Virtu Financial and its broker-dealer affiliate Virtu Americas face a lawsuit filed by the Securities and Exchange Commission (SEC) alleging the company misled its customers regarding its safeguards to protect their information contained in its trading business database.

The SEC’s complaint, filed Tuesday in U.S. District Court for the Southern District of New York, accuses Virtu of failing to establish, maintain, and enforce policies and procedures reasonably designed to prevent misuse of customer information.

The agency is seeking permanent injunctive relief, disgorgement with prejudgment interest, and civil penalties in its continuing litigation.

The details: From January 2018 through April 2019, the database Virtu used for daily business operations, which contained post-trade information generated from Virtu Americas customer orders, was left accessible to all Virtu employees through a “widely known and frequently shared generic username and password,” according to the SEC’s complaint.

During this time, Virtu misinformed customers regarding the strength of its information barriers at Virtu Americas, according to the SEC. Despite the firm’s policies prohibiting traders from accessing post-trade information, it failed to ensure no misconduct occurred as it “could not track what information was extracted from the database by proprietary traders” and still can’t make that determination to this day, the SEC alleged.

Notably, the agency did not claim any data was accessed or used inappropriately by Virtu employees.

Compliance considerations: For its part, Virtu said in a press release that it voluntarily disclosed to SEC staff, as part of a 2019 examination, that its database was “hypothetically accessible to a broader group of employees than intended” during the period from 2018-19.

“The period coincided with the migration of Virtu’s then-recently acquired KCG business to a consolidated Virtu back-office database and predated Virtu’s migration of data related to the ITG business to the database,” the company said. “During this time, other controls and policies mitigated the risk of unauthorized access or use, and the firm developed and ultimately implemented controls enhancements to further restrict database access in accordance with its policies.”

Virtu said it cooperated with the SEC’s investigation into the matter over the past three years and provided more than 30,000 documents.

“We are disappointed by the SEC’s decision to bring this action. Despite our belief that these allegations are meritless, we engaged in good-faith settlement discussions with the SEC to bring this matter to a reasonable resolution,” stated Virtu Chief Executive Douglas Cifu. “Unfortunately, the SEC’s position appears to be driven by politics and headlines rather than the facts and the law. We will always seek to act rationally and manage risk and exposure responsibly on behalf of our firm and our investors.”

Cifu said Virtu would defend itself against the SEC’s claims in court.