The U.S. Securities and Exchange Commission (SEC) announced a settlement with Virtu Financial Inc. and its subsidiary Virtu Americas LLC (VAL) to resolve a 2023 lawsuit alleging failures to protect customers’ material nonpublic trade information (MNPI) and misleading statements about the company’s data safeguards.
The SEC alleged that weaknesses in access controls and information barriers created a risk that confidential customer order and trade data could be misused, in violation of Exchange Act Section 15(g). Without admitting or denying the SEC’s findings, the companies consented to a cease-and-desist order, a censure, and a $2.5 million civil penalty, underscoring the SEC’s continued focus on safeguarding customer MNPI and the adequacy of broker-dealer compliance controls.
Background
Virtu agreed to settle allegations that the firm failed to implement and enforce policies and procedures reasonably designed to prevent misuse of customers’ MNPI, including confidential order and trade data.
According to the SEC, between January 2018 and April 2019, Virtu represented to customers that it maintained information barriers to safeguard customer MNPI, while nearly all employees at VAL and affiliated broker-dealers had unrestricted access to sensitive trade details—including customer names, securities traded, execution prices, and volumes—through a widely shared generic login.
Customer MNPI was allegedly accessible to VAL employees regardless of any legitimate business need for such information, and although Virtu identified deficiencies in August 2018, the SEC alleged that remediation did not occur until April 2019. The SEC claimed Virtu’s written policies lacked sufficient detail and were not fully enforced, in violation of Section 15(g), which requires broker-dealers to maintain controls designed to prevent misuse of customers’ MNPI.
What the SEC Alleged
According to the SEC, Virtu’s written supervisory procedures and related information barrier controls did not sufficiently address the risks posed by internal access to customer trading information. The SEC determined that gaps in access permissions, monitoring, and enforcement could have allowed personnel outside customer-facing functions to access data reflecting customers’ MNPI.
The SEC did not find that Virtu or any of its employees engaged in improper trading during the relevant period. The SEC nonetheless concluded that the design and enforcement of Virtu’s policies did not meet Section 15(g)’s requirements to prevent the misuse of MNPI.
The SEC also alleged that during the relevant period, Virtu misled customers about the existence and adequacy of its information barriers. Certain institutional customers continued to use Virtu’s services to execute orders based on those statements, resulting in significant commissions for Virtu.
Why It Matters
The settlement highlights the SEC’s continued scrutiny of how regulated entities oversee customer MNPI, particularly when multiple business lines, analytics teams, or proprietary functions operate alongside client execution services.
For investment managers, the case signals the importance of due diligence on counterparties’ information barriers, clear data-sharing expectations, and ensuring that confidentiality provisions are operationally enforceable. These considerations are particularly important for SEC-registered investment advisers subject to obligations under Sections 204A and 206(4) of the Advisers Act, Rule 206(4)-7, and Regulation S-P.
For broker-dealers, the order underscores that firms’ policies must be tailored, specific, and demonstrably enforced. High-level statements of information barriers are insufficient where data flows, systems access, or personnel roles create potential MNPI risk.
For investment advisers, the settlement also highlights the importance of incorporating information-barrier diligence into counterparty onboarding, trading venue questionnaires, and confidentiality and data-use controls around post-trade data and analytics.
Key Takeaways
The SEC’s action reinforces that firms should align written policies, technical controls, and supervisory practices with the actual flow of customer trading data, especially now that amended Regulation S-P is in effect for large financial institutions. Regulation S-P complements Section 15(g)’s standards for handling sensitive information by adding requirements related to data security, incident response, and customer notification.
Effective compliance with Section 15(g) typically requires:
- Data-mapping that identifies where MNPI resides.
- Role-based, “least privilege” access controls.
- Surveillance designed to detect anomalous access or potential misuse.
- Periodic testing and certification of information barriers.
- Escalation frameworks to document and approve exceptions.
Where proprietary trading or analytics functions coexist with client execution services, firms should scrutinize interfaces that could expose client order or post-trade details and ensure access logs are complete and routinely reviewed.
Broker-dealers should also ensure that system entitlements reflect documented “need-to-know” principles, that cross-functional access is justified and approved, and that exceptions are tested and escalated.
Firms should ensure appropriate board or senior management oversight of MNPI risk, with periodic reporting on control effectiveness and remediation.
Additional Reg S-P Requirements
Firms should also consider how compliance standards have been heightened under the amended Reg S-P and be prepared to show evidence of complete readiness to comply with the amended requirements. Key requirements include:
- An incident response program with written policies and procedures to detect, respond to, and recover from unauthorized access to or use of consumer information.
- Procedures for notifying impacted customers whose “sensitive customer information” was, or is reasonably likely to have been, accessed or used without authorization.
- Written policies and procedures around service provider oversight, requiring firms to ensure that service providers take measures to protect against unauthorized access to or use of customer information, including notifying the financial institution about possible breaches.
- Annual privacy notices and record retention according to specified periods based on the type of covered institution.
Looking Ahead
The Virtu settlement follows the SEC’s recent enforcement actions emphasizing the protection of customer trading data and the integrity of information barriers. It also aligns with the SEC’s 2026 examination priorities, which highlight scrutiny of access controls, data governance, and consistency between firms’ stated controls and operational reality, particularly with the amendments to Reg S-P now in effect.
Firms can expect continued examinations and enforcement activity focused on whether written policies, access controls, surveillance, and governance collectively reduce both the risk of MNPI misuse and the risk of unauthorized access to and use of customer and client private information.