SEC Enforcement Order Highlights Risks of Data-Based Market Intelligence

Kimberly Zelnick, Doru Gavril, and Christine E. Lyon are partners at Freshfields Bruckhaus Deringer LLP. This post is based on a Freshfields memorandum by Ms. Zelnick, Mr. Gavril, Mr. Lyon, and Brock Dahl.

Data miners and data aggregators should carefully examine their policies and procedures to avoid the inclusion of material nonpublic information (“MNPI”) in analytical products. Consumers of such analyses should avoid trading activities informed by market intelligence that is knowingly based on MNPI. Last week, the SEC announced a $10 million settlement with market data intelligence company AppAnnie that has broad implications for both producers and consumers of data-based market intelligence. The ruling pushes the enforcement envelope in significant ways, but leaves unanswered many questions that will be critical as the role of big data grows.

Novel Issues Underpin the SEC Settlement

AppAnnie is an app analytics and app market data provider. Founded in 2010, it was premised on a simple model of gathering data: users would download a free, high-quality app on their phone (e.g., a VPN app). In return for the free use of its app, AppAnnie would be allowed to collect the end-user’s data on their use of other apps of interest. Over time, at scale, AppAnnie would amass a large, free, and incredibly valuable dataset of user behavior.

The potential uses for analytics based on such a dataset quickly enticed multiple possible consumers. App developers (some of whom are the world’s most successful tech companies) were keenly interested in how their competitors were performing. Investors also realized that user trends would anticipate, and sometimes reveal, a lot more about some of the fastest-growing and most valuable stocks ahead of those companies’ own disclosures. More granular data could also mean better intelligence than published user metrics could provide.

But as students of statistics know, how you collect your data matters greatly. Because AppAnnie depended on users independently downloading its app, its dataset had multiple inherent biases: only a subset of users, generally the tech savvy, would download its app, skewing results across demographics, geographies, and other dimensions. An app creator, seeking intelligence on its competitors, might be sorely disappointed when noticing that AppAnnie’s analysis on their own app performance did not line up with the creator’s own data (which, by definition, is correct). [1]

AppAnnie came up with an interesting variation on its data collection model. If it could persuade app creators to give it access to (parts of) their own usage data, it would obtain an objective and accurate yardstick that it could use to refine or inform its own analyses and understand the biases in its own datasets and models.

The SEC alleges that AppAnnie’s terms of use assured app creators that AppAnnie would only use anonymized data and no MNPI would be provided to AppAnnie customers. (This is not surprising: no app creator would agree to give its competitors its own data.) In turn, according to the SEC’s order, AppAnnie assured its clients that it was not sharing any MNPI with them. In fact, the SEC notes, AppAnnie expressly represented that it had policies in place to comply with the federal securities laws.

The SEC’s order alleges that reality was quite different: According to the order, policies for handling MNPI covered only some metrics but not others, and, even then, policies were circumvented by teams making manual interventions untethered from statistical principles. In practice, according to the order, AppAnnie analyst teams would take user metrics obtained from app creators (MNPI) and would manually adjust the output of its statistical model by halving the variance between AppAnnie’s model and the directly-observed app data. When the practice was challenged internally, the SEC alleges, the former CEO overruled the company’s chief data scientist. As a result, per the order, AppAnnie analyses became closer to the correct numbers provided by app creators. The SEC alleges that AppAnnie specifically marketed its products to investing firms, illustrating the benefits of its analyses in use cases tailored to stock traders. It also charged traders more.

One can speculate that the SEC must have reached an impasse at some point. The traditional elements of an insider trading case are not present: no trader received MNPI from AppAnnie, [2] the traders owe no duty of confidentiality to AppAnnie, and the case would not fit neatly within the tipper/tippee paradigm absent a tippee.

Instead, the SEC’s order alleges that AppAnnie violated the securities laws in a more fundamental way, by engaging in fraud in violation of Section 10(b) of the Exchange Act. Section 10(b) prohibits “manipulative and deceptive devices” “in connection with” “the purchase or sale of a security.” 15 U.S.C. § 78j(b).

The fact that the matter was settled means of course that no judge considered the allegations. By agreeing to settle the matter, AppAnnie passed on the opportunity to challenge the SEC’s factual findings and legal theories (though the Order specifically provides that AppAnnie neither admits nor denies the SEC’s findings). The SEC, of course, also passed on the opportunity to litigate the matter, electing to allow AppAnnie and its former CEO to resolve the matter without an admission of wrongdoing, seemingly content with the sizable penalty and a three-year prohibition on the former CEO’s service as an officer or director of a public company.

Critical Questions Remain Open

The settlement advances a novel theory of what constitutes a violation of the securities laws. But questions linger regarding each of the elements of the SEC’s case.

First, recognizing that the SEC did not frame this as an insider trading case, the order seems to argue that the mere utilization of MNPI in AppAnnie’s analysis was improper. What if MNPI had been used, as AppAnnie had represented, in an anonymized fashion? What if MNPI had been integrated in its statistical model? What would have happened if a company used MNPI to train an AI, but then allowed the AI to examine and analyze data that is public or belongs to the client? Is there a fruit of the poisonous tree doctrine forming in the SEC’s mind? Would such a doctrine withstand judicial scrutiny?

Second, AppAnnie’s conduct amounted to wrongdoing in the SEC’s view because the circumvention of its policies was allegedly deliberate. But what if the policies had been merely ineffective, but observed in good faith? What if MNPI had been incorporated inadvertently in the analyses? By the same measure, what if a company provides in good faith anonymized data but a sophisticated end-user can reverse engineer the data and arrive at the MNPI?

Third, given the peculiarities of the SEC’s chosen theory of liability, what if the company had disclosed its methodology to end users? What if it also disclosed the approach it was taking to the app creators (assuming the use would have been palatable)? Given that the SEC’s theory is based on fraud, not on traditional insider trading theories, by informing its counterparties, AppAnnie would have removed any appearance of deception. In the same vein, what if neither end-sellers nor app creators relied on AppAnnie’s representations?

Finally, the SEC’s Order stretches what constitutes “in connection with” the sale or purchase of a security. The SEC seems to have taken the view that by specifically targeting and marketing to traders, charging them more, and by specifically tailoring its use cases to traders, AppAnnie satisfied the “in connection with” requirement. But what if AppAnnie had charged users the same regardless of the use case? What if someone used AppAnnie’s analysis for trading without AppAnnie’s knowledge?

One can see that the outcome in the AppAnnie settlement is closely dependent on a combination of factors, each of which could be factually different in some future scenario. How are companies in this space supposed to navigate the issues raised, but left unanswered, by the SEC’s enforcement order?

Recommendations for Data Miners and Data Consumers

Our experience with technology companies and investing firms suggests there are some basic and immediate steps that these entities can take to mitigate risk. Companies that mine, aggregate, and analyze data should evaluate whether their internal data collection and handling policies adequately protect against MNPI being transmitted to end-users.

Internal controls regarding these issues typically benefit from being documented and periodically reevaluated and tested. To the extent they collect data from publicly traded corporations, such data mining companies should weigh the risks posed by any confidentiality obligations they undertake. The continued accuracy of any representations made to data sources might also benefit from periodic review and evaluation. If products are specifically geared towards traders, data mining companies—in collaboration with experienced securities counsel—might consider examining whether the description of the product, data, methodologies, and sources is accurate. Boards of companies in this space may also find it advisable to evaluate whether compliance with these requirements is “mission critical” and, if so, whether their internal controls and oversight mechanisms are consistent with fiduciary duties under the law of the state of incorporation.

And if you are a trader, benefitting from market intelligence, you should ask yourself: what is in the data you are using? To what extent is it based on MNPI? Have you received assurances regarding the provenance of the data and its compliance with the securities laws? Are these assurances believable?

Within this sea of uncertainty lies one reliable insight: we have not heard the last word on this. To paraphrase that oft-invoked font of wisdom, Winston Churchill: this is not the end, it is not even the beginning of the end, it is perhaps the end of the beginning. The extensive role that market intelligence plays in the modern investment landscape raises these questions to the forefront of regulatory and compliance risks. The resources devoted to ensuring compliance and adequate treatment should be of commensurate magnitude.

Endnotes

1. For a variety of reasons outside of the scope of this article, perfect user metrics are not available even to app creators.

2. AppAnnie’s former CEO has stated that “AppAnnie did not actually disclose any customer confidential information or MNPI (material non-public information) outside the company and the SEC has made no such claim.” The SEC’s Order alleges in paragraph 22 that AppAnnie’s misrepresentations to traders concerned the effectiveness of its internal controls and reviews.
