In most industries, data is treated as a neutral input. It’s something that can be collected, analyzed, and optimized without much concern for how it’s created or why it exists.

In regulated finance, that assumption breaks down. Here, data isn’t just information.

It’s contextual, consequential, and supervised.

This lesson establishes a shared definition of “data” that reflects how regulators, examiners, and risk teams actually view it, rather than how it’s discussed in analytics, AI, or technology circles.

Before we talk about AI, automation, or analytics, we need to be clear about what we are governing.

The common misconception

A common working definition of data is that it represents raw material or information that can be collected and processed to generate insight.

That definition may be sufficient in technical disciplines, but it fails in regulated finance.

In financial contexts, data doesn’t sit passively in a system. It informs judgment, shapes decisions, and influences how firms interact with clients and markets.

Once information is used for any of those purposes, it’s no longer neutral or raw. It becomes interpreted input, and interpretation is where regulatory responsibility begins.

For instance, a firm may use historical account data to populate internal dashboards without issue. But when that same data is repurposed to rank clients, guide recommendations, or tailor communications, it becomes regulated data. The regulatory exposure arises not from the dataset itself, but from how it is interpreted and applied.

A regulatory-grade definition of data

From a regulatory perspective, data isn’t defined by format or storage method. It is defined by use and impact and can be understood as any recorded information that is used—or could reasonably be used—to inform decisions, judgments, communications, or actions that affect clients, markets, or regulatory obligations.

In this context, data includes structured and unstructured information, internal and external sources, historical records and real-time feeds, and quantitative metrics and qualitative classifications. If information can shape understanding or behavior, regulators will treat it as data regardless of how a firm labels it internally.

Why data is never neutral in finance

As shown in the diagram, data becomes regulated not because of the tools applied to it, but because of the interpretive choices embedded upstream. Decisions about inclusion, categorization, timing, and purpose shape how information may be used and understood.

These choices introduce bias, suitability constraints, and supervisory responsibility. Accordingly, examiners focus less on outputs alone and more on origin, transformation, permissions, and accountability.

That’s because every dataset reflects a series of choices made before analysis ever begins. Decisions about what to include, how information is categorized, when it is captured, and why it exists all shape how that data can be used.

Those choices introduce bias, suitability constraints, and supervisory responsibility. This is why examiners rarely focus only on outputs. They ask where the data came from, how it was created, what permissions govern its use, and who is accountable for decisions made using it.

Data as a governed asset

In regulated firms, data is treated as a governed asset rather than a technical input. Its use is constrained by policy, not just capability. Its movement is subject to controls. Its transformation creates new obligations, and its outputs must be explainable and defensible.

This is true even when data is used internally, experimentally, or without any immediate client-facing application. Regulatory exposure often begins long before data reaches a model, product, or communication channel.

Additional Resources

    • SEC — Books and Records Rule (Rule 204-2)
      Explains the SEC’s expectations around how investment advisers must retain and supervise information used in advisory and marketing activities, including internal analyses and communications.

    • FINRA Rule 2210 — Communications with the Public (Conceptual Overview)
      Establishes that regulatory obligations apply based on use and audience, not format or medium, reinforcing that information becomes regulated through application.

    • SEC — Marketing Rule (Rule 206(4)-1) Overview
      Provides context on how information used in advertising and investor education is evaluated for accuracy, fairness, and disclosure, regardless of how it is created.

    • COSO — Internal Control Framework (Conceptual Guidance)
      Widely used framework that emphasizes accountability, documentation, and control over information used in decision-making.

    • SEC Cybersecurity and Data Governance Guidance (2023)
      Highlights expectations around data handling, governance, and third-party systems, reinforcing that data governance extends beyond IT security.

    • NIST — Data Governance and Risk Management Concepts
      Provides non-technical guidance on treating data as a governed asset rather than a purely technical input.

    • OECD — Principles on Data Governance
      Offers a policy-level perspective on responsibility, transparency, and accountability in data use.