Pensions dashboards compliance and enforcement policy

About this policy

Introduction

We are responsible for the compliance and enforcement of occupational pension schemes in respect of their duties under the Pensions Dashboards Regulations 2022 and the Pensions Dashboards (No. 2) Regulations (Northern Ireland) 2023.

This document sets out our policy for compliance and enforcement of these duties.

This policy sits alongside other relevant policies and procedures including our:

Pensions dashboards are digital services – applications (apps), websites or other tools that savers will be able to use to see their pension information in one place.

Part 3 of the Pensions Dashboards Regulations 2022 sets out duties for certain trustees and scheme managers to enable dashboards to function.

You can find out more about the duties and who they apply to in pensions dashboards: initial guidance.

Who this policy is for

This policy is aimed at governing bodies (trustees and managers) of occupational pension schemes in respect of their duties under the Pensions Dashboards Regulations 2022, and corresponding regulations for Northern Ireland. In this document we use the term ‘schemes’ to refer to the governing bodies of occupational pension schemes.

To connect to dashboards, schemes will rely on third parties such as employers, administrators and integrated service providers (ISPs). The legislation includes powers for us to pursue these third parties where we are of the opinion that they have caused the scheme, wholly or partly, to be in breach of the dashboards regulations. Therefore, this policy is also aimed at them. The Financial Conduct Authority (FCA) has made rules for the compliance of FCA-regulated pension providers with their separate obligations for dashboards. These rules concern personal and stakeholder pension schemes, which are not in scope of this policy. We address how we work with other regulators later in this policy.

Policy principles

In no order of priority, our approach is driven by the following principles.

  • We are risk-based and proportionate, targeting our resources according to the level of risk and intervening only to the extent necessary to address the harm or reduce the risk.
  • We are focused on outcomes for savers. We aim to maximise compliance with duties so that savers can get a full and accurate picture of their pensions.
  • We recognise that delivering pensions dashboards is a huge challenge for industry. We will be clear in our expectations and provide tools and education to help people meet their duties. We will take a pragmatic approach to compliance and will work with schemes to reach the best outcome for the saver. However, where we see wilful or reckless non-compliance, we will take a robust enforcement approach.
  • We believe that industry is best placed to devise common solutions and we will support them in doing so. We will work with industry to resolve issues as they arise.
  • We will focus on the quality of the data held by schemes, as the success of dashboards relies on the quality of this data, both in terms of finding savers and making sure that savers can trust the information presented to them.
  • We will also focus on the governance of schemes, as robust internal governance is key for initial and ongoing compliance. This will enable the scheme to identify issues and risks early and put in place mitigations accordingly.
  • We acknowledge that schemes will be highly dependent on third parties to comply with their duties, and we will use our powers against these third parties where it is necessary to do so.
  • We will monitor the effectiveness of our regulatory interventions and adapt them in light of the lessons we learn.

Key risk areas we will focus on

In monitoring compliance and taking action, we will focus on the behaviours or breaches we think pose the greatest risk to savers’ abilities to receive a complete and accurate picture of their pensions, and therefore make appropriate decisions.

This section sets out areas of interest to us. However, it is not an exhaustive list and we will continue to monitor and take action in other areas. Schemes should consider how they may mitigate these risks and ensure they have robust internal mechanisms to detect and deal with any that may become known.

Schemes' connection to the Money and Pensions Service (MaPS) is necessary for savers to be able to find and view all their pensions. We will focus strongly on connection compliance including, but not limited to, the:

  • scheme not connecting by the connection deadline
  • governing body being unable to demonstrate they have regard to the guidance on connection
  • scheme failing to fully connect or remain connected to dashboards in line with the regulations and MaPS' standards

Once connected, schemes will need to find savers and return data as expected. It is critical that schemes connect the right pensions to the right saver. We will take an interest where a scheme is failing to find a pension for a saver when they should (failing to return a match made or a possible match), and when a scheme returns data to the wrong saver.

When a member has been found, they need to be confident that the data returned to them is accurate. We will be particularly interested where schemes fail to provide data in line with legal requirements, and where the value provided is not sufficiently recent.

Good quality data and data controls are vital to ensure schemes comply with these duties.

Compliance with regulations

What we expect

We expect that governing bodies will have read, considered and implemented our guidance where appropriate, as well as standards and guidance issued by the Department for Work and Pensions (DWP) and MaPS from time to time. They may also wish to consider industry guidance regarding good practice.

All schemes need to have systems of governance and internal controls in line with applicable legal requirements. Our expectations on this are set out in our code of practice. This includes but is not limited to the following.

  • Keeping records about any decisions taken by the scheme, including related advice or information received.
  • Having a risk management function in place, including identifying, evaluating and recording risks, with appropriate internal controls to mitigate the key risks and monitor them.
  • Having appropriate controls when selecting, appointing and managing service providers, including any substantial change, such as a change of administrator.
  • Reviewing and assessing the quality of their data from multiple dimensions and putting adequate controls around them for continuous improvement.
  • Having processes in place to identify breaches of the law and if necessary, reporting them to us.

We expect schemes to keep clear audit trails of how they took steps to prepare to comply with these duties. This includes monitoring their progress and success, keeping a record of compliance as set out in MaPS’ reporting standards and keeping a record of actions taken to resolve any issues, such as communications with third parties. We expect them to keep records of their matching policy and the steps taken to improve their data. These records will help give us a rounded and transparent view of their efforts to comply with legislation.

We expect third parties to help and support schemes in meeting their duties appropriately. This includes employers and additional voluntary contribution (AVC) providers providing schemes with the required information to enable them to perform their duties.

How we will monitor compliance

We will use multiple sources of evidence to monitor and identify the risk of non-compliance.

We will receive regular data from the dashboards system run by MaPS. This will include data captured by the system itself (for example the connection status of schemes), data sent through dashboard services to the system, and data sent by schemes to the system (as per reporting standards), which will flow through to us.

This data will help us identify breaches (such as failing to connect by the deadline), look at trends across the landscape (for example in schemes all using the same third-party provider), and whether the same scheme fails to meet MaPS’ service levels repeatedly. In some cases, the data will flag where there is a potential risk for us to explore further (for example if a scheme does not return the number of matches we might expect from a scheme of that size).

We may request additional information from schemes where we identify concerns or where we are looking to identify best practice. This includes gathering information on a number of schemes on a thematic basis, for example through a thematic review.

Existing duties around breach of law reports continue to apply, and schemes should follow the existing reporting expectations as set out in our code of practice. We may also gather information through whistleblowing reports, supervisory engagement with schemes and through our regulatory partners.

Our approach to non-compliance

Where there has been a breach or suspected breach of legislation, we will consider if an investigation is appropriate and, if necessary, take regulatory action (including enforcement). We have discretion over our approach in respect of action on compliance with dashboard regulations and we will consider, on balance, any action we may take against the outcomes we may achieve.

Throughout the course of an investigation or regulatory action, we will adopt a risk-based and proportionate approach to enforcing the law, considering the circumstances and context of each case.

We may seek information, documentation or an explanation from schemes or any other person, including a third party, if we believe they may be in possession of relevant information or documents. We may use our existing information gathering powers where applicable, and we will gather evidence in a reasonable and proportionate way in pursuit of our functions. See scheme management enforcement policy for an overview of our approach.

We provide a number of scenarios in the appendix to illustrate how our approach might work in practice.

Elements we may consider

We will consider a range of factors before deciding whether regulatory action is necessary. These factors may include, but are not limited to (and in no order of priority):

  • the nature and scale of the impact on the member(s)
  • the number of members affected
  • whether a breach is the result of wilful or reckless non-compliance, or if there are circumstances outside the scheme’s control
  • whether prompt and effective action is taken to investigate and correct the breach and its causes
  • a scheme’s compliance history and the duration of any breaches
  • consideration of the DWP’s, MaPS’ and our guidance, and management of any applicable risks
  • their openness and co-operation with us

Our regulatory options

Compliance notices

For any instance of non-compliance with the regulations, we will have the option to issue a compliance notice to the trustees or managers of occupational pension schemes.

The purpose of a compliance notice is to remedy non-compliance and, where appropriate, avoid repeating it. It is a legal notice where we require the trustees or managers to take, or refrain from taking, specific steps in the notice. We will explain in the notice which breach in our opinion has occurred, the evidence we used to come to this conclusion, and we may include a timeframe in which we expect schemes to comply. We may also require the trustees or managers to provide us with information relating to the breach, or to keep us informed of how they are complying with the notice.

We have a similar power available to us to issue a compliance notice to a third party (a ‘third-party compliance notice’), where we consider that they have caused a trustee or manager, wholly or partly, to breach the legislation.

Penalty notices

We will be able to issue a penalty notice to a trustee or scheme manager where they breach the regulations or fail to comply with a compliance notice. We can also issue penalties to third parties where they have failed to comply with a third-party compliance notice. We can issue penalty notices on an individual liability basis. This means we can issue penalty notices to some of the trustees but not all, for example if a breach took place prior to a trustee joining the board.

Where we issue a penalty notice, the amount of the penalty will be set in line with our existing monetary penalties policy. Each penalty can be up to £5,000 for an individual and up to £50,000 in other cases (for example a corporate trustee). In the event of continued non-compliance, we can issue another penalty notice.

We can include more than one penalty at a time. In some cases, we may be able to issue penalties for a number of breaches simultaneously (for example where a scheme failed to match or respond to requests for data for several members). In these cases, we will also consider the total amount of penalty issued in light of the circumstances of the breaches and the impact they have had.

Our existing powers may also be used, including statutory information requests (section 72 of the Pensions Act 2004) and the power to suspend, prohibit or appoint a trustee (sections 3-9 of the Pensions Act 1995). Where we uncover wider issues such as failures of governance and internal controls, we may open a separate case under our existing compliance policies.

Challenging enforcement action

The recipient of any notice that falls under the Pensions Dashboards Regulations 2022 may make a written application for us to review it within 28 days.

Following a review, or if we decide not to carry out a review, the recipient can appeal to the First-Tier Tribunal or Upper Tribunal depending on the Tribunal Procedure Rules. You can obtain further information on the appeal process from the Tribunal’s website.

Working with partner agencies and regulators

Money and Pensions Service (MaPS)

MaPS, through its Pensions Dashboard Programme (PDP), has put in place the pensions dashboards technological infrastructure and governance framework. The PDP is responsible for issuing standards, specifications and technical requirements which set out how schemes must connect to the system and operate when connected.

MaPS will send us data from the system to assist us in performing our compliance and enforcement functions. We may also request information from MaPS, for example to support an investigation.

We will share data with MaPS to enable them to undertake scheme connections and where it is relevant to MaPS' oversight of the healthy functioning of the pensions dashboards system overall.

Financial Conduct Authority (FCA)

We regulate the compliance of governing bodies of occupational pension schemes as set out in the dashboards regulations. The FCA has similar rules for the compliance of the providers of personal and stakeholder pension schemes.

Many parties operate in both the occupational and personal pension areas. For example, an FCA-regulated personal pension provider may also operate a master trust (regulated by us). So, to the extent permitted by law, TPR and the FCA may exchange information where it is of interest to the other party, for example if issues in one regulatory area indicate issues in the other.

Such parties may end up breaching both the FCA rules and the regulations. This could be by failing to connect the personal pension schemes they operate and their master trust by the deadlines. These are independent breaches and can be regulated independently by us and the FCA. Where appropriate, we may share information on investigations with the FCA and discuss the steps we propose to take.

Information Commissioner's Office (ICO)

The ICO is the cross-sectoral regulator for data protection legislation. This includes regulating the compliance of trustees and scheme managers (as data controllers) and their service providers (as data processors). We therefore share a common interest in the controls put in place by schemes to ensure data is accurate and used appropriately, and in cases where we become aware of data breaches (for example where someone’s data is sent to the wrong person).

Both TPR and the ICO are risk-based regulators, targeting action where we perceive the greatest risk to savers. We both use our enforcement powers only when it is required and always in a proportionate way.

We work with the ICO and we may share information as and when necessary, in the pursuit of our different functions. There may be areas in which we have complementary functions and powers. We will endeavour to ensure that in these cases, the most appropriate body or bodies lead investigations and regulatory action. We will be proportionate in our regulatory approach and take the ICO’s actions into account as appropriate.

Publishing information

We put great emphasis on preventive actions, providing guidance, and encouraging and building good practice in collaboration with those we regulate. We believe that publishing the outcomes of our enforcement activity helps to improve standards and drive good saver outcomes by raising awareness of both good and poor practices.

We may publish reports of our enforcement activities and issue publications or press releases to raise awareness of our expectations, to provide education, and to serve as a deterrent.

A decision to publish a report about our considerations is taken on a case-by-case basis in line with our publication policy in the essential guide to how we publish information about cases.

Reviews and updates to this policy

We will regularly review this policy and update it as required, including taking into account our regulatory experience. We will consult on any substantive changes to the policy.

Appendix: Scenarios

These scenarios are illustrative. They should not be taken as a definitive indicator of the action we will take. Each case will be dealt with on an individual basis.

Missing the connection deadline

Scheme A and scheme B have missed the connection deadline of 31 October 2026.

Scheme A reported the breach to us on 31 October 2026. They have already contacted us and the PDP to confirm they were in the process of buyout and all members were due to be bought out by an insurer by early October 2026. The process is nearly complete, but they are still waiting for a small number of members who have been traced and chased to sign off contracts. This is expected to be resolved in the next few weeks, and they have provided their audit trails of communication with these members.

Action: We do not proceed with issuing a compliance notice, as the scheme is able to demonstrate that they have a workable plan in place to complete the buyout process in a reasonable amount of time.

We receive a system notification that scheme B failed to connect by the connection deadline and did not report this breach to us. We issue a compliance notice to the trustees of scheme B. The trustees reach out to us and explain that they were unable to find an ISP to support them with connection. Upon investigation, the trustees are unable to demonstrate how they took the steps to prepare for their duties and their attempts to secure connection to the system appear to have started a month before the deadline. They are unable to evidence their decision-making process, or an effective system of governance.

Action: We issue the trustees with a penalty for the breach and open a governance case, as we are concerned that the trustees don’t have effective internal controls or the right level of knowledge and understanding to run a scheme.

Failure to maintain connection

Scheme C and scheme D have not met the ongoing connection requirement.

Scheme C had one instance of an unexpected disconnection that lasted for several days longer than the requirements set out in MaPS’ Code of Connection. This was due to a stand-alone IT issue which was resolved promptly, as the trustees and IT provider worked together to quickly identify the root cause and provide mitigations against future issues. There is no history or pattern of similar issues for this scheme. The trustee notified MaPS of the outage and reported the breach to us. The trustees and provider were able to provide us with evidence of lessons learned and resulting updates to their processes.

Action: We do not proceed with a compliance notice as this would not achieve anything further. The trustee has assurances that the issue has been resolved and it is clear they have robust internal controls.

Scheme D has been disconnected repeatedly. The trustees of scheme D have made regular contact with the ISP to find out more details about the IT issue. They have asked for timescales for resolving the problem, but the ISP has not been responsive. The trustees report this breach to us and provide a message to savers on the scheme’s website. They also ensure that the scheme administrator is aware and prepared for saver queries. Upon investigation, we determine that this issue affects a number of schemes, all using the same ISP. We seek to engage with the ISP to identify the scale of the issue but there is little co-operation.

Action: We issue a third-party compliance notice to the ISP relating to each scheme we have identified as impacted. We take no action in respect of the trustees of scheme D as we are satisfied that they tried to resolve the issue and mitigate the risk to their members as much as they could.

Failing to match savers to their pensions

Scheme E and scheme F do not return any possible matches to their find requests.

While pensions dashboards are still in user testing, scheme E sets a tight matching policy, as their administrator advised they would be unable to handle the volume of queries arising from ‘possible matches’ due to limited resource. This is caused by large data gaps in members’ first names and National Insurance numbers. The administrator has already put in place an improvement plan for these data gaps, but one large employer has not been providing the information they need, despite repeated attempts to engage. As not matching savers is a breach, the trustees reported this breach to us. Upon investigation, the employer is unable to provide a reasonable explanation for this to us.

Action: We issue a third-party compliance notice to the employer to provide the data set out in their legal obligations, which is needed by the scheme. We follow up with the trustees of scheme E to ensure that the matching policy is reviewed once the issue is resolved and monitor the volumes of possible matches to confirm.

Trend analysis of the system data over several months after public launch identified that scheme F does not seem to have returned any possible matches. We investigate and confirm that the scheme is using a binary matching policy, which does not allow for possible matches – only full matches. The trustees are unable to provide any explanation as to why they are only allowing for full matches.

Action: As not matching savers is a breach, and their binary matching policy might be causing this to happen, we issue scheme F with a compliance notice for the scheme to review its matching policy to ensure it is appropriate.

Failure to return value data appropriately

Scheme G and scheme H receive a high number of complaints that the time taken to return the value data is longer than the maximum 3 or 10 days (the number of days set is dependent on the type of scheme).

Scheme G is aware that the value data was provided out of time and reported this breach to us. The delay was because the actuary had to perform additional calculations to make sure the information they gave was accurate. This is because members have a non-standard benefit structure. Scheme G reaches out to these members to explain the delay and uses the appropriate flags available on dashboards. The scheme also provides the information to members as soon as they can. The trustee is actively working to improve response times for other savers in a similar position, by performing revaluations.

Action: We inform the trustee that we will keep this under review, as the members have been provided with the information as soon as possible. The scheme reached out to them, and the trustee is working to improve the times they can provide data in future. We notice a reduction in the number of complaints because of these improvements and take no further action.

We reach out to scheme H as we are concerned about a pattern of complaints and missing value information which is reported to us through the system. We have not received any reporting from the scheme. Upon investigation, the scheme is found to have large amounts of out-of-date data. Instead of putting in place a plan to improve the data or systems to automate calculations, they decided to deliver value ‘on demand’, but they underestimated demand and are not able to process queries in time. In addition, there is a history of issues with compliance for this scheme.

Action: We open a governance case to investigate the scheme’s data, internal controls and what more they could be doing.

Alerts following errors in data fields

Scheme I and scheme J experience a high number of error codes in the fields of data being returned to members. We contact the schemes for an explanation on the number of system alerts.

Scheme I responds promptly as their internal controls already alerted them to this issue and they had been preparing to report to us with their remediation actions. The scheme has investigated the source, which is due to an error in their system where codes have mis-matched. They have spoken to their IT supplier and seek assurances that this error will be corrected.

Action: We take no further action for the scheme as this would not achieve anything further. Scheme I has taken reasonable steps to resolve the issue.

The trustees of scheme J are unaware of the extent of the issue and claim that their ISP is responsible for this. The ISP has already reported the system failure to us as it affected a number of schemes. The ISP also confirmed that they reported the issue to affected trustees and offered to work with trustees to solve the issue. Although many other affected schemes have worked with the ISP and rectified this problem, scheme J has not taken any actions yet. We also find that the trustees do not have procedures in place to monitor reports from the system or their providers.

Action: We monitor the situation with the ISP and impacted schemes, and as the error is corrected promptly, we do not proceed with further actions for them. We open a governance case against the trustees of scheme J as we are concerned that the trustees don’t have effective internal controls or the right level of knowledge and understanding to run a scheme.