ARTICLE
5 June 2025

Key Considerations For Alternative Data And AI Vendors To Investment Firms: Demonstrating Compliance In The Face Of An Evolving Regulatory Environment

LS
Lowenstein Sandler

Contributor

Lowenstein Sandler logo
Lowenstein Sandler is a national law firm with over 350 lawyers working from five offices in New York, Palo Alto, New Jersey, Utah, and Washington, D.C. We represent clients in virtually every sector of the global economy, with particular strength in the areas of technology, life sciences, and investment funds.
Explore Firm Details
The Securities and Exchange Commission (SEC) has previously provided guidance through risk alerts, proposed rules, and enforcement actions that outline expectations for registered investment advisers and other financial firms using alternative data, particularly to mitigate risks related to exposure to material nonpublic information (MNPI).
United States Technology
Lowenstein Sandler LLP

The Securities and Exchange Commission (SEC) has previously provided guidance through risk alerts, proposed rules, and enforcement actions that outline expectations for registered investment advisers and other financial firms using alternative data, particularly to mitigate risks related to exposure to material nonpublic information (MNPI). At the same time, state-level regulators (such as the New York State Attorney General pursuant to New York's Martin Act (General Business Law Article 23-A)) remain poised to step in to investigate and prosecute securities fraud, including insider trading, should the SEC begin to take a more hands-off approach. Meanwhile, artificial intelligence (AI) regulation in the U.S. has seen a shift toward deregulation at the federal level under the Trump administration (seeking to foster an environment of rapid growth for the AI industry in the coming years), which contrasts with active state-level efforts to impose regulation. The net outcome of these regulatory approaches to investment firms remains uncertain, but as a general matter, investment firms will need to comply with the strictest applicable laws and regulations governing their activities, absent preemption at the federal level.

In the face of such regulatory uncertainty around AI and, to some degree, alternative data, prudent investment firms will seek to maintain their due diligence and contractual best practices around the purchase and use of alternative data and seek to apply similar standards when onboarding AI systems. Generally, these best practices will consist of thorough and systematic due diligence on alternative data and AI vendors to ensure compliance with applicable securities laws and regulations, including Section 204A of the Investment Advisers Act of 1940, which requires advisers to establish policies and procedures to prevent misuse of MNPI.

Potential vendors of alternative data or AI systems to investment firms should maintain an awareness of these evolving regulatory considerations and demonstrate a compliance focus in fostering these business relationships. Vendors should consider implementing the following compliance best practices:

  1. Have a Form Due Diligence Questionnaire Ready. This may include redacted copies or excerpts of underlying agreements or privacy notices used in the collection of data (including training data), along with copies of any relevant terms and disclosures applicable to the AI system.
  2. Provide Detailed Information on Data Provenance. Investment firms expect detailed information on data provenance (and will have similar questions about AI training data). Consider in detail all sources of information, including paid subscriptions, surveys, industry conversations, and web scraping. Are third-party rights being respected? Be able to explain all data sources used and the process for reviewing the relevant legal and contractual rights surrounding such data. With respect to AI systems, it may be helpful to have a training "cutoff" date, as somewhat stale data is less likely to inadvertently include MNPI. To the extent practicable, this information can be included in any due diligence questionnaires that are exchanged in an effort to streamline the due diligence process.
  3. Demonstrate Familiarity With Insider Trading/MNPI Issues. Insider trading and the misuse of MNPI are significant concerns at investment firms due to the potential for severe legal and reputational consequences. Regulators closely monitor investment firms such as hedge funds for compliance with securities laws and to ensure adequate policies and procedures are in place around these issues. Vendors should share this compliance focus and be prepared to promptly notify their investment firm clients should any issues arise.
  4. Be Able To Explain an Escalation Process for Legal/Compliance Issues. For smaller firms, this may be escalation to a founder or president who can escalate to outside compliance consultants or legal counsel. For larger firms, investment firms would expect to see at least a few dedicated internal personnel whose duties/titles relate to legal/compliance issues and who are trained on the appropriate escalation of any issues. At the end of the day, investment firms wish to be notified promptly upon awareness of any compliance concerns with respect to the data or AI system.
  5. Consider Adopting a Formal Set of Compliance Policies. Ideally these would cover protection of confidential information, data privacy, and insider trading/MNPI issues. Vendors should also consider imposing trading restrictions on employees that restrict their personnel from trading on the securities of any companies covered in their data sets, especially if the data sets focus on particular sectors or a limited number of issuers. These policies help create alignment between investment firms and their vendors around compliance culture.
  6. Conduct and Document Basic Compliance Training at Hire and Annually Thereafter. In conjunction with adopting formal compliance policies, it would be best practice to conduct a brief training with your teams in this regard to ensure that everyone is aware of these policies. Thereafter, periodic updates are appropriate both as reminders of team duties and to bring awareness to any updated compliance policies. Protection of confidential information, data privacy, and insider trading/MNPI issues should ideally be covered in these trainings.
  7. Be Prepared for Detailed Follow-Up Questions Regarding Data Provenance and Underlying Rights to Data. This is easiest to address in advance by inserting appropriate wording in relevant documentation such as underlying contracts/consumer notices and memorializing the efforts undertaken to ensure compliance, including with respect to data privacy concerns. Given that AI systems may be trained on incredibly large sets of data, consider providing summaries of data collection procedures and practices for these purposes, along with a description of safeguards to take to avoid improper training data. It may also be helpful to share a brief data sample and/or data dictionary with the compliance team or to include technology or data product personnel on any follow-up due diligence call to more efficiently explain data provenance and sourcing methods.
  8. Don't Let Due Diligence Discussions Present a Hurdle With Important Customers. Having responses ready to go on these topics helps ensure a timely diligence process, allowing the relationship to proceed on a commercial basis as soon as possible.

Allowing for contractual flexibility with investment firms is another area in which alternative data and AI vendors can help address underlying compliance and regulatory considerations:

  1. Investment Firms Prefer To See Firm Representations and Warranties Around the Data's Provenance (Not Merely an IP Indemnity). Among the most significant risks for investment firms are misappropriation claims (use of data obtained in violation of law or the rights of a third party), which can lead to claims of improper procedures and controls or, in the worst case, insider trading or other allegations related to the misuse of MNPI. Vendors can offer comfort by providing firm representations and warranties around the data to confirm that the vendor is not aware of any material issues in this regard. Representations and warranties will need to consider the local jurisdiction and applicable laws and regulations. Local regulations and laws, such as the EU's General Data Protection Regulation, EU AI regulations, and China's data security law, would potentially be relevant. Vendors should be ready to provide assurance that they are fully compliant in all relevant jurisdictions.
  2. Investment Firms Prefer Notice of Any Adverse Event Concerning the Data/AI System. The SEC has consistently emphasized the importance of due diligence around alternative data, and the same concerns apply to AI systems and training data. Ongoing due diligence (and notice of material events) is no less critical after an investment adviser signs a contract with a vendor, and notice of any developing compliance issues provides an avenue for timely follow-up.
  3. Be Willing To Offer Trial Data/AI Agreements. A few free weeks or months to test data and AI systems can be a worthwhile method of developing business. Be willing to provide the same representations and warranties as for paying customers, as this will ensure investment firms can test the data in connection with their current trading operations. In addition, consider offering a trial based on aged or stale data, which can further reduce MNPI risks.
  4. Be Willing To Forgo Auto-Renewals. Automatic renewals can be a convenient feature, but investment firms will be wary of subscriptions that do not permit periodic due diligence on at least an annual basis. Further, evolving regulatory standards and uncertainty weigh against longer-term contracts.
  5. Investment Firms Are Reluctant To Grant Broad On-Site Audit Rights With Access to Physical Premises or Electronic Systems. Among other issues, such rights may run afoul of other policies and procedures, including information security policies, at the investment firm. Consider forgoing these rights with respect to investment firms in favor of provisions calling for reasonable cooperation in the event of a suspected breach.
  6. Investment Firms Will Need To Firmly Protect Their Own Confidential Information. The purchased data or AI system is not the only information that should be protected. An investment firm should be especially mindful when providing valuable information, such as its trading positions, to a data or AI vendor. That information should be protected and not used as a basis for new datasets or for training AI systems for use by third parties.

Implementing these steps and otherwise preparing in advance for the onboarding process at investment firms will enhance the ability of investment firms to meet their regulatory and compliance obligations and should lead to a more efficient process and an increased likelihood of success in building these important relationships.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Lowenstein Sandler LLP
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More