SEC Seeks Disgorgement from Virtu for Misleading Statements on Customer Data Protection

 September 21, 2023

Privacy Plus+

Privacy, Technology and Perspective

SEC Seeks Disgorgement from Virtu for Misleading Statements on Customer Data Protection. This week, let’s highlight the U.S. Securities and Exchange Commission’s recent complaint against Virtu Americas, LLC (“VAL”) and its parent company, Virtu Financial, Inc. (“VFI”) (collectively, “Virtu”), seeking, among other things, disgorgement for failing to establish reasonable security measures in the first place to protect their customers’ material nonpublic information (“MNPI”) about trades, and then telling customers repeatedly that appropriate security measures were in place. 

Background: Briefly, subsidiary VAL is an “execution” arm of VFI, and processes about 25% of the market orders placed by retail investors in the United States. This includes the orders of a number of large institutions. VFI has a number of proprietary traders, who trade on VFI’s behalf including “making markets” in various stocks. VAL is required to keep its customers’ MNPI confidential, including setting up “information barriers” between VAL and VFI to limit VFI’s proprietary traders’ access to it, lest the traders (for example) study the institutional trades and “trade ahead of them.” 

The SEC’s Complaint: In the Complaint, the SEC asserts that VAL failed to establish such “information barriers” effectively. It says there was instead a “direct access” system which was not limited to staff with a “need to know” confidential information, but was rather nearly wide-open to practically anyone at VAL and VFI through “two sets of “widely-known and frequently shared generic usernames and passwords.” Rather than being strictly limited and controlled, this direct-access system was apparently used so frequently that traders complained of alerts saying the number of allowed users had been exceeded – in response to which VFI is alleged simply to have increased the number of allowed users (per the Complaint at ¶45). 

The SEC goes on to allege that in letters, presentations, and responses to institutional due-diligence questionnaires, VFI claimed that it did have effective information barriers to protect MNPI confidentiality, particularly against the type of access which the SEC alleges was actually happening.  The SEC seeks damages, injunctive relief and disgorgement of all commissions VFI earned during the approximately 15-month period this was happening. 

A link to the complaint follows:

https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-176.pdf

You can review the SEC’s press release on the matter by clicking on this link:

https://www.sec.gov/news/press-release/2023-176

Our Views.  To us, the most interesting thing here is what we don’t see – namely, allegations of actual trading based on improper access to MNPI.  Of course, allegations of actual improper trading are not necessarily required; failing to take reasonable steps to secure customer MNPI, failing to disclose that lack, and affirmatively misrepresenting  what actually is happening may be – if established – enough for liability.  The rest may be an issue of appropriate remedy.   

We do sense, however, that asking for disgorgement of “all” commissions earned during this time may be extreme. Is such a sweeping demand because VFI is thought frequently to “short the market,” earning the ire of other traders and investors? Is it because of all-too-human reasons stemming from years of arguing between VFI and the SEC? Or does the SEC expect to develop actual evidence of improper trading during discovery and extrapolate to a damages model from there, despite already having conducted a three-year investigation?  

And is VFI choosing not to settle because the SEC is now facing headwinds from the courts across a number of issues, such as the “Major Question Doctrine?”  

One thing seems certain: Disclosure issues are distinct from hypothetical access to information and hypothetical harm caused by such access.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.