As part of our ongoing series on enforcement actions by the Securities and Exchange Commission (“SEC”) in data- and cybersecurity-related matters (here, here, and here), we have been closely tracking regulatory developments and gathering insights on enforcement trends.  Last week, the SEC announced that App Annie and its former CEO and Chairman, Bertrand Schmitt (together, “App Annie”), had agreed to a $10.3 million payment to settle charges for engaging in fraudulent practices and making material misrepresentations about its data use from 2014 to 2018 (the “Relevant Period”) in violation of Section 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) and Rule 10b-5 thereunder (“SEC Order”).  Although not explicitly articulated in the SEC Order, the SEC’s basis for jurisdiction was ostensibly the fact that the app aggregated public company data.  This is the SEC’s first enforcement action against an alternative data provider.  As was the case in the BlueCrest settlement late last year, the App Annie enforcement action underscores the importance of making accurate disclosures regarding data collection and use, and the regulatory risk for companies that do not follow their data policies and procedures.

App Annie’s Business Model

“Alternative data” refers to information about companies or investments that is not contained within financial statements or other traditional data sources, and can include data on how a company’s apps are performing, as measured by the number of downloads, amount of app generated revenue, and frequency of app usage by customers.  According to the SEC Order, App Annie is one of the largest providers of such market data on mobile app performance.

To collect the alternative data, App Annie offered a free analytics product called “Connect” to companies that offer apps.  These companies can track their apps’ performance in exchange for granting App Annie the ability to collect their confidential app performance metrics (“Connect Data”) using their app store login credentials.  App Annie represented in its Terms of Service, and in communications with Connect users, that it would only use Connect Data in aggregated and anonymized form in generating estimates of app performance.

To monetize the alternative data, App Annie offered, for a subscription fee, another product called “Intelligence.”  According to the SEC Order, App Annie represented to trading firms (who were charged a premium) and other subscribers that the estimates were generated through a statistical model that used aggregated and anonymized Connect Data, and that the Connect users had consented to such use.  It also represented to trading firms in various marketing fora, and in response to diligence questionnaires, that (1) it had internal controls and processes to ensure compliance with legal requirements governing the handling of material nonpublic information and to prevent the misuse of confidential Connect Data, and (2) public companies’ Connect Data was not used to generate Intelligence estimates.

SEC Findings

The SEC found that, contrary to its representations, App Annie did not have a policy mandating the exclusion of all public company Connect Data (“Policy”) from its model estimates until April 2017, and even then, the Policy only required the exclusion of app revenue data (and not download and usage data) from certain public companies whose app revenue exceeded 5% of total revenue.  The SEC also found that App Annie failed to take steps to ensure that the Policy was properly implemented.

In addition, the SEC found that during the Relevant Period, in violation of App Annie’s own Terms of Service, Schmitt had directed certain employees, with no involvement from its data science team, to make manual alterations and apply “error-halving” to the model-generated Intelligence estimates, so that the estimates delivered to the Intelligence subscribers could be closer to the actual app performance figures.  The manual alterations were based on confidential non-aggregated and non-anonymized Connect Data, including public company app data.  “Error-halving” was a process by which, if the difference between the model estimate and the actual performance figure was larger than a certain pre-set threshold approved by Schmitt, App Annie would cut the difference by half and replace the model estimate with the new figure.  According to the SEC Order, there was no statistical basis for these post-model alterations, and there was no documentation on which estimates were adjusted and why.  Moreover, the use of these manual alteration procedures was not disclosed to customers, customer-facing employees, or other App Annie executives. The SEC Order noted that, despite these deceptive practices, App Annie continued to make material misrepresentations about its handling of data when it knew or should have known that the trading firm subscribers were using its altered estimates in making their investment decisions.

Key Takeaways

This SEC enforcement action against an alternative data provider illustrates the agency’s continuing focus on data-related issues through the lens of adequate disclosures and policies, and not just in terms of the existence of appropriate policies and procedures, but also in terms of the effectiveness of their implementation.  This action also highlights, as was the case with BlueCrest, that the SEC does not need new AI or algorithm regulations in order to bring enforcement actions, and that model transparency and explainability will be subject to increasing regulatory scrutiny.  Below, we reiterate some of our recent recommendations for best practices and supplement those with a few new ones.

Companies that make trading decisions based on alternative data should try to ensure that they:

  1. Conduct diligence on the providers of alternative data to ensure that the provider has the rights to sell the data for the purpose it is to be used, and that all applicable regulatory and contractual obligations have been met. Such diligence may include requiring data providers to complete due diligence questionnaires detailing the manner in which they obtained the relevant data, including their compliance with applicable laws and regulations; obtaining copies of the data vendors’ compliance-related policies, procedures and/or contracts with downstream data providers; and documenting due diligence follow-up as appropriate.
  2. Obtain contractual representations from data providers that stipulate that the data provider has the authority to license the data and has not violated any laws or other contractual obligations in obtaining or licensing the data for trading purposes.
  3. To the extent that the data sets are being generated internally or scraped from the public Internet, make sure that there are policies and procedures to confirm regulatory compliance with contractual, IP and privacy obligations that may limit the use of that data.
  4. Make accurate disclosures to customers about the use of alternate data and algorithms in trading recommendations and decisions.
  5. Institute the proper governance structure for senior-level oversight of the lifecycle for complex investment models, which may include implementing internal controls so that model outputs cannot be tinkered with without a sound statistical basis and involvement of the data science team. If model outputs need to be adjusted, make sure to document why and how, and ensure any significant model changes are adequately disclosed to the relevant stakeholders.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and cybersecurity regulatory counseling and defense.

Author

Eric Silverberg is an associate in Debevoise's Litigation Department. He can be reached at ewsilverberg@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.

Author

Adrian Gonzalez is an associate in Debevoise's Litigation Department. He can be reached at agonzalez@debevoise.com.