SEC Announces First Enforcement Action Against Alternative Data Provider for Securities Fraud, Highlighting Regulatory Risks in Growing Industry

September 20, 2021

Click for PDF

The use of alternative data in investment decision-making—incorporating large volumes of data found outside a company’s public filings—has expanded rapidly in the last several years, as data has increased in availability.  Investment funds commonly have data analysts use a variety of alternative data sources, from data on commercial transactions to information about human behavior, to inform investment decisions in trading securities.  And the alternative data industry is continuing to grow.  In 2020, the industry was valued at $1.72 billion and, by 2028, is expected to reach close to $70 billion.[1]  With increasing popularity, it’s unsurprising this growth has led to increased interest from market regulators.  While the SEC has shown interest in alternative data in the past, it recently took the significant step in bringing the first enforcement action against an alternative data provider for securities fraud.

The App Annie Settlement 

On September 14, 2021, the SEC announced a settled enforcement action against App Annie, Inc., an alternative data provider, and the Company’s co-founder and former CEO and Chairman Bertrand Schmitt, for misrepresentations both to data sources in connection with the collection of data, and to investment firm subscribers regarding the data underlying its product.[2]  Without admitting or denying the findings, App Annie and Schmitt consented to a cease-and-desist order finding a violation of Section 10(b) of the Exchange Act and Rule 10b-5, and imposing a penalty of $10 million for App Annie, and $300,000 for Schmitt, and a three-year officer and director bar against him.

App Annie provides market data analytics on mobile application performance.  Companies with mobile applications provide App Annie access to their data in return for free analytics.  App Annie sells a data analytics product to investment firms and other subscribers for a fee.  App Annie’s Terms of Service represented that its data analytics estimates were generated using statistical models from data that was aggregated and anonymized.  In reality, according the SEC, between late 2014 and mid-2018, App Annie used actual non-aggregated and non-anonymized performance data from companies to reduce disparities between model-driven estimates and the actual data and thereby make App Annie’s paid subscription product more accurate and more valuable to its trading firm clients.

According to the SEC’s order, App Annie’s use of non-anonymized and non-aggregated data to enhance the accuracy of its analytics product rendered representations made to the sources of data, as well as the subscribers to the analytics, materially misleading.  In collecting data from companies’ applications, App Annie represented to the companies providing access to app usage data that all data would be aggregated and anonymized before utilized in its paid subscription product.  In addition, App Annie represented to its investment firm subscribers that the Company’s estimates were generated in a manner consistent with the consents it obtained from the underlying data sources, and that App Annie had effective controls to prevent misuse of confidential data and ensure compliance with federal securities laws.  However, the SEC found that because App Annie’s estimates used non-aggregated and non-anonymized data, in contradiction to its representations to its data sources, the Company’s estimates were based on data used in a manner inconsistent with its representations to its data providers.  According to the order, App Annie understood that investment firm subscribers were using the Company’s product to make investment decisions and that subscribers did in fact trade based on App Annie’s data product.

The order asserts, without explanation, that the data on app usage “often is material to a public company’s financial performance and stock price.”  The order also does not explain how App Annie’s incorporation of actual data into its estimates rendered the various representations to subscribers materially misleading as required by Section 10(b) or how the alleged misrepresentations were “in connection with” the purchase or sale of securities.  Rather the order asserts that Schmitt “understood it was material to trading firms’ decisions to use App Annie’s estimates for investment purposes.”

The order does not provide for any disgorgement or even provide a Fair Fund to distribute any of the penalty to customers who may have been harmed.  Finally, it is notable that Schmitt agreed to a three year officer and director bar even though App Annie is a private company.

Individual Liability for App Annie CEO Bertrand Schmitt

In bringing claims against Schmitt individually, the order emphasizes Schmitt’s direct involvement in the decision to use non-aggregated and non-anonymized data.  The SEC further found Schmitt oversaw a “manual estimate alteration process,” during which engineers made manual adjustments to purportedly statistical models to make them more “accurate” in tracking actual company metrics.  When the Company learned of Schmitt’s misconduct in June 2018, it ceased manually adjusting its data and stopped using non-aggregated and non-anonymized data in its subscription product.  Around the same time, Schmitt resigned as CEO.  He served as Chief Strategy Officer of App Annie until he was terminated in January 2020.

After the SEC published the order, Schmitt addressed the settlement on LinkedIn.[3]  He noted that “compliance was a critical element of the business” and that he and App Annie “obtained legal advice on compliance procedures and even hired an in-house compliance team.” Nonetheless, the SEC explicitly found that, contrary to the App Annie’s representations, “during the relevant period, the Company did not have effective internal controls and did not conduct regular compliance reviews,” suggesting the SEC did not credit any advice of counsel defense.

Regulatory Risks and Mitigation Strategies  

While this settlement represents the first enforcement action in this space, the SEC has been increasing its focus on the growing alternative data sphere for several years.  In its 2020 Examination Priorities, the Commission’s Office of Compliance Inspection and Examinations included for the first time a focus on investment advisers’ use of alternative data.[4]  The Commission noted that examinations will “focus on firms’ use of these data sets and technologies to interact with and provide services to investors, firms, and other service providers and assess the effectiveness of related compliance and control functions.”[5]  The SEC’s press release announcing the App Annie settlement also acknowledged the role of the examination staff in the investigation that led to the enforcement action.[6]

For years, we have counseled clients on risk mitigation strategies for the use of alternative data.  While this settlement highlights the regulatory risks accompanying the use of alternative data, it also validates the importance of the compliance oversight that subscribers have employed to manage those risks.  Notably, the representations that subscribers received protected them from the government’s allegation against App Annie’s alleged misuse of company data.  Accordingly, it bears repeating compliance and oversight mitigate the risks arising from the use of alternative data.

  • Compliance Oversight. An important first step in managing risk is to engage compliance before adopting new data sources.  This means that firms should have in place a mechanism to require compliance pre-approval before a new data source is accepted.
  • Policies and Procedures. While there is no requirement to have policies and procedures specifically addressing the use of alternative data, where an adviser is making significant use of such data, policies and procedures specifically addressing the risks unique to alternative data sources can be a way to demonstrate a firm’s attention to the risks of its business.  Policies and procedures for the use of alternative data could encompass requirements for compliance pre-approval, as well as guidance on compliance diligence of potential data vendors, contractual protections, training of investment professionals and periodic review of the use of alternative data sources.
  • Due Diligence on Data Vendors. The diligence process should be part of the compliance oversight process.  The diligence process can have multiple components which may vary depending on the nature of the data, the vendor, and the variety of legal issues that might be implicated.  Questions examined during the diligence process could include, for example, the original source of the data and the alternative data provider’s right to use and sell the data.  If appropriate, direct questioning of vendor representatives may be appropriate in evaluating the care and robustness of a vendor’s compliance approach.
  • Documentation and Record Keeping. Before finalizing an approval of the vendor, compliance may also involve documentation of certain representations and warranties to mitigate further the potential regulatory risks associated with alternative data.  For example, contracts could incorporate representations concerning: (i) the vendor’s right to use and sell the data; (ii) the vendor’s compliance with relevant laws concerning the collection and use of the data; (iii) the absence of material nonpublic information or a duty of confidentiality concerning the data; (iv) the absence of personal identifying information in the data; and (v) in the case of web-scraping services, compliance with the Computer Fraud and Abuse Act and other relevant laws.
  • Monitoring and Periodic Review. Given the rapidly evolving market, vendors engage in a continuous search for new sources of data and the development of better analytical insights.  Accordingly, effective compliance monitoring can benefit from periodically reviewing the status of existing vendors as part of the annual compliance review, particularly if the vendor’s offerings change over time.


   [1]   Grand View Research, Alternative Data Market Size, Share & Trends Analysis Report by Data Type (Credit & Debit Card Transactions, Social & Sentiment Data, Mobile Application Usage), By Industry, By End User, By Region, And Segment Forecasts 2021 – 2028, Report Overview (Aug. 2021), available at

   [2]   Order Instituting Cease-and-Desist Proceedings, Securities Exchange Act of 1934 Release No. 92975 (Sept. 14, 2021).

   [3]   Bertrand Schmitt, Lessons Learned, Closing a Chapter, Sept. 14, 2021, available at

   [4]   See U.S. Securities and Exchange Commission, Office of Compliance Inspections and Examinations, 2020 Examination Priorities at 14 (OCIE 2020 Priorities), available at

   [5]   Id.

   [6]   SEC Press Release, SEC Charges App Annie and its Founder with Securities Fraud (Sept. 14, 2021), available at

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Securities Enforcement Practice Group, or the following authors:

Mark K. Schonfeld – Co-Chair, New York (+1 212-351-2433, [email protected])
Richard W. Grime – Co-Chair, Washington, D.C. (+1 202-955-8219, [email protected])
Reed Brodsky – New York (+1 212-351-5334, [email protected])
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Zoey G. Goldnick – New York (+1 212-351-2631, [email protected])

Please also feel free to contact any of the following practice group leaders and members:

New York
Zainab N. Ahmad (+1 212-351-2609, [email protected])
Matthew L. Biben (+1 212-351-6300, [email protected])
Reed Brodsky (+1 212-351-5334, [email protected])
Joel M. Cohen (+1 212-351-2664, [email protected])
Lee G. Dunst (+1 212-351-3824, [email protected])
Barry R. Goldsmith (+1 212-351-2440, [email protected])
Mary Beth Maloney (+1 212-351-2315, [email protected])
Mark K. Schonfeld (+1 212-351-2433, [email protected])
Alexander H. Southwell (+1 212-351-3981, [email protected])
Avi Weitzman (+1 212-351-2465, [email protected])
Lawrence J. Zweifach (+1 212-351-2625, [email protected])
Tina Samanta (+1 212-351-2469, [email protected])

Washington, D.C.
Stephanie L. Brooker (+1 202-887-3502, [email protected])
Daniel P. Chung (+1 202-887-3729, [email protected])
M. Kendall Day (+1 202-955-8220, [email protected])
Richard W. Grime (+1 202-955-8219, [email protected])
Jeffrey L. Steiner (+1 202-887-3632, [email protected])
Patrick F. Stokes (+1 202-955-8504, [email protected])
F. Joseph Warin (+1 202-887-3609, [email protected])

San Francisco
Winston Y. Chan (+1 415-393-8362, [email protected])
Thad A. Davis (+1 415-393-8251, [email protected])
Charles J. Stevens (+1 415-393-8391, [email protected])
Michael Li-Ming Wong (+1 415-393-8234, [email protected])

Palo Alto
Michael D. Celio (+1 650-849-5326, [email protected])
Paul J. Collins (+1 650-849-5309, [email protected])
Benjamin B. Wagner (+1 650-849-5395, [email protected])

Robert C. Blume (+1 303-298-5758, [email protected])
Monica K. Loseman (+1 303-298-5784, [email protected])

Los Angeles
Michael M. Farhang (+1 213-229-7005, [email protected])
Douglas M. Fuchs (+1 213-229-7605, [email protected])
Nicola T. Hanna (+1 213-229-7269, [email protected])
Debra Wong Yang (+1 213-229-7472, [email protected])

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.