The NASPP Blog

Tag Archives: data privacy

June 30, 2016

Brexit and Your Stock Plans

Everyone else is talking about Brexit (the vote in the UK to leave the EU), so why should the NASPP Blog be left out of the conversation? For today’s entry, I discuss what Brexit might mean for your stock plans.

Don’t Panic—Yet

The good news is that the vote is advisory, so it isn’t as if the UK has immediately exited the EU. They are still part of the EU for the short-term. The UK government and the EU have to come to an agreement about how the exit plan will work and various experts have indicated that this could take two years or more.

How Will Stock Plans Be Impacted?

By now, we are all too familiar with the EU Directives that impact stock compensation. While the Directives are complicated enough, in and of themselves, if the UK leaves the EU, things could get a lot more complicated. The UK will have its own rules that may or may not be the same as the rules in the Directives. A recent alert by Baker & McKenzie summarizes a number of areas in which stock compensation offered to employees in the UK could be affected.

  • Securities Laws: The EU Prospectus Directive (including both the filing requirement and exemptions) will no longer apply in the UK.  This could turn out to be better or worse than the way things are now: the UK could require companies offering stock compensation to file a prospectus (probably worse), could provide an exemption for stock plans (probably the same as now for many companies, depending on the requirements for exemption), or could recognize prospectuses filed in the EU (or even in countries outside of the EU, such as the United States) (the same or better).
  • Data Privacy: The EU Data Privacy Directive would also no longer apply in the UK. The EU has proposed new rules for this directive, so right now, we don’t know what the final rules will be for any countries in the EU, much less the UK.  But once the UK has left the EU, they can determine their own rules; maybe these rules would be similar to the rules that the EU adopts, maybe not.  One bit of good news is that Baker & McKenzie notes that “It would be surprising … if the UK would not consider consent to be a valid ground to collect, process and transfer personal data.” Since that is how most companies comply with the EU Data Privacy Directive for their stock plans, little may change here.
  • Discrimination:  There are a number of EU Directives that prohibit discrimination against specified groups of employees. Those Directives would also no longer apply in the UK, but the UK would be free to adopt its own rules on discrimination.  Baker & McKenzie notes that they do not expect to see substantial changes here.

Social Insurance, Too

An alert by EY notes that Brexit may also impact the social insurance obligations of mobile employees, their employers’ compliance obligations, and the benefits mobile employees are entitled to. Currently, the EU governs how social insurance applies when employees move between countries in the EU. Unless the UK comes to an agreement with the EU that the EU rules still apply to employees moving between the UK and other EU countries, individual agreements would have to be put in place between the EU and all the EU countries. Some of these agreements exist, but they haven’t been updated since the EU established its rules. Many have expired or don’t address how mobility works in today’s world. This could get ugly.

What About Companies that Don’t Have Stock Plan Participants in the UK?

For those companies, there shouldn’t be any direct impact to their stock plans (other than the impact of stock price volatility resulting from the economic uncertainty caused by Brexit). But, if you are a US-based company with a multi-national stock plan, chances are that you have stock plan participants in the UK. In the NASPP/PwC Global Equity Incentives Survey, the UK is second only to the US in terms of countries where respondents have employees and offer stock compensation.

More to Come

I’m sure there will be more implications to think about as the UK’s exit looms closer.  At this year’s NASPP Conference, our perennially popular session, “Around the World in 60 Minutes: Key International Updates” will most certainly have a lot to say about Brexit, as will the session “Making Sense of Europe.” Be sure to attend one or both of these sessions so you are up-to-date on how your stock plan participants in the UK will be affected.

– Barbara


December 15, 2015

5 Things About Global Stock Plans and Technology

This past summer, the NASPP and Solium co-sponsored a quick survey on global stock plan administration. We asked companies about the technological challenges they experience when it comes to administering global stock plans, focusing on 12 primary challenges related to tax compliance, financial reporting, and other administrative matters. Close to 70% of respondents indicated that they struggle with four or more of the challenges identified and several noted that they struggle with nine or more of the challenges.

For today’s blog entry, I highlight five things I learned from the survey:

1. There are still a lot of manual processes out there.

Two-thirds of respondents say they spend too much time on manual processes.  This is a high-risk proposition: it is difficult to implement adequate controls over processes and calculations performed in a spreadsheet. This seems especially concerning given that the SEC is in the process of adopting rules requiring recovery of compensation for all material misstatements, even if due to inadvertent error (see “SEC Proposes Clawback Rules,” July 7, 2015). One incorrect calculation discovered too late could result in recoupment of bonuses and other incentive compensation paid to executive officers.

2. Tax compliance is a top concern for companies.

This really isn’t a surprise—let’s face it, tax laws outside the United States are a hot mess.  Every country does something different. Some countries change their laws every few years (I’m looking at you, Australia and France) and grandfather in old awards.  Some countries have different rules for social insurance taxes vs. income taxes. Add in mobile employees and, well, you have a lot of work for tax lawyers.

3. Regulatory compliance is also a challenge.

56% of respondents cite keeping up with regulatory changes as a top challenge and 45% cite regulatory requirements in other countries.  Regulatory compliance goes beyond tax laws to include things like securities laws, data privacy (a hot topic these days, see “Data Privacy Upheaval,” December 3, 2015), labor laws, currency restrictions and a host of other issues. It’s hard to stay on top of it all.

4. It’s the participants that suffer.

Ultimately, in the struggle to administer a global stock plan, something has to give and that something is usually the participant.  Only 50% of respondents offer a qualified plan in countries where they could; the hurdle of regulatory compliance gets in the way. And 75% of respondents said that they would focus more on employee education if they could just spend less time on basic administration.

5. Expectations are low.

When we asked companies what is on their wish list for their administrative system, I was surprised at how low some items ranked (it was a “check all that apply” question, I thought everyone would want just about everything).  For example, despite the fact that 71% of respondents reported tax-compliance for mobile employees as a top challenge, only 64% wanted a system that could calculate tax liabilities for mobile participants.  It left us wondering if companies need to dream bigger for their administrative platforms.

Check out the White Paper and Survey

If you haven’t had a chance to read it yet, check out the white paper on the survey results and download the full results from the Solium website.

– Barbara

December 3, 2015

Data Privacy Upheaval

If you are a company with employees in the European Union (EU) or European Economic Area (EEA), you’ve likely long been aware of the stringent data privacy requirements surrounding the transmission and protection of data for those residing in that region of the world. To facilitate compliance with certain aspects of data privacy requirements, some companies relied (in all or part) upon the EU-US Safe Harbor Privacy Program (“Safe Harbor program”), which allowed for transfers of personal data for EU/EEA residents to US companies registered under the program. On October 6, 2015, the European Court of Justice ruled the Safe Harbor program invalid. What is the impact of this ruling on data transfers relative to stock plans? I’ll explore this question in today’s blog.

Much of the information I have on this topic comes from two Baker & McKenzie sources (“New Data Privacy Turmoil?” and “Impact of CJEU US/EU Safe Harbor Program Judgment on Equity Plans“) – both available in the NASPP’s Global Stock Plans portal. Let’s now get to the heart of the matter.

How Would This Potentially Affect Stock Plans?

If your company is a US based company, it’s likely that most or all of your stock plan data is housed in the US. This means that if your plan includes participants in the EU/EEA, their data needs to be sent to the US to be recorded and maintained in the stock plan recordkeeping system. That recordkeeping system could be maintained in-house, or externally via a third party, who also likely maintains data within the US. Additionally, there may be a need to transfer participant data to other third parties who support the company’s stock plans beyond recordkeeping services.

According to the Baker & McKenzie client alert,

“The impact of the ruling on the personal data collection /processing / transfer activities of US multinationals in the context of offering of equity compensation programs to European employees depends upon whether the company had relied on Safe Harbor in this context – or, instead, relied on  an alternative method for managing data privacy considerations (e.g., relying on express consent obtained from participants, either through acceptance  of its equity award agreements or provided as part of the local new hire on-boarding process). If alternative methods have been relied upon, the ruling is unlikely to have any impact on the equity program. If the company relied on Safe Harbor, it will likely need to start relying on an  alternative method.”

The transfer of data provided to brokers is unaffected by this ruling, because financial institutions were never eligible to register under the Safe Harbor program, and as a result, it was never possible to rely on that program to transfer employee data to a broker. Companies had to find an alternate, permissible means of transferring data to brokers. Considering the now-invalidated Safe Harbor program, that is good news for data transfers to brokers or financial institutions, because they were never covered under the program and should remain unaffected by the ruling.

Is Our Stock Plan Affected?

If you have no stock plan participants in the EU/EEA, then this ruling does not affect your stock plans. This only applies to the data of those residing in that region of the world.

For companies that do have stock plan participants in the EU/EEA, the answer to that question is “it depends.” It depends on how the company was complying with data transfer requirements prior to the ruling, as described above. If your company relied on the Safe Harbor program in any capacity, then an alternate method for transferring that data will need to be used.

If your company has no participants in the EU/EEA, but decides to offer equity in that region in the future, it’s important to know that the Safe Harbor program will not be available as a means of compliance with data transfer requirements.

What’s Next?

This ruling has created a wave of turmoil, and not just for equity plans. It’s likely other company functions such as Human Resources are impacted, too. Baker & McKenzie’s suggestion is that “Companies should review their practices with regard to data privacy, including in the context of operating their equity compensation programs. Even if the ruling does not have any direct impact on the equity program, data privacy requirements around the  globe are tightening and a regular review of your company’s approach to data privacy is highly recommended.”

There is also talk of a Safe Harbor 2.0, with no telling on a timeline or potential for success of such an initiative. It’s important that companies recognize the implication of this ruling beyond the immediate effect on employee data transfers. The action of invalidating the entire EU/US Safe Harbor program seems to suggest that the EU has broader concerns about the US’s ability to protect the data of their residents, and it’s possible that other methods of complying with data transfers may follow in being evaluated for efficacy of protecting privacy. Expect the topic of data privacy to be a hot one for 2016.

Speaking of global hot topics, you can find out “5 Things I Learned About Global Compliance and Communication,” in the latest episode of our popular Equity Expert podcast series.

-Jenn

April 28, 2011

Data Privacy

California is serious about privacy–so serious that it’s an “inalienable right” in the California constitution. This should give consumers–and employees–in California an extra bit of confidence that their own personal information won’t fall into the wrong hands. It does, however, create some rather frustrating experiences when a California resident actually wants his or her personal information to be transferred out of the state. For example, if you are a resident of California you may find yourself at an out-of-state bank branch talking to a perfectly nice teller who insists you don’t have an account until you admit you are from California at which point he will say, “Oh…California. Why didn’t you say so?” In this respect, California may have more in common with the EU or Japan than with the rest of the United States.

Aside from the quirky anecdotes that data privacy laws provide, there are serious considerations for companies with international (or California) subsidiaries. HR, payroll and equity compensation practices must ensure that the very essential, but also very private, employee data is transmitted without violating applicable laws. Payroll considerations can be accomplished with relative simplicity compared to equity compensation by virtue of local payroll processing. The distinct difference for HR and stock plan management is that most companies want to house relevant information in one central location or database.

Consent

Just like my fun bank experience, this is an instance when employees should want to have their information transmitted–after all, it’s going to create a tangible asset for them. But, operating on the idea that you have a right to access the necessary information to create and manage grants for your employees isn’t enough. In many locations, employees must actually consent to have their personal information sent to you and also sent on to the broker who will ultimately facilitate transactions for them.

Compliance

The burden for ensuring your company policies are compliant with data protection laws hopefully falls on your legal team. However, ensuring that equity compensation practices adhere to the policies is an ongoing consideration for stock plan management teams. Here are three important areas to consider when it comes to data privacy:

  • Incoming data – exactly what information about employees you collect and house in your stock plan administration database and how you access that information
  • Outgoing data – each instance where individual private information must be transmitted out of the stock plan administration database
  • Communications practices – when and how you are sending personal information back to your employees

Once you have established that your current practices are compliant, keep data protection in mind any time you are going to engage in a one-off situation involving the transmission of personal information. If you are in a merger situation, have opened a new office, or are partnering with another department to perform a data audit, these are all examples of situations where taking a moment to confirm that you are maintaining compliance with data privacy laws is a good idea.

Resources

The NASPP’s Global Stock Plans portal has several matrices that include data privacy issues companies should consider internationally. They can be found along the left column of the portal. We also have an update from Latham & Watkins on data privacy and protection in Germany, the UK, and Spain prompted by the draft Federal Data Privacy Act being considered in Germany. The Act could place more stringent qualifications on obtaining employee consent to collect and distribute personal information.

-Rachel


August 26, 2010

Access Control

Stock plan management teams are responsible for handling a significant amount of confidential data. Access control procedures are essential to maintaining an appropriate level of security to ensure that confidential information remains confidential. In creating an access control policy, both inadvertent and intentional access must be considered. There are data privacy laws both in the U.S. and internationally that dictate how data is transmitted. Confirming with your legal team that your company’s practices adhere to privacy laws is crucial. However, there are daily practices and considerations that are easy to overlook and could compromise the integrity of your practices by weakening the controls in place to limit data access. Here are my top three “hidden” areas to focus on when considering your department’s access control practices.

Workspace

Because the stock plan management team will be working with and talking about confidential information, the actual location of the team is crucial to access control. For example, desks should be located in a space where both printed material and computer monitors cannot be easily viewed by other employees and confidential conversations won’t be overheard.

It’s also important to know that access to the stock plan management work area can be prohibited when none of the members of the team are present. In many companies, the stock plan management team shares office space with another department. If this is necessary, it is best that the other employees sharing that space have access to equally sensitive information so that they are familiar with the company’s data privacy practices.

Archives

Administering stock plans can generate a bulk of both hard-copy and electronic documents that need to be retained on site or in archives. Just like the general workspace, the location of these document files is an essential consideration for access control. Both hard copy and electronic documents can be safeguarded not only by locks (or passwords) but also by their location. Access control for hard copy documents stored on location can be maintained simply by placing locked filing cabinets in a room that also can be locked. However, if the volume of hard copy documents requires off-site storage archiving, make sure that there are controls in place for who in the company can request access to the archives.

Electronic documents, especially in the form of spreadsheets, often contain a higher volume of confidential information than do paper documents. In addition, data stored electronically is far more likely to be a part of daily procedures. Access control for archived electronic documents is just as straight-forward as it is for paper documents: they should be password protected and housed in folders and/or servers where access can be limited. With current documents, on the other hand, that are needed for daily processes it is much easier to let access control slip. It’s important to maintain password protection, even on active documents, and avoid saving documents in unprotected locations–especially on a laptop that may be removed from the workspace.

Distributed Materials

Distributed materials present the biggest challenge to maintaining access control. The stock plan management team can’t avoid sharing certain confidential information with external partners or other departments. The key is to establish how to ensure that the shared data doesn’t ultimately become available to parties that should not have access to it. If regular data sharing is required, establish an automated process that transmits data between systems or a protocol for file exchange. It’s best if confidential information never be sent via email, even internally and even if it is password protected.

Your company’s IT and legal teams can help you establish the best protocol for data privacy, but insufficient access controls can undermine those practices. As with all processes, document your access control procedures and make sure that everyone who does have access to confidential information understands the importance of those procedures. For more on internal controls, visit our Internal Controls Portal.

-Rachel
