Sep 302021

SEC Fines Alternative Data Provider for Securities Fraud

Ranah Esmaili, Ryan L. Parchment, W. Hardy Callcott, Stephen L. Cohen, Laurin Blumenthal Kleiman and Barry W. Rashkover
, , , , ,

On September 14, 2021, the U.S. Securities and Exchange Commission (SEC) settled an enforcement action against App Annie Inc., an alternative data provider for the mobile app industry, and its former CEO Bertrand Schmitt. The SEC charged App Annie and Schmitt with securities fraud, under Section 10(b) of the Securities Exchange Act of 1934 and Rule 10b-5, for engaging in deceptive practices and materially misrepresenting how App Annie derived its alternative data, thereby inducing trading firms to become subscribers to use App Annie’s data in their decisions to buy and sell securities. 

This first-of-its-kind enforcement action shows that the SEC is taking an aggressive approach with respect to alternative data. This alert examines the implications of this settlement and takeaways for entities that gather and provide alternative data as well as for alternative data consumers, such as investment advisers.

The SEC’s Enforcement Action

The SEC describes App Annie as one of the largest sellers of market data for how apps on mobile devices are performing (e.g., how many times an app is downloaded, how much revenue is being generated through the app). App Annie provides an analytics product to companies with mobile apps that allows them to visualize and track how their app is performing. Through this product, App Annie would collect confidential data from these companies. Trading firms will then subscribe to App Annie through a separate product to learn information that is typically not in financial statements or other traditional data sources and will use this data to inform their investment decisions. This type of nonfinancial data, when used in connection with securities trades, is often referred to as “alternative data.”

According to the SEC’s findings, which the respondents neither admitted nor denied, App Annie and Schmitt promised companies that shared their information with App Annie that their company-specific data would not be disclosed to third parties. App Annie would instead aggregate and anonymize the data before generating estimates of app performance in order to make the companies’ data nonidentifiable.1

Although App Annie and Schmitt understood the companies’ expectations regarding the use of their data, the SEC found that from late 2014 to mid-2018, App Annie manually altered their estimates for certain apps by using nonaggregated and nonanonymized data in order to make them more attractive and valuable to trading firms. Despite the fact that they were misusing the companies’ confidential information, App Annie and Schmitt represented to both customer-facing employees and trading firms that it was not selling material nonpublic information (MNPI), that App Annie had the proper controls necessary to prevent the misuse of confidential data, and that it was in full compliance with the federal securities laws.2

The SEC ultimately found that App Annie and Schmitt violated the Exchange Act’s antifraud provisions, Section 10(b) and Rule 10b-5, by making material misrepresentations about the confidential nature of their data estimates to trading firm customers that App Annie knew were relying on the data to make investment decisions. The SEC also found that although App Annie represented to trading firms that it had adequate internal policies, Schmitt failed to direct anyone at App Annie to document and implement an internal policy restricting the use of public company data until April 2017, and even when the policy was documented (which excluded only some public data), Schmitt and App Annie failed to take steps to implement the policy. According to the SEC’s order, it was not until June 2018, when App Annie learned of the SEC’s investigation, that it amended the policy to exclude all public company data from its estimate generation process and took steps to implement the process it had described to customers.

App Annie and Schmitt consented to the entry of a cease-and-desist requiring App Annie to pay a $10 million civil penalty and Schmitt a $300,000 civil penalty. The order also bars Schmitt from serving as an officer or director of a public company for three years.

Takeaways

While the SEC’s focus on alternative data is not new and has been the subject of examinations of registered investment advisers for a number of years now, this is the first enforcement action involving an alternative data vendor. This enforcement action indicates that the SEC will not hesitate to take an aggressive approach against companies that are providing alternative data in connection with trading, even if the company itself is not engaging in trading.

The SEC’s willingness to charge an entity and individual with fraud even though they did not trade in securities, broker securities trades, or even participate in the securities industry raises questions under the “in connection with” element of Section 10(b) and Rule 10b-5.3 But the SEC might consider this case supported by precedent. In United States v. O’Hagan,4 the Supreme Court, when upholding the misappropriation theory of insider trading, held that the facts satisfied the “in connection with” element because the information in question, a corporate merger, derived its value ordinarily from its utility in securities trading.5 Here, too, the SEC’s order explains that the respondents touted to clients how the alternative data in question would be valuable for securities trading purposes. Similarly, in SEC v. Zanford, the Supreme Court found that a fraudulent scheme was “in connection with” a securities sale and thus violated Rule 10b-5.6 There, a broker stole proceeds of sales of securities in his client’s account. Although the fraud itself did not involve an actual securities transaction, the conduct coincided with the sales of securities, therefore satisfying the in connection with requirement.

Data providers should consider the following when providing data for sale to trading firms that rely on in their investment decisions:

  • Data providers should implement, maintain, and amend as necessary policies and procedures surrounding the use of MNPI. These controls should take into full account any consent or confidentiality agreements with companies that are providing their data for these purposes. If a company represents that it aggregates and anonymizes its data before selling it to trading firms, the process for doing so should be adequately documented and periodically reviewed/amended so the policy is being followed and is up to date with respect to any changes in the company’s legal obligations.
  • When selling nonpublic data to securities firms, data providers should confirm that the data is aggregated and anonymized according to documented policies and that the company is in full compliance with all relevant securities laws. Any disclosures or representations that data providers make to securities firms about the data being sold should be accurate such that there is no breach of duty to the companies providing the data.

Investment advisers and broker-dealers contracting with alternative data providers should develop and maintain policies and procedures sufficient to prevent the misuse of MNPI in connection with those arrangements. No one size fits all. But those procedures should focus on obtaining adequate representations that the data being provided is pursuant to consent, conducting due diligence when onboarding those data providers, and engaging in ongoing monitoring of those relationships. Although App Annie did not involve charges against securities firms, we expect the SEC to continue to focusing on whether investment advisers and broker-dealers are developing and maintaining policies and procedures for alternative data reasonably tailored for the firms’ actual use of that data.

1 In the Matter of App Annie Inc. and Bertrand Schmitt, Administrative Proceeding File No. 3-20549, Litigation Release No. 93975 (Securities and Exchange Commission, Sept. 14, 2021)
2 Id.
3 SEC Commissioner Hester Peirce, in a Twitter post, indicated that she had dissented from approving the settlement on these grounds. https://twitter.com/HesterPeirce/status/1437862378713096197.  
4 521 U.S. 642 (1997).
5 Id. at 657.
535 U.S. 813 (2002).

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Ranah Esmaili

Washington, D.C.

resmaili@sidley.com

Ryan L. Parchment

New York

rparchment@sidley.com

W. Hardy Callcott

San Francisco

wcallcott@sidley.com

Stephen L. Cohen

Washington, D.C., Boston, ...

scohen@sidley.com

Laurin Blumenthal Kleiman

Barry W. Rashkover

New York

brashkover@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.