On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) issued proposed rules (the “Proposed Rules”) that would require broker-dealers and investment advisers (collectively, “firms”) to evaluate their use of predictive data analytics (“PDA”) and other covered technologies in connection with investor interactions and to eliminate or neutralize certain conflicts of interest associated with such use. The Proposed Rules also contain amendments to rules under the Securities Exchange Act of 1934[1] (“Exchange Act”) and the Investment Advisers Act of 1940[2] (“Advisers Act”) that would require firms to have policies and procedures to achieve compliance with the rules and to make and maintain related records.

In this memorandum, we first discuss the scope of the Proposed Rules and provide a summary of key provisions. We also discuss some key implications regarding the scope and application of the rules if adopted as proposed. The full text of the proposal is available here.

Scope of the Proposed Rules

The Proposed Rules would apply to all broker-dealers and SEC-registered investment advisers who use “covered technologies” in connection with investor interactions. The requirements would generally be parallel, but there are a few notable exceptions, the most significant of which is the scope of the defined term “investors.” As discussed further below, the definition for broker-dealers is limited to retail investors while the investment adviser rule has no such limitation.

The Proposed Rules define the following terms relating to the scope and application of the provisions:

Covered Technology

Covered technology is defined as any “analytical, technological or computational function, algorithm, model, correlation matrix, or similar method or process that optimizes for, predicts, guides, forecasts or directs investment-related behaviors or outcomes.”

This definition is exceptionally broad. Read literally, it would cover practically any forward-looking use of technology, theory, correlation analysis or other technique in the context of an investor interaction (which as discussed below also is defined broadly) and would include even internal analyses compiled on Excel spreadsheets.

The proposing release[3] (the “Release”) confirms that the SEC intended such a broad scope. Among other details, the Release notes the following:

  • The proposed definition is designed to capture PDA-like technologies such as artificial intelligence (“AI”), machine learning, deep learning algorithms, neural networks, natural language processing (“NLP”) or large language models, but also any other “technologies” that make use of historical or real-time data, lookup tables or correlation matrices.
  • The proposed definition would include off-the-shelf and bespoke technologies, future and existing technologies, sophisticated and relatively simple technologies as well as technologies developed by a firm internally or licensed from third parties.
  • The proposed definition is intended to cover not only technologies that provide “investment advice or recommendations,” but also “design elements, features, or communications that nudge, prompt, cue, solicit, or influence investment-related behaviors or outcomes from investors”—so-called “digital engagement practices” (or “DEPs”).
  • Covered technologies would also include tools that analyze investors’ behaviors to proactively provide information, such as curated research reports on particular investment products.
  • Covered technologies, however, would not include technology designed “purely” to inform investors, such as a website providing current account balances. It would also not include technology that is used to predict non-securities investment-related matters such as whether an investor would be approved for a particular credit card issued by the firm’s affiliate or to assist investors with basic customer support services.

Investor

For broker-dealers, the definition of investor would include a natural person or the legal representative of such natural person who seeks to receive or receives services primarily for personal, family or household purposes.[4] This definition is similar in scope but broader in practice than the definition of “Retail Customer” in Regulation Best Interest because there is no requirement that such a person receive a “recommendation.”

For investment advisers, the definition of investor would include any client or prospective client and any current or prospective investor in a pooled investment vehicle advised by the investment adviser.[5] Notably, the definition does not appear to be limited to natural persons and their representatives, though the Release provides no explanation for this difference as compared to the broker-dealer version of the rule.

Investor Interaction

The term “investor interaction” is defined as engaging or communicating with an investor, including by exercising discretion with respect to an investor’s account, providing information to an investor or soliciting an investor.

This definition appears to include virtually any communication or presentation of visual or other sensory data to an “investor,” by whatever means, regardless of whether the interaction would rise to the level of investment advice or a recommendation.[6] The Release explicitly states that it includes any advertisements disseminated by or on behalf of the firm. The proposed definition does provide a carve out for interactions solely for the purpose of meeting legal or regulatory obligations or for the purpose of providing clerical, ministerial or general administrative support. The Release also explains that certain “back-office” functions are not covered, including “routing of customer orders,” because they do not involve investor interactions within the meaning of the Proposed Rules.

Use

The Proposed Rules cover situations where there is a “use” of covered technology “in” an investor interaction. For this purpose, “use…in” is not defined, but the preamble makes clear this terminology is intended to include both direct uses, such as where the covered technology itself presents data to an investor, and indirect uses, such as where the technology informs an associated person of the firm and that person communicates information gleaned from the technology to an investor.

Summary of Key Provisions

Once a determination has been made that a firm is using covered technology in connection with an investor interaction, the Proposed Rules would require the firm to take affirmative steps to identify all “conflicts of interest” (as specifically defined in the rule) and then eliminate or neutralize certain of these conflicts of interest as well as adopt policies and procedures meeting prescriptive requirements.

Substantive Elimination or Neutralization Requirement

Substantively, a firm would be required to (i) evaluate any use or reasonably foreseeable potential use (by the firm or its associated persons) of a covered technology to identify whether it involves a “conflict of interest,” (ii) determine if any such conflict of interest places or results in placing the interest of the firm (or a covered associated person) ahead of investors’ interests, and (iii) eliminate or “neutralize” any such conflict that has such effect.

Evaluation and Identification of Conflicts

The Proposed Rules would define “conflict of interest” broadly to include any use of a covered technology that takes into consideration an interest of the firm or an associated person of the firm.[7] Notably, this definition doesn’t actually require a conflict, just consideration of the firm’s own interest. In the Release, the SEC makes clear that, if the covered technology considers any information favorable to a firm or associated person, the firm should evaluate the conflict and determine whether it places the interest of the firm or its associated persons “ahead” of investors’ interests.

The Proposed Rules do not mandate a particular means by which a firm is required to evaluate a covered technology or identify a conflict of interest associated with that use or potential use. Rather, a firm would be permitted to adopt an approach that it considers appropriate for its particular use of covered technology, provided that its approach is sufficient for the firm to identify the conflicts of interest that are associated with how the technology has operated in the past and how it could operate once deployed by the firm. More advanced or complicated technologies, particularly those using complex modeling or machine learning, would be expected to require more complex evaluative strategies. For example, where a firm is using a machine learning technology without knowing whether the specific data used by the machine might somehow skew results in the firm’s favor, it might have to build “explainability” features or otherwise conduct outcomes testing on the outputs. Further, the firm would be required to consider scenarios that are reasonably foreseeable unless the firm has taken reasonable steps to prevent use of the technology in scenarios it has not approved.[8]

As part of this requirement, the Proposed Rules would include a specific requirement to test each covered technology periodically to determine whether the use of such covered technology is associated with a conflict of interest. While the Proposed Rules do not specify any particular method of testing or frequency of retesting that the firm must conduct, testing would be required (1) prior to implementing the covered technology and (2) before deploying any “material modification”[9] of the technology.

Determination as to Placement of Interests Ahead of Investor Interests

After evaluation and identification of a “conflict of interest” in the use of a covered technology, a firm would then have to determine whether such use places or results in placing the firm’s or a covered associated person’s interest ahead of investors’ interests. No particular guidance is given in the Proposed Rules as to the tipping point at which a firm would be considered to be placing its own interests ahead of investors. The Release notes that such determination is based on a facts and circumstances analysis.

Neutralization or Elimination of Conflict

As previewed above, the Proposed Rules would require a firm to act promptly to eliminate, or neutralize the effect of, any conflict of interest determined to result in an investor interaction that places the firm’s (or a covered associated person’s) interest ahead of the interests of its investors.[10] The Release notes that the test for whether a firm has successfully eliminated or neutralized the effect of a conflict of interest is whether the interaction no longer places the interests of the firm ahead of the interests of investors.

The Release notes that a firm could eliminate a conflict by, for example, completely eliminating the practice generating the conflict (whether by changes to the algorithm, technology or otherwise) or removing the firm’s interest from the information considered by the technology.

For example, if a firm determined that covered technology that generated predictions or provided financial model results to an investor favored investments that provided advantageous revenue sharing to the firm, it may choose to eliminate the conflict by ending revenue sharing payments or by ensuring that its covered technologies do not consider investments that share revenue. Alternatively, such a firm may be able to “neutralize” the effect of such a conflict by taking steps to prevent the technology from biasing the output towards the interest of the firm or its associated persons (e.g., by changing how information is analyzed or weighted such that the technology always holistically weights other factors as more important).

While the Release provides a number of such examples, the SEC notes that the Proposed Rules do not prescribe a specific way in which a firm must eliminate, or neutralize the effect of, its conflicts of interest.[11]

Policies and Procedures

The Proposed Rules would also require all covered firms that employ covered technologies to implement policies and procedures that would both (i) be reasonably designed to prevent a violation of the Proposed Rules and (ii) satisfy detailed prescriptive requirements.

The prescriptive requirements would include, among other things, written descriptions of: (a) the processes for evaluating any use or reasonably foreseeable potential use of any covered technology in any investor interaction for conflicts of interest; (b) the material features of any covered technology; (c) the processes for determining whether any such conflicts of interest result in an investor interaction that places the interest of the firm or its covered associated persons ahead of the interests of investors; and (d) the processes for determining how to eliminate, or neutralize the effect of, any such conflicts that place firm interests ahead of investor interests. In addition, such policies and procedures would be required to provide for a review (and written documentation of such review) of the adequacy of such policies and procedures to be conducted on a periodic basis (and no less frequently than annually).

The SEC notes in the Release that a firm that makes extensive use of more complex covered technologies or a firm whose conflicts of interest are more complex or extensive would need a more robust set of policies and procedures. As such, the SEC states that firms designing such policies and procedures should consider including other elements as appropriate, such as (i) compliance review and monitoring systems and controls, (ii) procedures that clearly designate responsibility to appropriate personnel for supervision of functions and persons, (iii) processes to escalate identified instances of noncompliance to appropriate personnel for remediation, and (iv) training of relevant personnel on the policies and procedures, as well as the forms of covered technology used by the firm.

Recordkeeping

The SEC is also proposing to amend relevant rules under the Exchange Act and Advisers Act to set forth requirements for firms to maintain and preserve, for specific retention periods, books and records related to the requirements of the Proposed Rules. The proposed retention periods conform to existing retention periods for broker-dealers (not less than 6 years) and investment advisers (not less than 5 years).[12]

Request for Comments

In the Release, the SEC generally requests comments on all aspects of the Proposed Rules and raises a number of specific items for comment on each part of the provision.

Comments should be received on or before October 10, 2023.

Implications for Broker-Dealers, Investment Advisers and Investors

The Proposed Rules contain a number of elements that are likely to be highly controversial to a variety of market participants.

Breadth of Covered Technologies and Practice

The scope of the Proposed Rules is exceptionally broad. While much of the preamble to the Release focuses on digital platforms and the issues and characteristics of technologies in the nature of high-end PDAs employing AI or machine learning, in actual fact virtually any technique or technology that influences investment behavior or investor interactions would be a “covered technology.”

This means the Proposed Rules would not only apply to newer headline-grabbing advanced technologies, but also to much simpler technologies and practices that have traditionally been employed widely by broker-dealers and investment advisers, such as spreadsheets and other basic models.

Indeed, the “covered technology” and “investor interaction” concepts are so broadly defined and loosely linked in the Proposed Rules that they also may apply to activities that are not immediately recognized as involving any kind of predictive data analytics. For instance, DEPs, such as behavioral prompts, differential marketing, gamification features and other design elements or features designed to engage retail investors, are clearly intended to be in scope. While modern practice is increasingly to provide these prompts through digital interfaces, the “analytical” or “model” element of DEPs may be nothing more than the empirical observation that people enjoy playing games and are motivated to “win” them. Such DEPs are a very different kind of “technology” or innovation than AI or other computational models that are plainly in the intended scope, and in framing a rule with a single set of concepts to encompass both, the SEC has proposed a framework that may apply to a vast amount of activity.

Vagueness of Scope and Application of Terms

The scope and application of the Proposed Rules are not only extremely broad but also vague and at times logically inconsistent.

For example, while it is clear that DEPs are intended to be covered by the Proposed Rules, the actual prongs of the definition that are supposed to cover such elements, features or communications are not specified. One possibility is that the SEC would view DEPs as technologies that “optimize for” or “guide” behavior. Logically, it would also seem that the cognitive or psychological theory behind the nudge is the “technology,” and that the nudge itself is an investor interaction “using” this technology. In any event, the uncertainty leads to potential challenges in determining the scope of covered technologies in practice. For instance, it is not clear whether an application that is not a covered technology could suddenly become a covered technology if it is modified to include a feature or design element (say, a different color button or default toggle) that could be said to “optimize for” or “guide” behavior.

The treatment of order routing and other “back-office” functions under the Proposed Rules also seems largely unexplained. The Release makes clear that the SEC would view order routing as out-of-scope for purposes of the Proposed Rules on the basis that it does not involve an investor interaction. However, it is not apparent on the face of the Proposed Rules why a “back-office” use of technology to handle a customer order would be any less of a covered interaction than any other internal use of technology (say, quantitative internal analysis to support marketing activities) that supports discretionary decision-making with respect to an investor or its account.

The Proposed Rules’ lack of distinction between retail and institutional investors relative to investment advisers is also problematic. While the Release explains (at least in part) the decision to focus on interactions with retail investors for purposes of the broker-dealer rule, it is entirely silent as to why the investment adviser rule would not be similarly limited. If the operative concern is the ability of retail investors to understand and appreciate the risk posed by conflicted interests in the use of covered technologies, it is not clear why the investment adviser rule should apply more broadly to institutional investors and other sophisticated advisory clients. This is materially inconsistent with the SEC’s own 2019 guidance in connection with advisers’ fiduciary obligations, which recognized that those obligations apply markedly differently as between institutional and retail clients.[13]

Scope of Covered “Uses” of Technology

The elastic nature of the term “use” in the Proposed Rules is potentially very material—particularly because the scope is meant to cover both indirect use of covered technologies, as well as reasonably foreseeable (direct and indirect) uses.

While the example provided in the preamble is one in which an associated person of the firm passes on information from a model or other predictive technology to an investor, it also seems likely that indirect “use” would be involved where the covered model informs an associated person as to how to communicate with an investor in a manner predicted to generate business or revenue from investment-related behavior. If this latter “use” is in scope, then virtually all marketing communications involving specific securities or investment products may be covered by the Proposed Rules. Indeed, as proposed, it is unclear why general advertising by a retail broker-dealer that involves the mention of particular products or services would not be a use of a covered technology (effectively advertisement theory) in an investor interaction.

Abandonment of Disclosure Framework

The Proposed Rules forgo the use of “reasonable customer” assumptions that would cabin the applicability of the conflict elimination/neutralization requirement in two important ways.

First, there is no requirement that there be a “recommendation”—or a communication that a reasonable person would deem a “call to action” in reliance on superior knowledge of the broker-dealer or investment adviser. Any investment-related communication involving an element of self-interest would potentially be sufficient to implicate the conflict neutralization duties under the rule, even if it were obviously self-interested marketing.

Second, the Proposed Rules forgo disclosure as an adequate mitigant for potential harm, meaning that the proposal effectively dismisses in all cases the possibility that a customer with adequate information would make reasonable decisions for himself or herself in the face of covered marketing communications from the firm.

Consequently, it is unclear how a firm could ever engage in certain kinds of communications that are below the level of a recommendation but involve covered analytics and a marketing element in a context where they have not conducted a detailed suitability or best interest analysis of the recipients. In those situations, it would potentially be impossible to determine if any element of self-interest in the communication would put the firm’s interest ahead of that of the investor. As a result, it would seem that the firm would presumptively be under a duty to eliminate or neutralize the conflict.

With respect to investment advisers, the Proposed Rules’ requirement to “neutralize” or “eliminate” conflicts of interest would effectively overturn decades of the SEC’s own guidance (affirmed as recently as 2019) and run contrary to Supreme Court precedent that requires “mitigation,” not “elimination,” of conflicts and expressly permits disclosure and informed consent to address conflicts.[14]

* * *


[1]       15 U.S.C. § 78a.

[2]       15 U.S.C. § 80b.

[3]       Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers, available at https://www.sec.gov/files/rules/proposed/2023/34-97990.pdf.

[4]       The SEC notes in the Release that the definition is intended to capture prospective and current retail investors.

[5]       “Pooled investment vehicle” for purposes of the Proposed Rules means any investment company as defined in section 3(a) of the Investment Company Act of 1940, as amended (the “Investment Company Act”) or any company that would be an investment company under section 3(a) of the Investment Company Act but for the exclusion provided from that definition by either section 3(c)(1) or section 3(c)(7) of the Investment Company Act.

[6]        For example, the SEC notes in the Release that, in addition to providing investment advice or recommendations, the intended scope extends to design elements, features or communications that “nudge,” prompt, cue, solicit or influence investment-related behaviors or outcomes from investors.

[7]       For broker-dealers, consideration of the interests of associated persons is limited to individuals who are associated persons.

[8]       In this context, the Release suggests that limiting the personnel who are able to access the technology may be one means to prevent use of the technology in unapproved scenarios.

[9]       A material modification may include, for example, adding a new functionality such as expanding the asset classes covered by the technology. On the other hand, the Release notes that the SEC would not generally view minor modifications such as standard software updates, security or other patches, bug fixes or minor performance improvements as material modifications.

[10]     An exception is provided for a conflict of interest that exists solely because the firm seeks to open a new investor or client account. The Release notes that even though opening an account would likely be in the interest of the firm, the Proposed Rules are not designed to limit firms’ abilities to attract clients and customers. However, incentivizing specific types of activity (such as margin or options trading privileges, as opposed to opening a general account, or investing in a particular type of investment, as opposed to just opening an account to invest) that is particularly profitable to a firm (and not always in investors’ interests) is intended to be addressed by the Proposed Rules.

[11]     The SEC recognizes in the Release that some firms may use certain complex technologies that lack explainability as to how the technology functions in practice and how it reaches conclusions (e.g., a “black box” algorithm where it is unclear exactly what inputs the technology is relying on and how it weights them). Such technologies would nevertheless remain subject to the Proposed Rules. The SEC states that in such cases, firms may be able to modify the technologies by embedding explainability features into their models and/or adopting back-end controls in a manner that will enable firms to satisfy the requirements of the Proposed Rules. However, where such techniques cannot be employed or are ineffective such that a firm cannot determine that its use of a covered technology in investor interactions does not result in a conflict of interest that places its interests ahead of those of investors, the firm generally would be required to consider any conflict of interest associated with such use as one that needs to be neutralized or (where that is not possible or practicable) eliminated.

[12]     Six specific types of records to be maintained for these purposes include: (i) written documentation of the evaluation of any conflict of interest associated with the use or potential use by the firm or associated person of a covered technology in an investor interaction; (ii) written documentation of the determination of whether any conflict of interest so identified places the interest of the firm or associated person of the firm ahead of the interests of the investors; (iii) written documentation evidencing how the effect of any conflict of interest identified as placing the interest of the firm or associated persons ahead of the interests of investors has been eliminated or neutralized; (iv) the written policies and procedures adopted, implemented and (in the case of a broker-dealer) maintained in accordance with the rules; (v) a record of disclosures provided to investors regarding the firm’s use of covered technologies, including, if applicable, the date such disclosure was first provided or the date such disclosure was updated; and (vi) records of each instance in which a covered technology was altered, overridden or disabled, the reason for such action and the date thereof.

[13]     See Commission Interpretation Regarding Standard of Conduct of Investment Advisers, Release No. IA-5248 (June 5, 2019) (the “Fiduciary Release”).

[14]     See Fiduciary Release, supra, and SEC v. Capital Gains Bureau, 375 U.S. 180 (1963).

Author

Andrew J. Ceresney is a partner in the New York office and Co-Chair of the Litigation Department. Mr. Ceresney represents public companies, financial institutions, asset management firms, accounting firms, boards of directors, and individuals in federal and state government investigations and contested litigation in federal and state courts. Mr. Ceresney has many years of experience prosecuting and defending a wide range of white collar criminal and civil cases, having served in senior law enforcement roles at both the United States Securities and Exchange Commission and the U.S. Attorney’s Office for the Southern District of New York. Mr. Ceresney also has tried and supervised many jury and non-jury trials and argued numerous appeals before federal and state courts of appeal.

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and cybersecurity regulatory counseling and defense.

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Robert Kaplan is a litigation partner based in the firm’s Washington, D.C. office. He has significant experience with a broad range of securities-related enforcement and compliance issues, including those involving requirements affecting SEC-registered investment advisers affiliated with hedge funds, private equity funds, investment companies, mutual funds and separately managed accounts. Mr. Kaplan routinely represents these clients in matters before the SEC, state attorneys general and FINRA. He is recommended by Chambers USA (2020), and, in 2017, Securities Docket recognized him as one of the “best and brightest in securities enforcement defense.”

Marc Ponchione, a partner in Debevoise's Investment Management Group, focuses on advising financial services firms on various regulatory, compliance and transactional issues arising in the asset management industry. He can be reached at mponchione@debevoise.com.

Julie M. Riewe is a litigation partner and a member of Debevoise's White Collar & Regulatory Defense Group. Her practice focuses on securities-related enforcement and compliance issues and internal investigations, and she has significant experience with matters involving private equity funds, hedge funds, mutual funds, business development companies, separately managed accounts and other asset managers. She can be reached at jriewe@debevoise.com.

Jeffrey L. Robins is a corporate partner and a member of the Debevoise Banking Group. His practice focuses on representing broker-dealers, swap dealers, banks, securities exchanges, industry associations and buy-side institutions in regulatory and transactional matters. He can be reached at jlrobins@debevoise.com.

Kristin Snyder is a litigation partner and member of the firm’s White Collar & Regulatory Defense Group. Her practice focuses on securities-related regulatory and enforcement matters, particularly for private investment firms and other asset managers.

Matthew Kelly is a litigation counsel based in the firm’s New York office and a member of the Data Strategy & Security Group. His practice focuses on advising the firm’s growing number of clients on matters related to AI governance, compliance and risk management, and on data privacy. He can be reached at makelly@debevoise.com.

Gary Murphy is a counsel and a member of Debevoise's Blockchain, Hedge Fund and Derivatives Practice Groups. He can be reached at gemurphy@debevoise.com.

Sheena Paul is a counsel in the Investment Management Group’s U.S. regulatory practice, based in the firm’s Washington, D.C. office. Ms. Paul focuses her practice on providing regulatory advice to investment managers, with a particular focus on private equity clients. She works closely with the firm’s other practices on regulatory advice related to domestic and cross-border corporate and capital markets transactions, and enforcement matters. She can be reached at spaul@debevoise.com.

Jarrett Lewis is an associate and a member of the Data Strategy and Security Group. He can be reached at jxlewis@debevoise.com.

Catherine Morrison is a corporate associate and a member of Debevoise's Banking and Financial Institutions Groups. She can be reached at ccmorrison@debevoise.com.

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.