
SEC Fines Mizuho for Failing to Protect Customer Data


It is not enough for companies to establish policies and procedures designed to prevent the misuse of material nonpublic information. Companies must also enforce those policies and procedures.

That’s the lesson from the U.S. Securities and Exchange Commission's recent settlement with Mizuho Securities USA LLC (“Mizuho”), a broker-dealer, for the firm’s failure to safeguard customer information.

At issue was Mizuho’s handling of its issuer stock buyback program. A share buyback occurs when a publicly traded company buys its shares back from its shareholders. While companies may publicly disclose some information about their buyback programs, they typically do not reveal the specific dates on which they intend to execute the buyback trades. Traders privy to this information can use it to take advantage of the buyback order.

Mizuho, however, failed to safeguard this material nonpublic information in buyback programs it executed. According to the SEC, Mizuho traders at the desk overseeing the buyback program, the International Sales Trading Desk, “routinely” passed buyback order information to traders at the separate U.S. Equity Trading Desk, which had no role in executing the buyback program. Also, on several occasions traders at the U.S. Equity Trading Desk shared the buyback order information with other external Mizuho clients, said the SEC.

These events occurred despite Mizuho having in place specific policies and procedures designed to safeguard customers’ material nonpublic information. The SEC charged that Mizuho simply failed to maintain and enforce its existing policies and procedures.

SEC Order

The SEC order describes two types of policies and procedures Mizuho failed to maintain and enforce: (1) effective information barriers between trading desks; and (2) protection of confidential customer order information.

As to maintaining effective information barriers, the SEC explained that Mizuho policies prohibited its trading desks from viewing other desks’ orders. In practice, however, information about the buyback orders flowed from the International Sales Trading Desk to the U.S. Equity Trading Desk.

With respect to protecting confidential customer order information, Mizuho’s Code of Conduct and insider trading policy required traders to protect confidential customer order information, including nonpublic information. But, as described above, Mizuho traders shared nonpublic information with each other, and with Mizuho clients.

SEC Findings

As a result of these missteps, the SEC found that Mizuho had violated Section 15(g) of the Exchange Act, which requires registered broker-dealers to establish, maintain and enforce written policies and procedures to prevent the misuse of material nonpublic information. As punishment, the SEC imposed a cease-and-desist order prohibiting Mizuho from committing future violations of Section 15(g), issued a $1,250,000 fine, and censured the company.

Mizuho did not admit to or deny any of the SEC’s findings.

By Peter A. Kurtz and Craig A. Newman of Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice.