On the corner of 47^th Street and Madison Avenue in New York City, half a dozen cement mixer trucks line up to deliver their loads to the growing construction that will ultimately be JP Morgan’s new headquarters at 270 Park Avenue. The construction site—spanning an entire city block—is a hive of activity.

Across the street, it’s a different story on the 26^th floor of 575 Fifth Avenue, home of alternative data provider Thinknum. The office is open, and staffed by a skeleton crew, though it’s not clear whether that’s due to the company’s woes recently reported by Insider—which include allegedly not paying staff, and the abrupt departure of co-founder and president Justin Zhen, who didn’t respond to a request for comment, but whose email auto-reply confirms he is “on leave”—or Covid-19 work-from-home policies.

Either way, the company is still alive, though Zhen’s co-founder and Thinknum CEO Gregory Ugwi won’t say for how long. Ugwi can be overheard on the phone reassuring someone that the company is “still operational.” He looks harried, as would be expected given the circumstances. I’m clearly not the first reporter he’s given the brush-off in the past week, though I may be the first one who walked into his office in person. Once I introduce myself, he declines to hear my questions, politely but firmly asking me to leave. “Please leave. Please just leave our building,” he says. If he has a rescue plan, he’s not sharing it with outsiders.

A former employee confirms the staff in the office is about the number required to keep the company running, collecting and delivering its data—which at time of writing, it continues to do. “When something like this happens, you have to maintain the codebase, and you need to keep your existing clients happy, and keep delivering data,” the former employee says.

Whether Thinknum can pull together a deal with investors to fund the company through this crisis, or whether it could even find a buyer remains to be seen. One alt data expert believes this week is critical, and that the company will either be snapped up or close shop altogether.

Ironically, anyone using Thinknum’s data—which the company collated from public sources to enable clients to “track when companies are hiring or firing employees, interacting with customers, moving product, and many other metrics indicative of company performance” for more than 450,000 companies—to look at the company itself should have seen this coming.

Certainly US regulator the Securities and Exchange Commission (SEC) saw something like this coming—perhaps not with Thinknum specifically in mind, but definitely with an eye on alternative data providers in general.

The first rumors of trouble at Thinknum surfaced just a week after the SEC’s Division of Examinations published a risk alert on April 26, warning that financial firms did not have sufficient due diligence practices in place to address the risks of misuse of material non-public information (MNPI) in alternative data—and those that did have procedures in place did not always follow them properly or consistently when performing due diligence on sources of alternative data. Under Section 204A of the Investment Advisers Act of 1940, firms are required to “establish, maintain, and enforce written policies … to prevent the misuse of MNPI.”

“Advisers did not appear to consistently implement their policies and procedures related to alternative data providers. For example, advisers did not apply their due diligence process to all sources of alternative data. In addition, staff observed advisers that had an onboarding process for alternative data service providers, but did not have a system for determining when due diligence needed to be re-performed based on passage of time or changes in data collection practices,” said the SEC in its April alert.

Chris Petrescu, founder and CEO of CP Capital, which advises firms and data providers on alt data strategy, says the alert represents a shot across the bow to hedge funds and their alt data suppliers to clean up their act and ensure all parties are compliant.

Before founding CP Capital, Petrescu held data strategy roles at ExodusPoint Capital Management and WorldQuant.

“The firms I worked at always had solid policies, and I’ve even helped shape the policies at these firms and continue to advise on this topic for my clients. Any fund that is buying data at scale should have policy in place already,” he says. “Four or five years ago, a due diligence questionnaire (DDQ) might be viewed as contentious for a fund to send to a vendor. These days, it is commonplace, and vendors are very accustomed to filling them out. If a vendor refuses to fill out a DDQ, that is an enormous red flag. I’ve had vendors decline to fill out paperwork, so we reject them, and then they end up in the news months and years later,” he says. Simply put, firms and suppliers must “know what they’re collecting and know if they have the right to sell it.”

Kelly Koscuiszka, partner at law firm Schulte Roth & Zabel in New York, says the alert is a sign that the SEC is aware that non-compliant situations exist and need to be remedied, and is a public warning to those that don’t yet have their affairs in order.

“The SEC’s Division of Examinations routinely puts out risk alerts. They want to give guidance on what they’re seeing that’s being done wrong,” Koscuiszka says. “It’s important for the industry, and it reinforces what we’ve known for a while: that they’ve identified alternative data as a priority.”

The SEC has been increasing its scrutiny of alt data providers and consumers in recent years, and last year charged mobile app data provider App Annie and its founder with securities fraud. Specifically, in return for receiving data on app usage from companies, App Annie agreed to not disclose that data to third parties without it first being aggregated and anonymized. However, the SEC’s investigation found that between 2014 and 2018, the vendor used the raw data to make its model-generated estimates more valuable to trading firms.

App Annie settled the case for more than $10 million, and since rebranded as Data.ai.

App Annie was the SEC’s first enforcement action against an alt data provider, but it almost certainly won’t be the last. Over the same timeframe that the SEC has been focusing on alt data, it’s become clear that alt data itself is a moving target and—far from becoming more standardized and easy to manage as it matures—is still evolving quickly and creating new challenges as it does so. One of Koscuiszka’s areas of expertise is performing due diligence on alt data providers, and whether they legally have rights to use and sell the data they collect.

“As outside counsel advising buy-side firms, we know what we need to do from a diligence perspective so we should all be in a better place now,” she says. “But what we’re seeing is that because there are so many vendors, there’s such intense competition, and the data is becoming more sophisticated, the issues—even for big vendors—are becoming more complicated. And new products can raise new regulatory issues.”

Ron Troy, a veteran market data management executive, agrees that the rising complexity of data is creating more problems.

“Early on, bankers used what we now call alternate data to help guide decisions on loans and the like. For instance, if you were lending to refineries, oil storage tank farms and the like, aerial photos of such might show indications of degree of utilization. At one point, tank farms were said to be mostly at capacity—something that such photos might at least partially confirm. I don’t recall any actual rules or regs, just that it seemed like good practice to find research firms that collected such data,” Troy says.

“Now alt data use has gone way above and beyond … and now its use is far more common. And investors may have little or no understanding of what they are investing in, including whether it’s someone rolling dice, or actually basing decisions on viable data. Some of these firms may literally have only one or two employees and all sorts of other risk issues. And while the Federal Reserve Board and New York State Department of Financial Services have had vendor risk management rules for banks, I’m not aware of such for securities firms—though common sense ought to prevail,” Troy says.

In Thinknum’s case, sources haven’t alleged any impropriety regarding the company’s data itself. Web-scraped data has been controversial because the original sources of the data being scraped consider it theft. Professional networking site LinkedIn sued Singapore-based business intelligence provider Mantheos in February, alleging that the company created hundreds of fake LinkedIn accounts, paid for premium Sales Navigator LinkedIn subscriptions, and used those to scrape information from millions of legitimate LinkedIn member profiles, in contravention of the site’s terms and conditions.

According to Bloomberg Law, LinkedIn recently settled the suit with the condition that Mantheos deletes all the scraped data. At time of writing, Mantheos’ website was only a holding page with its logo. Web scraping of public data has recently been ruled legal by a US court, though breaking a company’s terms to scrape proprietary data would still be illegal.

However, experts agree that ensuring a vendor’s data is kosher and the company has the rights to collect, use and sell the data may ensure they’re compliant, but won’t protect against the types of risks that arise when a company like Thinknum experiences financial or management issues.

Instead, data managers say even small providers of niche data should be treated with the same best practices used to perform due diligence on companies tendering for multi-million dollar enterprise deals.

“As market data sourcing teams step up their game on vendor relationship management (usually working closely with a separate VRM team), these are things to keep in mind,” Troy says. “Essentially, follow the rules, not just to the letter but to the spirit of such, and then extend that to areas not subject to regulation but where not doing such creates exposure to credit, market, legal and reputational risk.”