An exponential increase in the use of alternative data by fund managers has become a hot topic for the Securities and Exchange Commission. The SEC's Office of Compliance Inspections and Examinations (OCIE) has sharpened its focus on alternative data, and a risk alert by the OCIE staff is forthcoming.
Additionally, the recent uptick in SEC enforcement actions under Section 204A of the Investment Advisers Act provides a blueprint for how the SEC is likely to charge fund managers who fail to have adequate policies and procedures in place to account for the risks posed by alternative data.
Under Section 204A, all investment advisers, including advisers exempt from SEC registration, are required to "establish, maintain, and enforce written policies and procedures reasonably designed, taking into consideration the nature of such investment adviser's business, to prevent the misuse ... of material, nonpublic information" (MNPI). While there are a variety of risks posed by the use of alternative data, much of OCIE's focus has been on whether fund managers have compliance functions in place to address the possibility that alternative data contains MNPI.
OCIE Focus on Alternative Data
In its 2020 Examination Priorities, OCIE--for the first time--highlighted alternative data issues, stating that "examinations will focus on firms' use of these data sets and technologies" and that OCIE would "assess the effectiveness of related compliance and control functions." That "assessment" is underway in both routine exams and "sweep" exams focused specifically on alternative data. OCIE staff has used the exam process to develop a greater understanding of how fund managers are using various datasets and verifying that adequate policies and procedures are in place.
The SEC's examination effort has two areas of focus: first, whether a private fund manager received MNPI from an alternative data vendor and, second, but equally important, whether the manager has and enforces policies and procedures designed to address the MNPI and other risks posed by the use of alternative data. More specifically on this second factor, the SEC has focused on whether the manager has policies and procedures that are tailored to address the risks posed by the use of alternative data and that adequately address:
- Diligence of alternative data vendors, both at on-boarding and on an ongoing basis
- The roles and responsibilities of employees tasked with the review and approval of alt data usage
- Sufficient consents "up the chain" from the underlying source of the data to the vendor
- Controls around web-scraping performed by vendors or employees
- The robustness of the adviser's controls and reviews
All fund managers should consider whether their policies and procedures are adequate to address these concerns when it comes to obtaining alternative data.
SEC Enforcement Actions Under 204A
OCIE's focus on policies and procedures should be viewed in tandem with the SEC Enforcement Division's trend of charging advisers under Section 204A in addition to, or in lieu of, underlying violations. Enforcement cases under 204A do not require the SEC to prove, or even allege, that the adviser engaged in a specific prohibited activity, such as insider trading. Instead, the SEC must simply prove that an adviser did not take adequate steps to prevent insider trading or other violations of the securities laws.
Though we have yet to see an SEC case against an adviser relating to alternative data, recent 204A cases related to public company board representation and political consultants are instructive:
Public Company Board Representation
In May 2020, the SEC settled an enforcement action under 204A with an alternative asset manager for not having policies that reasonably addressed the increased MNPI risks from having an employee on the board of a public company. According to the SEC, requiring compliance approval for trading in the company's stock as well as the company's pretrade confirmation that the trade would occur in a designated trading window were insufficient.
The SEC faulted the manager for not providing "specific requirements for compliance staff concerning the identification of relevant parties with whom to inquire regarding possession of potential MNPI and the manner and degree to which the staff should explore MNPI with these parties" and for its failure to document sufficiently that it had inquired with employees on the deal team about whether they had MNPI prior to clearing trades in the company's stock. The SEC took issue with what it described as leaving it to investment professionals to self-evaluate whether the information they received was material. The SEC also found that any documentation that did exist regarding MNPI reviews lacked consistency and detail.
Similarly, in August 2017, the SEC charged an adviser with deficiencies because its policies failed to take into consideration the nature of the adviser's business and related MNPI risks. The adviser conducted research in the health-care sector and engaged third-party consultants and research firms, including firms that specialized in providing political intelligence regarding upcoming regulatory and legislative decisions.
However, its policies and procedures did not subject political consultants to the same level of diligence as experts and expert networks. The adviser was not charged with insider trading. Instead, the SEC order described how the adviser had more robust policies and procedures for experts and expert networks but failed to subject research firms and political consultants to the same level of due diligence.
With respect to the latter firms, the adviser only required the firms to demonstrate that they "`observe policies and procedures to prevent the disclosure of material non-public information or any information in breach of a duty.' That demonstration was to be `refreshed from time to time.'" Its policies were silent as to what the reviews should entail or they should be conducted. The adviser also relied on its own employees "to self-evaluate and self-report potential receipt of material, nonpublic information, but failed to adopt policies and procedures to ensure that its employees did so." The SEC also found that it failed to enforce its own policy and failed to review the policies and procedures at one of the political intelligence consulting firms.
Designing and Implementing an Effective Program
The bedrock of a strong compliance program is thorough due diligence, which should include at least:
- A determination of whether the data contains any nonpublic information
- The underlying source of the data
- How the data is collected
- Whether appropriate disclosures were made to each source of data--e.g., an individual consumer or transaction--to ensure the information was not obtained in breach of a duty
Relying on a vendor's representation that the data does not contain MNPI, without more, may be deemed inadequate by the SEC. Instead, managers should be using the diligence process to understand the vendor's basis for the representation and get supporting documentation for their diligence file, such as redacted copies of disclosures made to the underlying data sources. Fund managers also should have policies in place for ongoing monitoring, particularly because vendors may update their offerings and data sources given the rapid pace at which this market is expanding.
Further, where alternative data is derived from personally identifiable information, such as consumer transactions, it is important to avoid the tendency to take comfort from the fact that data has been "de-identified" or "anonymized." Vendors often seek to assure clients by explaining that the data does not contain any personally identifiable information. While anonymization is important from a privacy perspective, this misunderstands the concern at the heart of the SEC's interest in MNPI.
Advisers who obtain web scraped data--either directly or via vendors--should conduct additional diligence to confirm the data was obtained in a lawful manner. The legal landscape regarding web scraping is constantly changing and uncertain, due in part to litigations that have been brought by companies whose websites have been targeted and the legal issues that remain unresolved. Further, where fund managers are performing web scraping in-house, compliance personnel need to work hand in hand with investment and technical professionals to evaluate their data collection sources and methods and the nature of the data collected.
The lesson for investment advisers using, or considering using, alternative data is clear: as with other areas of exposure, advisers not only need to maintain written policies and procedures, but also to tailor those policies and procedures to address the risks alternative data presents and--of course--to invest resources in consistent documentation and implementation. As with all areas of compliance, this effort needs to be rigorously assessed and documented, with improvements being rolled out as often as is necessary.