Companies searching for examples of the Securities and Exchange Commission's latest thinking on good internal controls can learn a thing or two from the growing pains of stock exchange operator Direct Edge. The company was forced to settle with the SEC after a series of lax controls caused millions of dollars in trading losses.

Financial firms in particular might want to study the settlement and then review their controls, especially those associated with trading. John Sylvia, co-chair of the securities litigation practice group at law firm Mintz Levin, says the focus on the failures at Direct Edge is a sign of the “enhanced scrutiny that the SEC is giving to the market.”

The SEC's real fear is that thanks to poor internal controls, a stock exchange might introduce new risks to the financial system as a whole. “The operation of a national securities exchange carries with it among the most significant regulatory compliance obligations that are expected of any market participant,” the SEC stated in its administrative order against Direct Edge.

As part of that settlement announced last month, Direct Edge agreed to implement a comprehensive remediation plan, stemming from two separate securities law violations that occurred within five months of each other. The first incident took place only eight months after Direct Edge, which owns EDGA Exchange and EDGX Exchange, formally became a regulated securities exchange under the SEC in March of 2010.

In November 2010, an untested change to computer code caused the EDGA and EDGX exchanges to overfill orders for three of Direct Edge's customers, totaling about $773 million in unwanted trades. While the error itself did not constitute a violation, Direct Edge violated its own policies by trading out of the overfilled shares through the error account of its routing broker, DE Route, which it didn't have approval to use.

The SEC also found that, in an attempt to liquidate the overfilled positions as quickly as possible, Direct Edge further engaged in illegal short-selling, which involves sales of borrowed shares.

Direct Edge incurred a second violation last April, when an EDGX database administrator inadvertently disabled database connections. That disrupted the exchange's ability to process orders, modifications, and cancellations, causing exchange members about $668,000 in losses. Direct Edge was not fined for either incident.

“Direct Edge was required to police not only its members' conduct, but its own conduct as well,” SEC Enforcement Director Robert Khuzami said in a statement. He continued by firing off a laundry list of sloppy internal controls demonstrated by Direct Edge that can cause companies to run afoul of regulators. These include failures to:


Invest the appropriate resources necessary to ensure the strength and integrity of its systems, processes, and controls;

Comply with your own SEC-approved rules;

Provide for adequate backup and failover systems; and

Prevent or react appropriately to significant system outages and failures.

And these practices don't just apply to exchanges, experts stress. “These are best practices for good compliance at any regulated company,” says Amy Greer, formerly an attorney in the SEC Enforcement Division and now partner in the law firm Reed Smith.

Settlement Terms

Direct Edge neither admitted nor denied any wrongdoing in agreeing to the settlement, and it responded in a statement that it “understands and embraces the responsibilities that come with being a registered national securities exchange.”

As part of its remediation plan, the company said it has made “significant investments” to enhance its technology, personnel, and processes “to ensure the fulfillment of our obligations in a sustainable, repeatable, and demonstrable way.” Specifically, Direct Edge has agreed to:

Enhance its policies and procedures for systems development and maintenance;

Implement an enterprise risk management framework and information security program, and enhance its information technology control framework and underlying controls;

Hire a corporate training director to train employees about U.S. securities laws and the exchanges' policies and procedures; and

Retain outside counsel to review the circumstances leading to the two systems incidents at the exchanges.

The settlement also called on Direct Edge to hire a chief compliance officer, a position it did not previously have, who reports directly to the chief executive officer of the exchanges, with dotted-line reporting to the exchanges' regulatory oversight committees and boards.

Direct Edge hired Thomas McManus in May to be chief compliance officer, “whose responsibilities include implementing policies and procedures reasonably designed to ensure that respondents fulfill their regulatory and compliance obligations,” the company said. Additionally, the company hired Saro Jahani as chief information officer in April.

Practical Lessons

The lesson, says Philip Lawton, a senior analyst at research and advisory firm Aite Group, is that business operation leaders should check with compliance as a matter of course before implementing new processes that could run afoul of the rules.

COMMISSION FINDINGS

The following excerpt is from the SEC's statement on the Direct Edge case:

According to the SEC's order instituting administrative proceedings, in the first incident on Nov. 8, 2010, untested computer code changes resulted in EDGA and EDGX overfilling orders submitted by three members. The unwanted trades involved an estimated 27 million shares in about 1,000 stocks, totaling roughly $773 million. At the exchanges' instruction, one member traded out of the overfilled shares and submitted a claim to the exchanges for $105,000 of losses. When the other members refused to do likewise, the exchanges assumed and traded out of the overfilled shares through the routing broker's error account, in violation of their own rules. The Commission also found that in resolving the overfilled trades, which cost the exchanges about $2.1 million, DE Route violated rules on short selling, which involves sales of borrowed shares. DE Route failed to mark the orders as short or mismarked them as long, and failed to locate or document the availability of shares to borrow before selling them short, violating the SEC's Regulation SHO.

According to the SEC's order, in the second incident on April 13, 2011, an EDGX database administrator inadvertently disabled database connections, disrupting the exchange's ability to process incoming orders, modifications, and cancellations, and leading several EDGX members to file claims for more than $668,000 in losses. EDGX received internal alerts immediately and got external notifications soon after, including from members seeking to cancel unfilled trades and from numerous trading centers that were bypassing EDGX because it wasn't responding immediately to incoming orders. EDGX waited approximately 24 minutes after the outage to remove its quotations from public market data, and violated the SEC's Regulation NMS by failing to immediately identify its quotations as manual quotations.

Based on the incidents, the Commission found that EDGA violated Sections 19(b) and 19(g) of the Exchange Act, EDGX violated Sections 19(b) and 19(g) of the Exchange Act and Rule 602(a)(3) thereunder, and DE Route caused violations of Section 19(g) of the Exchange Act and violated Rules 200(g) and 203(b) thereunder. All three consented to an order censuring them and requiring them to cease and desist from further violations of U.S. securities laws and to take remedial efforts to strengthen their information technology systems and controls and compliance procedures.

After the incidents, the exchanges and DE Route voluntarily began to put substantial remedial measures in place. A comprehensive remediation plan submitted by the exchanges to the SEC staff requires the exchanges to:

Enhance their policies and procedures for systems development and maintenance.

Implement an enterprise risk management framework and information security program, including the hiring of an information security director, and enhancing their information technology control framework and underlying controls.

Hire a corporate training director to train employees about U.S. securities laws and the exchanges' policies and procedures.

Retain outside counsel to review the circumstances leading to the two systems incidents at the exchanges.

Hire a chief compliance officer whose responsibilities include implementing policies and procedures reasonably designed to ensure that respondents fulfill their regulatory and compliance obligations.

EDGA, EDGX and DE Route also agreed to spend sufficient funds to put the remediation plan into effect, including the retention of outside counsel or other outside professionals.

Source: SEC Release on Direct Edge Case.

“Ensure that operational staff understands the regulations affecting the exchanges, on one hand, and the routing broker, on the other,” he says. Greer also advises companies to ensure that their audit functions are independent.

The Direct Edge case also indicates that the SEC is taking a close look at the technology systems used in securities markets. The SEC is much more focused on assuring that the use of technology—particularly by high-frequency traders—is “appropriate and in compliance with securities laws,” Greer says. “Those using and implementing technology need to be aware of what the inherent risks are.” The SEC is still reeling from the “flash crash” last year, when U.S. equity indexes nosedived and recovered in a matter of minutes, and the agency needed months to figure out why.

“We live in an electronic age with ever-advancing technologies,” Sylvia says. We need more checks and balances around electronic trading algorithms, he says. “I'm sure there are many other potential pitfalls that are out there that people haven't anticipated yet,” he adds.

To prepare for potential problems, Lawton advises that IT departments consider the following steps:

Formulate a problem escalation policy, so that unexpected incidents get immediate attention;

Plan for critical events such as unscheduled system outages, so you can take prompt and appropriate action;

Create and enforce a policy of testing code changes in a non-production environment, by someone other than the coders who wrote the changes, before they go live; and

Review system access permissions, and keep them up-to-date as people join and leave the company and change jobs within the organization.
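Of Lawton's four steps, the last one reduces to a mechanical check that can be run on a schedule. The following is an added example, not code from the SEC order or from Direct Edge: it reconciles a constructed HR roster against a constructed list of system entitlements under a hypothetical role policy, and flags orphaned accounts (a grant with no person behind it), leavers whose access outlived their end date, grants whose system/role pair the policy does not know about, and grants that the holder's department is not allowed to have. The user names, departments, systems and roles, including the "error-account" entry, are all assumptions chosen to mirror the kinds of access the article discusses.

```python
"""Access-review reconciliation: HR roster versus system entitlements.

Added example; all roster, grant and policy data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    user: str
    department: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # last working day, if terminated


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    role: str


# Hypothetical policy: which departments may hold which (system, role).
# An empty set means nobody should hold the role at all.
ROLE_POLICY = {
    ("prod-db", "admin"): {"dba"},
    ("prod-db", "readonly"): {"dba", "ops", "compliance"},
    ("order-router", "deploy"): {"ops"},
    ("error-account", "trade"): set(),
}


def review_access(roster, grants, today):
    """Return findings as (kind, user, system, role) tuples, sorted for stable reporting.

    Kinds: "orphan"        grant exists but no person in the roster
           "leaver"        person is terminated and the end date has passed
           "unmapped-role" (system, role) is not covered by ROLE_POLICY
           "policy"        holder's department is not allowed that role
    A terminated person whose end date is still in the future (notice period)
    keeps access and is checked against the policy like anyone else.
    """
    people = {p.user: p for p in roster}
    findings = []
    for g in grants:
        p = people.get(g.user)
        if p is None:
            findings.append(("orphan", g.user, g.system, g.role))
            continue
        if p.status == "terminated" and (p.end_date is None or p.end_date <= today):
            findings.append(("leaver", g.user, g.system, g.role))
            continue
        allowed = ROLE_POLICY.get((g.system, g.role))
        if allowed is None:
            findings.append(("unmapped-role", g.user, g.system, g.role))
        elif p.department not in allowed:
            findings.append(("policy", g.user, g.system, g.role))
    return sorted(findings)


# Constructed sample data.
ROSTER = [
    Person("alice", "dba", "active"),
    Person("bob", "ops", "terminated", date(2011, 3, 31)),
    Person("carol", "compliance", "active"),
    Person("dave", "dev", "active"),
]
GRANTS = [
    Grant("alice", "prod-db", "admin"),          # allowed
    Grant("bob", "order-router", "deploy"),      # leaver once end_date has passed
    Grant("carol", "prod-db", "readonly"),       # allowed
    Grant("carol", "order-router", "admin"),     # role not in policy
    Grant("dave", "prod-db", "admin"),           # dev is not dba
    Grant("dave", "error-account", "trade"),     # nobody may hold this
    Grant("erin", "prod-db", "readonly"),        # no such person
]


def sample_findings(today_iso="2011-05-01"):
    """Run the review over the sample data as of the given ISO date."""
    return review_access(ROSTER, GRANTS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for kind, user, system, role in sample_findings():
        print(f"{kind:14} {user:6} {system:14} {role}")
```

Run as of 2011-05-01 the review reports five findings; run as of 2011-03-01, before bob's end date, his deploy grant is still legitimate and only four remain. In practice the roster would come from the HR system and the grants from each platform's own export, and the findings would feed the problem-escalation process from the first step rather than a printout.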

In the case of Direct Edge, “it doesn't appear any of that was in place here, which is really shocking,” says Greer.

The SEC has indicated that it recognizes that detecting every electronic glitch all the time is impossible, but also hints that it will still pursue companies with lax controls. As the SEC stated in its administrative order: “While some system outages inevitably will occur and not every outage is a violation of the federal securities laws, such outages—particularly when combined with significant other deficiencies in an exchange's systems, processes, and controls—can present risks that, left unremediated, could cause harm to investors and other market participants.”

The SEC simply wants a company to be able to show that it has enhanced controls in place to detect those glitches more quickly, Sylvia says. “When the SEC is looking for compliance issues, it looks to see not just whether a rule has been violated, but what compliance procedures were in place to spot the violation and what was done to proactively remedy the problem,” he says.

As part of a broader effort to ensure market regulations keep pace with trading realities, the SEC and Commodity Futures Trading Commission have been plotting over the last year how to curb abuses in high-frequency trading. Additionally, the Financial Industry Regulatory Authority in April released a “volatility plan,” which spells out how it wants to rein in abusive practices.

“As systems become more sophisticated, I think you're going to see more incidents of error,” Sylvia says. The hope in implementing new rules and regulations, he says, is that “the methods of correcting the errors and minimizing the consequences of them will be heightened.”