(Bloomberg Gadfly) -- The giant Equifax data breach shows once again that the talons on corporate clawback policies remain tiny.
Equifax disclosed earlier this month that a hack of its database may have exposed sensitive personal information including credit card and social security numbers of as many as 143 million consumers. On Friday, the credit-reporting agency said that two executives, its chief security officer, Susan Mauldin, and chief information officer, David Webb, would be leaving the company "effective immediately." Nonetheless, neither Mauldin, Webb, nor other executives at Equifax are likely to experience a direct financial hit, or punishment, from the hacking incident itself, at least not any more than shareholders. (The Justice Department has opened a criminal investigation into whether three other top officials violated insider-trading laws when they sold stock before the company disclosed the hack, Bloomberg News reported on Monday.)
Despite the size of the hack and the huge hit the continuing scandal is having on Equifax's reputation and stock price, it's apparently not significant enough to trigger the company's clawback policy, which Equifax described earlier this year in its proxy statement as "rigorous." In fact, like most other publicly traded companies, Equifax says it will only claw back performance pay when the company is forced to make a material restatement of its past results and when that misstatement is clearly the result of fraud. Even then, it's up to the board to decide whether to actually trigger the clawback. Most often, boards do not.
One of the few exceptions was Wells Fargo. Its board did eventually claw back $136 million in pay from its former CEO, John Stumpf, and former head of consumer banking, Carrie Tolstedt, after the bank admitted that millions of accounts were opened without customers' knowledge. Wells Fargo's clawback provision, though, allowed the company to recoup pay from an executive whose conduct resulted in reputational damage to the bank, or if the executive had missed or not managed risks in her division.
If the market is any judge, the reputational hit to Equifax -- whose stock has plummeted 34 percent since the hack was disclosed, cutting its market cap by more than $5 billion -- has been even worse than the phony accounts were to Wells Fargo. Nonetheless, Equifax's clawback policy requires a restatement, which is highly unlikely. But even if the company did restate, it's not clear Mauldin or Webb would walk away with any less. Both executives, according to the company's press release, were allowed to retire instead of being fired for misconduct, meaning at least for now the company is not contending that the two executives most responsible for protecting the company from hacks did anything wrong. The company did not respond to requests for comment.
It's not clear how much Mauldin or Webb were paid, but other Equifax executives have been highly compensated. The company's CEO, for instance, has received $44.1 million for the past three years, according to Bloomberg pay data. None of that, as of now, can be clawed back by the board, either. And Equifax is by no means an anomaly. A 2015 study, the most recent I could find on the topic, by compensation consultant Frederic W. Cook & Co. found that just 12 percent of 250 top companies had clawback policies that covered reputational damage or anything other than a financial restatement.
And even when companies say they will claw back pay in the case of financial restatements, most companies, like Equifax, require that the restatement be "material." Perhaps unsurprisingly, accounting research firm Audit Analytics has found that the number of financial restatements that companies deem material has dropped precipitously in the decade since clawback provisions have become common. Last year, just 22 percent of all financial restatements by public companies were deemed material, down from 67 percent in 2005, according to the firm.
A few years ago, after the financial crisis, there was a push to strengthen clawback provisions. Dodd-Frank called on the Securities and Exchange Commission to consider a rule that would make clawbacks mandatory. But a review by Harvard last year found that shareholder interest in clawbacks and other similar provisions had waned. The SEC, too, has yet to finalize a clawback rule, and under the anti-regulation push of the Trump administration, it is unlikely to do so.
So it's little wonder that clawback provisions have done little to improve corporate behavior, like the price hikes and secret distribution network at Valeant, Roger Ailes's odious reign at Fox News, or the protection of consumer data at Equifax. Pay-for-performance means little when the definition of poor performance is so narrow and the opportunity for damage is so wide.
This column does not necessarily reflect the opinion of Bloomberg LP and its owners.
Stephen Gandel is a Bloomberg Gadfly columnist covering equity markets. He was previously a deputy digital editor for Fortune and an economics blogger at Time. He has also covered finance and the housing market.