The following is an excerpt from the SEC website:
“Washington, D.C., Oct. 13, 2011 — The Securities and Exchange Commission today sanctioned two electronic stock exchanges and a broker-dealer owned by Direct Edge Holdings LLC for violations of U.S. securities laws arising out of weak internal controls that resulted in millions of dollars in trading losses and a systems outage.
EDGA Exchange Inc., EDGX Exchange Inc., and their affiliated routing broker Direct Edge ECN LLC – all based in Jersey City, N.J. — agreed to settle cease-and-desist and administrative proceedings without admitting or denying the Commission’s findings. The exchanges and the routing broker, known as DE Route, cooperated with the SEC’s investigation and agreed to be censured and undertake remedial measures, many of which are underway, to correct the deficiencies that led to the systems problems and the violations at the all-electronic exchanges.
The SEC’s Division of Enforcement, Division of Trading and Markets, and Office of Compliance Inspections and Examinations coordinated efforts and conducted the investigation jointly.
“Direct Edge was required to police not only its members’ conduct, but its own conduct as well,” said Robert Khuzami, Director of the SEC’s Division of Enforcement. “Despite those responsibilities, it violated the principal obligations of self-regulatory organizations and national securities exchanges to put the public interest first by ensuring the strength and security of their systems, complying with their own Commission-approved rules, providing for adequate backup and failover systems, and preventing or responding appropriately to significant system outages and failures. The SEC will continue to closely coordinate its oversight, inspection and enforcement activities to ensure that self-regulatory organizations demonstrate the robust compliance necessary to protect investors.”
Carlo di Florio, Director of the SEC’s Office of Compliance Inspections and Examinations, added, “Direct Edge has agreed to substantial remedial undertakings that, when fully implemented, will significantly enhance the governance, risk management and compliance culture of these entities as well as information technology systems and controls.”
According to the SEC’s order instituting administrative proceedings, in the first incident on Nov. 8, 2010, untested computer code changes resulted in EDGA and EDGX overfilling orders submitted by three members. The unwanted trades involved an estimated 27 million shares in about 1,000 stocks, totaling roughly $773 million. At the exchanges’ instruction, one member traded out of the overfilled shares and submitted a claim to the exchanges for $105,000 of losses. When the other members refused to do likewise, the exchanges assumed and traded out of the overfilled shares through the routing broker’s error account, in violation of their own rules. The Commission also found that in resolving the overfilled trades, which cost the exchanges about $2.1 million, DE Route violated rules on short selling, which involves sales of borrowed shares. DE Route failed to mark the orders as short or mismarked them as long, and failed to locate or document the availability of shares to borrow before selling them short, violating the SEC’s Regulation SHO.
According to the SEC’s order, in the second incident on April 13, 2011, an EDGX database administrator inadvertently disabled database connections, disrupting the exchange’s ability to process incoming orders, modifications, and cancellations, and leading several EDGX members to file claims for more than $668,000 in losses. EDGX received internal alerts immediately and got external notifications soon after, including from members seeking to cancel unfilled trades and from numerous trading centers that were bypassing EDGX because it wasn’t responding immediately to incoming orders. EDGX waited approximately 24 minutes after the outage to remove its quotations from public market data, and violated the SEC’s Regulation NMS by failing to immediately identify its quotations as manual quotations.
Based on the incidents, the Commission found that EDGA violated Sections 19(b) and 19(g) of the Exchange Act, EDGX violated Sections 19(b) and 19(g) of the Exchange Act and Rule 602(a)(3) thereunder, and DE Route caused violations of Section 19(g) of the Exchange Act and violated Rules 200(g) and 203(b) thereunder. All three consented to an order censuring them and requiring them to cease and desist from further violations of U.S. securities laws and to take remedial efforts to strengthen their information technology systems and controls and compliance procedures.
After the incidents, the exchanges and DE Route voluntarily began to put substantial remedial measures in place. A comprehensive remediation plan submitted by the exchanges to the SEC staff requires the exchanges to:
Enhance their policies and procedures for systems development and maintenance.
Implement an enterprise risk management framework and information security program, including the hiring of an information security director, and enhancing their information technology control framework and underlying controls.
Hire a corporate training director to train employees about U.S. securities laws and the exchanges’ policies and procedures.
Retain outside counsel to review the circumstances leading to the two systems incidents at the exchanges.
Hire a chief compliance officer whose responsibilities include implementing policies and procedures reasonably designed to ensure that respondents fulfill their regulatory and compliance obligations.
EDGA, EDGX and DE Route also agreed to spend sufficient funds to put the remediation plan into effect, including the retention of outside counsel or other outside professionals.”