of insider trading and even without alleging that data was accessed or used in an inappropriate or illegal manner. In that regard, the SEC arguably expanded its application of Section 15(g) beyond a 2011 enforcement action in which it also charged a firm for failure to prevent misuse of institutional customer order information where the SEC actually alleged that the proprietary traders used the customer information.2 According to Director of the SEC Division of Enforcement Gurbir S. Grewal, the SEC’s enforcement action “sends a strong message to firms that they must do much more than use shared, generic usernames and passwords to protect against and prevent the misuse of material nonpublic information.”3 Further, the SEC apparently brought this action despite Virtu’s voluntary disclosure of the conduct during a routine SEC examination, according to a press release issued by Virtu on the filing of the action.4
Firms should consider their MNPI risks and evaluate their policies and procedures in place to address those risks given the specific nature of their businesses, including by reviewing any policies and procedures in place to address potential MNPI in trade information. Firms should also review the adequacy and sufficiency of any information barriers or other systematic separations designed to safeguard information. Finally, firms should periodically test their MNPI policies and procedures, including information barriers, to identify any gaps or weaknesses in the implementation and effectiveness of those policies and procedures.