The response to our consultation on the draft pensions dashboards compliance and enforcement policy, and examples of breaches of law.
Published: 5 September 2024
Introduction
With record numbers of people saving for retirement, it is even more important that people understand their pensions and can prepare for financial security for later life.
Pensions dashboards will allow individuals to see their pensions information, including their State Pension, for free in one place online at a time of their choosing. Pensions dashboards will also reunite savers with lost or forgotten pensions. The ability to access information easily alongside an increase in individuals’ awareness and understanding of their pension information could also support people with better planning for their retirement.
Background
The government introduced the Pensions Dashboards Regulations 2022 (the dashboards regulations), and corresponding legislation has been made for Northern Ireland under the Pensions Dashboards (No. 2) Regulations (Northern Ireland) 2023, to enable pensions dashboards services. The government policy intent behind this initiative is to enable pension savers to have access to their pensions information in one online place and be better informed about their retirement savings.
We are responsible for driving compliance, and taking enforcement action relating to non-compliance, with duties under the dashboards regulations by trustees and scheme managers of relevant occupational pension schemes.
We consulted on our proposed approach to compliance and enforcement between November 2022 and February 2023.
Since the consultation, the government has made amendments to regulations and published new connection timeline guidance. Our policy has considered both the responses to the consultation, and the amendments to regulations.
Consultation responses
We received 48 responses from a wide range of stakeholders. We would like to thank those who took part, as their feedback has helped us clarify aspects of the policy.
Key themes
We found most respondents agreed with the principles, key risk areas and our approach, and that they understand our expectations and regulatory considerations.
There were, however, a number of concerns raised. It was evident we needed to provide more explanation and clarity in certain areas of the policy. For example, there were comments around:
- ongoing concerns in respect of third-party co-operation
- a number of scheme-specific issues
- differing interpretations of the policy intent and our remit
In addition, owing to the legislative change and developments in the dashboards programme, some of the comments we received were no longer applicable. However, we recognise the need for clarity in response to those changes.
We have used this feedback to finalise our approach, and to clarify our final compliance and enforcement policy. These changes are explained further in the focused sections below.
As with the policy, we use the term ‘schemes’ to refer to the governing bodies of occupational pension schemes.
Comments received and how we have responded to them
Question 1
We asked:
Do you agree with the policy principles we have set out in this compliance and enforcement policy?
You said:
- Most respondents agreed with the policy principles we set out, including acknowledgement that we will be pragmatic when considering the use of our powers. However, where we see wilful or reckless non-compliance, we will take a robust enforcement approach. We also received requests to explain the extent of our pragmatism.
- The reliance on third-party providers was a concern raised. Some respondents asked for clarity on responsibilities between the schemes and third parties. Many respondents understood the importance of scheme governance. They also noted that third parties will be supporting them to comply with duties.
- With data being an ongoing concern, respondents asked for a better understanding of the data quality principle. For example, pre-1990 records being poor quality or non-existent may impact compliance.
- Some respondents also requested we have a dialogue with them during and after testing.
Our response:
We are pleased that most respondents agreed with the policy principles and that there was recognition of our principle about taking a pragmatic approach. We recognise the need for clarity around this principle and provide this with illustrative scenarios in our policy.
We will continue to engage with industry during and after testing, and support them to devise common solutions where issues arise.
While we recognise the challenges raised by respondents, the success of dashboards depends on schemes and third parties working together. Any potential liabilities will depend on the nature and circumstance of the breach and because of this, we are unable to provide a definitive list.
However, we have used case scenarios to clarify our approach to third parties that have caused a breach. We also stress the importance of good scheme governance, internal controls and audit trails.
All schemes need to have systems of governance and internal controls in line with applicable legal requirements. We have updated the final policy to reflect that good governance is important both in the run-up to duties taking effect and for ongoing compliance, with reference to our code of practice and having regard to the connection guidance.
Quality data is important not just for dashboards but for the everyday running of a scheme. We have set expectations around data quality in our code of practice and associated guidance, and will continue to work with schemes in this area.
Question 2
We asked:
Do the key risk areas, within our regulatory remit, align to your understanding of where risks may exist for the saver?
You said:
- Many respondents agreed with our proposal of where the key risks for savers might exist. For example, focusing on the impact to the saver was seen as the right approach, but with an emphasis on us being pragmatic.
- Respondents recognised the importance of quality data and how it is used for matching. They also understood the value in an achievable connection plan. All were seen as key factors to mitigate many risks.
- There were concerns with how matching may work. Respondents commented that it could cause confusion to members if only some pension information was returned. There were concerns that certain data items were not mandatory, such as National Insurance numbers. Respondents also worried that data quality could be impacted by a lack of co-operation from third parties, especially employers.
- Respondents stressed that this was a complicated initiative with new IT systems, limited resource and reliance on third parties. They also requested that integrated service providers (ISPs) and administration or software suppliers were vetted.
- There were concerns over the risks created from a perceived lack of testing opportunities.
- Some respondents said that during testing and when dashboards go live, it’s important to keep risks under review. They highlighted the uncertainty around resource and flagged it as a particular risk.
- Some respondents let us know about risks the dashboard may create for savers. This included scams, personal ID theft and fraud. They gave us suggestions as to how we should include this in our enforcement policy.
- Respondents also said there could be a risk of members not understanding the information displayed to them on dashboards, which could lead to poor decisions. They suggested we are responsible for educating savers. Respondents also said we should raise this issue with the Money and Pensions Service (MaPS) ahead of their communications to members.
Our response:
We recognise that some requirements following connection may be challenging for industry to meet during the user testing stage, and there will be developments in risk areas following testing and use of the system. We acknowledge this in our principles and commit to keeping these risks under review. We are pleased that there was agreement with most of the focus areas.
It is critical that a scheme is able to rely on its data to match a request for information to the correct person. It also needs to provide the member with this data in an accurate and timely manner. We have set out that data quality, including data controls, is an area of interest to us in the final policy. The government set out that matching policies are to be decided on by the schemes, as they are best placed to understand the data they hold. Dashboards will not mandate that users provide their National Insurance number, but they will be encouraged to do so.
We have added reference to the key risk of being unable to demonstrate how a scheme has had regard to the guidance on connection. This is due to the change in legislation and to reflect the risks of not connecting by the dates in the guidance.
We thank respondents for providing their thoughts on further risks to savers, for example the potential for scams and the importance of clear and appropriate messaging when dashboards are available to the public. We will work with partner agencies to address these risks as far as we are able to do so, within our regulatory remit.
Some of the responses requested actions that are outside of our regulatory remit. These included vetting ISPs, administrator and software providers, and addressing the lack of testing opportunities. We recognise the concern and are supporting the DWP and Pensions Dashboards Programme (PDP) to identify suitable mitigating actions and encourage schemes to connect in line with guidance to maximise their testing opportunities.
Question 3
We asked:
Does the policy provide sufficient clarity on our expectations of governing bodies (trustees and scheme managers) and third parties?
You said:
- Most respondents agreed that these were appropriate expectations from us and should be achievable for schemes already operating a good governance framework.
- A number of responses from third parties recognised their role in supporting schemes with compliance and didn’t think expectations were unachievable. However, there were comments from other respondents that stressed the difficulties they were facing with third-party providers. For instance, with employers providing data and specific challenges around additional voluntary contributions (AVCs).
- Most agreed it’s important to maintain an audit trail of due diligence and decisions made. They also said they have established systems and processes in these areas. There were, however, a small number of respondents that said audit trails were expensive. They also said this increased duties expected of trustees.
- There were a number of requests to clarify the approach to orphan schemes. This included making our expectations clear and what the process should be for administrators.
Our response:
We were pleased that most respondents felt we had provided sufficient clarity on our expectations. We were also happy to hear that these expectations had emphasised the need for administrators and the schemes to work together. In some cases, this made engagement easier.
We recognise there are still challenges with schemes and third parties working together. We have made changes to the final policy to reflect concerns raised. For example, we added explicit reference to AVC providers in the list of third parties we may use our powers against, where they are responsible for a breach by the schemes. To address comments around roles and duties and working with providers, we updated our guidance in March 2023. We will also keep the guidance under review.
In response to the change in the legislative framework, we have added that we expect schemes to be able to demonstrate how they have 'had regard' to the guidance on connection.
We have updated the policy to make direct reference to the code of practice which was not yet in force when we consulted.
We acknowledge the challenges of dashboards for providers with orphan schemes. The policy intent of dashboards is to enable savers to be better informed of their pension. This also gives members of orphan schemes an opportunity to engage with their savings and contact the providers. It would not be appropriate for us to address the challenges for orphan schemes as part of the compliance and enforcement policy. We are, however, inviting providers of orphan schemes to work with us proactively on required technical aspects.
Question 4
We asked:
Does the policy provide sufficient clarity on how we will monitor compliance?
You said:
- The majority of respondents agreed that the policy gave sufficient clarity on how we would monitor compliance. Many comments agreed with our focus on wilful or reckless non-compliance. However, there were also requests for reassurance that this is how it will be applied in practice.
- Many respondents understood we will monitor compliance using data from dashboards which will enable us to identify breaches, trends and any continuous failures. Additionally, we may also carry out thematic reviews and can use existing powers such as information gathering exercises.
- However, some respondents requested information about timescales and expectations in this area.
- Where respondents disagreed with the level of clarity we gave, this was mainly around data quality. Alongside this was a request for more information as to how this would be assessed. For example, some respondents requested that we establish an expectation on matching rates. There were requests for more clarity on triggers and how this will work in practice. This included how we would approach breach of law reports.
- Though it was agreed our policy gave clarity on our approach, there was also a request for clarification on the connection process. There was also a request for clarity on how things will work in general. This included how information will be provided by any pensions dashboard other than MaPS.
- Some respondents raised concerns around information breaches. They also asked what happens if data is returned to the wrong person, including a request for details on how this is reported.
- There was a suggestion to have a dashboards forum, open to everyone involved in dashboards, as a place to discuss any issues and help with consistency.
Our response:
We would like to thank respondents for their useful suggestions on how we may give more clarity on how we will monitor compliance. We have updated examples of dashboard breaches in the final policy. It shows how schemes and providers can use the existing ‘breach of law’ approach (traffic light system) to report breaches to us and what our actions might be.
We were pleased that many respondents understood the different ways we can monitor compliance. This included using thematic reviews and our existing regulatory powers and initiatives. The regular data we will receive from dashboards includes the information from qualifying pension dashboard services.
Since the consultation, there have been developments with the build of the dashboard, and we commit to keeping our approach under review. We will be following the lessons that can be learnt through testing the system. Through our guidance, we will give more information on how things will work in practice when they are available, for example on the connection process and user journey.
There were requests for us to give a benchmark for matching rates, but it would not be appropriate for us to do so at this time. This is because it depends on the data quality of each scheme. We do, however, expect schemes to perform matching to the best of their ability, including using partial matches. We will investigate concerning trends and expect schemes to explain these to us. We will also be expecting actions to be taken following their data improvement plans. We commit to reviewing whether benchmarking would be helpful and deliverable, in light of best practice, once dashboards are up and running.
There were a small number of questions on the process of monitoring a data breach. We think this is adequately addressed where we explain how we will work with the Information Commissioner’s Office. There are existing obligations when it comes to a breach of law, and we have stated in the policy that schemes should follow the existing reporting expectations set out in our code of practice.
Question 5
We asked:
Does the policy provide sufficient clarity on our approach to non-compliance?
You said:
- Most responses said there was clarity on how we will approach non-compliance. Many respondents were encouraged by the focus on wilful and reckless non-compliance. They also felt reassured by our approach being decided for each individual case.
- Respondents agreed with the risk-based approach and that outcomes should focus on the best experience for the saver, for example that data is provided accurately.
- A number of respondents found the scenarios helpful to show the principles of our approach. But there were requests for more specific examples and to show a consistency of approach when applying this to real life, for example around multiple breaches and circumstances outside of the scheme’s control.
- Some respondents indicated that the approach focused too much on enforcement and that there was more clarity needed around encouraging compliance.
- Respondents agreed with the approach in principle, but also wanted us to test-and-learn, and to adapt our approach based on this experience.
Our response:
We are encouraged that most respondents agreed that we were clear in our approach. This was supported by comments regarding our focus on wilful non-compliance and that we’ll use our discretion. We acknowledge the request for further information on our approach to where there might be multiple breaches, but stress that matters like this will be dealt with on a case-by-case basis. We reiterate that we are committed to being pragmatic in our approach to compliance. We would also respond based on the nature and circumstance of the breaches. We highlight the need for schemes to be able to demonstrate they have a system of governance and internal controls. They must also provide transparency around issues that may occur.
Many respondents agreed in principle, but did not give full agreement until there was more information about how matters would work in practice. We appreciate that since the consultation there has been a change to legislation. We continue to encourage compliance, write to relevant schemes and update our guidance. We invite schemes to stay engaged with this guidance.
Question 6
We asked:
Does the policy provide sufficient clarity on the elements we may take into consideration?
You said:
- Many respondents agreed that the policy provided sufficient clarity and recognised this is not an exhaustive list.
- There was disagreement on this question, with respondents highlighting their existing obligations to protect people’s data. Respondents highlighted the challenges of balancing this with dashboards compliance. They requested that we take this into account when considering non-compliance.
- A number of respondents suggested we consider how bullet points of considerations are written. For example, it appeared that the number of members was more of a priority than the context of the breach, conflicting with earlier messaging.
- Some respondents asked for more information once we learn how dashboards perform in practice. This includes being updated when we gain a clearer view on non-compliance.
Our response:
We thank respondents for letting us know their challenges and for suggesting how we can be clearer about our considerations. We are pleased that respondents recognise that this was not an exhaustive list of elements we may take into consideration. We accept feedback that these might have been seen in an order of priority and we have addressed this in small changes to the policy, stating that they are not listed in order of priority. We’d like to make it clear that we would not assess these considerations without looking at the context of the case. This includes us looking at risk factors and underlying causes, as well as impacts to members.
Dashboards legislation has been designed to be consistent with existing data protection obligations. While we do not envisage that conflicts will arise in practice, we will continue to work with industry to identify and resolve any issues which may arise.
To reflect changes to legislation, we have added reference to our focus for schemes to have had regard to the DWP’s guidance on the staged connection. They must also keep related audit trails. This includes their decision-making process, risk elements considered, and monitoring progress of these plans.
Question 7
We asked:
Does the policy provide sufficient clarity on the regulatory options and powers available to us?
You said:
- Most respondents felt that the policy provided clarity on the options and powers available to us, but also added comments on how these would be applied in practice.
- Some respondents asked for clarity that, if we impose any financial penalties, the cost cannot be passed on to schemes, including any trustee indemnities.
- There was a request for more information on how regulatory powers would be applied to third parties.
- Most comments said that the options and powers available to us seemed clear, but respondents were also interested to see how they are used once dashboards go live.
Our response:
We are pleased that the policy provided clarity on the range of regulatory options available to us, including new and existing powers. Based on these responses, and given that the legislative amendment has not changed our regulatory options, we will not be making changes to this section of the policy. However, we will respond to a few of the comments and questions.
- Our regulatory remit applies to schemes based in the UK. We have the option of using third-party powers if an error or omission by the third party has caused the trustee to be in breach of their duties.
- In response to questions around financial penalty costs being passed to the scheme, the government introduced the Pensions Dashboards (Prohibition of Indemnification) Act 2023. This makes it a criminal offence for pension scheme trustees or managers to be reimbursed, either directly or for example by purchase of an indemnity policy, using the assets of the pension scheme for penalties imposed under the dashboards regulations.
Question 8
We asked:
Do the scenarios we have included help with your understanding of our approach to compliance and enforcement? Are there others we can include to provide clarity?
You said:
- There were many comments that said it was very helpful to have case scenarios. Respondents asked us to consider updating these based on our experience with dashboards up and running.
- Most respondents said that the case scenarios were a helpful addition to the policy and that they provided good context as to how the policy may be put into practice. However, a number of respondents said that these were simple scenarios, and in reality there would be many more considerations to take into account.
- The majority of respondents understood that the compliance scenarios were only examples and that it could not be a complete list. A number of respondents, however, wanted reassurance that we would remain pragmatic in real-life circumstances.
- There were many requests for scenarios to explore, some with general concerns and others with scheme-specific issues.
Our response:
We are pleased that many respondents found the scenarios helpful to understand the policy intent. We appreciate that some respondents may be cautious of how the policy may work in practice. However, the intention of the scenarios is to show the behaviours considered on a high-level basis, while looking at the context of a breach. We commit to reviewing the scenarios as part of the policy review.
We are grateful for the many suggestions of more scenarios to look at. We have responded to this with updates to the final policy.
Question 9
We asked:
Are there any aspects of our expectations that you think would discriminate against, disadvantage or present an additional or exceptional challenge to anyone with a protected characteristic?
You said:
- Concerns were raised that there could be age discrimination, and that the definition of a member in the regulations could leave out certain benefits.
- Potential issues were raised about the use of a binary matching system. For example, not showing possible matches could disadvantage groups. There were also questions around inclusion and that spelling mistakes could be more likely.
- Respondents highlighted it will be important for us to carefully monitor proposals once dashboards are live. We should also take action if any risks are identified.
- It will be important to share feedback once savers access pensions dashboards. This is so we and industry can quickly respond if we are aware of such discrimination.
- Respondents identified that users without access to the internet may have challenges with information not being immediately available, for example possible matches or a wait time for value data.
- Issues were raised around the ability of the public to understand the information being displayed to them.
Our response:
We are grateful for the thoughtful responses to this question. Some of the issues identified, while important, were outside of the scope of the compliance and enforcement policy. This included, for example, points around legal definitions, matching requirements, and potential discrimination of those without access to the internet or an understanding of technology.
We fully take on board the suggestion for us to keep any impacts under review and will endeavour to take action if any adverse impact is identified on groups with protected characteristics, as well as informing the DWP of any issues identified.
We recognise the arguments for proper member education on the provision of dashboards, how to use them and what to use them for, and we will take this into consideration in our future work.
Question 10
We asked:
Do you have any other comments on our draft compliance and enforcement policy?
You said:
- Respondents requested more information around saver complaints and how to filter or signpost these.
- Some respondents were surprised at a lack of comments on cyber security/scams/fraud.
- Regarding matching, many respondents raised concerns that their data will not be in a good place (and possibly never will be) and the impact this will have on compliance. There were requests for us to set out a framework or a ‘bar’ in terms of acceptable matching rates, based on scheme type and size.
- Some respondents stressed that it was crucial that there is a strong but also cohesive approach across regulators and other bodies involved in delivering dashboards. There was some feeling that, at that moment, it was very light.
- Concerns regarding third parties were raised throughout the responses but reiterated for this question. Some schemes would welcome targeted communications to providers, administrators, employers etc.
- In general, there was support for the vision and purpose of dashboards, but stressing that a pragmatic approach is required from us.
- Finally, there were a small number of comments that the overall scope of the dashboards project is unachievable.
Our response:
We found that most responses to this question had been raised elsewhere in the consultation. However, we recognise that this is likely to be because of the strength of concerns about the topics raised, for example around reliance on third parties and the achievability of data quality. Our position on these issues is set out in the relevant sections above.
We are pleased to see that most comments were based on the user experience, such as routes for complaints and issue resolution. This is an important aspect of dashboards, which will be informed by ongoing user testing work on this topic, which we are working closely on with PDP and the DWP.
Additionally, we are grateful for the number of concerns raised around the potential for scams and fraudulent activity, along with the importance of cyber security. The security of members’ data, their benefits, and wider wellbeing has been a core concern in developing pensions dashboards and we will continue to work with our key stakeholders regarding these issues. We will keep industry updated on any key messages through our guidance.
Finally, we recognise the request for us to be pragmatic in our approach to compliance, and we would reiterate that we do recognise the challenges to industry and will use our discretion, focusing on wilful or reckless non-compliance.
There were a small number of comments that suggested compliance with the requirements for pensions dashboards was simply unachievable, which was disappointing. The dashboards initiative was introduced by the government to enable savers to have a better understanding of their income at retirement, have better access to planning, and to reunite them with their lost pots. We are pleased that most respondents recognised the benefits this will have for their members, and the active considerations and efforts being made to achieve this.
Appendix: List of respondents to the consultation
We received 48 responses in total. 31 of the respondents gave their consent to be listed, with 17 either requesting confidentiality or not specifying consent at all.
- Alstom
- Aon
- Aviva
- BT Pension Scheme Management
- Church of England Pensions Board
- Civica
- David Downes
- Gary Edward Saunders
- Hampshire County Council
- Jeremy Hall
- Local Government Association (LGA) and the Local Government Pensions Committee (LGPC) in respect of the Local Government Pension Scheme (LGPS) in England & Wales
- Mark Bishop
- Mercer
- NatWest Pension Fund
- NEST Corporation
- NHS Business Services Authority
- Pensions Administration Standards Association
- Pensions and Lifetime Savings Association
- People’s Partnership
- PMC Pension Trustees
- Qualter Hall & Company Limited
- Railpen Limited and Railways Pension Trustee Company Limited
- Scottish Widows
- Sean Kelly
- Smart Pension Limited
- Stephen Walker
- The Association of British Insurers
- The Association of Pension Lawyers
- The Investing and Saving Alliance
- The Society of Pension Professionals
- West Yorkshire Pension Fund
- Willis Towers Watson
- XPS Administration