
For this edition of the Take 5 for financial services, we focus on a number of very well-publicized issues. The tidal wave of sexual harassment allegations that followed the Harvey Weinstein revelations has drawn the attention of companies, their human resources departments, and employment lawyers. The rule on chief executive officer (“CEO”) pay ratio disclosure, which goes into effect in 2018, is a required focal point that garners significant interest in an industry that is all about money. The hyper-charged political climate has brought social activism and heated political discussions into the workplace with increasing frequency—and with potential employment law implications. A heightened legislative focus on eliminating at least one recognized source of the gender pay gap has resulted in new rules that prohibit very common inquiries about past compensation during the interview process. Finally, data leaks are a mounting threat and cybersecurity is a growing concern throughout an industry that is saturated with the highly sensitive, and sometimes personal, financial information of its clients.

We address these important issues and what financial services employers should know about them:

  1. The Weinstein Effect: #MeToo Allegations in the Financial Services Industry
  2. CEO Pay Ratio: It’s Not Too Late to Calculate!
  3. Managing Employees’ Political and Social Activism in the Workplace
  4. Equal Pay Update: The New York City and California Salary History Inquiry Bans
  5. Insider Threats to Critical Financial Services Technologies and Trade Secrets Are Best Addressed Through a Formalized Vulnerability and Risk Assessment Process

For the latest employment, labor, and workforce management news and insights concerning the financial services industry, please visit and subscribe to Epstein Becker Green’s Financial Services Employment Lawblog.

By Nathaniel M. Glasser

Since news of the Harvey Weinstein scandal broke on October 5, 2017, Hollywood and the entertainment industry have been the focus of media attention about the prevalence of workplace harassment in the industry and how to deal with it. But financial services firms should be aware that sexual harassment is not an issue that is limited to Hollywood. As U.S. Equal Employment Opportunity Commission (“EEOC”) Acting Chair Victoria Lipnic recently said in an interview with Law360, “We see this everywhere. This happens to women in workplaces all over the place.”

Financial firms also have been forced to confront allegations of sexual harassment publicly. For example, Social Finance Inc. (“SoFi”), an online lending firm, has been sued by a former employee alleging that CEO Mike Cagney “fosters a sexually charged corporate culture that condones unlawful conduct.” While Mr. Cagney did the right thing in response by issuing a memorandum to SoFi employees announcing that an internal investigation would occur and promising “severe action” if the lawsuit’s allegations proved true, Mr. Cagney later resigned as questions over his own behavior mounted.

Over the last two months, Fidelity Investments has dismissed two portfolio managers—one manager was terminated following allegations that he made inappropriate sexual comments at work and another manager was fired after allegations surfaced that he sexually harassed a female junior employee. In response, Fidelity’s CEO, Abby Johnson, in a video speech delivered to the firm’s 40,000 employees, stated, “We have no tolerance at our company for any type of harassment. We simply will not, and do not, tolerate this type of behavior, from anyone.” Ms. Johnson echoed those remarks in a speech given to the Securities Industry and Financial Markets Association (known as “SIFMA”) the following day. She has responded to these matters in textbook fashion after they became public, first by taking prompt remedial action against the offenders and then by making it clear that sexual harassment will not be tolerated by the upper echelons of management.

It is clear from the recent outpouring of support for victims of sexual harassment and the creation of the #MeToo movement that this is an issue that cannot be ignored by companies and should be proactively addressed. Unfortunately, a recent study by theBoardlist and Qualtrics says that 77 percent of corporate boards “had not discussed accusations of sexually inappropriate behavior and/or sexism in the workplace.” Less than 20 percent of the 400+ people surveyed had reevaluated their company’s risks regarding sexual harassment or sexist behavior, even in light of the recent revelations in the media. (The survey was conducted over the summer, before the Weinstein allegations came to light.)

Consequences for Failing to Adequately Respond to Harassment Allegations

There are significant consequences for failing to implement a plan for preventing sexual harassment in the workplace, and for failing to adequately respond once a complaint of sexual harassment has been filed. While sexual harassment claims may originate as internal complaints, they may result in a charge of discrimination filed with the EEOC or the corresponding state or local agency. Since fiscal year 2010, roughly 30 percent of the approximately 90,000 charges of discrimination received by the EEOC each year have alleged sex-based discrimination, and, during that same time period, the number of charges alleging sex-based harassment has gradually increased from just below 13 percent to just above 14 percent.

Sexual harassment claims may also lead to litigation, which can be expensive and time-consuming. In the Harvey Weinstein matter, for instance, Mr. Weinstein’s former company, The Weinstein Co., has been named in a $5 million civil suit alleging that executives of the company did nothing to protect women who did business with Mr. Weinstein, despite being aware of his inappropriate behavior. Additionally, the New York attorney general’s office is investigating The Weinstein Co. for potential civil rights violations in relation to its handling of claims of sexual harassment.

Aside from litigation, financial firms may face increased scrutiny from regulators. SoFi, for example, would like to expand its offerings to credit cards and checking accounts. But the allegations of sexual harassment, among other things, could negatively impact the opinions of the regulators that will decide whether SoFi is entitled to the state bank charter and federal deposit insurance needed to increase its offerings.

What Employers Should Do Now

The recent publicity regarding sexual harassment claims does not mean that financial service firms need to fear a return to the “boys club” atmosphere of the 1980s and 1990s. Financial services firms should take the following tangible actions to combat sexual harassment in the workplace:

  • Create and publicize a robust complaint procedure. Sexual harassment at work often goes unreported. According to the EEOC, as many as three-quarters of harassment victims do not file workplace complaints against their alleged harassers. Make sure that you have robust reporting mechanisms in place to receive complaints and consider allowing employees to complain directly to human resources, to a supervisor, or to an anonymous hotline.
  • Promptly investigate complaints. Once a complaint is made, promptly and thoroughly investigate the complaint, making sure that your employees do not retaliate against the alleged victim or any person who cooperates in the investigation.
  • Conduct an independent investigation. A hallmark of a competent investigator is someone who acts and appears impartial. In certain cases, that may mean hiring an outside consultant or legal counsel—someone unaffiliated with you—to conduct the investigation.
  • Communicate with complainants. A common objection asserted by complainants is that they are not informed about the status of the investigation. While complainants need not (and should not) be informed about the details or even given regular status reports concerning the investigation, they should be informed that an investigation will occur, and a firm should provide closure—regardless of the outcome of the investigation.
  • Be proactive. Consider conducting employee engagement or climate surveys, or hiring a consultant, to better understand the work atmosphere, rather than simply reacting to workplace complaints. Before doing so, consult with counsel to determine whether and how such a survey may be conducted under the self-critical analysis privilege.
  • Don’t expect HR (or even legal) to be the savior. To foster an atmosphere of inclusiveness and prevent sexual harassment, a firm cannot be solely reactionary to workplace complaints. Therefore, make sure that your top-level management is involved in setting the tone and effecting positive change. Also consider creating a task force to root out and address inappropriate conduct.
  • Design effective training. While most employers conduct some form of anti-harassment training (and those that don’t offer training, should), make certain that your training is designed to effectively combat sexual harassment. Tailor the training to your specific workplace and audience, teach employees (using real-world examples) about what is—and is not—harassment, and make sure that managers know how to spot potential issues and respond to any and all complaints.

By Andrew E. Shapiro

It is now all but certain that for the 2018 proxy season, most U.S. public companies will be required to provide an additional disclosure regarding their CEO pay ratio. The new rule, which is contained in Item 402(u) of Securities and Exchange Commission (“SEC”) Regulation S-K, requires public companies to disclose the ratio between (i) the median of the annual total compensation of all employees (except the CEO) and (ii) the annual total compensation of the CEO (the “CEO Pay Ratio”). In addition, companies will be required to briefly describe the methodology and assumptions utilized to calculate their CEO Pay Ratio.

Contrary to many people’s expectations, recent survey data from the consulting firm Mercer suggests that CEO Pay Ratios (as calculated pursuant to the prescribed rules) are lowest among banking and financial firms and highest among retailers and wholesalers of consumer goods, which tend to employ more part-time workers with low wages. The survey data suggests that banking and financial firms have estimated their CEO Pay Ratio at mostly 200:1 or less, while retailers and wholesalers of consumer goods have estimated their CEO Pay Ratio at mostly 400:1 or more.

What Employers Should Do Now

As financial companies prepare to comply with this new CEO Pay Ratio disclosure rule, we offer the following practical guidance:

  • Identify the team. Ensure that your company has an appropriate team assembled to calculate the CEO Pay Ratio and related disclosure, as well as to establish the appropriate messaging to your company’s workforce, the media, investors, and other stakeholders. It is generally recommended that individuals from the company’s human resources, accounting, payroll, legal, investor relations, and corporate communications functions be involved in the process. It may also be appropriate, depending on the complexity of the company and any company-specific factors, to involve outside legal counsel and/or external compensation consultants.
  • Prepare preliminary calculations. Recent guidance from the SEC confirmed that companies have a wide range of flexibility in calculating their CEO Pay Ratio. Be aware of the various alternatives available to your company and how these alternatives may impact the calculation of its CEO Pay Ratio. We recommend that your company prepare preliminary calculations of its CEO Pay Ratio to gain an expectation of what it ultimately will be. By doing so, your company will be better informed of how its CEO Pay Ratio may compare to its peers, how it may be impacted by using alternative methods of calculation, and what types of communication and messaging will be required.
  • Compare to peers. After preparing preliminary calculations, we recommend that your company gain an understanding of how its CEO Pay Ratio may compare to its peers and others within the financial services industry. Since a company will generally have limited insight into what the median pay might be at its peers until it is disclosed in their filings, it may be difficult to obtain an exact understanding. However, survey data and custom research is generally accessible through outside third parties. Your company may also be able to obtain a rough sense of how its CEO Pay Ratio may compare to its peers by comparing your company’s internally calculated median pay against the latest publicly available CEO pay of its peers (e.g., as disclosed in their latest Summary Compensation Table).
  • Start thinking about the disclosure and messaging. While CEO Pay Ratio disclosures are not expected to inform proxy advisory firm voting recommendations or institutional investor voting decisions this year, it is expected that these disclosures will be a point of focus for labor groups and the media. As such, consider whether to provide additional ratios, supporting data, or narrative discussion within the context of your company’s CEO Pay Ratio disclosure. Also consider developing an overall communication plan to employees to limit potential issues associated with the fact that one-half of your company’s employee population will learn that they are compensated less than the median disclosed employee.
  • Keep in mind the corporate governance process. Given this is a new disclosure requirement, it is important to keep management and the compensation committee informed about the process, methodology, disclosures, anticipated communications, and potential risks associated with the CEO Pay Ratio disclosure requirement.

While the new rule goes into effect right around the corner, it is not too late to take the necessary steps to ensure that your company is prepared for the possible implications of the CEO Pay Ratio disclosure requirement.

By Laura C. Monaco and Amanda M. Gómez

In this increasingly polarized and highly charged political environment, employers may face challenges in figuring out how to maintain a professional atmosphere and further their business interests without infringing on their employees’ rights to express their views on a wide range of political and social issues. This can be especially challenging in the financial services industry, where the workforce tends to be smart, well informed, and assertive. There are, however, some best practices that employers can follow in navigating the potential minefield of managing their employees’ political and social activism in the workplace.

Know—and Train Managers About—Applicable Laws

Employers should be aware that regulating their employees’ political speech and activity can implicate a variety of legal liability concerns, as well as reputational considerations among consumers and communities. As we have explained previously, the National Labor Relations Board’s General Counsel has issued a “Guidance Memorandum” concluding that employee action to “improve their lot as employees through channels outside the immediate employee-employer relationship” is protected concerted activity under Section 7 of the National Labor Relations Act, so long as it has a direct connection to the employees’ working conditions. In some circumstances, therefore, an employer could face an unfair labor practice charge if it punishes employees who skip work to attend a pro-immigration rally—but takes no action against other employees who call out on a sunny summer Friday to head to the beach.

Moreover, although there is no federal law that prohibits discrimination against private-sector employees based on their political activity or affiliation, many states (including California and New York) and the District of Columbia have such laws. Several states also have laws that protect employees from discrimination or harassment based upon their lawful off-duty conduct, which would extend to their off-duty political activity or social activism. In California, for example, an employer cannot discriminate or retaliate against employees because of their off-duty lawful political activities. Similar legal protections exist in several other states (including Colorado, Louisiana, and New York). Nevertheless, even if an employee’s political participation is a protected activity, employers may still regulate the activity through “lawful and neutrally applied work rules.”

Employers must therefore make supervisors and managers aware of what they can—and cannot—do when employees engage in political activity that may affect the workplace and ensure that such training addresses any applicable state-specific limitations and requirements.

Apply Work Rules in a Neutral, Consistent Manner

Employees’ political or social activism may be exhibited in a variety of ways that impact the financial services workplace, such as unexcused absences (so that an employee can attend a protest or rally), or violations of the cell phone use policy (by employees who use their phones to tweet in support of social causes while on the job). In the case of public-facing employees who may deal with bank customers, for example, dress code infractions (such as wearing a button or pin with a political message) may also present challenges. The best way for employers to manage these issues, and to remain legally compliant, is to apply work rules and policies consistently.

For example, if an employer regularly applies its attendance policies to discipline employees for unexcused absences, the employer need not refrain from disciplining an employee who skips work to attend a political rally. Similarly, an employer that consistently prohibits its employees from using their cell phones to access social media during their work shift does not have to allow those employees to tweet in support of a political cause on work time. If, however, that employer sometimes lets its employees off the hook for unexcused absences, or occasionally allows employees to use their cell phones to check Facebook while at work, it should be wary of applying its work rules to penalize employees who are absent or using their cell phones during work time to support a political or social cause.

The safest course for employers is to apply their work rules neutrally and avoid penalizing groups of employees based on the “message” of the political or social cause those employees choose to support. An employer that declines to discipline an employee for taking an unscheduled day off to attend a pro-choice rally, for example, may trigger a discrimination claim if it then disciplines a different employee for taking an unscheduled day to attend a pro-life event. Understanding that the line between political speech and protected comments related to the terms and conditions of employment may sometimes be hard to draw, employers can help ensure that employees’ discussions about politics do not become heated by neutrally enforcing work rules and policies that prohibit fighting, bullying, or harassment, and that prohibit employees from engaging in conduct that is loud or distracting or that otherwise impinges upon productivity.

What Employers Should Do Now

Our tumultuous political and social environment does not show any signs of cooling down in the near future. Therefore, an employer needs to be prepared to address and manage its employees’ political and social activism and to protect and further its business interests, while at the same time ensuring that its employees’ rights and morale do not suffer. Specifically, an employer should do the following:

  • Put clear policies in place regarding how to address employee requests for time off.
  • Ensure that rules are being applied consistently and neutrally.
  • To maintain morale, consider engaging with the social issues affecting your employees through activities such as employee forums or community service events.

By Lauri F. Rasnick and Ann Knuckles Mahoney

Recently, there has been a tremendous focus on equal pay issues across many industries. Proponents of equal pay have focused, among other things, on the use of prior compensation to determine future compensation, believing that doing so maintains existing pay inequities. To prevent such results, the newest trend in equal pay has included salary history inquiry bans. Both New York City and California have recently enacted laws that prohibit employers from asking for a job applicant’s salary history and from relying upon that history unless it is voluntarily provided.[1] The New York City law became effective on October 31, 2017, and the California law becomes effective on January 1, 2018. With these new laws, and financial services being heavily represented in both regions, financial services firms should take a hard look at their current hiring and compensation practices to avoid unwittingly violating the law.

Both the New York City and California laws prohibit seeking salary and other compensation information directly from employees and from recruiters or other sources (such as Internet searches and the like). Thus, it is important for the compliance effort to encompass the appropriate individuals who may be involved in the process to make them aware of the new laws.

Key Differences Between the New York City and California Salary History Inquiry Bans

The New York City law expressly allows employers to initiate discussions regarding an applicant’s salary expectations and desires. Further, the New York City law allows employers to ask whether an applicant will have to forfeit deferred compensation or unvested equity as a result of the applicant’s resignation from his or her current employer. In addition, in New York City, employers may ask about employee production and experience, such as revenues, sales, deals, and contacts. These questions may be key for financial services employers hiring revenue producers and other front-line personnel. New York City employers may also ask about the value and structure of the deferred compensation or unvested equity, request documentation to verify the applicant’s representations, and consider such information in making the applicant an offer. The California law is silent on all these issues.

The California law requires that, upon reasonable request, employers provide a pay scale to applicants. The California law also reaffirms an aspect of California’s Equal Pay Act that prohibits employers from justifying a pay disparity on prior salary alone. Thus, while employers may consider voluntarily disclosed salary information, they may not rely on salary history alone to justify pay discrepancies between workers of different genders or ethnicities who are performing substantially similar work. The New York City law does not contain this same restriction. Further, to the extent that there is a voluntary disclosure in California, employers may not rely on the salary history information in deciding whether to hire the individual.

What Employers Should Do Now

To ensure compliance with the new bans on salary history inquiries, employers should take the following steps:

  • Remove questions about salary history from employment applications, background check forms, and any other applicable forms or policies used during the hiring process.
  • Train human resources staff, managers, recruiters, and any other individuals who may interview the candidates to not seek salary history information during discussions with candidates.
  • Ensure that any disclosure of salary history, if it occurs, is purely voluntary and without prompting. This means that it is not permissible to pose a question about an applicant’s salary history with a caveat that answering the question is not mandatory.
  • Create a “memo to file” if a voluntary disclosure is made, noting the voluntary disclosure and the circumstances under which it was made.
  • Coordinate with any external background-checking vendors to ensure that background check forms do not request salary history and that a vendor does not request salary history when confirming prior employment.
  • Synchronize with external recruiters and headhunters to make sure that they will not provide an applicant’s salary history.
  • Consider amending contracts with external recruiters to place them on notice about their obligations under the new laws, require compliance with the laws, and provide for indemnification for claims made against you based on the external party’s violation of the laws.
  • If your organization operates in California, prepare pay scales for open job positions and identify the objective factors (such as training, education, and experience, provided that they are required for the position) that will determine where within the applicable range an offer will be made.
  • If your organization operates in multiple locations, decide whether to adopt a nationwide or location-specific approach:
    • While adopting a nationwide approach for administrative or public policy reasons may simplify matters, determine whether it would also lead to problems, such as the creation of unnecessary obligations or the denial of business salary information that your organization could otherwise have access to in jurisdictions where there is no such law.
    • If adopting a nationwide approach, consider including a caveat in certain forms or training materials (where permitted) that, at a minimum, reserves the right to seek salary history information in any jurisdiction where these questions are allowed.
    • If you take a location-specific approach, make sure that electronic onboarding and other tools do not inadvertently continue to ask for (or store) salary history from applicants based in New York City or California.

By Brian G. Cesaratto and Robert J. Hudock

The pace of innovation in financial services technology is accelerating. Firms are investing heavily to develop the next cutting-edge financial services applications that will drive future growth. These industry efforts have also expanded the “attack surface” that the new technologies present to dishonest employees and other malicious insiders. As the scope and criticality of these information systems increase, there is a corresponding increase in the number of employees and other individuals (e.g., a vendor’s workers) who have or may seek to gain access for a financial motive or other illegitimate purposes. Indeed, over this last year, in separate criminal matters, two computer engineers were arrested by federal authorities and charged with alleged attempted theft of trade secrets consisting of proprietary computer code used to run the trading platforms of their respective financial services employers.

Financial services firms are, therefore, well served by utilizing a formalized vulnerability and risk assessment process to identify the insider threats to the confidentiality, integrity, and availability of their most critical technologies and systems and to address the risks. New York State registered or licensed financial services firms are required to conduct vulnerability assessments biannually and risk assessments on a periodic basis. FTC-regulated financial institutions are also required to conduct risk assessments relevant to safeguarding non-public customer information.

Firms should identify their critical information systems and the supporting hardware and interconnected communication systems. The job roles associated with those systems—i.e., any insider who by virtue of his or her job position will be granted access—should be identified. In particular, managerial and other roles that involve privileged access to the systems should be pinpointed (e.g., database or network administrators). A map, chart, or other representation of the systems, data, and insiders should be made so that the organization can thoroughly understand the interconnectivity of personnel and key systems.

The insider threats to these systems for all roles should be identified and evaluated—e.g., is there a greater threat from temporary workers or third-party contractors not presently subjected to background checks as compared with full-time employees who undergo pre-employment credit and criminal background checks? The current level and strength of existing physical, administrative, and technical controls should be identified. An essential task is to determine if the principle of least privilege is being followed and enforced—e.g., for each identified role, does the insider have only the level of access required to accomplish the job responsibilities and nothing more?
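The role-to-system mapping and least-privilege check described in the two paragraphs above can be run mechanically over an access inventory. The following is an added example, not part of the original article; the system names, roles, permission labels, and the `assess` function are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed inventory: system name -> whether it is a critical system.
SYSTEMS = {"trading-platform": True, "source-repo": True, "hr-portal": False}

# Permission labels treated as privileged access (an assumption of this example).
PRIVILEGED = {"admin"}


@dataclass
class Role:
    name: str
    worker_type: str          # "employee", "temporary" or "contractor"
    background_checked: bool
    granted: dict = field(default_factory=dict)   # system -> permissions held
    required: dict = field(default_factory=dict)  # system -> permissions the job needs


# Constructed sample roles; a real inventory would come from IAM and HR exports.
ROLES = [
    Role("database-administrator", "employee", True,
         granted={"trading-platform": {"read", "write", "admin"}},
         required={"trading-platform": {"read", "write", "admin"}}),
    Role("quant-developer", "employee", True,
         granted={"source-repo": {"read", "write"},
                  "trading-platform": {"read", "write"}},
         required={"source-repo": {"read", "write"},
                   "trading-platform": {"read"}}),
    Role("vendor-support", "contractor", False,
         granted={"trading-platform": {"read"}, "hr-portal": {"read"}},
         required={"trading-platform": {"read"}}),
]


def assess(roles, systems, privileged=PRIVILEGED):
    """Return (role, system, issue, detail) findings for an access map.

    excess-access          -> access granted beyond what the job requires
    privileged-on-critical -> privileged access to a critical system
    unvetted-on-critical   -> access to a critical system without a background check
    """
    findings = []
    for role in roles:
        for system, perms in sorted(role.granted.items()):
            # A system missing from the inventory is treated as critical (fail closed).
            critical = systems.get(system, True)
            excess = perms - role.required.get(system, set())
            if excess:
                findings.append((role.name, system, "excess-access", sorted(excess)))
            if critical and perms & privileged:
                findings.append((role.name, system, "privileged-on-critical",
                                 sorted(perms & privileged)))
            if critical and not role.background_checked:
                findings.append((role.name, system, "unvetted-on-critical",
                                 [role.worker_type]))
    return findings


if __name__ == "__main__":
    for finding in assess(ROLES, SYSTEMS):
        print(finding)
```

Each finding maps to a question the assessment asks: whether a role holds more access than its job needs, which roles carry privileged access to critical systems, and which insiders reach critical systems without having been vetted.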

What Employers Should Do Now

  • Conduct a vulnerability assessment identifying reasonably anticipated insider threats.
  • Next, conduct a well-documented risk assessment to assess the likely impacts (i.e., probable losses) that may result from an attack depending on the level of existing controls or those that are planned.
  • Consider whether to add to or strengthen your insider threat controls consistent with your business needs, risk tolerance, and a cost-benefit analysis. Usually, for high-impact “critical” systems, the full range of available, most protective physical, administrative, and technical insider threat controls, consistent with applicable law, should at least be considered.
  • Plan and implement a “defense in depth,” selecting the proper combination of technical controls and workforce management practices and policies pursuant to a well-thought-out strategy of risk reduction. Consider, for example, a combination of enhanced background and credit checks, electronic system monitoring, rigorous mobile device and remote access management, protective provisions in vendor contracts, encryption, multi-factor authentication, biometric identification, human resources data/event logging, employee training, penetration testing, and/or technical controls (e.g., blocking access by employees to file-sharing cloud-based websites (like Dropbox)).
  • Put in place a written formalized incident response plan in case an insider threat materializes. The plan should be tested through table-top exercises and should be a key component of your efforts.
  • Ensure that vulnerability and risk assessments of insider threats are conducted periodically and as financial services technologies evolve.

* * * *

For additional information about the issues discussed above, please contact the Epstein Becker Green attorney who regularly handles your legal matters, or any of the authors of this Take 5:

Brian G. Cesaratto
New York

Nathaniel M. Glasser
Washington, D.C.

Amanda M. Gómez*
New York

Robert J. Hudock
Washington, D.C.

Ann Knuckles Mahoney
New York

Laura C. Monaco
New York

Lauri F. Rasnick
New York

Andrew E. Shapiro
New York

*Not admitted to the practice of law.


[1] San Francisco also adopted a salary history inquiry ordinance similar to the New York City law that becomes effective on July 1, 2018.

