On Sept. 24, 2019, the Securities and Exchange Commission released information that TMC Bonds LLC, operator of an alternative trading system (ATS), will pay $2.1 million after being charged for failing to protect confidential information in violation of Regulation ATS. The wrongdoing occurred from Jan. 2016-June 2018 when TMC exposed client information nearly 2,600 times via email and instant message.
TMC marketed the ATS service as an “anonymous secondary trading platform” to advertise that ATS users would not know who they are trading with. ATS subscribers were told by TMC that their names would be kept confidential and would not be disclosed at any point during the trading process.
The affected subscribers were large brokerage firms trading corporate bonds for retail clients; TMC employees facilitating corporate bond trading were the ones disclosing the names of brokers to other subscribers. ATS subscribers were found to be very willing to trade with retail brokerage firms, so TMC compromised the firms’ anonymity to speed up the corporate bond trading process.
Although TMC had written policies and procedures in place to address the expectation of anonymity, the wording of such requirements was very vague and corporate bond trading desk employees were provided inadequate training on the topic.
TMC did not disclose to the Commission or to subscribers that its Form ATS statements were false. It was not until the Commission requested documentation about the group’s anonymous trading, that TMC amended policies and procedures to make note of deviant practices.
The misconduct of TMC was found to be in willful violation of multiple parts of Regulation ATS. After being contacted by Commission staff, “TMC undertook substantial remedial efforts to address the deficiencies in enforcing and implementing their anonymity policy.”
TMC was ordered to pay a civil penalty and to cease and desist from continuing to violate Regulation ATS.
WHAT DOES THIS MEAN FOR ME?
Creating and implementing effective data privacy policies and procedures is an essential business practice. Writing and maintaining policies and procedures and fully training staff to comply with business and Commission expectations will protect your business and your clients’ information.
Contact Fairview® Investment Services or Fairview® Cyber for more information about best practices for data privacy policies and procedures and conducting comprehensive employee training.