In ‘unusual’ move, Virtu fights $25m SEC fine for data safeguarding breach
Virtu disputes the regulator’s claim that employees had ‘unfettered’ access to consumer data.
Last month, the US Securities and Exchange Commission (SEC) sued market-maker Virtu Financial over data safeguarding concerns, prompting questions around fairness as well as expected leniency after voluntary disclosures.
The SEC asserted that Virtu Financial operated two businesses that were supposed to be walled off from each other: a proprietary trading business, through which Virtu traded for its own benefit; and an order execution service for large institutional customers, on which Virtu executed orders for clients.
At some point between 2018 and 2019, Virtu discovered that a larger-than-intended number of people had access to a database that contained all post-trade information generated by customer orders, including customer-identifying information and material non-public information. As this pool of people included proprietary traders, this posed the threat of insider trading: traders could have observed in the database which trades had taken place and then traded ahead of Virtu customers.
“At a time when Virtu Americas handled around a quarter of all market orders placed by retail investors in the US, we allege that proprietary traders had nearly unfettered access to material nonpublic information about its institutional customers’ trades—information which could be abused for personal gain,” said SEC director of enforcement Gurbir Grewal in the release.
Virtu fixed the issue internally, and then disclosed the situation to the regulator ahead of an SEC exam. Despite the market-maker’s disclosure and cooperation, as well as no evidence that insider trading had taken place, the SEC decided to bring an estimated $25 million fine against Virtu.
The enforcement action and its potential ramifications have captivated the industry over the last month. Both the SEC and Virtu say the company disclosed the breach voluntarily and addressed the problem itself, yet it is still facing a hefty fine. The administration of SEC chair Gary Gensler has ramped up the cost of fines and, in bringing actions against companies with hypothetical breaches alongside exploited ones, has signaled to market participants that disclosure won’t be a sufficient defense against an aggressive investigation.
Virtu contested the SEC’s decision in a separate statement, in which CEO Douglas Cifu said he intends to fight it in court, a move that has left some scratching their heads.
ACA Group’s Carlo di Florio is the former director of the SEC’s office of compliance and examinations. He explains that the SEC is not alleging a crime was committed, but that it is bringing the case on the basis that Virtu did not have effective controls in place and misrepresented the controls it did have, which, the current regime seems to indicate, is a punishable offense.
“That tends to be the signal of a very aggressive enforcement agenda—when the SEC starts bringing cases not on the basis of actual violations but on the basis of inadequate policies and procedures,” he says.
Even if Virtu discovered an issue, fixed it, and reported it to the SEC, there was a period of time when the company publicly asserted it had a secure framework while it was in fact compromised. As for the issue of disclosure, di Florio says it is not uncommon for the SEC to ask firms to personally disclose their issues and then still go ahead and enter into an enforcement settlement.
“When the SEC finds violations, it does tend to bring actions even if those were disclosed,” di Florio says. “It’s not like you get a free pass just because you said, ‘Hey I violated the law, but I told you I violated the law, so you shouldn’t hold me accountable.’”
Di Florio says that while there is an SEC framework that gives credit to companies that proactively disclose and report issues to the Commission, this does not mean an enforcement action cannot be brought against them. He says the Virtu case, which contains no instance of actual insider trading, shows that the SEC is sending a message representative of Gensler’s policies and is a signal of things still to come during his tenure.
“Gensler has decided to have an aggressive agenda and has proposed and passed over 55 rules, an incredible number for the industry to understand, comment on, and implement,” di Florio says. “There’s a lot of concern that there is too much, too fast, and it’s not going to be something the industry can fully handle.”
Punitive or retributive?
One of the most eye-catching sections of Cifu’s retort is the implication that one of the reasons the SEC has decided to take this action against Virtu is a result of the market-maker’s public criticisms of the SEC’s market structure rule proposals.
“The SEC’s position appears to be driven by politics and headlines rather than the facts and the law,” Cifu said in a statement on Virtu’s website. He went on to say that Virtu looks forward to “vigorously defending ourselves in court” against “these meritless allegations.”
Cifu has been publicly critical of the Gensler administration on the X social network, formerly Twitter, reposting multiple criticisms of the SEC and of Gensler specifically. A spokesperson for the SEC declined to comment beyond public filings.
Cam Funkhouser worked at the Financial Industry Regulatory Authority for 35 years, starting in 1984. He led Finra’s office of fraud detection and market intelligence, including the insider fraud surveillance and insider trading units, for 10 years following its creation in 2009.
He says that financial services providers that fail to safeguard information should expect an aggressive regulatory response, and he doesn’t believe Virtu’s criticisms of the SEC’s market structure proposals are linked.
“I would be shocked if there is any evidence that the SEC position in any enforcement matter was influenced by comments made by a potential respondent to a proposed rule filing,” Funkhouser says.
He also says he believes the SEC is highlighting the importance of disclosure in making the move from an investigation into an enforcement action.
“The SEC has expressed significant concerns with Virtu’s disclosures not only as a registered broker-dealer, but also as a publicly traded company,” he says. “Timely and accurate disclosure is the lifeblood of Wall Street.”
The decision for a publicly traded company to fight the SEC in court is unusual and may be a result of the SEC’s decision to increase the dollar amount of its fines for rulebreakers. As the SEC’s Grewal said earlier this year, the Commission believes that with higher fines, behaviors will change, and compliance will be expected. The SEC recovered its highest recorded sum of monetary penalties in the 2022 fiscal year, for a combined total of $6.4 billion, of which civil penalties constituted $4.2 billion.
There have been examples in the recent past of companies that committed similar offenses to Virtu but were fined less. In 2018, during the Trump administration, Japanese bank Mizuho was accused of failing to protect customer data, the same charge Virtu faces. But unlike Virtu, Mizuho was fined only $1.25 million. Despite this discrepancy, di Florio believes that Virtu’s decision to fight the SEC in court is strange.
“It’s unusual and I’ve not seen it be particularly effective,” he says. “With enforcement actions, firms usually want to get out of the news and make it go away. They’re going to assert their rights and challenge it, and make sure they get a good settlement, but it’s pretty unusual what Virtu’s doing here.”
No body, no crime?
This is not the first time this year that Gensler’s SEC has decided to act on an issue that, thus far, only carried the potential of harm.
In September, the Commission proposed to limit broker-dealers’ usage of predictive data analytics on the grounds that brokers could profit unfairly over their customers through recommendations made by these tools. Such conflicts of interest should be “eliminated” or “neutralized” wherever possible, the proposal read.
However, the SEC provided no concrete use case or examples of what those conflicts of interest might look like in practice—making it difficult, if not impossible, for broker-dealers to identify such harms or rectify them.
In its dissenting statement, Virtu stated that the SEC “does not allege, and there is no evidence to indicate, that any data was ever accessed or used in an inappropriate manner.”
Sources who have been following the story say that the SEC statement does a poor job of explaining the multiple layers of security that market-makers like Virtu have implemented to prevent a breach from being exploited, and instead gives the impression that the market-maker’s security protocols were lax and that there was malicious intent.
Some sources said the SEC statement seems exaggerated, similar to an ongoing case against broker-dealer Citadel Securities. In that statement, SEC associate director Mark Cave described abusive market practices, including “naked short selling,” but did not accuse Citadel of committing that offense.
Virtu also said that it has cooperated with the SEC, “supplying more than 30,000 documents over a three-year period.” Full cooperation, disclosure of the potential issue, and no evidence of insider trading would seem to be strong points in the market-maker’s favor, but the SEC proceeded with the enforcement action anyway, leaving industry participants to speculate about the regulator's motivations—and who might be next.
Copyright Infopro Digital Limited. All rights reserved.