The following is a guest article from Gene Ekster, who has been involved with alternative data on both the buy and sell side. This article is the third of a series.
In our previous article, we discussed the role of an R&D team with the alternative data research process. Now we will touch on issues of compliance and best practices with the growing field.
Compliant Datasets
Alternative data research compliance is an increasingly important topic and subject of intense discussion in part due to its regulatory ambiguity. Risks are sometimes decomposed into regulatory compliance risk and headline risk, but with little guidance to go on, research practitioners are often left to speculate on the proper course of action.
One concern relates to datasets of consumer behavior, specifically the access investors might have to personally identifiable information (PII). However, unlike direct marketing or advertising, the investment research industry has no clear incentive to possess or analyze individuals’ information. Investing decisions are based solely on aggregated data where the behavior of any one individual is fully diluted out. Investors are concerned with the trends of the many, not the trends of the one or the few.
Moreover, compliance teams on both the vendor and client sides tend to be highly proactive in ensuring that data sources are compliant with access controls and PII scrubbing processes in place. Therefore, data is typically aggregated and scrubbed in the early parts of the data supply chain, far upstream from investment professionals.
Information security has long been a top priority in the investment industry and many funds mandate internal teams as well as data suppliers to adhere to strict risk control standards. Lack of incentive, active PII scrubbing across the supply chain, stringent security standards and ubiquitously proactive compliance teams all mean that identifiable consumer information is reassuringly not a cause for significant alarm in the alternative data ecosystem.
All investment research including alternative data research is governed by a set of principles addressing insider trading issues. Distinct compliance risks are inherent and are tackled in each of the various research channels. For instance, expert networks deserve an extra degree of diligence around the sensitive information discussed during the phone consultations. [Integrity Research’s compliance best practices for expert networks can be viewed here.]
One comforting aspect of alternative datasets is that they are sourced from parties that do not have a fiduciary relationship with publicly traded firms and are broadly available (yet are difficult to aggregate), for example, web harvested information or municipalities’ public property records. Another facet is that datasets reporting on consumer behavior are typically sourced from specific spending channels, have relatively small sample sizes and significant biases. An analyst has to commit hard work, using their education, judgment, and expertise to create a meaningful investment thesis; resulting in insights derived, not obtained, a key difference.
Accordingly, having a process that ties the investing decisions to an alternative dataset can be an antidote to some of current regulatory concerns around insider information.
Alternative data best practices
While compliance and internal regulation are widely practiced in the alternative data research field, there exists a need for an industry-wide best practices standard. Such a standard should address PII obfuscation and access scheme requirements among other issues. It would help round out the uncertain interpretations of existing regulatory guidance.
In the meantime, compliance professionals and decision makers can benefit from proactively creating internal guidelines for data operations. Publications like the NIST 800-122, which provide guidelines for protecting PII, are useful when developing internal best practices, but due to the relative lack of case precedent, a great degree of diligence needs to be exercised to assess the risks.
An example of a best practice is for a company to set up separate control environments in its data flow architecture. As the raw data enters the organization, it can be initially staged in a restricted access zone. This is where the PII scrubbing and other privacy related data processes are performed. Once cleansed, data can move into the general analyst access environment where human and machine intelligence can manipulate the compliant data.
If a company is directly or indirectly engaged in web harvesting, then best practices include appraising the website’s terms and conditions, paying special attention to clickwrap agreements, having a written policy on handling incoming complaints and limiting the outgoing HTTP traffic.
Most importantly, best practices ought to diligently measure the individual risks of a data operation, each risk evaluated separately and explicitly. Due to its fragmented mosaic of widely available sources and arms-length distance from traded securities, alternative data research can exhibit lower levels of compliance risk than some other forms of primary research.
Nevertheless, being up to date with the latest laws and having a rigorous compliance strategy are key success factors for any firm in the alternative data supply chain. Compiling those strategies into a best practices document is a smart move for individual organizations and creating industry-wide guidelines is a sensible step for the alternative data research field as a whole.