By Jonathan A. Forman, Teresa Goody Guillén & Jeewon Kim Serrato

As one of its latest enforcement actions, the Securities and Exchange Commission (“SEC” or “Commission”) continued its push into the fintech space by charging an alternative data provider with securities fraud for the first time ever – namely for allegedly selling data sets to trading firms that were not aggregated or anonymized as contractually agreed to and represented by the provider.  The SEC’s September 14, 2021 consent order with the private company App Annie Inc. and its former CEO and Chairman[1] represents a significant warning to alternative data providers and trading firms that the Commission is scrutinizing the use of alternative data sets in investment strategies.  Because trading firms increasingly use information compiled by third parties through mobile devices, financial transactions, satellites, public records, and the internet as well as other alternative data sets to form or corroborate investment hypotheses, this enforcement action underscores the need for them to appropriately vet data providers and any alternative data they may obtain prior to acting on it.  Significantly, while the consent order and accompanying press release do not mention insider trading and the consent order makes passing reference to material nonpublic information, best practices relating to insider trading policies provide helpful guidance that alternative data providers and trading firms using their data sets should follow.  Although we highlight below specific takeaways for alternative data providers and trading firms, this SEC enforcement action also provides best practices for all entities seeking to design and implement a sound data governance program.

Consent Order

According to the SEC’s order, App Annie “is one of the largest sellers of market data on how apps on mobile devices are performing, including data on the number of times a particular company’s app is downloaded, the amount of revenue that a company is generating through its app, and how often customers are using the company’s app.”[2]  App Annie allegedly collects this information from companies, including public companies, through a free analytics product that enables those companies to track the performance of their apps.  In exchange, those companies allegedly allow App Annie to access their confidential app performance metrics so long as App Annie only uses that data in aggregated and anonymized form.  App Annie allegedly performs statistical analyses on this data to derive aggregated and anonymized estimates to sell to trading firms “to inform their investment strategy” and even hired employees to generate and share ideas of how to use these “estimates to trade ahead of upcoming earnings announcements.”[3]

Yet, according to the order, App Annie generated these estimates with confidential information that was not aggregated or anonymized and represented to the trading firms that the companies consented to such use of their confidential data when they in fact did not.  App Annie also allegedly misrepresented that it conducted regular reviews and implemented other internal controls and processes to prevent the misuse of confidential information in those estimates even though it did not.  The SEC alleged that these misrepresentations fraudulently induced the trading firms to purchase the estimates because App Annie and its former CEO and Chairman knew the trading firms would not have purchased the estimates if they understood they constituted material nonpublic information. 

In particular, the SEC alleged App Annie did not have a written policy documenting its controls until April 2017 and, even at that point, the policy did not meaningfully limit the use of confidential information in generating the estimates.  The former CEO and Chairman also allegedly directed certain employees to use confidential information in ways that were prohibited by App Annie’s agreement with the companies to drive the estimates closer to the actual app metrics – specifically through a manual process where confidential information was used to “alter[] the estimates for apps that were of greatest interest to App Annie’s highest-paying subscribers.”[4]  In many instances, App Annie allegedly made these alterations in response to complaints from those trading firms about the accuracy of the estimates.  Notably, the order notes that App Annie allegedly discontinued these practices and excluded all public company data from its statistical model after it learned of the SEC’s investigation in June 2018.

Ultimately, App Annie and its former CEO and Chairman settled the SEC’s charges of securities fraud violations without admitting or denying the allegations.  As part of the settlement, App Annie agreed to pay a $10 million civil penalty and its former CEO and Chairman agreed to pay a $300,000 civil penalty and be barred from serving as a public company executive or director for three years.

Takeaways for Alternative Data Providers

This enforcement action demonstrates that the SEC will apply the federal securities laws to alternative data providers and others in new and aggressive ways even if they are private companies and are not themselves engaged in any securities trading.  As SEC Commissioner Hester Peirce objected in a tweet:  “This settlement stretches the ‘in connection with the purchase and sale of securities’ requirement under 10b/10b-5 beyond where I think it should go.”[5]  Given this apparent intention, alternative data providers should consider the following lessons from the App Annie consent order. 

• Understand Restrictions on Data.  Providers should catalog the types of data that they process and understand the associated legal or contractual restrictions on any sets of this data.  This lesson is particularly important where the data relates to public companies and may constitute material nonpublic information or to individuals and may constitute protected personal information.  Due to recent privacy laws enacted in the last three years, the scope of these laws and the legal obligations related to personal information have greatly expanded. Conducting data mapping on a regular basis (e.g., annually) should help to ensure that the providers understand what types of data they process may trigger new legal restrictions.
• Tailor Appropriate Controls.  Providers should ensure that their controls relating to their data processing practices are tailored to their legal and contractual obligations.  Data aggregation, anonymization, retention policies and other controls should be documented in written policies and periodically reviewed and updated to make sure they address any changes in operations or relevant regulations.  In addition, company practices should be periodically reviewed to ensure that the policies are being followed. Regularly scheduled audits or risk assessments (e.g., annually) can help to ensure that the right controls are in place and that they are working effectively.
• Review Agreements.  Providers should carefully review their terms of service, customer agreements, and counterparty agreements to confirm that their representations are in line with their current operations, particularly with respect to aggregating or de-identifying confidential information.  Recent privacy and data protection laws in the US and abroad also include requirements for specific clauses to be included in written agreements before certain data transfers can occur between third parties.  Providers should identify which data collection activities or transfers require a written contract and if any additional privacy and cybersecurity clauses need to be added to comply with these laws. 

Takeaways for Trading Firms

Although the App Annie consent order did not involve charges of insider trading, the allegations themselves appear to be akin to those the industry has seen in insider trading cases applying the misappropriation theory.  Like the expert network cases that were brought over a decade ago, the App Annie consent order includes allegations that track the misappropriation theory – namely allegations that a public company outsider (i.e., App Annie) obtained nonpublic information relating to a public company (i.e., the app data) and used that information in violation of a duty (i.e., a breach of App Annie’s terms of service with the public company) in connection with securities trading (i.e., selling the non-aggregated and non-anonymized data to inform trading strategies).  Given these similarities, trading firms would be wise to apply insider trading best practices to their use of alternative data sets.  And while none of the trading firms referenced in the App Annie consent order were respondents in this particular enforcement action, investment advisers to hedge funds, private funds, public funds, and other market participants that use alternative data nonetheless should consider the following lessons from this recent order.  After all, it appears from the release accompanying the consent order that the enforcement action resulted from a Division of Examinations review of certain of the trading firms that further demonstrates the SEC’s interest here.[6]

• Understand Nature of Alternative Data Sets.  Firms should conduct appropriate due diligence relating to any alternative data provider they engage to understand the origin of the data, how the provider processes it, and what controls they have in place to protect against the use of confidential, material nonpublic, and other protected information in a data set or work product generated from that data set.  Just as important, this due diligence process should be documented.  
• Obtain Appropriate Contractual Provisions.  Firms should include representations, warranties, and other contractual provisions in service agreements relating to the processing activities and controls of alternative data providers.  Like a documented diligence process, these provisions help demonstrate compliance with the federal securities and other laws.
• Incorporate into Compliance Program.  Firms should ensure that their codes of ethics, information barriers, and compliance programs properly address their use of alternative data sets and train their employees so they know what to do if or when they discover that a data set contains confidential information. 

*          *          *