Direct Edge has been sanctioned for weak internal controls that led to millions of dollars in trading losses and a systems outage.

The SEC said untested computer code changes led to the overfulfillment of orders on Direct Edge's two national exchanges, EDGA and EDGX in one instance in late 2010.

The unwanted trades involved an estimated 27 million shares in about 1,000 stocks, with the amounts in question amounting to roughly $773 million.

In a second instance in early 2011, an EDGX database administrator inadvertently disabled database connections, disrupting the exchange’s ability to process incoming orders, modifications, and cancellations, and leading several EDGX members to file claims for more than $668,000 in losses.

Direct Edge and its affiliated broker, Direct Edge ECN, all agreed to settle cease-and-desist and administrative proceedings without admitting or denying the Commission’s findings.

The exchanges and the routing broker, known as DE Route, cooperated with the SEC’s investigation and agreed to be censured and undertake remedial measures.

“Direct Edge was required to police not only its members’ conduct, but its own conduct as well,” said Robert Khuzami, director of the SEC’s Division of Enforcement. “Despite those responsibilities, it violated the principal obligations of self-regulatory organizations and national securities exchanges to put the public interest first by ensuring the strength and security of their systems."

According to the SEC, Direct Edge violated its own rules when trying to resolve the first problem. When the orders came in in November 2010, the SEC said one Direct Edge member traded out of the overfilled shares and submitted a claim to the exchanges for $105,000 of losses.

When other members refused to do likewise, the exchanges assumed and traded out of the overfilled shares through the routing broker’s error account, in violation of their own rules. The Commission also found that in resolving the overfilled trades, which cost the exchanges about $2.1 million, DE Route violated rules on short selling.

DE Route failed to mark the orders as short or mismarked them as long, and failed to locate or document the availability of shares to borrow before selling them short, violating the SEC’s Regulation SHO.

In the second case, EDGX received internal alerts immediately and got external notifications soon after, including from members seeking to cancel unfilled trades and from numerous trading centers that were bypassing EDGX because it wasn’t responding immediately to incoming orders.

EDGX "waited approximately 24 minutes after the outage to remove its quotations from public market data, and violated the SEC’s Regulation NMS by failing to immediately identify its quotations as manual quotations,'' the SEC said.

Based on the incidents, the Commission found that EDGA violated Sections 19(b) and 19(g) of the Exchange Act, EDGX violated Sections 19(b) and 19(g) of the Exchange Act and Rule 602(a)(3) thereunder, and DE Route caused violations of Section 19(g) of the Exchange Act and violated Rules 200(g) and 203(b) thereunder.

All three consented to an order censuring them and requiring them to cease and desist from further violations of U.S. securities laws and to take remedial efforts to strengthen their information technology systems and controls and compliance procedures.

Here is what Direct Edge has told the SEC it will do to remediate the problems:

  • Enhance policies and procedures for systems development and maintenance.
  • Implement an enterprise risk management framework and information security program, including the hiring of an information security director, and enhancing their information technology control framework and underlying controls.
  • Hire a corporate training director to train employees about U.S. securities laws and the exchanges’ policies and procedures.
  • Retain outside counsel to review the circumstances leading to the two systems incidents at the exchanges.
  • Hire a chief compliance officer whose responsibilities include implementing policies and procedures reasonably designed to ensure that respondents fulfill their regulatory and compliance obligations.
  • Hire outside counsel and professionals to assist in the implementation
  • Fund the remediation plan

 -- This article first appeared on Securities Technology Monitor.