Hot Topics in the Financial Services Industry
Author: David S. Warner, Littler
The financial services industry (generally made up of the banking, securities and commodities, insurance and real estate sectors) is currently one of the most heavily regulated in our economy. In addition to intensified efforts to scrutinize past business practices, lawmakers have created new laws to make financial products and services even more transparent and easy for the public to understand. To facilitate exposure of improper conduct, Congress created new protections for employees who report, or blow the whistle on, conduct that they perceive as unlawful. To help overcome employees' fear of retribution, Congress also created unprecedented incentives for employees to report certain conduct to the government under a cloak of anonymity.
This heavily regulated landscape and its constant movement, which is expected to continue under the Trump Administration, make it vital for HR professionals to know the rules applicable to their organization. This Legal Insight, which does not address all of the rules applicable to employers in the financial services industry, highlights some of the more notable legal requirements to help HR spot potential issues. By becoming more familiar with the growing number of rules applicable to the financial services industry, employers can and should take proactive steps to ensure compliance and thereby lessen any risk of civil and/or criminal liability.
For obvious reasons, financial services industry employers generally consider background checks on job applicants to be a necessary part of the application process. In fact, insured depository institutions and credit unions are legally required to run them for any person who directly or indirectly helps the insured institution conduct its affairs. Similarly, certain financial services industry employers are required by the Financial Industry Regulatory Authority (FINRA), a nongovernmental body that regulates member brokerage firms and exchange markets, to investigate and verify information provided by applicants on their Form U4. In addition, employers in this industry often want to run background checks on employees suspected of misconduct.
While federal law does not prohibit employers from asking applicants to provide their financial information, the Equal Employment Opportunity Commission (EEOC) has issued these basic guidelines to help ensure that employers do not unlawfully discriminate when using this information in their employment decisions:
- An employer must not apply a financial requirement differently to different people based on their race, color, national origin, religion, sex, disability, age or genetic information;
- An employer must not have a financial requirement if it does not help the employer to accurately identify responsible and reliable employees, and if, at the same time, the requirement significantly disadvantages people of a particular race, color, national origin, religion or sex; and
- An employer might have to make an exception to a financial requirement for a person who cannot meet the requirement because of a disability.
For these and other reasons, all employers should have a background check policy for job applicants and employees. When creating this policy, employers must educate themselves on the federal, state and local laws that generally regulate the background check process, as well as any applicable industry regulations. For example, FINRA Rule 3110(e) requires FINRA members to have written procedures for verifying, subject to applicable legal restrictions, the accuracy and completeness of information provided by applicants in their Form U4 within 30 days of filing that form with FINRA.
The federal Fair Credit Reporting Act (FCRA) imposes several requirements that apply to many of these background checks. Several states and cities also have laws governing certain background checks that may be more onerous or restrictive than the FCRA. In addition, there is some tension between certain industry requirements, such as the acknowledgment and consent portion of the Form U4, and the requirements of the FCRA and its state and local counterparts. This requires careful attention to ensure compliance with all applicable laws and regulations.
The following is a guide to complying with the FCRA's requirements and a brief summary of how states and cities are regulating background checks.
Step 1 - Disclosure and Written Authorization
General Disclosure Requirements
Employers must first clearly disclose to an applicant or employee that the employer may request a background check for employment-related purposes before actually requesting it. This requirement generally applies to any information the employer may obtain from a reporting agency that bears on the individual's "credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living."
In general, this initial disclosure must be provided in writing without reference to any other subjects (i.e., the initial disclosure must be its own separate document that is apart from the job application itself and may not include an advance waiver of potential liability). The initial disclosure also must be conspicuous (e.g., not in a tiny unreadable font).
Additional Disclosure Requirements for Investigative Consumer Reports
Employers that want to request a background check report that is based even partially on information obtained through personal interviews with the individual's neighbors, friends or associates must provide an additional written disclosure. The FCRA requires this additional disclosure for these types of reports, also known as Investigative Consumer Reports (ICR), because of the sensitive nature of the content.
The disclosure must be provided no later than three days after requesting an ICR and must advise that:
- An ICR is being generated; and
- The individual may request additional information concerning the nature and scope of the investigation.
It must also contain a copy of the Consumer Financial Protection Bureau's (CFPB) Summary of Rights Form. If the individual requests information about the nature and scope of the ICR, the employer must supply it within five days of receiving the request.
The FCRA also requires employers to obtain the individual's signed authorization before obtaining the background check report. Unlike the foregoing disclosures, an individual's written authorization may be obtained through other documents, like an employment application, so long as the individual's consent is conspicuously displayed.
Step 2 - Certification to Consumer Reporting Agency
Before obtaining a background check report, the FCRA requires employers to certify to the relevant consumer reporting agency (using a form prepared by that agency) that:
- The required disclosures have been made to the employee or applicant;
- Consent was obtained from the individual that authorizes the employer to review the report;
- Pre-adverse action disclosures will be made, if necessary;
- No state or federal equal employment opportunity laws or regulations will be violated in connection with the employer's use of the report;
- Separate investigative consumer report disclosures have been made, if applicable; and
- The employer will provide further disclosure concerning investigative consumer reports, if requested.
Step 3 - Providing Notice Before Taking Any Adverse Actions
When information in a background check report influences an employer's decision to decline an applicant, the employer must provide notice before implementing its decision. It must provide the individual with notice of its intent to take an adverse action (e.g., not hire; terminate) based on the report and provide both a copy of the report and another copy of the CFPB's FCRA Summary of Rights Form. This is necessary to provide the individual with some opportunity to correct the report if it is inaccurate.
Step 4 - Adverse Action Notice
Although the FCRA does not state how long an employer must wait after providing notice before it can take an adverse action, the Federal Trade Commission (FTC) has stated that an employer must wait a reasonable amount of time. In one case, the FTC found a five-day waiting period to be reasonable, but declined to establish it as a bright-line test (i.e., used in every situation). The CFPB is now in charge of administering the FCRA, but there is no reason to believe that the CFPB would have a different position on this issue than the FTC. Against that backdrop, employers are encouraged to wait at least five days.
After the employer has completed all of the foregoing steps, it may then take its adverse action, so long as it provides a separate adverse action notice. Unlike the other notices required by the FCRA, this notice may be provided orally, in writing or electronically. However, employers are encouraged to provide notice in writing as it may quickly prove compliance in the event of a challenge. The adverse action notice must also contain:
- The background check provider's contact information, including its name, address and telephone number (including a toll-free number);
- A statement that the agency is not the decision-maker and is unable to advise the individual of the specific reasons for the employer's adverse action;
- A statement that the individual has the right to obtain from the background check provider a free copy of the background check report by requesting it within 60 days of receipt of the adverse action notice; and
- A statement describing the individual's right to dispute the accuracy or completeness of any information contained in the report.
Access to the background check report and related documents should be limited to only those in the company who have a legitimate need to know their contents. It is generally advisable to retain these documents for at least five years as FCRA claims must be brought within the earlier of five years after the alleged violation or two years after the individual's date of discovery. Since these documents often contain the individual's Social Security number and other sensitive personal information, the records should be disposed of carefully and in a manner designed to avoid any unintended disclosure.
State and Local Regulation of Background Checks
Several states, cities and counties now have laws governing background checks, in particular criminal and credit checks, which are more restrictive than the FCRA. These laws tend to regulate when employers may ask applicants about their criminal history and, in some cases, what information may be sought, but they do not generally require employers to hire ex-convicts. While some of these state and local laws may be preempted by requirements under federal law, such as the Federal Credit Union Act, any such conflicts should be considered carefully on a case-by-case basis.
For example, Connecticut and Massachusetts prohibit criminal history inquiries until after the initial written application has been submitted. Rhode Island prohibits such inquiries until the first interview. Oregon and New Jersey do not permit them until after the first interview. In Illinois, Minnesota and Vermont, employers may not inquire about an applicant's criminal history until after the applicant has been selected for an interview or, if no interview, until a conditional job offer has been extended. The District of Columbia and Hawaii preclude the inquiry until after a conditional offer of employment has been made.
Several cities have enacted similar measures, including New York City; Buffalo and Rochester, New York; San Francisco, California; Baltimore, Maryland; Philadelphia, Pennsylvania; Portland, Oregon; Austin, Texas; Columbia, Missouri; and Seattle, Washington. Multiple counties have similarly "banned the box" on application forms, such as Alameda and Santa Clara Counties in California, and Travis County, Texas. For more information about such laws, see Ban the Box.
Some jurisdictions also limit the scope of information that can be requested. For instance, California does not allow employers to ask about or consider criminal charges that did not result in a conviction or convictions that were judicially sealed, among other things. Hawaii bars employers from inquiring about convictions more than 10 years old.
Some of the state and local restrictions also extend to the use of credit-related information for employment purposes. For example, in California, credit history reports may be obtained only for certain types of jobs, like those involving certain financial data or sensitive information or managerial positions, or when such reports are required by applicable law. New York City also imposes similar restrictions.
States such as Colorado, Connecticut, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont and Washington have similar laws that limit using credit-related information for employment purposes, unless it is "substantially related" to the job. The District of Columbia bans employers from inquiring about credit history with limited exceptions for positions in law enforcement or for financial institution positions that entail access to personal financial information.
Electronic Employment Applications
It is becoming increasingly common for employers to invite applicants to submit their employment applications electronically. It is less commonly known, however, that certain methods must be used to obtain valid electronic signatures on these applications.
E-Signature Laws (E-SIGN and the UETA)
The Electronic Signatures in Global and National Commerce Act (E-SIGN)
Through the E-SIGN Act, Congress endorsed the idea of signing documents electronically and encouraged states to adopt laws allowing electronic signatures.
Uniform Electronic Transactions Act (the UETA)
Before the E-SIGN Act, a government commission drafted the UETA to help secure uniformity among state electronic signatures and records laws. The UETA generally allows electronic records to qualify as written records and electronic signatures to qualify as signatures. The UETA also allows records to be maintained electronically if they accurately reflect the original records and are accessible. Most states have adopted the UETA, but not New York, Illinois and Washington, which have their own e-signature laws.
Crafting Valid E-Signatures Under E-SIGN and the UETA
Under the UETA and E-SIGN, both parties must agree to transact electronically. Because an applicant can insist on signing a hard copy application, an electronic employment application should clearly show the applicant's agreement to submit it electronically. An electronic application should also prompt the applicant to expressly signify his or her agreement to each of its substantive terms.
Below is sample language concerning an applicant's consent to sign the employment application electronically and agreement to each of its substantive terms. This language should be conspicuous and preferably in bold print:
I hereby authorize and consent to the terms of the employment application including, among others, that I certify the truthfulness of my statements and grant permission to the Company to make all necessary inquiries. I further understand and agree to the use of an electronic method of signature to demonstrate my acceptance of the terms and conditions of this employment application.
Further, based on court decisions in California, authentication should be used that sufficiently ensures that a particular person (and not someone else) consented and agreed to the terms and conditions.
Additional Methods for Obtaining a Valid E-Signature
An electronic signature on an electronic employment application can be obtained through a combination of the following:
- Key or password access to the electronic application (ideally created and known only to that person);
- Acknowledgment of receipt and delivery messages;
- Completed review confirmation buttons at the end of each page of the application;
- Comprehension confirmation buttons at the end of each page or at the end of the application;
- Confirmation of notational signatures like "/s/ John Smith" or digital signatures; and
- Confirmation that the application was accurate and unaltered prior to signature.
This might include an unalterable PDF format presentation.
Additional Electronic Employment Application Issues
Disability Accommodation Issues
When designing an electronic application process, employers must be mindful of their duty to reasonably accommodate applicants with disabilities under federal, and possibly state and local, law. Accommodations may include options to increase text size and modify color schemes or allowing submission of an employment application by hand.
Background Check Authorizations and Disclosures
Authorizations to conduct background checks can be included in an electronic application. However, they must clearly capture the applicant's electronic signature authorizing the potential employer to run a background check. Applicants may authorize the background check electronically if the authorization can be retained and accurately reproduced. They must also contain the disclosures that must be given to the applicant before conducting the background check. To ensure compliance with any applicable disclosure requirements, it is especially important to provide some ability to print, download or email the disclosures or even the entire application.
An unwitting employee of a check-cashing company disposes of documents containing customers' Social Security numbers, bank account numbers and credit reports in unsecured dumpsters outside the office. What is wrong with this scenario?
Identity theft is a booming business. Each year, more and more people fall victim to identity theft. Employers in the financial services industry have to be especially wary in light of the highly personal information they routinely collect and maintain regarding their customers. Since this makes financial services employers ideal targets for identity thieves, federal and state regulators are now requiring that these businesses take steps to protect the security of their customers' personal information.
In addition, as employees are given more technology - laptops, phones, tablets, etc. - they often have more access to an employer's business information (i.e., trade secrets, confidential customer data and other sensitive information). Along with greater access to an employer's business information, employees have also been permitted to utilize their own technology in the workplace - what is referred to as the "Bring Your Own Device" (BYOD) to work movement. This has made it easier for employees to misappropriate, lose or improperly use sensitive employer information. Having safeguards to protect against these concerns can go a long way toward protecting the employer and its sensitive information from falling into the wrong hands. See also How to Protect Trade Secrets When Employing a Mobile Workforce and Telecommuters.
Federal Safeguard for Customer Information - an Information Security Program
To protect against identity theft, certain financial companies are required to adopt and implement a written information security program, so that they have measures in place to keep customer information secure. HR can play a role in helping craft and enforce information security programs for employees to follow that:
- Ensure the security and confidentiality of customer information (generally defined as any record containing nonpublic information about an individual that will be used primarily for personal, family or household purposes, if the individual has obtained a product or service from a company and has an ongoing relation with the company);
- Protect against any anticipated threats or hazards to the security or integrity of this information;
- Protect against unauthorized access to or use of this information that could result in substantial harm or inconvenience to any customer; and
- Ensure customer information is properly disposed of.
Below is a brief overview of the general standards for information security programs. Keep in mind that the governing federal agencies (the Federal Trade Commission, the Securities and Exchange Commission, banking agencies, etc.) each have their own requirements for the businesses they regulate.
Implementing the Information Security Program
Step 1: Perform a Risk Assessment
HR should work with IT and other organizational stakeholders to:
Identify the reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information.
For example, at a minimum, an employer should assess whether its computer network is accessible from the outside. If it is, what are the threats?
Determine the likelihood of, and potential damage from, the identified threats. The employer can take into account the sensitivity of the customer information.
For example, an employer could develop a framework that analyzes whether improper access to or loss of the information would result in harm or inconvenience to the customer.
- Assess the sufficiency of existing policies, procedures and customer information systems (i.e., methods to access, collect, store, use, transmit, protect or dispose of customer information) to control security risks. If weaknesses exist, determine the extent to which customer information is at risk.
Step 2: Design Security Controls
- Each financial institution or company must consider whether the following security measures are appropriate for it, and if so, adopt them:
- Installing access controls on customer information, including controls to limit access to authorized individuals and to prevent employees from providing customer information to unauthorized persons;
- Installing access restrictions at physical locations that house customer information, such as buildings and records storage facilities;
- Encrypting electronic customer information, including while in transit or in storage on networks or systems that unauthorized persons may access;
- Implementing procedures to ensure that customer information system changes are consistent with the overall information security program;
- Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
- Specifying actions to be taken when the company suspects or detects that unauthorized persons have accessed customer information; and
- Instituting measures to protect against destruction, loss or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.
Step 3: Create an Information Security Program for the Board of Directors to Adopt
- The company's Board of Directors is responsible for overseeing the development, implementation and maintenance of the information security plan.
- There is flexibility as to the program's design as it must be appropriate to the company's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. While not all parts of the company need to have the same policies, all elements of the information security program should be coordinated. HR may be uniquely situated to oversee or participate in the coordination effort.
Step 4: Train Staff to Implement the Information Security Program
- HR should train employees on how to protect all types of sensitive data. This training should teach employees to focus on preventing security breaches instead of just reacting to them and to help develop a culture of security.
- Training should also include guidelines for securing individual data files, both electronic and hard copy, discussion of record retention and destruction methods, and instructions on how to minimize security risks. In addition, training should include descriptions of the consequences for both inadvertent and intentional data security breaches.
- HR should ensure that compliance with information security protocols are part of each employee's required, core competencies.
Step 5: Regularly Test the Key Controls, Systems and Procedures of the Information Security Program
- The frequency and nature of the testing should be determined by the company's risk assessment.
- Ensure that independent parties, or at least staff independent of those who develop and maintain the information security program, run the testing.
Step 6: Oversee Service Provider Arrangements
- Select service providers that can implement and maintain necessary safeguards.
- Require service providers to contractually commit to implementing and maintaining those safeguards.
Step 7: Monitor, Evaluate and Adjust the Security Program
- Monitoring, evaluation and adjustments are to be made on an ongoing basis, in light of relevant circumstances, including changes in the company's business or operations or the results of security testing and monitoring. Once changes are made, HR should work with the organization's stakeholders to communicate changes to employees and, if necessary, retrain employees.
State Safeguards for Personal Information
In addition to federal law, all states, except Alabama and South Dakota, have their own security laws and regulations, and several states recently strengthened their safeguards, such as California, Illinois, Nebraska and Tennessee. The federal requirements described above do not pre-empt state laws that impose more stringent requirements. Rather, where applicable state laws exist, employers will have to comply with both the federal and the state laws, provided they do not conflict.
These state laws include:
Prohibition Against Using Social Security Numbers
Several states, like New York, prohibit businesses from:
- Posting or publicly displaying an individual's Social Security number (SSN);
- Using SSNs on identification cards (such as access pass cards); and
- Requiring transmittal of SSNs over the internet, unless through a secure (i.e., encrypted) connection.
In states like New York, HR should ensure that managers and employees have access to SSNs only for legitimate business reasons. HR should implement safeguards to prevent unauthorized access and take reasonable precautions to make sure SSNs are not publicly disclosed or displayed on documents. Employers that require submission of SSNs in connection with the employment application process (e.g., on the background check consent form) should be sure that the applicant may transmit it privately. This means using an encrypted connection for electronic submissions and providing sealable envelopes for hard copy submissions.
Destruction of Personal Information
Many states also require businesses to take reasonable steps to destroy records that contain personal information. This means a person's name accompanied by other information such as his or her SSN, credit or debit card number, savings or checking account number, or driver's license number. The key is to prevent this information from being retrieved. Reasonable measures include:
- Destroying papers containing personal information so it cannot be read or reconstructed; and
- Destroying or erasing electronic and other nonpaper media containing personal information so the information cannot be retrieved.
Notification of Theft
When an individual's personal information has been stolen, many states require notification to the affected individuals. However, notice is generally not required in the following two circumstances:
- If personal information had been encrypted; or
- If the business redacted personal information or took other steps to make it unreadable and unusable.
If notice is required, states often require that it provide:
- A brief explanation of the cause of the security breach;
- A description of the categories of information that were compromised;
- Additional steps taken to safeguard the information;
- Steps that the recipient can take to reduce the risk of identity theft; and
- A contact at the company who can provide assistance.
There are additional rules on when notice must be provided (generally, as soon as reasonably possible) and the notice format (i.e., written, electronically or by telephone). Additionally, if a larger number of residents (usually more than 1,000) are affected by a security breach, several states require that the business notify the three nationwide credit reporting agencies. A small number of states also require that businesses provide notice of the breach to a state agency, typically the Attorney General's office.
Disaster Recovery and Business Continuity Plans
The Commodity Futures Trading Commission (CFTC), the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have released a joint advisory on disaster recovery and business continuity plans (BCPs). The advisory was issued after the three financial regulators reviewed the large-scale effects on Wall Street of Superstorm Sandy in October 2012 (e.g., the storm's impact on trading, customer relations, financial and regulatory obligations and operations).
The regulators suggest that employers be proactive and put in place effective BCPs and practices to help improve responses to - and reduce recovery time after - significant, large-scale events like Superstorm Sandy. For example, the advisory suggests that employers plan for:
- Widespread disruptions to their business;
- Alternative locations for employees to work (e.g., allowing employees to work from home, ensuring adequate staffing during a crisis);
- Disruptions in telecommunications services, technology, power, transportation and other services (e.g., where back-up data centers should be located);
- Communication issues (e.g., how to communicate with employees, customers and regulators during severe weather, system for updating information on website); and
- Regulatory and compliance issues (e.g., ensuring that BCP includes/complies with regulatory requirements).
BYOD to Work Policies
Employees have been allowed to use their own mobile devices, such as smartphones, netbooks and tablets, to perform work. Some employers even allow their employees to replace their work laptop with their own personal computer. As a result, employees use these employee-owned devices to create, store and transmit work-related data in addition to their personal data, earning these devices the label "dual-use devices." The dual use of employee-owned devices can expose a business's sensitive information to significant information security risks. One of the chief concerns is that dual-use devices make it extremely difficult for financial service industry employers to comply with their legal obligations to safeguard the privacy and security of sensitive personal and financial data, as noted above.
The first set of security risks involves the potential unauthorized acquisition of data stored on the dual-use device. These issues arise because the employer's data is now being stored and transmitted using devices and networks that the employer does not own or control. When an employer owns or controls the device, it can install anti-virus software on the device and make sure the device is password-protected or encrypted. The employer's lack of ownership or control often means that the dual-use device lacks these security measures. As a result, dual-use devices tend to be easy targets for hackers (especially when used on an unsecure network) and, more often than not, friends and family who have easy access to the device.
The second set of security risks involves the protection of a company's trade secret, proprietary or confidential information stored on a dual-use device upon the employee's termination of employment. Here, the difficulty is that the employee owns and possesses the dual-use device. Under federal law, the employer could be subject to criminal and civil liability if the employer remote wipes (i.e., deletes by remote action) any information on the dual-use, employee-owned device without the employee's prior consent. See also How to Protect Trade Secrets When Employing a Mobile Workforce and Telecommuters.
For organizations that permit dual-use devices, the issue is how to structure and implement a BYOD policy. At a minimum, an employer must consider whether it needs new or revised operating procedures to deal with the challenges posed by dual-use devices. For example, employers should develop and test internal processes for employees to follow when their devices are lost, stolen or hacked. If the employer does not already have an established reporting process, it should consider identifying a department or group within the company to be the central place to which employees report these occurrences. The group that receives reports of lost or stolen devices must be trained on how to use software that deletes data from the device. This group also must be sensitive to the fact that an employee's consent is required to execute a remote wipe and that this action must be taken quickly due to the relatively short battery life of many mobile devices. Once the device has lost power, or is no longer on a network, the device can no longer receive the wipe command. Additionally, employers should require employees to install up-to-date anti-virus software on their home personal computers or other devices to which they synchronize their dual-use device (if synchronization is permitted). Employers should also train their employees on their cyber-security policies, and update them periodically, as one of the most critical security risks is the lack of sufficient knowledge and skills to handle sensitive data securely.
With dual-use devices, the employer's HR department should reevaluate the employment termination process to include:
- What devices the employee used and could access;
- What information may be stored on the employee's dual-use device;
- How to disable the employee's ability to connect his or her mobile device to the company's network or system; and
- What efforts should be used to preserve data stored on the employee's dual-use device before the device is wiped and whether the employer needs to utilize a forensic consulting firm to help preserve and collect this information (i.e., company proprietary data, information subject to litigation holds or data that must be protected due to various privacy regulations).
Finally, employers should consider addressing these issues (including consent for a remote wipe) in an agreement with the employee and require employees to execute these agreements as a condition of being allowed to use dual-use devices. If the employer already has confidentiality, noncompete or nonsolicitation agreements that address post-employment activities, these issues could be added to those agreements.
More employees are demanding workplace flexibility, and the financial services industry is no exception. To retain top talent, employers in the financial services industry may want to consider adding flexibility. This is also valuable to help ensure business continuity in the event of a natural disaster or other emergency.
In addition, certain states and municipalities, including San Francisco, California, New Hampshire and Vermont, have created laws to ensure that some or all employees have a right to request flexible working arrangements without fear of reprisal. Flexible working arrangements may include telecommuting, job sharing or an alternative work schedule. See How to Handle Requests for Flexible Work Arrangements.
Protection of Trade Secrets
Not surprisingly, employers in the financial services industry tend to be highly conscious of the risks of unfair competition. Fortunately, there are laws that generally protect against trade secret theft and employee disloyalty. While this area has historically been governed by state law, Congress passed its own federal law in May 2016, known as the Defend Trade Secrets Act.
Defend Trade Secrets Act (DTSA)
The DTSA provides certain legal tools to owners of trade secrets that have been misappropriated. These include the right to bring a civil action in federal court for injunctive relief and/or damages and, in extraordinary circumstances, to immediately recover stolen trade secrets through a civil seizure process. Such actions must be brought within three years of discovery of the misappropriation.
In such actions, the prevailing party may recover actual damages, a reasonable royalty or an amount reflecting the extent to which possession of the trade secrets wrongfully enriched the thief. The prevailing party also may recover reasonable attorney fees and punitive damages, in certain circumstances. For example, an employer may recover these additional damages only if it first provided to the employee written notice of the DTSA's immunity provisions.
The immunity provisions protect employees from criminal and civil prosecutions for disclosing trade secrets in confidence to a domestic government official or an attorney for the sole purpose of reporting or investigating a suspected violation of law. They also allow employees to disclose the trade secrets in a complaint or other document filed in a legal action, as long as the document is filed under seal and not disclosed to the public. Notice of these immunity provisions should be included in nondisclosure agreements with employees, consultants and other contractors, and in the employer's whistleblower policy.
As a supplement to these laws, employers concerned about unfair competition also tend to rely on contracts, known as restrictive covenants. Such covenants are designed to prevent unfair competition, both during employment and for a limited period after employment ends.
They can be separate agreements or incorporated into an employment contract where applicable. If an employer insists upon a restrictive covenant as a condition of employment, it is a best practice to provide the contract containing that covenant along with offer letters.
There are several types of restrictive covenant agreements, including:
- Nondisclosure agreement;
- Noncompete agreement;
- Customer nonsolicitation agreement;
- Employee nonsolicitation agreement;
- Garden leave;
- Forfeiture of deferred compensation and/or benefits; and
- Equity clawbacks.
Some agreements are designed to entice cooperation through rewards (e.g., garden leave), while others may require judicial enforcement (e.g., noncompete agreements). In some states, employers may establish deferred compensation or other benefit plans (e.g., stock option or restricted stock plans) that require compliance with certain restrictive covenants in order to vest in, or keep, the benefits under those plans.
In addition, there is a Protocol for Broker Recruiting. This agreement, to which many of the major broker-dealers and investment advisors have subscribed, dictates what their representatives can do upon departure. For example, it allows them to take limited client information to their new firms as well as solicit clients they personally serviced.
Restrictive covenants are generally governed by state law. Some states disfavor certain types of restrictive covenants, while others do not. For example, California generally prohibits noncompete agreements. Illinois prohibits private employers from entering into noncompete agreements with low-wage workers.
A nondisclosure agreement prevents employees from using or disclosing an employer's confidential information and trade secrets both during and for a limited period after employment ends. See also How to Protect Trade Secrets When Employing a Mobile Workforce and Telecommuters.
The following is sample language for an employee's promise not to disclose confidential information:
Employee will maintain all Confidential Information as confidential and will not engage in any unauthorized use or disclosure of Confidential Information during employment and for so long thereafter as the information is maintained as Confidential Information by the Company (provided, however, that if a time limitation on this restriction is required in order for it to be enforceable then this restriction shall be limited to a period of three years following the termination of Employee's employment for any particular information that does not qualify as a trade secret).
The following is sample language for the definition of confidential information:
Confidential Information refers to an item of information, or a compilation of information, in any form (tangible or intangible), related to the Company's business that Company has not made public or that it has not authorized public disclosure of and that is not already generally known to the public or to other persons who might obtain value or competitive advantage from its disclosure or use. Confidential Information will not lose its protected status under this Agreement if it becomes known to others through improper means such as the unauthorized use or disclosure of the information by Employee or another person. Confidential Information includes, but is not limited to: (a) [insert anything specific the company can name, such as databases, periodic business reports and analytical tools, which are confidential]; and (b) Company's trade secrets, business plans and analysis, and customer lists.
A noncompete agreement (also known as a covenant not to compete, noncompetition agreement or noncompetition clause in a restrictive covenant) prevents an employee from working in a competitive capacity for a limited time and within a limited geographical boundary. In most states, a court will not enforce a noncompete agreement unless it is reasonable and protects an employer's legitimate business interests, such as protection of its unique employees, trade secrets, confidential client information or client relationships and goodwill.
The amount of time, geographic scope and scope of the employee's activity to be restrained must generally be tailored as narrowly as possible to protect only the employer's legitimate business interests and not restrain fair competition. Accordingly, a noncompete agreement covering a long period of time, a wide geographic area and a wide scope of activity may be enforceable against certain high-level employees, but may not be enforceable against other employees.
While there is no noncompete clause that is enforceable in every state against all types of employees, the following is sample language used by a financial services employer:
Employee agrees that while employed and for a period of one year following his or her termination of employment due to voluntary resignation from the Company, he or she will not: (A) form, or acquire a five percent (5%) or greater equity ownership, voting or profit participation interest in, any Competitive Enterprise (as defined herein), or (B) associate (including, but not limited to, association as an officer, employee, partner, director, consultant, agent or advisor) with any Competitive Enterprise and in connection with such association engage in, or directly or indirectly manage or supervise personnel engaged in, any activity (i) which is similar or substantially related to any activity in which the Employee was engaged, in whole or in part, at the Company, or (ii) for which the Employee had direct or indirect managerial or supervisory responsibility at the Company. For purposes of this Agreement, a Competitive Enterprise is a business enterprise located within the United States (or in any other countries where the Company does business) that engages in, or owns or controls a significant interest in any entity that engages in, financial services activity that competes directly or indirectly with the Company, including [insert services].
This restriction is understood to be inherently reasonable in its geography because it is limited to the places where the Company does business. However, for any jurisdiction where an additional geographic restriction is necessary to make this paragraph enforceable, it shall be considered limited in its geographic scope to the lesser of (a) Employee's assigned area of geographic responsibility if the Company assigned Employee a geographic territory, or (b) those states within the United States, and those comparable political subdivisions of other countries, where the Company does business or is actively planning to do business during Employee's employment and where Employee has involvement and contact with Clients of the Company.
Client Nonsolicitation Clauses
Client nonsolicitation clauses prohibit employees from diverting an employer's clients while employed at the company and from soliciting an employer's clients after the employee has departed from the company. Like noncompete agreements, a court will only enforce client nonsolicitation clauses if they are reasonable and protect the employer's legitimate business interests, such as the client's goodwill or the employer's confidential client information. Courts will often not enforce client nonsolicitation clauses that are based on protecting client goodwill if the clause extends to clients with whom the employee had no contact.
As with noncompete agreements, there is no client nonsolicitation clause that is universally enforceable. Here is sample language used by a financial services employer:
Employee hereby agrees that during his or her employment and for a period of one year following the termination of his or her employment, Employee will not, in any manner, directly or indirectly: (A) Solicit a Client (each as defined herein) to transact business with a Competitive Enterprise or to reduce or refrain from doing any business with the Company, (B) interfere with or damage (or attempt to interfere with or damage) any relationship between the Company and a Client, or (C) divert business opportunities away from the Company. For purposes of this Agreement, the term Solicit means direct or indirect communication of any kind whatsoever, regardless of by whom initiated inviting, advising, encouraging or requesting any person or entity, in any manner, to take or refrain from taking any action, and the term Client means any client or prospective client of the Company to whom the Employee provided services, or for whom the Employee transacted business, or from whom the Employee solicited business within one year prior to termination of the Employee's employment with the Company.
Employee Nonsolicitation Clauses
Employee nonsolicitation clauses prohibit employees from soliciting co-workers or former co-workers to leave the company. While courts generally require a time limitation on employee nonsolicitation clauses, they tend not to require a concurrent geographic limitation.
Below is sample language for an employee nonsolicitation clause used by a financial services employer:
The Employee hereby agrees that during the Employee's employment and for a period of one year following the termination of his or her employment, Employee will not, in any manner, directly or indirectly solicit any person who is an Employee to resign from the Company or to apply for or accept employment with any Competitive Enterprise.
Garden Leave Covenants
A garden leave provision requires the employee to provide a specified, minimum notice of resignation and then wait out the notice period before joining a competitor. During the notice period, the employer continues to provide full salary and benefits, but the employee need not work (i.e., he or she may tend to his or her garden).
Garden leave clauses are often used in the financial services industry and usually with executives and other high-level employees. In deciding how much notice should be required, the employer should consider how much time it will take to transition client accounts to a new executive and/or how much time the employer needs to ensure protection of its confidential information and trade secrets. A court may strike down a garden leave provision if the amount of required notice time is unreasonable.
The following is sample language for a garden leave covenant:
Employee may terminate his or her employment at any time for any reason, but he or she must give at least 30 days' written notice of the termination. During the 30-day notice period, Employee is not required to work and will be paid his or her full benefits and salary. Employee shall be restricted from working for a competitor during the 30-day notice period and for three months following his or her termination date. To alleviate any burden on Employee, the Company will continue to pay Employee his or her base salary, pursuant to its regular pay practices, through the end of the three-month, post-termination period.
In a forfeiture clause, an employee forfeits certain deferred compensation or benefits if he or she chooses to engage in prohibited conduct, such as competing with the employer or soliciting its clients after a separation of employment. An employer may include forfeiture provisions in a long-term incentive plan, deferred compensation plan, profit sharing or other forms of incentive compensation or benefits.
Forfeiture agreements have the advantage of discouraging employees from engaging in harmful competition without placing direct restraints on them. The enforceability of these clauses varies from one state to the next. For example, they may run afoul of California's broad public policy against restraining competition, but New York generally views them more favorably than direct restraints on competition.
The following is a sample forfeiture clause:
If, within two years after the Employee resigns, the Employee accepts employment with another company engaged in any business conducted by the Company, or if the Employee is involved in any business that solicits business from Clients of the Company, such employment will result in a forfeiture of deferred compensation.
An equity clawback requires an employee to repay certain financial gains (usually those acquired through stock, stock options or some equity equivalent form of deferred compensation plan) that were conditioned upon continued compliance with one or more restrictive covenants. An equity clawback is different than a forfeiture clause because it enables the employer to recover benefits previously provided to the employee if the employee violates certain restrictive covenants.
The following is a sample equity clawback clause:
Employee shall not, for a period of two years after he or she resigns from the Company, engage in any activity as an employee, consultant or director, personally or with any firm or organization, that is or becomes, in the Company's sole opinion, a competitor of the Company or its subsidiaries, or is otherwise prejudicial to or conflicts with the interests of the Company. If Employee violates this noncompetition agreement, the Company shall be entitled to receive from Employee all Common Stock held by Employee. If Employee has sold, transferred or otherwise disposed of Common Stock obtained under this Agreement, the Company shall be entitled to receive from Employee the difference between the Option Price paid by Employee and the fair market value of the Common Stock on the date of sale, transfer or other disposition.
The Protocol for Broker Recruiting
The Protocol for Broker Recruiting (the Protocol) was created in 2004 by several major brokerage firms to allow departing registered representatives to take certain limited client information with them to a new firm and solicit those clients.
Registered representatives are employees engaged in the solicitation or handling of accounts or orders for the purchase or sale of securities, or in the solicitation or handling of business in connection with investment advisory or investment management services furnished on a fee basis by their employer. If the registered representative's old and new firms are members of the Protocol, then the registered representative may take the name, address, phone number, email address and account title for every client that he or she personally serviced at the firm (subject to certain limitations for partnerships and retirement agreements), and he or she may solicit these clients on behalf of the new firm.
Additional Advice Regarding Restrictive Covenants
Hiring Employees Subject to a Restrictive Covenant
Employers certainly do not want a new employee joining the workforce when he or she is subject to a restrictive covenant under an agreement with his or her former employer. So, before hiring a new employee, it is important to get him or her to confirm in writing that he or she is not subject to any restriction on competition or other contractual limitation on his or her ability to do the job (again, the job application would be the obvious place to include this). See New Hire Paperwork. Note that if an employer hires an employee when it knows or should have known that the employee is subject to a restriction on competition, the employer may become jointly liable based on the theory that it wrongfully interfered with the employee's contractual commitment to his or her former employer. That exposure to liability could result in a court order interrupting the employee's relationship with the new employer and the new employer's relationship with clients that the new employee brought with him or her.
Ensuring the Employee Is Not Improperly Using Confidential Information from His or Her Former Employer
Just as employers do not want a new employee violating a restrictive covenant with his or her former employer, employers do not want a new employee using confidential information he or she acquired from competitors. If a competitor were to persuade a court that the employer knew or should have known that the new employee was improperly using the competitor's confidential information in the employer's business, both the employer and the employee could be liable to the competitor, which could include paying out money and/or an injunction. Therefore, an employer should have each new hire give his or her express written representation that he or she is not subject to any confidentiality agreement with a former employer.
When HR learns that an employee will soon be leaving the company, it should remind the employee of his or her restrictive covenants to the extent they affect his or her post-employment activities. This should be conducted as part of a larger exit interview, the purpose of which is to both gather information regarding the employee's experience and inform the employee regarding his or her post-employment legal obligations. In addition, because employees in the financial services industry often deal with or have access to confidential information about their employer and/or its clients, HR should coordinate efforts with management and IT to take appropriate steps to limit the employee's access to that information at, or prior to, his or her departure.
The Sarbanes-Oxley and Dodd-Frank Acts
In the wake of Enron's public collapse from ethically questionable business practices, Congress passed the Sarbanes-Oxley Act of 2002 (SOX). This law established new standards for public companies, as well as their executives and accounting firms.
After the housing bubble burst and drove the economy into the Great Recession, Congress enhanced some of these standards, particularly the provisions protecting whistleblowers, through the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (Dodd-Frank Act). President Trump has directed the Treasury Secretary to review Dodd-Frank Act implementing regulations, so developments can be expected.
In the meantime, the following provisions of SOX and the Dodd-Frank Act tend to be of greatest interest to HR professionals in the financial services industry.
The SOX Act's Protection of Whistleblowers
The SOX Act makes it unlawful for employers and their staff to retaliate against employees who provide information and/or assist an investigation into a potential violation of SOX or any Securities and Exchange Commission (SEC) regulations, or securities fraud. Congress adopted this anti-retaliation provision in the wake of allegations of retaliation against employees who tried to report the Enron fraud. The SOX Act provides both criminal penalties and civil remedies.
SOX's anti-retaliation protections are afforded generally to employees of publicly traded companies and those companies' subsidiaries so long as officers of the parent company have authority to affect their employment. According to a Supreme Court decision, these protections also extend to employees of privately held contractors and subcontractors that perform work for public companies and, technically, to employees of a public company's officers, employees and agents.
The Dodd-Frank Act extends SOX's anti-retaliation protections to employees of any non-publicly traded subsidiaries and affiliates of publicly traded companies whose financial information is included in the public company's consolidated financial statements. It also extends them to staff of nationally recognized statistical ratings organizations, like Moody's and Standard & Poor's.
Courts may impose personal liability on any officer, employee, contractor, subcontractor or agent of a public company (or its subsidiaries or affiliates) who violates the anti-retaliation provision. Aside from entities that are sufficiently connected to public companies and contractors of public companies, SOX does not generally apply to companies before they have made an initial public offering (IPO), even if they registered with the SEC in anticipation of an IPO.
While there has been some disagreement about whether SOX's whistleblower provision applies to conduct outside the US, federal courts have largely determined that it does not apply extraterritorially. However, in August 2017, the US Department of Labor's Administrative Review Board (ARB) reached a contrary conclusion, holding that the SOX whistleblower provision does apply extraterritorially, noting that it would only cover foreign conduct of publicly traded foreign companies if the misconduct affects the United States "in some significant way."
SOX protects employees who provide information or otherwise help an investigation into conduct the employee reasonably believes to violate any federal securities laws, SEC rules or regulations, or any other federal laws against shareholder fraud. Some authorities disagree as to whether SOX also protects reports of corporate fraud or misconduct generally, as compared to fraud against shareholders. For employees of private contractors, courts have not yet determined whether or not SOX's anti-retaliation provision applies only to work done for the contractor's public company clients or to all of the contractor's activities. However, it is well-settled that the employee need only subjectively and objectively believe that the conduct constituted a violation. It does not matter if the employee was ultimately mistaken or wrong.
In addition, protected activity may consist of simply suggesting that the employer conduct an inquiry to determine if there truly was fraud. In some cases, employees have not been required to wait for a violation to occur and may engage in protected activity if they have a reasonable belief that a violation is likely to happen.
The employee may express his or her concerns externally to a federal regulatory or law enforcement agency or any member of Congress. The employee may also express them internally to any person with supervisory authority over the employee or any other person with authority to investigate, discover or terminate misconduct. A mere refusal to act, unaccompanied by any expression of concern that the conduct did or would violate one of the substantive laws that SOX protects, is generally insufficient.
SOX also protects employees who file, testify in or otherwise participate in any proceeding relating to an alleged violation of federal securities laws, any SEC rule or regulation, or any other provision of federal law concerning shareholder fraud.
SOX does not protect employees who merely discuss their concerns with co-workers or subordinates and do not elevate those concerns to anyone with authority to investigate, nor does it protect employees who only disclose their concerns to the media.
Prohibited Forms of Retaliation
The law broadly prohibits terminating, demoting, suspending, threatening, harassing (directly or indirectly) or otherwise discriminating against the whistleblower.
Relief Under SOX
SOX allows whistleblowers who have been retaliated against to file suit to secure a host of remedies. These include reinstatement with the same seniority status, payment of back pay with interest, and payment for any special damages, attorney fees, expert witness fees and litigation costs.
While whistleblowers were initially required under SOX to first bring their complaint to the Occupational Safety and Health Administration (OSHA), a division of the US Department of Labor (DOL) before going to court, the Dodd-Frank Act eliminated that requirement, allowing whistleblowers to proceed directly to federal court. However, they must generally do so within 180 days.
Unlike some other government agencies, OSHA accepts oral complaints in addition to those submitted in writing. See also OSHA Now Accepting Whistleblower Complaints Online. If OSHA determines after its investigation that there is "reasonable cause" to believe the employer retaliated against a whistleblower, it may issue a preliminary order demanding that the employer make the employee whole. If that order requires reinstatement, the employer is required, absent a court order, to comply, even if it appeals that determination and even if the employee is a security risk.
The Dodd-Frank Act also makes it clear that claims for alleged violations of SOX may be tried before a jury. It further invalidates predispute agreements that require claims under SOX to be submitted exclusively to arbitration and prohibits private agreements that purport to waive any rights or remedies available under SOX. One court has held that the restrictions on predispute arbitration apply to claims under SOX and certain other statutes, but not to whistleblower claims under the Dodd-Frank Act itself.
SOX also makes it a felony to knowingly retaliate against any person for providing truthful information to a law enforcement officer relating to the actual or possible commission of a federal offense. Penalties include fines and/or up to 10 years in jail.
Steps for Employers
To comply with SOX, employers should:
- Establish different avenues through which employees may report concerns about improper conduct. These avenues may include a toll-free hotline, a drop box, a third-party service provider or other means by which employees can report their concerns anonymously. While publicly traded companies must establish a complaint procedure for whistleblowers, it is a best practice for all organizations to have one.
- Develop and distribute a Code of Conduct that:
- Outlines the different avenues for reporting alleged violations;
- Defines the process of investigating allegations; and
- Reinforces the employer's commitment to not retaliate against the reporting employee.
- Be prepared to promptly and thoroughly investigate all alleged violations.
- Train employees, especially supervisors, on the Code of Conduct. This training should include guidance on how to recognize protected whistleblower activity, instructions on how to lodge complaints, and a clear explanation of the anti-retaliation policy that includes a discussion of what is prohibited.
The Dodd-Frank Act Expands Congress's Anti-Retaliation Mandates
In addition to broadening the protections of SOX, the Dodd-Frank Act creates sweeping new whistleblower protections for employees in the financial services industry. As almost any employer in the financial services industry now faces the possibility of being subject to one or more federal or state whistleblower statutes, it has become necessary to create compliance programs and train the workforce on them.
Overall Scope of Dodd-Frank
In addition to amending SOX, the Dodd-Frank Act creates incentives to report securities and commodities law violations and protections for whistleblowers in those arenas. It also prohibits retaliation against employees who report violations of the Consumer Financial Protection Act of 2010 (contained in the Dodd-Frank Act) or any other law within the jurisdiction of the Consumer Financial Protection Bureau (CFPB).
Consumer Financial Protections
To protect consumers, the Dodd-Frank Act prohibits retaliation against employees for reporting fraudulent or unlawful conduct related to financial products or services. This prohibition extends to banks, nonbank financial service providers, mortgage lenders and servicers, providers of financial advisory services, consumer reporting agencies, money transmitters, providers of prepaid cards, payday lenders, credit counselors and debt settlement providers and debt collectors.
Employees generally engage in protected activity when they disclose to certain entities or persons information concerning fraudulent or unlawful conduct related to financial products or services. The protected disclosures include those made internally to the employer or externally to the CFPB or any other government authority or law enforcement agency. Protected activity also includes initiating proceedings under any federal consumer financial law; testifying in proceedings involving any laws, rules or regulations within the CFPB's jurisdiction; or objecting to or refusing to participate in any conduct reasonably believed to violate any law, rule, order, standard or prohibition within the CFPB's authority.
Employees must subjectively and objectively believe that the conduct was illegal. It does not matter if the employee was ultimately mistaken or wrong. Employees do not have to wait for a violation to occur. A report about a future violation qualifies as protected activity.
Prohibited Forms of Retaliation
Financial services industry employers are not allowed to terminate, demote, suspend, threaten, harass (directly or indirectly) or otherwise discriminate against the whistleblower in the terms and conditions of his or her employment.
Resolution of Claims - Scope and Procedure
To bring a claim of retaliation in violation of the consumer financial protection laws, the employee must file a complaint with the federal Department of Labor within 180 days of the violation. Resolutions of a claim may include reinstatement at the same seniority level, back pay with interest, and reasonable attorney fees and related costs.
Financial services industry employers may not require employees to waive, release or limit their rights under the Dodd-Frank Act (e.g., in severance agreements). While some commentators have suggested that this law also bars predispute agreements requiring whistleblower retaliation claims under the Dodd-Frank Act to be submitted only to arbitration, some courts have found that the anti-retaliation provision of the Dodd-Frank Act permits such agreements.
Securities Whistleblower Protections
In addition to creating consumer financial protections, the Dodd-Frank Act modifies the Securities and Exchange Act of 1934 (the 1934 Act or SEA) to prohibit retaliation against whistleblowers. According to at least one court, prohibited retaliation is not limited to employment actions, but extends to actions taken by the employer after the whistleblower's employment ends (e.g., blacklisting the whistleblower or terminating a business relationship with the whistleblower's new employer).
Protected activity includes making disclosures required or protected under SOX, the 1934 Act, 18 U.S.C. § 1513(e) or any other law, rule or regulation within the SEC's jurisdiction. To be protected by Dodd-Frank's antiretaliation provisions, a whistleblower must have made the disclosure to the SEC; disclosures to the employer do not qualify as protected activity. See Digital Realty Trust v. Somers, +2018 U.S. Lexis 1377 (U.S. 2018).
Also, the whistleblower must have a subjectively and objectively reasonable belief that the alleged conduct was illegal. It does not matter if the employee was ultimately mistaken or wrong. Employees do not have to wait for a violation to occur. Reports about future violations qualify as protected activity.
Relief - Scope and Procedure
Whistleblowers, or the SEC, may file a civil lawsuit for remedies. Available remedies include reinstatement at the same seniority level, double back pay with interest, and reasonable attorney fees and related costs. In addition, the securities whistleblower can go straight to court without first stopping at the SEC or another government agency.
Unlike other types of whistleblowers, securities whistleblowers have a long time in which to bring retaliation claims. These claims must be filed within six years of the retaliatory act or within three years of when the employee knew or should have known facts material to the claim, but not more than 10 years after the underlying securities violation.
Securities whistleblowers also have a right to a jury trial, and the SEC prohibits employers from requiring their staff to waive or limit their rights under the Dodd-Frank Act. While some commentators have suggested that predispute agreements that require securities whistleblower retaliation claims to be submitted exclusively to arbitration are unenforceable, some courts have disagreed and enforced such agreements.
In the Dodd-Frank Act, Congress also created a controversial incentive for securities whistleblowers to go directly to the SEC without first reporting their concerns internally. This program allows monetary rewards, or bounties, to those who voluntarily provide the SEC with original information that leads to its successful enforcement of a court or administrative action that culminates in sanctions of $1 million or more. In these instances, the whistleblower may be eligible for 10 to 30 percent of the sanctions obtained as a result of the information provided.
As this program allows the whistleblower to remain anonymous if certain conditions are met, it provides an unusually attractive avenue for whistleblowers to report their concerns confidentially.
So far, it appears to have been increasingly successful. The SEC reports that it has awarded more than $175 million to whistleblowers since the inception of its whistleblower program in 2011, adding that enforcement actions from whistleblower tips have resulted in more than $1 billion in financial remedies. In its 2017 report to Congress, the SEC's Office of the Whistleblower reported that it issued nearly $50 million to 12 whistleblowers in FY 2017 alone. While its largest award, $30 million, was issued in 2014, in early 2017, the SEC awarded two whistleblowers $7 million and $5.5 million, respectively.
Notably, in April 2015, the SEC awarded more than one million dollars to a compliance professional that provided information that assisted an enforcement action against the whistleblower's employer. This award was notable because it marked the first time the SEC applied the "substantial injury" exception to the general bar against rewarding compliance or internal audit professionals. The agency applied the exception in this instance because it found the individual had a reasonable belief that the information had to be disclosed to prevent substantial injury to the employer or its investors.
The SEC also issued in 2015 its first anti-retaliation award - totaling more than $600,000.
This ongoing pattern incentivizes whistleblowers to report their concerns to the SEC without first reporting them internally to their employer.
Confidentiality Agreements and SEC Rule 21F-17(a)
The SEC has also taken other steps to encourage whistleblowers to come forward. For example, it has become more aggressive in enforcing SEC Rule 21F-17(a), which bars employers from taking any action to prevent or discourage someone from communicating with the SEC about possible securities law violations. In doing so, the SEC has been reviewing standard confidentiality agreements and policies, nondisclosure agreements, as well as severance and settlement agreements, to ensure they do not constrain whistleblowers from reporting possible securities law violations to the SEC. In 2016, the SEC ordered a company to remove language from its severance agreements that prevented employees from accepting monetary awards for whistleblower complaints and fined the company $265,000. In its 2016 report to Congress, the SEC confirmed that these assessments will continue to be a top priority. As a result, employers should carefully scrutinize their agreements, policies, procedures, and forms to ensure they, and any related employee training, do not violate SEC Rule 21F-17(a). See also SEC Announces First Whistleblower Action Addressing Confidentiality.
In addition to the SEC, OSHA released in 2016 its own set of guidelines for private settlement agreements in whistleblower actions pending before the agency. OSHA's guidelines virtually mirror the SEC's concerns about settlement agreements that discourage whistleblowers from communicating their concerns to the government and limit their financial incentive to report them.
The SEC also plans to continue efforts to protect investors by examining the cybersecurity policies, procedures and controls of employers in the securities industry. These policies and procedures must be reasonably designed to prevent violations of the securities laws. To that end, the SEC has been encouraging employers to address cybersecurity risks in their compliance programs. The agency suggests a particular focus on identity theft, data protection, fraud and business continuity, as well as other disruptions in service that could affect, for example, the ability to process shareholder transactions. Such compliance programs should be customized to the nature and scope of the business and extend to third-party service providers who help the employer carry out its operations to ensure that they, too, have acceptable safeguards in place.
Commodities Futures Whistleblower Protections
Commodities whistleblowers now have protections akin to those of securities whistleblowers. The Dodd-Frank Act added to the Commodities Exchange Act (CEA) a prohibition against retaliation for providing the Commodities Futures Trading Commission (CFTC) with information that relates to a potential violation of the CEA.
Most of the protections are parallel to those created for securities whistleblowers. For example, commodities whistleblowers also have a private right of action and may go directly to court to obtain relief. Commodities whistleblowers also may participate in a bounty program like the one available to securities whistleblowers. Essentially, persons who voluntarily provide original information to the CFTC that leads to a successful award or resolution of a CFTC judicial or administrative action may get a bounty. If the CFTC obtains sanctions over $1 million, the bounty may be as much as 10 to 30 percent of those sanctions. To date, the CFTC has issued one whistleblower award in the amount of $240,000 in 2014.
Unlike securities whistleblowers, however, a commodities whistleblower must bring his or her claim within two years of the alleged adverse action.
FDIA Whistleblower Protections
The Federal Deposit Insurance Act (FDIA), which governs the Federal Deposit Insurance Corporation (FDIC), provides limited whistleblower protections to employees of FDIC-insured institutions and certain federal agencies (i.e., Section 5328 applies to federal banking agencies, federal home loan banks, the federal reserve bank and anyone working for the FDIC, either directly or indirectly). Whistleblowers employed by the private institutions on the list are protected against retaliation for reporting to a federal banking agency or the attorney general possible violations of any law or regulation, gross mismanagement, gross waste of funds, an abuse of authority, or a substantial and specific danger to public health or safety by the institution or any of its directors, officers or employees. Significantly, unlike securities and commodities whistleblowers, there is no bounty program for FDIA whistleblowers. If the FDIA whistleblower protection law is violated, a court may order reinstatement of the whistleblower, as well as compensatory damages, and/or other appropriate remedial actions.
State Whistleblower Protections
Some states have whistleblower laws that apply to private employers.
In October 2015, the Connecticut Supreme Court reached a seminal decision for whistleblowers when it held that an employee of UBS had a right under the state constitution to be protected from retaliation for reporting overstatements of the bank's real estate and mortgage investments. The court concluded that whistleblowers are entitled to such protection as long as their speech concerns matters of significant public concern (e.g., dishonest or dangerous practices) and does not undermine the employer's legitimate interest in maintaining discipline, harmony and efficiency in the workplace. See also Employee Discipline: Connecticut.
Pay Ratio Rule
The Dodd-Frank Act also requires most publicly traded companies to disclose the ratio of the annual total compensation paid to the company's chief executive officer (CEO) to the median of other employees' annual compensation. Such companies must state this ratio in certain filings, such as proxy and information statements, annual reports and registration statements, no later than their first fiscal year in 2017.
The SEC tried to provide some flexibility in calculating the ratio. For example, companies may use statistical sampling and may exclude employees outside the US from the calculation if disclosure might violate a foreign country's data privacy laws or those non-US employees account for five percent of the company's total employees or fewer, with certain limitations.
General Best Practices for Corporate Compliance Programs after Dodd-Frank
By following some practical steps, employers can put themselves in the best possible position for dealing with potential whistleblower or retaliation claims and can go a long way toward preventing such claims:
- Create a Culture of Ethics and Compliance
- Leadership commitment to whistleblower rights and a non-retaliatory environment.
- A true "speak up" culture, which encourages reporting of wrongdoing, fair evaluation of such reports and effective resolution of concerns. In other words, the employer must assure employees that internal reporting is safe, effective and appreciated.
- Independent Complaint Review Process and Reporting Line, Which Can Reach the Employer's Board or Oversight Body, if Necessary
- The system should include clearly defined roles, responsibilities and expectations for top leaders, managers, compliance and legal staff, and HR and labor relations.
- The procedures should be known and accessible to all.
- For workers: training should include employee's rights and available internal and external protection programs.
- For managers: training should encompass the employee's training and the employer's anti-retaliation policy and anti-retaliation skills. Anti-retaliation training should address what constitutes retaliation and how to prevent and address it.
- Monitor and Measure the Program's Progress and Efforts
- Program monitoring and measuring should be done in a way that does not suppress reporting.
- Independent Audits to Determine if the Program Is Working
- Are workers coming forward, unafraid of retaliation?
These elements are often adjusted based on the organization's size and history. See also Whistleblowing Best Practice Manual.
Dodd-Frank's Impact on Incentive Compensation at Financial Institutions
The Dodd-Frank Act changes and even eliminates, in some instances, the type of incentive-based compensation arrangements that certain financial institutions can offer employees. Congress adopted these measures because these plans rewarded employees for taking actions that generated short-term profits, but also exposed the institution to unnecessarily high risk and contributed to the Great Recession.
Section 956 of the Dodd-Frank Act, which awaits issuance of final regulations to become effective and applies to only a small group of institutions (i.e., financial institutions, such as depository institutions, depository institution holding companies, registered broker-dealers, credit unions and certain investment advisors, with total assets of at least $1 billion), will impose two requirements on incentive-based compensation arrangements. First, it will prohibit incentive-based payment arrangements that encourage inappropriate risks:
- By providing an executive officer, employee, director or principal shareholder with excessive compensation, fees or benefits; or
- That could lead to material financial loss to the financial institution.
Second, it will require disclosure to federal regulators of the structure of any incentive-based compensation arrangements (but not the actual amount of such compensation) so they can determine whether the arrangement provides excessive compensation, fees or benefits, or could lead the institution to incur a material financial loss.
The Volcker Rule
The Volcker Rule, which was named for former Federal Reserve Chairman Paul Volcker, generally prohibits banking entities (which includes banks and their affiliates) from engaging in proprietary trading, but allows them to conduct underwriting, market-making and risk-mitigating hedging activities so long as certain requirements are met. This includes a requirement that the individuals performing those activities be compensated in a way that does not reward them for, or incentivize them to engage in, prohibited proprietary trading.
The Volcker Rule may be modified or even rescinded by the Trump administration.
In the meantime, while the Volcker Rule and its implementing regulations provide little guidance on how to structure an appropriate incentive compensation arrangement, the commentary accompanying the pending regulations provides some guidelines.
In terms of underwriting activities, it suggests that compensation incentives be structured to reward customer revenue and effective service by, for example, considering revenue resulting from price movements in the underwritten securities, but only to the extent such revenue reflects the effectiveness of the employee's management of the underwriting risk. Thus, a compensation plan should not simply reward speculation in, and appreciation of, the market value of the underwritten securities. Nor should it be based solely on net profit and loss, without consideration for inventory control or the risk taken to achieve them.
The commentary contains similar guidance for structuring incentive compensation plans for individuals who engage in market-making activities. For these activities, it is recommended that such incentives likewise reward customer revenues and effective customer service, for example, through effective and timely intermediation and liquidity services to customers, and not reward speculation in, and appreciation of, the market value of a position held in inventory. As with underwriting incentive compensation, the commentary indicates it would be inappropriate for such incentives to be based solely on net profit and loss, without consideration for inventory control or the risk taken to achieve them.
As for employees engaged in risk-mitigating hedging, the commentary suggests it would be inappropriate to reward them with incentive compensation based primarily on whether their positions appreciated in value as opposed to whether their positions reduced or mitigated risks.
Executive Compensation Clawbacks
The SOX Act also seeks to deter financial reporting improprieties by publicly traded companies by requiring such companies to recover or "claw back" certain forms of executive compensation. For example, if a publicly traded company's financial statements must be restated because misconduct caused material noncompliance with financial reporting rules under federal securities laws, SOX requires that the chief executive officer and chief financial officer repay their bonuses, incentive- or equity-based compensation and any profits realized from the sale of company stock during the 12-month period following the company's filing of the financial statements with the SEC, whether or not they were directly involved in the financial reporting misconduct.
The Dodd-Frank Act expanded clawbacks by broadening the circumstances that trigger them and the list of executives subject to them. For example, clawbacks are now required without regard to whether the accounting restatement is due to misconduct. Moreover, publicly traded companies are expected to claw back compensation from any current or former executive who received incentive-based compensation (including stock options) during the three-year period before the company must prepare an accounting restatement.
The Dodd-Frank Act also authorized the SEC to implement rules that require publicly traded companies to develop and enforce written policies requiring recovery of erroneously awarded incentive-based compensation in the event of accounting restatements.
Bonuses and Commissions
In addition to a weekly salary or an hourly pay rate, it is quite common for financial services industry employers to offer bonuses and, in some cases, commissions.
Bonus plans and policies should be drafted and referred to carefully to accurately depict how eligibility and amounts are determined. For example, some bonuses are discretionary and based solely on company performance. Some are based on a mixture of company and individual performance, while others are based solely on individual performance.
In addition, some employers tie the amount of the bonus to past performance but pay it only to incentivize employees to continue that high level of job performance. These employers often seek to withhold payment of a bonus if the employee terminates employment before the bonus is scheduled to be paid. While bonuses are often regulated by state law, most states require that the terms be spelled out clearly in advance to ensure the employee had adequate notice of them.
Is the Bonus Truly Discretionary?
If the employer wants to maintain sole discretion to determine whether or not to pay a bonus to all or some of its employees, it should consider the following steps:
First, make sure that any documents referring to the bonus, whether they are an employment offer letter, in an employee handbook or elsewhere, state unequivocally that payment of a bonus is completely discretionary. Bonuses that are tied to an employee's achievement of certain sales targets should state clearly whether or not the bonus is guaranteed upon their achievement or remains subject to the employer's discretion.
The following sample language denotes a discretionary bonus: "The Company reserves exclusive discretion to determine eligibility and the amount of any bonuses."
Second, in the context of an offer letter or employment agreement, it may be wise to state that the agreement supersedes all other prior agreements, written or oral. This provision is sometimes referred to as a merger clause. A merger clause can help eliminate claims that are based on oral promises to pay a bonus.
The following is a sample merger clause in a discretionary bonus agreement: "The terms and conditions of this written agreement constitute the entire agreement between you and the Company concerning any bonuses, and supersede any prior agreements, promises or understandings (written or oral) concerning them."
Conditioning a Bonus on Employment Through the Date It Is to Be Paid
Many states permit employers to condition payment of a bonus on an employee's continued employment or satisfactory performance through the date the bonus is to be paid. To be enforceable, these conditions may need to be documented and communicated to the employee in advance.
The following language conditions payment of a bonus based on continued employment: "A bonus is not deemed earned until the bonus is distributed to the employee. You must be employed with the Company on the date bonuses are distributed to be eligible for a bonus."
Also, in some states, the employer may be required to pay the bonus if the employer terminates the employee without cause after the bonus period ends but prior to the bonus distribution.
An employee's eligibility for commissions and the amount of those commissions can become hotly disputed, particularly in the absence of clear documentation outlining when a commission becomes earned and how it is to be calculated and paid. Many states have wage payment laws that strictly require employers to timely pay all earned wages, which may include commissions. In these states, once a commission becomes earned, the employer may be required to pay it in full, whether or not the employee is still working for the company and even if the underlying transaction is later reversed.
Some states, such as California and New York, require written commission agreements that are signed by both the employer and employee. Among other things, these commission agreements must define when commissions become earned and specify what happens should the employee leave the company for any reason before they are due to be paid.
Avoiding Unlawful Commission Deductions
Employers often wish to avoid paying commissions on transactions before those transactions can no longer be reversed. To avoid this problem, it is wise to state clearly that a commission is not deemed earned until a certain amount of time elapses after receipt of payment from the client. If the transaction is reversed before this time expires, the employer may avoid payment of the commission because it has not yet been earned.
The following sample language denotes the delay in earning a commission: "Commissions are not deemed earned until 60 days have passed after receipt of payment from the client without reversal of the transaction."
The employer may choose the number of days, but the number should be tied reasonably to the circumstance of the underlying transaction and not be extraordinarily long. Also, if the employer provides advances on commissions, it should state clearly in writing the extent to which these advances may be subject to clawback in the event the commission is not ultimately earned. In these cases, the employer should ensure that the clawback arrangement does not run afoul of any applicable state laws.
The following sample language denotes a commitment to pay commission advances on sales before the commission is earned: "Because commissions are not deemed earned until the 60th day after receipt of payment from the client without reversal of the transaction, the Company reserves its exclusive right to provide an advance of the anticipated commission before the commission becomes earned."
Avoiding Post-Termination Commission Payments
Courts periodically find employees are entitled to post-termination commissions on pre-termination transactions when the documents describing the commission arrangement fail to state clearly when the employee earned the commissions. To avoid unintended commission liability, a commission agreement should clearly communicate the extent to which employees are eligible for post-termination commissions.
The following language limits the obligation to pay post-termination commissions: "In order to earn a commission, the employee must be employed with the Company on the date the commission becomes due under the terms of this Agreement."
The following language describes what happens upon termination of employment: "Termination of Employment: Only commissions earned under this Agreement on or before the date of employment termination will be paid to departing employees. Such commissions shall be paid in compliance with applicable law."
Federal Contractors and Pay Discrimination
In light of certain regulatory priorities, federal contractors in the financial services industry should consider having legal counsel conduct a privileged investigation to confirm compliance with their federal contractor obligations. In its 2017 budget justification, the Department of Labor's Office of Federal Contract Compliance (OFCCP) indicated its top priorities will include addressing systemic pay discrimination, particularly in the financial services industry. This means the OFCCP will likely increase its scrutiny of financial institutions with federal share and deposit insurance through, for example, the Federal Deposit Insurance Corporation (FDIC), whom the OFCCP considers to be federal contractors.
In a related development, the OFCCP implemented a rule in 2016 that prohibits most federal contractors from discriminating against any employee or applicant for inquiring about, discussing or disclosing their or another individual's compensation. The rule does not, however, allow employees with on-the-job access to others' compensation data to disclose that pay data to persons who do not have access to it, unless:
- In response to a formal complaint or charge;
- In furtherance of an internal or external investigation, proceeding, hearing or action; or
- Consistent with the federal contractor's legal duty to furnish information.
The OFCCP also requires such contractors to include its Pay Transparency Nondiscrimination Provision in their employee handbooks and post it on their career webpage or conspicuously within their facilities.
Understanding the Foreign Corrupt Practices Act (FCPA)
Enacted by Congress in 1977, the FCPA prohibits providing something of value (e.g., a bribe or corrupt payment) to one or more foreign officials to advance an organization's business interests. Increased government enforcement activities over the past several years have made this a high-risk area for employers that do not take adequate steps to prevent conduct that could lead to liability.
The FCPA specifically prohibits offering, giving or promising to give any money or anything else of value, or authorizing such payment or gift, to any foreign official for the purpose of:
- Influencing that official to take any act or make any decision or inducing that official to take or not take an action in violation of his or her lawful duty; or
- Inducing that official to use his or her influence with the foreign government to affect or influence a decision by that government that relates to the organization obtaining or retaining business.
Who Does the FCPA Apply to?
The FCPA applies to three categories of entities:
- Issuers of securities in the US: This means any company with securities listed on a domestic securities exchange or with a class of securities quoted in a domestic over-the-counter market, even if they are not a domestic company.
- Domestic Concerns: This means any citizen, national or resident of the United States, as well as any corporate entity organized under US law or that has its principal place of business in the US. Corporate Domestic Concerns may be liable for acts of their foreign subsidiaries.
- Foreign nationals or entities that either directly or through an agent engage in any act in furtherance of any of the conduct prohibited by the FCPA while in the territory of the US.
The FCPA also applies to the officers, directors, employees, agents and shareholders of those corporate entities who are covered by the Act. It does not matter whether the unlawful conduct takes place inside or outside the US.
What Is a Bribe or Corrupt Payment?
The FCPA takes a broad view of what constitutes a bribe. It includes:
- Payment of cash or cash equivalents, such as gift cards;
- Payment of travel expenses not directly related to a business purpose;
- Gifts with a value beyond typical logoed and marketing items and other small value items, such as chocolates;
- Extravagant entertainment activities;
- Awarding contracts to entities in which the foreign official has an interest;
- Charitable donations to entities affiliated with the foreign official; and
- Providing any of the above benefits to a family member of the foreign official.
While it is relatively easy to identify the payment of cash as improper, the line between legitimate marketing/relationship building activities and illegal conduct is often hard for employees to distinguish. This can often be further complicated when certain conduct, which may be illegal under the FCPA, is viewed as customary in certain countries. As employers in the financial services industry often do business outside the US, their HR departments should be equipped to provide specific guidance, when necessary.
For example, in August 2015, BNY Mellon agreed to pay $14.8 million to settle charges that it violated the FCPA by providing internships to family members of foreign officials of a sovereign fund after the SEC alleged that these internships were provided to unqualified persons outside standard hiring procedures in exchange for the fund's continued business with BNY Mellon.
Who Is a Foreign Official?
The FCPA also takes a broad view of who qualifies as a foreign official. Naturally, it includes anyone employed by a foreign government, from a head of state, to a ministry head, to elected officials and administrative agency employees. However, it also includes many others who are not, strictly speaking, associated directly with the government. This includes:
- Employees of state owned or controlled entities, such as public utilities, hospitals and transportation systems;
- Political parties and their representatives;
- Candidates for elective office; and
- Employees of public international organizations, like the International Monetary Fund, the World Trade Organization, the World Bank and the Organization of American States.
Liability for Acts of Third Parties
There is a common misconception that if an employer has a third party act as an intermediary with the foreign official, or if the employer can plausibly claim that it was unaware of the third party's conduct on its behalf, the employer may be insulated from FCPA liability for any violations by that third party. This is not the case.
The FCPA expressly prohibits corrupt payments made through third parties. For example, it specifically prohibits payments "to any person, while knowing that all or a portion of such money or thing of value will be offered, given or promised, directly or indirectly" to a foreign official. The federal government takes a broad view of the term "knowing." It may be met when the person is aware there is a high probability that his or her payment would be used for a corrupt payment to a government official. It may also be met when the person purposefully avoids knowledge of the possibility it will be used for a corrupt payment. The Department of Justice (DOJ) and SEC specifically recommend that companies in the financial services industry practice risk-based due diligence on associated third parties and be on the lookout for "red flags," such as:
- Excessive commissions;
- Large discounts to distributors;
- Consulting agreements with vague descriptions of services;
- Service contracts that are outside the third party's normal line of business;
- Close relations between the third party and a government official; and
- Payment of fees to bank accounts in other jurisdictions.
Mergers and Acquisitions
The DOJ and SEC have also issued specific guidance for mergers with, and acquisitions of, companies associated or doing business with foreign officials. The following activities may be appropriate steps following a merger or acquisition:
- Conduct thorough risk-based FCPA and anti-corruption due diligence;
- Quickly implement anti-corruption policies and procedures for the newly acquired business;
- Train directors, officers and agents of the newly acquired business on the FCPA and the company's ethics and compliance programs;
- Conduct an FCPA-specific audit of newly acquired businesses as quickly as practicable; and
- Disclose any corrupt payments discovered in due diligence.
If the acquiring entity takes these steps, the DOJ and SEC may be less inclined to bring an enforcement action against it for pre-acquisition or pre-merger violations by the acquired or merged entity.
A Narrow Exception from Liability
The FCPA has narrow exceptions for facilitating or expediting payments. These are payments made to foreign officials in furtherance of routine governmental actions over which the foreign official has no discretion. Examples of nondiscretionary acts include:
- Processing governmental papers, such as visas;
- Issuing permits, licenses and other official documents; and
- Supplying utilities, such as water or telephone service.
The FCPA generally permits small payments to expedite these kinds of services. They may be illegal, however, if local law does not permit them. Moreover, simply calling something a "facilitating payment" will not shield a party from liability if the overall facts suggest influence is being sought. While the size of the payment, in and of itself, is not determinative, the larger it is, the harder it is to characterize it as a facilitating payment.
While the FCPA permits facilitating payments, many employers maintain policies that prohibit even these kinds of payments to help create a bright-line test for what is acceptable under company policy. Even employers that do permit facilitating payments should create a review process that ensures they truly are facilitating payments.
Both companies and the individuals engaged in conduct prohibited by the FCPA may be subject to significant sanctions. These include:
- Fines on companies up to $2,000,000;
- Fines on individuals up to $100,000; and
- Imprisonment of individuals for up to five years.
The US government's increased enforcement of the FCPA has led to a dramatic rise in the amount of collected penalties (including settlements). In 2002, the government assessed $2.7 million in total fines against companies for FCPA violations. Today, that figure appears inconceivably small. From 2008 through 2011, FCPA penalties have averaged more than $900 million each year. In the last several years, the heavy fines and settlements have continued - increasing $259.4 million in 2012, $731.1 million in 2013, and $1.56 billion in 2014. Although these numbers dropped in 2015 to $140 million, the upward trend resumed in 2016, with fines and settlements rising to a new height: $2.6 billion.
Global Trends Against Corruption
When the FCPA was enacted in 1977, the US stood as an outlier in its efforts to combat this type of corruption. For many years, domestic corporations complained that the FCPA created a competitive disadvantage. Today, much of the world has caught up, and in some cases surpassed the US in this area. For example, in 2010, the UK enacted the UK Bribery Act, which not only prohibits bribing foreign officials, but also bars commercial bribery and facilitating payments and heightens the standards on liability for a third party's actions. Increased enforcement actions have also been seen in high risk countries like China and Brazil, where the perception of corruption continues to undermine their economic development.
Given the global enforcement climate, employers in the financial services and other industries are increasingly taking steps to mitigate their risk by:
- Instituting anti-corruption policies that strictly prohibit bribery;
- Training employees on their obligations and limitations in connection with transacting business with foreign officials; and
- Developing internal controls and testing procedures to detect potential unlawful activities.
Employee Communications With Clients Through Social Media
Social media has undeniably transformed the way financial services industry employers communicate with their clients - whether it is via Facebook, Twitter, LinkedIn, blogs, etc. In one instance, it may entail premature release of information from earnings reports. In another, a broker may be recommending certain securities before the organization issues its recommendations publicly. As a result, various governmental agencies have published guidance on the proper use of, and management of risks associated with, social media by certain financial institutions.
SEC Guidance to Investment Advisors
The SEC's Office of Compliance Inspections and Examinations published in 2012 a National Examination Risk Alert (Risk Alert) on investment adviser use of social media. The Risk Alert was drafted not as a list of rules when using social media, but rather as a set of guidelines on how to utilize social media in compliance with the Investment Advisors Act of 1940 (Advisors Act) and federal security laws.
In a follow-up to the Risk Alert, the SEC's Division of Investment Management published in March 2013 a Guidance Update (Guidance Update) that clarifies when certain interactive content published on social media forums must be reported to the SEC or other federal regulators.
Addressing Use of Social Media in a Compliance Program
Investment advisers are generally required to adopt and implement written policies and procedures for their employees to follow to prevent violations of the Advisors Act. The Risk Alert recognized that some, but not all, investment advisers had policies or procedures addressing use of social media, but many were too vague about what is prohibited or permitted. The Risk Alert recommends that investment advisers consider the following nonexhaustive list of factors when evaluating whether their compliance programs effectively address use of social media:
If the investment adviser permits its employees to access social media sites, it should consider whether this access poses a conflict of interest or information security risks. If access would create an information security risk, the employer should consider adopting policies and procedures to create appropriate firewalls between sensitive customer information, the firm's proprietary information and any social media site.
Investment advisers should consider whether they need guidelines for their employees on the appropriate use of social media, including restrictions and prohibitions on the use of social media sites. These types of guidelines have become increasingly subject to scrutiny by the National Labor Relations Board (NLRB). The NLRB has sought to carefully curtail any perceived restrictions on employees' ability to discuss with each other their wages, hours or working conditions, whether the employees are unionized or not.
Employers should also consider the extent to which they will allow third parties to post on their social media sites. Some investment advisers limit third-party postings to authorized users and prohibit posting by the general public. Others post disclaimers on their sites, advising that they do not approve or endorse any third-party postings.
Content Standards and Approval
Investment advisers owe their clients a duty of loyalty and may not engage in activities that conflict with a client's interests without the client's consent. They are expected to take this fiduciary duty and the Advisors Act rules into account when establishing content guidelines for social networking sites. For example, some investment advisers may decide, based on the security risks involved, to prohibit the sharing of investment recommendations on social networking sites.
Investment advisers are also subject to certain rules when advertising. For example, advertisements may not contain untrue statements, be misleading, use or refer to client testimonials, or refer to past, specific recommendations that were profitable, unless the advertisement meets certain conditions. The Risk Alert specifically advises that the use of social plug-ins, such as the "Like" button on Facebook, could be deemed a testimonial if it is an explicit or implicit statement of a client's experience with an investment adviser. For example, if the public is invited to "Like" an investment advisor's biography posted on a social media site, that election could be viewed as an inappropriate or paid testimonial.
To promote compliance and prevent violations of federal securities laws and the investment adviser's internal policies, the Risk Alert recommends that investment advisers consider training employees on the proper use of social media.
Monitoring and Frequency of Monitoring
Investment advisers should also consider how to effectively monitor their employees' usage of third-party social media sites or third parties' access to their social media site. Additionally, the investment adviser should consider the frequency with which this monitoring is done and whether to require that content be preapproved before it is posted. Post-hoc content review may not always be reasonable because it may not timely catch violations of the investment adviser's fiduciary obligations.
Investment advisers also have certain recordkeeping requirements, which generally entail preserving required records in an accessible place for at least five years. Required records include written communications that contain an employee's recommendation or advice. In terms of electronically storing these records, the rules require maintaining and preserving records:
- In a manner that reasonably safeguards them from loss, alteration or destruction;
- While limiting access to properly authorized personnel and the SEC; and
- Reasonably ensuring that any reproduction is complete, true and legible.
Communications through social media platforms that fall within the definition of required records should be preserved in accordance with the usual recordkeeping requirements. To ensure they are sufficiently captured, HR should work with management to review existing policies and procedures to ensure they address the following:
- Determining whether the social media communication is a required record, and if so, the applicable retention period and the accessibility of the records;
- Maintaining social media communications in electronic or paper format (e.g., screen print or PDF of social media page, if practicable);
- Conducting employee training on recordkeeping requirements, including those for storage in an electronic format;
- Periodic test checking of compliance with the recordkeeping requirements; and
- Using third parties to assist with compliance with the recordkeeping requirements.
In the Guidance Update, the SEC's Division of Investment Management announced that the following interactive content published by investment advisers in social media forums do not have to be reported to the SEC and/or other federal regulators:
An incidental mention of a specific investment company or family of funds, unrelated to a discussion of the investment merits of the fund.
Example: "Fund X Family of Funds invites you to their annual benefit for XYZ Charity."
Example: "Consumer Reports has written an article in which it mentions our Brand X Rewards Card. Are you a card member?"
The incidental use of the word "performance" in connection with a discussion of an investment company or family of funds, without specific mention of some or all of the elements of a fund's return.
Example: "We update the performance of our funds every month and publish the results on <website URL>."
Example: "Click on this link <website URL> where we provide full details of our yearly performance since inception."
A factual introductory statement forwarding or including a hyperlink to a fund prospectus or to other information already filed in accordance with the Advisors Act or other federal securities laws.
Example: "The new ABC ETF Strategy Report is now available through this link: <website URL>."
Example: "We launched two new emerging market funds this week. More info about them is available here <website URL>."
An introductory statement not related to a discussion of the investment merits of a fund that forwards or includes a hyperlink to general financial and investment information such as discussions of basic investment concepts or commentaries on economic, political or market conditions.
Example: "The 'low volatility anomaly' is explained in our latest white paper: <website URL>."
Example: "The election is over, what is next for our economy? See our report analyzing the elections. <website URL>."
A response to an inquiry by a social media user that provides discrete factual information that is not related to a discussion of the investment merits of the fund (for example, directing the social media user to the fund prospectus).
- Inquiry: "What is the better investment, buying real estate or buying a REIT?"
- Fund's posted response: "There are a lot of things to consider when choosing between the two options. The answer depends on your goals and risk tolerance and whether you want to invest in a REIT, a fund that invests in REITs or real property. While we can't talk about specific funds on [social media], please give us a call at [insert phone number] and we will be happy to talk to you in more detail about this."
- Inquiry: "What was the NAV for ABC fund on Friday?"
- Fund's posted response: "$xx.xx."
Per the Guidance Update, the following interactive communications generally should be reported to the SEC and/or another federal regulator:
A discussion of fund performance that provides specific mention of some or all of the elements of a fund's return (e.g., one-, five- and 10-year performance) or promotes a fund's returns.
Example: "Our quarter-end returns have exceeded our expectations!"
Example: "Fund performance rebounded strongly during the third quarter of 2016."
Example: "The fund slightly underperformed its benchmark, the S&P 500 Index, during the quarter that ended September 30, 2016."
A communication initiated by the issuer that discusses the investment merits of the fund.
Example: "As you plan for retirement, consider our new lifecycle fund <website URL>."
Example: "Our ABC Fund was included in the list of best new funds recently published by Morningstar. <website URL>."
Federal Financial Institutions Examination Council (FFIEC) Guidance on Social Media
The FFIEC released guidance to help its members' regulated financial institutions (e.g., banks, savings associations, credit unions and nonbank entities supervised by the Consumer Financial Protection Bureau and state regulators) understand its expectations regarding their use and management of social media. The final guidance does not impose any new requirements on the regulated financial institutions. It helps financial institutions identify potential risk areas and provides considerations that the regulated financial institutions may find useful in conducting risk assessments and crafting and evaluating policies and procedures regarding social media.
The FFIEC is composed of six members (the Agencies):
- The Office of the Comptroller of the Currency;
- The Board of Governors of the Federal Reserve System;
- The Federal Deposit Insurance Corporation;
- The National Credit Union Administration;
- The Consumer Financial Protection Bureau; and
- The State Liaison Committee, which is composed of representatives of five state agencies that supervise financial institutions and was established to encourage the application of uniform examination principles and standards by state and federal supervisory agencies.
Identification of Social Media Risks
The final guidance identifies the following risks raised by social media:
- Compliance and legal risks: These are the risks that arise from the potential violations of, or nonconformance with, laws, rules, regulations, etc. The final guidance provides a nonexhaustive list of laws and regulations that may be relevant to a financial institution's social media activities, such as:
- Truth in Savings Act/Regulation DD and Part 707;
- Equal Credit Opportunity Act/Regulation B and Fair Housing Act;
- Truth in Lending Act/Regulation Z;
- Real Estate Settlement Procedures Act;
- Fair Debt Collection Practices Act;
- Electronic Fund Transfer Act/Regulation E;
- Bank Secrecy Act/Anti-Money Laundering Program;
- Gramm-Leach-Bliley Act Privacy Rules and Data Security Guidelines; and
- The Fair Credit Reporting Act.
- Reputational risk: This is the risk arising from negative public opinion to the reputation and standing of the financial institution, even if the financial institution has not violated any law.
- Third-party risk: This includes the risks posed by working with third-party social media vendors that provide social media services.
- Operational risk: This is the risk of loss resulting from inadequate or failed processes, people or systems, which includes the risks posed by a financial institution's use of information technology (which includes social media).
Considerations and Expected Action Steps
The FFIED expects regulated financial institutions to have a risk management program that allows them to identify, measure, monitor and control the risks related to social media. The size and complexity of the risk management program should be commensurate with the institution's use of the medium. For example, a financial institution that has made a significant investment in the use of social media to attract and acquire new customers should have a more extensive program than one that uses social media to a very limited extent.
A risk management program is expected to include the following components:
- A governance structure with clear roles and responsibilities whereby the board of directors or senior management direct how using social media contributes to the strategic goals of the financial institution and establish controls and ongoing assessment of risk in social media activities;
- Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations, and incorporation of guidance as appropriate. Policies and procedures should incorporate methodologies to address risks from online postings, edits, replies and retention;
- A risk management process for selecting and managing third-party relationships in connection with social media;
- An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities;
- An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party;
- Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate; and
- Parameters for providing appropriate reporting to the financial institution's board of directors or senior management that enable periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.
Even a financial institution that has chosen not to use social media at all is expected to consider the potential for negative comments or complaints that may arise within any of the social media platforms and, when appropriate, evaluate what, if any, action it will take to monitor for such comments and/or respond to them. And while financial institutions are not expected to monitor all communications about the institution on internet sites other than those maintained by or on behalf of the institution, the FFIEC expects them to take into account the results of their own risk assessments in determining the approach to take regarding monitoring of, and responding to, such communications.
To avoid reputation risk and/or third-party risk, the FFIEC recommends that a financial institution:
- Conduct an evaluation and perform due diligence appropriate to the risks posed by a prospective social media service provider prior to engaging that provider;
- Regularly monitor the information it places on social media sites;
- Have appropriate policies in place to monitor and address in a timely manner the fraudulent use of the financial institution's brand, such as through "phishing" or "spoofing" attacks;
- Have procedures to address risks from occurrences such as members of the public posting confidential or sensitive information - such as account numbers - on the financial institution's social media page or site;
- Take into account the results of its own risk assessments in determining the appropriate approach to take regarding monitoring of, and responding to, consumer disputes (e.g., a billing error);
- Consider whether and how to respond to communications disparaging the financial institution on other parties' social media sites (for example, by monitoring questions and complaint forums on social media sites to ensure that such inquiries, complaints or comments are reviewed, and, when appropriate, addressed in a timely manner); and
- Evaluate the risks of employees' communications via social media and determine appropriate policies to adopt in light of those risks.
Employee-to-Employee Communications on Social Media and Elsewhere
During the Obama administration, the National Labor Relations Board (NLRB), an independent federal agency, issued rulings and guidance that profoundly impacted both union and nonunion workplaces. For example, the NLRB took aim at employment policies that can be read to unduly restrict nonunion employees from exercising their rights under the National Labor Relations Act (NLRA) to discuss their wages, hours and working conditions. Although the NLRB has not yet directed its efforts at employers in the financial industry, its rules will often apply, and advance compliance with them may help prevent unionization.
In addition, the NLRB held in late 2014 that employees who have access to their employer's email system in the course of their work must be allowed to use that email system during nonwork time for union organizing and discussions with other employees about the terms and conditions of their employment. However, the new General Counsel of the NLRB has signaled that he may pursue an alternative analysis going forward.
While the Obama administration's NLRB also scrutinized various employers' social media, acceptable conduct and confidentiality policies to ensure they do not chill employees' rights under the NLRA, the newly constituted NLRB under the Trump administration appears intent on scaling back some of those decisions. For example, in late 2017, the NLRB rejected a ruling it previously issued during the Obama administration establishing that a workplace policy will violate the NLRA if a reasonable employee would construe it to prohibit him or her from exercising NLRA rights. According to the Trump administration's NLRB, the nature and extent of the policy's potential impact on employees' NLRA rights must be weighed against the employer's legitimate justifications for that policy.
Even though the financial industry is not traditionally unionized, poorly crafted policy statements may still have an impact on unionization efforts, particularly in light of the NRLB's "quickie" or "ambush" election rules. By ensuring their employment policies conform to the NLRB's expectations, financial industry employers may help keep any potential unionization efforts from becoming prolonged and harmful. See The Unionization Process: Federal.
Severance and Post-Employment Health Care
In the event of a termination of employment without cause or a change of control at the company, it is not uncommon for executives in the financial services industry to have in place agreements that entitle them to severance pay (lump sum or salary continuation). These agreements often require the employee to sign a release of claims against the employer and may provide for subsidies to cover some or all of the cost of continued health insurance. The terms of these arrangements may vary, even within the same company. While these terms may be necessary to recruit and retain top talent, there can be unforeseen pitfalls. Without delving into the specific requirements imposed by certain laws, like the federal Older Workers' Benefit Protection Act, here are some of the less widely known dangers.
Severance and ERISA
One of the potential pitfalls concerns the extent to which certain severance benefits are unexpectedly governed by the Employee Retirement Income Security Act of 1974 (ERISA). This could expand the scope of employees to whom the employer must offer those benefits. If the severance benefit requires ongoing administration and/or discretion in the determination of benefits, it may be subject to ERISA. Ongoing administration may entail severance payments that are made over a period of time as opposed to a one-time, lump sum payment.
There are other disadvantages - and advantages - to having the severance benefit covered by ERISA. The chief disadvantages are ERISA's strict reporting and disclosure obligations for which steep penalties may be imposed for noncompliance. One advantage is the extent to which ERISA preempts, or supersedes, claims brought by an employee under state or local law to obtain the benefits following termination. Another advantage, in the event there is a written severance benefit plan that sufficiently explains the eligibility requirements and other facets of the benefit, is that employers can include in it an internal claims and appeals process, subject to limited judicial review, to help limit the risk of litigation in court over one's eligibility for the benefit.
Severance and Section 409A of the Internal Revenue Code
Severance can take many different forms. For example, it can be paid as a lump sum or in installments. When severance is paid in installments that continue beyond one year, it may qualify as deferred compensation (i.e., income earned in one year but not subject to taxation until subsequent years). This deferred compensation may be subject to Section 409A of the Internal Revenue Code (Section 409A). Section 409A creates rules governing the time and form of payment of deferred compensation. Failure to comply with these rules may result in severe tax consequences, such as immediate taxation of the deferred amounts plus an additional 20 percent penalty and interest.
Not all severance payments are subject to Section 409A, however, as there are two significant exceptions:
- Short-term deferral: If the severance payments are made within 2.5 months after the end of the tax year in which the employee terminates, the requirements of Section 409A may not be triggered.
- Separation pay plan: Section 409A may not be triggered if: (A) the total severance payments are less than (i) twice the employee's final, annualized compensation, and (ii) the annual compensation limit for qualified retirement plans (which varies from year to year, and is $275,000 for 2018); and (B) the employee was terminated involuntarily.
Post-Employment Health Care and COBRA
It is important to coordinate post-employment health care insurance subsidies with the requirements of the federal Consolidated Omnibus Budget Reconciliation Act (COBRA) and the terms of the group health plan document. Below are two typical ways in which post-employment health care insurance subsidies may be coordinated with COBRA.
Keep in mind that under COBRA, individuals covered under most group health plans can continue health care coverage if certain triggering events, such as termination of employment, cause them to lose health coverage. COBRA continuation coverage is generally available for 18, 29 or 36 months (depending upon the circumstances) from the date of the triggering event, unless the plan document provides that the COBRA period is measured from the date coverage is lost. Most group health plans provide that the right to COBRA continuation coverage commences with the triggering event. For that reason, it is generally assumed that a termination of employment automatically triggers a right of COBRA continuation coverage. However, that is not always the case.
Continued "Active" Coverage Under the Group Health Plan
In some cases, employers agree to simply continue the former employee's coverage under their group health insurance plan, at "active" employee rates, for a fixed number of months or even years. An employer would do this because "active" coverage is generally less expensive than COBRA coverage for the former employee.
Under this scenario, the former employee does not have a COBRA continuation right upon termination of employment because there is no loss of coverage at that time. Whether the former employee will have a COBRA continuation coverage right at all depends on: (a) when coverage at the active rate ends; and (b) the terms of the health plan. If the plan provides that the COBRA period is measured from the date coverage is lost, the former employee must be given the opportunity to elect COBRA continuation coverage for 18 months when coverage at the active rate ends (18 months is the COBRA period for terminations of employment). If, however, the plan provides that the COBRA period is measured from the date of the triggering event, the former employee will have the right to elect COBRA continuation coverage if coverage at the active rate ceases within 18 months from the termination of employment, but only for the remaining months of the 18-month period. The former employee will not have a right of COBRA continuation coverage if health coverage at the active rate ends more than 18 months after the termination of employment.
An employee, who is covered under the employer's group health plan, terminates employment for a reason other than gross misconduct. The employer allows the former employee to continue coverage under the group health plan, under the same terms and conditions, for three months following termination of employment. If the plan provides that the COBRA period is measured from the date of the triggering event, the former employee can elect COBRA continuation coverage for 15 months, beginning with the fourth month following termination of employment. If the plan provides that the COBRA period is measured from the date of loss of coverage, the former employee can elect COBRA coverage for 18 months, beginning with the fourth month following termination of employment.
Before agreeing to continue "active" coverage following termination of employment, employers should carefully review their group health plan documents to determine whether the COBRA period commences with the triggering event or the loss of coverage. If the employer represents to the former employee that the COBRA period commences with the loss of coverage, and the plan documents provide otherwise, there may be a problem. If the health coverage is insured, the insurer may deny claims incurred more than 18 months after the termination of employment. In those circumstances, the employer could be forced to self-insure the former employee for the duration of the promised coverage period. If the health plan is already self-insured and the employer has stop-loss insurance coverage (i.e., insurance that is triggered when the dollar amount of benefits reaches a certain threshold), the stop-loss insurance carrier may deny coverage if the policy has not been drafted or amended to allow coverage of the former employee during the promised coverage period.
In addition, there may be tax consequences for continuing coverage of former employees as if they were "active" staff under the group health plan. These consequences may vary depending upon whether the group health plan is insured or self-insured.
Subsidizing the Former Employee's COBRA Payments
In other instances, the employee becomes eligible for continued health care insurance under COBRA upon the termination of employment and the resulting loss of "active" coverage under the group health plan. In these instances, some employers agree to subsidize the former employee's costs of continued coverage under COBRA by paying them directly to the insurer. Before agreeing to provide subsidies, employers should first understand the potential tax consequences, which may vary depending on whether the group health plan is self-insured or fully insured.
Employers should be careful not to offer benefits under a self-insured health plan that discriminate in favor of highly compensated employees. For purposes of self-insured health plans, the Internal Revenue Code defines a highly compensated employee as one who is paid more than 75 percent of the company's other staff, is one of the five highest paid officers of the company or is a shareholder who owns more than 10 percent of the company's stock.
An employer may violate this nondiscrimination rule by allowing only its most highly compensated former employees to continue coverage at "active" employee rates, which tend to be lower than former employee rates. An employer may also violate it by paying a top executive's COBRA premiums for all 18 months of the COBRA continuation period, but not paying them for lower-paid former employees.
A violation of the nondiscrimination rule generally triggers a tax penalty.
Fully Insured Plans
Until recently, the nondiscrimination rule did not apply to fully insured health care plans. In 2010, the federal Affordable Care Act (ACA) extended the nondiscrimination rule to most insured group health care arrangements. However, it exempts grandfathered health care plans (i.e., those in existence on March 23, 2010), which have not been altered in certain ways since that time.
Although the nondiscrimination rule for nongrandfathered health care plans was to become effective on January 1, 2011, the IRS postponed the implementation date. The rule now goes into effect on the first day of the plan year following the year in which the IRS issues its nondiscrimination regulations. For example, if the IRS issues regulations in 2018, the nondiscrimination rule for nongrandfathered insured health care plans will not be effective before January 1, 2019. To date, the IRS has not yet issued these regulations.
The penalty for failing to comply with the nondiscrimination rule for nongrandfathered group health insurance plans often falls on the employer, not the employee. In general, an employer can be fined $100 per disadvantaged employee for each day of noncompliance, up to $500,000 or 10 percent of the employer's total health care costs for all of its group health plans during the preceding tax year, whichever is less.
Severance Agreements, COBRA and Drafting Issues
Employers should be cautious when drafting severance agreements, particularly those in which the employer promises to subsidize the employee's cost of continued group health insurance under COBRA. In those instances, the agreement should: (a) state that termination of employment causes a loss of coverage for COBRA purposes, so long as this accurately reflects the terms of the applicable group health plan document; and (b) require that the former employee timely elect continued coverage under COBRA. Employers also should consider whether or not subsidizing the employee's cost of continuing coverage under COBRA may impair the employee's ability to secure new insurance through the ACA when the subsidy ends.
Notice Issues That May Arise from Office Closures and Other Mass Terminations
In the event of a substantial workforce downsizing, HR should be aware of the requirements of the federal Worker Adjustment and Retraining Notification Act (WARN) and corresponding state mini-WARN laws (e.g., California, Hawaii, Illinois, Iowa, Maine, Massachusetts, New Hampshire, New Jersey, New York and Wisconsin).
The WARN Act essentially requires employers with 100 or more employees to give at least 60 days' notice before undertaking a plant closing in which 50 or more employees at a single site (or an operating unit within a single site) will be terminated. It also requires the same 60 days' notice before a mass layoff that involves either 500 employment terminations at a single site of employment within a certain time frame, or, if fewer, 50 or more employment terminations if they constitute at least 33 percent of those working at the site.
Failure to abide by WARN's notice requirements may subject the employer to serious penalties. These penalties include:
- 60 days' back pay plus benefits for all affected employees;
- $500 for each day notice was not provided, payable to the local government where the reduction in force occurred; and
- Attorney fees.
Although the concept is relatively simple (provide 60 days' notice before implementing a large layoff), WARN and the mini-WARNs are both vague and complex. In September 2003, the federal Government Accounting Office (GAO) issued a report critical of the confusion created by WARN and its associated regulations. The frustration articulated by the GAO is a reflection of the frustration that many employers experience when trying to interpret and apply WARN and the mini-WARNs to impending layoffs. The complexity of these laws, and the recent wave of state legislation imposing similar (but not quite the same) requirements, illustrate the need for HR to be mindful of them and to seek appropriate legal advice before attempting to comply with them.
As the number of laws and rules applicable to the financial services industry continues to grow, it is vital for HR professionals to increase organizational awareness of them. By taking steps proactively to ensure continued compliance, HR can greatly assist their organization and mitigate its overall risk of civil and/or criminal liability for noncompliance.
In January 2017, President Trump signed an executive order requiring that executive agencies that are currently engaged in the rulemaking process ensure that all proposed regulations are cost-neutral and identify two regulations that can be repealed to help offset the costs of any new significant regulatory action. This order does not apply to independent agencies, such as the National Labor Relations Board (NLRB) or Equal Employment Opportunity Commission (EEOC), which are "encouraged" to identify regulations that, if repealed or revised, would achieve cost savings that fully offset the costs of new significant regulatory actions.
In addition, President Trump directed the new Treasury Secretary to review and report on a host of laws and regulations that affect the financial services industry, including regulations issued under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. In October 2017, the Treasury Department issued a report on how to reform the regulatory system for the capital markets. It included recommendations to repeal certain provisions of Dodd-Frank, but not its whistleblower provisions. More developments are expected.