By Jonathan Stempel and Chris Prentice
NEW YORK (Reuters) -The U.S. Securities and Exchange Commission on Tuesday sued Virtu Financial (NASDAQ:VIRT), a broker-dealer that handles 25% of all market orders placed by retail investors in the U.S., for misleading customers into believing it properly safeguarded their confidential information.
In a complaint filed in federal court in Manhattan, the SEC said Virtu repeatedly and falsely told customers that it used "information barriers" and "systemic separation between business groups" to protect their material nonpublic information.
The SEC said that, in reality, "anyone" at the New York-based company's Virtu Americas unit could from January 2018 to April 2019 access sensitive information about customers and their trades by using generic user names and passwords.
This created the risk that Virtu's proprietary traders, who were supposed to be "walled off" from customers' trades, could use the information to benefit themselves at the expense of customers, even as Virtu accepted trading commissions from those same customers, the SEC said.
Information that was allegedly exposed included details identifying the customers, and the names, prices and volumes of securities they bought and sold, the regulator added.
The lawsuit seeks civil fines, the recoupment of ill-gotten gains, and an injunction against further violations.
In a statement, Virtu said it has maintained reasonable policies and controls to protect customer data.
Virtu also said the lawsuit followed its criticism of SEC proposals on market structure, and its own lawsuit concerning the regulator's rulemaking.
"Unfortunately, the SEC's position appears to be driven by politics and headlines rather than the facts and the law," Virtu Chief Executive Douglas Cifu said. "We look forward to vigorously defending ourselves in court against these meritless allegations."
Shares of Virtu fell 2% to $18.10 in trading after market-hours.
SEC enforcement chief Gurbir Grewal said the case "sends a strong message to firms that they must do much more than use shared, generic usernames and passwords to protect against and prevent the misuse of material nonpublic information."
In July, Virtu said it received a Wells notice from the SEC, indicating that SEC staff believed civil charges were warranted, and giving it a chance to mount a defense.