by Andrew J. Ceresney, Avi Gesser, Julie M. Riewe, Kristin A. Snyder, Jonathan R. Tuttle, Charu A. Chandrasekhar, and Mengyi Xu
On April 26, 2022, the Division of Examinations (“EXAMS”) of the Securities and Exchange Commission (the “SEC”) issued a Risk Alert titled “Investment Adviser MNPI Compliance Issues” (“Risk Alert”) on the use of alternative data. The Risk Alert outlines EXAMS’ recent observations on compliance deficiencies related to Section 204A of the Investment Advisers Act of 1940—including deficiencies relating to policies and procedures for alternative data—and Rule 204A-1 (the “Code of Ethics Rule”). Based on the Risk Alert, and the recent SEC enforcement action in this area, we offer three takeaways for investment advisers to reduce their risk when purchasing and using alternative data.
EXAMS’ Findings on Investment Advisers’ Alternative Data Usage
The Risk Alert defines “alternative data” to include “many different types of information increasingly used in financial analysis, beyond traditional financial statements, company filings, and press releases, [and] does not necessarily contain MNPI.” The Risk Alert puts investment advisers on notice that they must ensure that their sourcing and use of alternative data are in compliance with Advisers Act Section 204A, which requires all investment advisers to “establish, maintain, and enforce written policies and procedures that are reasonably designed, taking into consideration the nature of the adviser’s business, to prevent the misuse of material non-public information (“MNPI”) by the adviser or any person associated with the adviser.”
EXAMS observed that advisers “did not appear to adopt or implement reasonably designed written policies and procedures to address the potential risk of receipt and use of MNPI through alternative data sources.” Specifically, it noted three categories of deficiencies relating to alternative data:
1. Failure to adequately memorialize diligence processes with respect to alternative data service providers or follow such processes systematically and consistently. The Risk Alert noted that certain advisers “instead engaged in ad hoc and inconsistent diligence of alternative data service providers.”
2. Failure to have policies and procedures regarding assessment of terms, conditions or legal obligations for Alternative Data collection or provision. The Risk Alert observed in particular that advisers did not have policies and procedures addressing “red flags about the sources of such alternative data.”
3. Failure to demonstrate via documentation consistent implementation of policies and procedures related to alternative data service providers throughout the lifecycle of the data. The Risk Alert noted that advisers did not conduct due diligence on all sources of alternative data; that even when advisers had an onboarding process for alternative data service providers, such advisers did not always have systems for “determining when due diligence needed to be re-performed based on passage of time or changes in data collection practices”; and that advisers could not always demonstrate through documentation consistent implementation of policies and procedures.
In addition to the focus on alternative data, the Risk Alert also discussed observed deficiencies involving policies and procedures relating to “value-add investors” and “expert networks” in the context of Section 204A compliance and separately discussed observed deficiencies involving compliance with the Code of Ethics Rule under Section 204A-1.
Key Takeaways
The Risk Alert should be considered along with the SEC’s September 2021 enforcement action against alternative data provider App Annie and EXAMS’ recent statement in its 2022 Priorities that it plans to scrutinize advisers’ use of alternative data in their business and investment decision-making processes. When viewed together, these actions demonstrate the agency’s increasing scrutiny of the usage of alternative data for securities trading and the potential that such data may contain MNPI. As discussed in our blog post on the case, the SEC found that alternative data provider App Annie made material misrepresentations and omissions about its policies and procedures for handling alternative data (in that case, data on companies’ mobile app usage) and failed to implement its policies and procedures involving such data. As discussed in our Client Alert, EXAMS’ 2022 Priorities stated that “to the extent that firms are using alternative data or data gleaned from non-traditional sources as part of their business and investment decision-making processes, reviews will include examining whether RIAs, including RIAs to private funds and registered funds, are implementing appropriate compliance and controls around the creation, receipt, and use of potentially MNPI.”
The Risk Alert, the App Annie matter, and EXAMS’ 2022 Priorities, taken together, signal that alternative data will continue to be a focus for both examinations and enforcement activities. Advisers that use alternative data in developing trading strategies should, therefore, consider the following measures to mitigate regulatory and reputations risks associated with the use of alternative data:
1. Memorialize Due Diligence Processes for Alternative Data Providers. Investment advisers should consider developing and documenting specific policies and procedures to address the unique risks presented by alternative data, including policies and procedures specifically relating to the due diligence to be conducted on third-party providers of such data. While such policies and procedures can be part of the firm’s preexisting vendor management policy, they can also be tailored to the specific MNPI risks that alternative data might present in the context of the adviser’s business use case.
2. Develop Oversight Mechanisms to Ensure Consistent Implementation of Policies and Procedures. The Risk Alert highlighted that due diligence policies and procedures are not sufficient when they are not consistently implemented and emphasized that appropriate due diligence on alternative data must be conducted not only at onboarding, but also post-adoption. As such, advisers should consider having policies and procedures regarding alternative data that address the full lifecycle of usage of such data, as well as documentation of their ongoing efforts to comply with such policies and procedures.
3. Empower Relevant Personnel to Identify and Escalate Red Flags. Advisers should provide criteria for relevant personnel to escalate potential red flags in the use of alternative data. Advisers should also consider clearly delineating methods of escalation and pathways for investigating and resolving such red flags, such that identified risks are not left unaddressed and evolve into a source of potential future examination or enforcement risk.
Andrew J. Ceresney, Avi Gesser, Julie M. Riewe, Kristin A. Snyder, and Jonathan R. Tuttle are Partners, Charu A. Chandrasekhar is Counsel, and Mengyi Xu is an associate, at Debevoise & Plimpton LLP. The authors would like to thank Debevoise law clerk Linda Lin for her contribution to this post. This post originally appeared on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.