On April 26, 2022, the Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert titled “Investment Adviser MNPI Compliance Issues” (“Risk Alert”) on the use of alternative data.  The Risk Alert outlines EXAMS’ recent observations on compliance deficiencies related to Section 204A of the Investment Advisers Act of 1940—including deficiencies relating to policies and procedures for alternative data—and Rule 204A-1 (the “Code of Ethics Rule”).  Based on the Risk Alert, and the recent SEC enforcement action in this area, we offer three takeaways for investment advisers to reduce their risk when purchasing and using alternative data.

EXAMS’ Findings on Investment Advisers’ Alternative Data Usage

The Risk Alert defines “alternative data” to include “many different types of information increasingly used in financial analysis, beyond traditional financial statements, company filings, and press releases, [and] does not necessarily contain MNPI.”  The Risk Alert puts investment advisers on notice that they must ensure that their sourcing and use of alternative data are in compliance with Advisers Act Section 204A, which requires all investment advisers to “establish, maintain, and enforce written policies and procedures that are reasonably designed, taking into consideration the nature of the adviser’s business, to prevent the misuse of material non-public information (“MNPI”) by the adviser or any person associated with the adviser.”

EXAMS observed that advisers “did not appear to adopt or implement reasonably designed written policies and procedures to address the potential risk of receipt and use of MNPI through alternative data sources.”  Specifically, it noted three categories of deficiencies relating to alternative data:

  1. Failure to adequately memorialize diligence processes with respect to alternative data service providers or follow such processes systematically and consistently. The Risk Alert noted that certain advisers “instead engaged in ad hoc and inconsistent diligence of alternative data service providers.”
  2. Failure to have policies and procedures regarding assessment of terms, conditions or legal obligations for Alternative Data collection or provision. The Risk Alert observed in particular that advisers did not have policies and procedures addressing “red flags about the sources of such alternative data.” 
  1. Failure to demonstrate via documentation consistent implementation of policies and procedures related to alternative data service providers throughout the lifecycle of the data. The Risk Alert noted that advisers did not conduct due diligence on all sources of alternative data; that even when advisers had an onboarding process for alternative data service providers, such advisers did not always have systems for “determining when due diligence needed to be re-performed based on passage of time or changes in data collection practices”; and that advisers could not always demonstrate through documentation consistent implementation of policies and procedures.

In addition to the focus on alternative data, the Risk Alert also discussed observed deficiencies involving policies and procedures relating to “value-add investors” and “expert networks” in the context of Section 204A compliance and separately discussed observed deficiencies involving compliance with the Code of Ethics Rule under Section 204A-1.

Key Takeaways

The Risk Alert should be considered along with the SEC’s September 2021 enforcement action against alternative data provider App Annie and EXAMS’ recent statement in its 2022 Priorities that it plans to scrutinize advisers’ use of alternative data in their business and investment decision-making processes.  When viewed together, these actions demonstrate the agency’s increasing scrutiny of the usage of alternative data for securities trading and the potential that such data may contain MNPI.  As discussed in our blog post on the case, the SEC found that alternative data provider App Annie made material misrepresentations and omissions about its policies and procedures for handling alternative data (in that case, data on companies’ mobile app usage) and failed to implement its policies and procedures involving such data.  As discussed in our Client Alert, EXAMS’ 2022 Priorities stated that “to the extent that firms are using alternative data or data gleaned from non-traditional sources as part of their business and investment decision-making processes, reviews will include examining whether RIAs, including RIAs to private funds and registered funds, are implementing appropriate compliance and controls around the creation, receipt, and use of potentially MNPI.”

The Risk Alert, the App Annie matter, and EXAMS’ 2022 Priorities, taken together, signal that alternative data will continue to be a focus for both examinations and enforcement activities.  Advisers that use alternative data in developing trading strategies should, therefore, consider the following measures to mitigate regulatory and reputations risks associated with the use of alternative data:

  1. Memorialize Due Diligence Processes for Alternative Data Providers. Investment advisers should consider developing and documenting specific policies and procedures to address the unique risks presented by alternative data, including policies and procedures specifically relating to the due diligence to be conducted on third-party providers of such data.  While such policies and procedures can be part of the firm’s preexisting vendor management policy, they can also be tailored to the specific MNPI risks that alternative data might present in the context of the adviser’s business use case.
  2. Develop Oversight Mechanisms to Ensure Consistent Implementation of Policies and Procedures. The Risk Alert highlighted that due diligence policies and procedures are not sufficient when they are not consistently implemented and emphasized that appropriate due diligence on alternative data must be conducted not only at onboarding, but also post-adoption.  As such, advisers should consider having policies and procedures regarding alternative data that address the full lifecycle of usage of such data, as well as documentation of their ongoing efforts to comply with such policies and procedures.
  3. Empower Relevant Personnel to Identify and Escalate Red Flags. Advisers should provide criteria for relevant personnel to escalate potential red flags in the use of alternative data.  Advisers should also consider clearly delineating methods of escalation and pathways for investigating and resolving such red flags, such that identified risks are not left unaddressed and evolve into a source of potential future examination or enforcement risk.

The authors would like to thank Debevoise law clerk Linda Lin for her contribution to this post. 

To subscribe to our Data Blog, please click here.

 

Author

Andrew J. Ceresney is a partner in the New York office and Co-Chair of the Litigation Department. Mr. Ceresney represents public companies, financial institutions, asset management firms, accounting firms, boards of directors, and individuals in federal and state government investigations and contested litigation in federal and state courts. Mr. Ceresney has many years of experience prosecuting and defending a wide range of white collar criminal and civil cases, having served in senior law enforcement roles at both the United States Securities and Exchange Commission and the U.S. Attorney’s Office for the Southern District of New York. Mr. Ceresney also has tried and supervised many jury and non-jury trials and argued numerous appeals before federal and state courts of appeal.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Julie M. Riewe is a litigation partner and a member of Debevoise's White Collar & Regulatory Defense Group. Her practice focuses on securities-related enforcement and compliance issues and internal investigations, and she has significant experience with matters involving private equity funds, hedge funds, mutual funds, business development companies, separately managed accounts and other asset managers. She can be reached at jriewe@debevoise.com.

Author

Kristin Snyder is a litigation partner and member of the firm’s White Collar & Regulatory Defense Group. Her practice focuses on securities-related regulatory and enforcement matters, particularly for private investment firms and other asset managers.

Author

Jonathan Tuttle, managing partner of the Washington, D.C. office, is a member of the firm’s Litigation Department. He has represented public companies, regulated institutions, boards of directors, audit and special committees of boards, and individual directors, officers and employees in enforcement investigations and proceedings brought by the Securities and Exchange Commission, the Department of Justice, FINRA and the PCAOB, as well as in securities class actions, shareholder derivative suits, internal corporate investigations and a variety of other securities and finance-related litigation and regulatory matters.

Author

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and cybersecurity regulatory counseling and defense.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.