Skip to main content

Your browser is out of date, and unable to use many of the features of this website

Please upgrade your browser.

Ignore

This website requires cookies. Your browser currently has cookies disabled.

Set your privacy preferences

We use necessary cookies to make our website work. Cookies are small files stored on your device. We also use optional cookies to improve our services and tell us if you have seen our advertising. The data we collect is anonymised. Are you happy to accept these cookies?

Guide to completing the systems and processes questionnaire

Published: October 2018

Last updated: May 2024

30 May 2024

Made minor amends and merged in 'Additional systems and processes guidance for new master trusts' PDF.

Using this guide

This guide is for those filling in our systems and processes questionnaire (DOC, 785KB, 51 pages) for master trust authorisation. The applicant will be the scheme trustee.

This guide will help you understand what evidence is more likely to satisfy us that your master trust has adequate systems and processes in place and will run effectively. You should refer to this guide when completing our systems and processes questionnaire.

Completing your application: systems and processes

When applying for authorisation, and throughout supervision, you're legally required to demonstrate and evidence how your master trust meets the systems and processes requirements set out in Schedule 4 of the Occupational Pension Scheme (Master Trust) Regulations 2018 (‘the Regulations’) and our Code of practice 15: Authorisation and supervision of master trusts (‘the code’).

These requirements reflect our expectations of any well-run scheme. Master trusts should be able to provide evidence that systems and governance processes meet these requirements.

In the questionnaire, you should provide clear, detailed explanations of how your scheme meets each of the requirements. You should support your answers with indexed documents and specify which sections, pages or paragraphs of these documents are relevant to each requirement.

Completing the systems and processes questionnaire

Using the questionnaire, you should describe how your master trust meets each of the requirements laid out in our code. Make sure you highlight specific evidence supporting your response to each question. 

The questionnaire will help you:

  • identify the specific requirements that need to be met
  • describe how your master trust meets that requirement
  • create an index referencing the specific sections (pages, paragraphs, sentences) of your supporting evidence, which relate to each specific requirement
  • explain how any control objectives tested in independent external assessment reports are relevant to evidence against certain requirements

The answers and evidence submitted as part of an application must be clear, relevant and user-friendly (for example, by using highlighting, tabs, and cross-referencing).

We will not be able to assess whether and how you meet the requirements unless we can answer the following questions against each requirement.

  • Does the system functionality exist?
  • How does it work?
  • How is it reviewed and monitored by the trustees to ensure it is effective over time?

The role of assurance, accreditation and other independent external assessments

The ability to demonstrate that a robust and independent external assessment has been carried out with a sufficient degree of scrutiny will greatly improve the strength of evidence in an application. This is not a mandatory requirement. However, any in-house analysis, such as internal audit processes, will be expected to demonstrate an equivalent level of robustness and scrutiny.

For certain requirements, we prefer that you have an independent external assessment in place. This external assessment should have tested the existence and effectiveness of the IT system requirements, and administration and governance processes. In our questionnaire, we've indicated the specific requirements where our preference is for an independent external assessment to have been carried out.

If external assurance reports are submitted that use a Type 1 and Type 2 approach (for example, master trust assurance), these should have been conducted as a Type 2 report as these assess the operational effectiveness of the controls, in addition to the controls which have been put in place.

Where evidence of independent external assessment is submitted, ideally the report should have been signed off by the trustees and reporting accountant within six months of the application date. If this is not possible the accompanying narrative should set out any changes or issues that have occurred since the report and actions that have been taken where issues were raised.

We especially want to understand how trustees are comfortable that nothing adverse has happened since the report was signed off. We'll consider reports as part of a suite of evidence - you may wish to provide an update from a reporting accountant or an appropriately qualified person from the service provider where a report is more than six months old.

If any significant changes or material failures have occurred since a report was produced, for example a change of administrator or IT system, we expect you to provide us:

  • an updated report
  • a bespoke review against agreed upon procedures
  • an explanation of any alternative work that has been undertaken to give the trustees comfort on their systems and processes

Our understanding is that the frequency of other forms of assessment varies (ISO reviews are typically carried out every three years, for example). However, we expect these to be treated in the same way if the significant change or material failure has occurred which affects the results of the review.

We're aware of various forms of independent external assessments available to and used by master trusts. These include:

  • assurance testing, such as AAF 01/20 and the master trust assurance framework
  • quality standards, such as ISO assessments of IT security and delivery
  • accreditations, such as those offered by the Pensions Administration Standards Association and the Pensions Quality Mark (PQM Ready)

The scope of any such review is not standardised but is defined by the entity being assessed. For example, control objectives can be removed by trustees from the scope of a master trust assurance assessment and report. Similarly, the scope of an ISO 27001 assessment is agreed before a review is carried out and therefore may vary between master trusts. Trustees in receipt of an AAF 01/20 report from their scheme administrator might find that some, or all, of their master trust arrangements or processes are not within the scope of the report.

Additionally, we’ve noted that the depth and quality of the methodologies used in assessing against these standards can also differ greatly. We’ve seen examples where reporting accountants reviewing against the same control objective have generated vastly different levels of useful evidence, depending on their methodology. Therefore, we have not stated which independent external assessment framework would apply to our requirements.

You may wish to take advice on how far any existing assurance or accreditation supports your application for authorisation from the individual or organisation that carried out the assessment. For example, if you (or your third-party administrator) have been subject to AAF 01/20, your reporting accountant would be able to provide you with a view on whether the external assessment demonstrates that the requirements are met, or whether supplementary material is needed.

In relation to any independent external assessment report, we'll want to understand the methodology used by the assessor to carry out the review against each standard or control objective (this is a standardised approach to an AAF report, for example). We also need to understand what evidence the assessor is relying on in carrying out the review and coming to their conclusion.

Assurance reports will normally include a series of control objectives against which the reporting accountant (or other type of assessor) will assess your scheme, processes and systems. The objectives may not match the specific requirements laid out in the code. However, there may be overlap between certain control objectives and the requirements (either in the control objective itself, or in what has been assessed by the reporting accountant).

Where this is the case, it is imperative that you describe in your questionnaire how the control objective is relevant to the requirement. Use your written answers to detail how your master trust meets that requirement.

We’ve included a table in our questionnaire against each relevant requirement for you to provide evidence for how the cited control objectives support your written answer. 

Master trust assurance

If you've been through the master trust assurance framework process (AAF 05/20), you will not automatically satisfy us that your systems and processes are sufficient to run your scheme effectively.

However, we've liaised with a significant part of the market that has been through the master trust assurance framework process. We believe schemes that have been through this assessment are in a much better position to provide the evidence required than those who haven’t. Those who have master trust assurance are more likely to:

  • already have strong evidence to demonstrate that they meet some (but not all) of the expectations set out in our code
  • have a better understanding of how, in practice, to provide a strongly evidenced explanation of how they meet each expectation

It's also important to stress that if any existing master trust assurance reports contain any qualifications or exceptions, these will need to be considered and addressed in your application.

Requirements and supporting evidence

Below we have listed the requirements set out in legislation and our code. Each requirement has been given a number, which corresponds to those used in the questionnaire and should be used to submit your narrative and indexed evidence.

We also provide clarification against each requirement to show how you can demonstrate that your master trust meets it.

We recognise the potential challenges and limits of the evidence that can be provided where a new master trust is not currently functioning. Where possible, evidence should include successful use of third-party administrator systems in other relevant contexts, such as delivering administration services to existing clients.

Key considerations

When preparing your application, you should bear the following three considerations in mind.

  • We expect you to provide all the evidence we need to make our assessment.
  • Our assessment will be predominantly desk based. Therefore, all information needs to be documented in an accessible format, clearly indexed and signposted, and contain a description of how you undertake your work.
  • You'll need to satisfy us that all necessary systems and processes are in place, are effective in practice, and are monitored over time to identify and resolve any errors that might arise.

Understanding the structure of your master trust

When assessing the evidence presented with the systems and processes questionnaire, it's useful for us to understand the structure of your master trust. Please provide a structure chart that includes your scheme administration, IT service providers, investment management and trustee board (plus any other governance committees). This is particularly important where your master trust has any of these features:

  • multiple administrators (potentially with different IT systems in operation)
  • complicated governance structures, with multiple committees or boards which support either the scheme strategist or trustee board (or both)
  • multiple investment managers and or investment platform providers

Functionality and maintenance of IT systems

1. Administration system payments [1]

1a The default is for all payments in and out of the master trust to be made electronically and that any manual payments are made by exception.

We prefer that you provide an independent external assessment report that demonstrates that a reporting accountant has visited your premises and has tested the IT system.

If other assessment testing has been carried out, this is also likely to be fit-for-purpose evidence. Where no testing has been carried out, you should provide other evidence, which could include:

  • copies of communications to employers when on-boarding, which would describe default payment methods for paying contributions
  • evidence of when manual payments may be made and have been actioned in practice (like details of the system specifications or evidence of the administrator’s processes, which might demonstrate that manual payments are made by exception, and screenshots or a redacted accounts statement being made where relevant)
  • relevant management information and reporting which shows the volumes of manual and electronic payments

1b The IT system has the capability to accept contributions from a range of sources and caters for different sizes of employers.

Sources may include multiple employers’, payroll systems, and individuals, if applicable. You may provide us with copies of contribution monitoring reports, management information that allows tracking against payment schedules, or other governance reporting.

Screenshots may also be useful here, but be aware that we also need a written explanation to provide context.

1c There is a capability for the transfer of data and monies from and to employers (including third party payroll or other providers acting on behalf of employers), administration systems (whether in-house or third party), investment managers and investment platform providers.

We prefer that you evidence this requirement as part of an independent external assessment. We'd expect that the master trust provider would be tracking the flow of money between various parties involved in product delivery.

To do this, management information needs to be generated, which allows this tracking or monitoring to take place. A combination of system screenshots and management reports used for ongoing monitoring should be provided.

You can support this information with a clear explanation of how these screenshots and reports show that the IT system has the required capabilities, and that it's monitored to ensure it remains effective over time. 

2. Administration system records [2]

2a The IT system has the capability to record members’ benefits correctly, including identifiers, contributions, investments, payments and transfers.

Trustees should be able to demonstrate the sufficiency of any third-party administrator’s system, using reference to member data processed on behalf of other clients using the same administration system.

We wish to see examples of how the data is managed and monitored, including examples of administration reports and data sampling exercises. Note that members’ personal data should be redacted.  

2b The IT system contains the functionality to record member contributions and generates reporting on historic contributions, including each pay period, the amount, when it was received and invested, how it was invested and unitisation.

We prefer that this requirement is evidenced as part of independent external assessment.

Evidence might also include copies of contribution monitoring reports, management information which allows tracking against payment schedules, or other governance reporting.

3. Administration system transactions [3]

3a The IT system has the capability to process financial transactions, including core transactions automatically and securely, and calculating accurate investments and disinvestments. This needs to be the case where there is a member instruction or a default is used.

3b The system has the capability to carry out reconciliations of data against transactions and investments held and there is capacity for the reconciliation to be carried out against all members and multiple cycles.

3c There is a process for rectifying any errors identified.

We prefer that you provide evidence as part of an independent external assessment that is submitted as part of your application. This should include evidence that the assessor has performed an onsite test of these system functionalities and processes.

These requirements are expanded further below. 

3d There is segregation of duties in the administration system to encompass a more junior level of clearance to input data and request payments or investment changes, and a more senior level to authorise changes and transactions.

3e There are authorisation levels in the administration system to prevent payments of certain sizes exceeding those allowed by the trustee mandate.

‘Segregation of duties’ (for example, which individuals or teams have access to which areas and functions of the administration system for security purposes) may not be based on the levels of seniority referenced above.

You should:

  • demonstrate that there are policies in place outlining who has access to what, in terms of the IT system and functionality
  • evidence why these different levels of access have been agreed
  • evidence how compliance with these processes is monitored

Documentation provided by administrators may include most of this information. We will expect a written explanation that fills any gaps. The following evidence could be sought by trustees from the scheme’s proposed administrator.

  • Administrators should have process documents describing how system functions work in practice. This includes details of responsibilities for managing and implementing these processes, and how they will be monitored to ensure that errors are identified and addressed and do not recur.
  • Third-party administrators should have historical data related to other clients which demonstrate these processes working in practice. This should include examples of quarterly administration or stakeholder reports, which are sent to trustees to allow them to oversee scheme administration on an ongoing basis.
  • All providers of third-party administration services should engage an auditor to carry out an annual assessment of their systems and, critically, their management of core transactions, against the control objectives set out in AAF 01/20. Trustees should ask their administrator for this document and seek to understand the scope and methodology used by the Reporting Accountant who carried out this testing.
  • Any administrator should be able to provide you with internal process documents detailing how duties are segregated. We expect trustees to demonstrate why these processes are fit for purpose and an understanding of how they work.

We also need to see evidence of the monetary amount of financial payments over which the trustees would need sign off (referred to here as the ‘trustee mandate’). You should be able to show that this is recorded in the documented processes for governance and monitoring of scheme administration (covered further in sections 9 and 10 below).

We also need to understand how this amount was assessed and agreed as the acceptable level at which trustees must give authorisation. 

4. Planning for change [4]

4a Evidence is provided of how known changes to the system are planned and executed, and this is reflected in the business plan.

We will not expect to see all the changes that have been proposed or will be made in the near future. Instead, we want to understand and assess how the planning, decision-making processes, and resourcing of systems changes will function This should include descriptions of how:

  • system changes are identified to trustees, strategists, funders, and promoters (if applicable)
  • it is agreed who will pay for these changes (and whether there will be any impact on the business plan – applicable to the scheme strategist)
  • the trustees ensure that any additional expense to scheme members is assessed so that it represents value for members (as assessed in the annual DC chair’s statement)
  • any proposed changes are reflected in the trustees’ annual business planner (such as the business plan used by trustees to plan their own activities, rather than the formal ‘Business plan’ referred to elsewhere in our code)
  • completion of changes (and other tasks related to these changes) are monitored to ensure quality
  • the trustees ensure that the system remains fit for purpose as the business grows (for example, through acquisition) 

4b Evidence is provided to show that the system is able to be updated. There is evidence of a robust methodology for releasing changes to systems, along with a portfolio of ongoing change to systems for the period of the business plan.

4c There is an IT process for making scheduled and known changes, including annual updates and changes in tax thresholds.

4d There are adequate and sufficient resources, with appropriate skills and resources, to carry out the work.

4e There is evidence that the IT system can meet the physical system requirements anticipated in the business plan and that it has the funds to meet those requirements.

Our preference is for these requirements to have been tested as part of independent external assurance. We do not believe that onsite testing is necessary. However, we are keen to see that a reporting accountant, or similar, has been provided access to these processes to carry out an assessment. 

Evidence may take the form of a statement from your IT provider (or administrator, if they own the IT system). As part of your written explanation of how you meet these requirements, you should describe how the trustees are confident that any such statements are correct.

4f The business plan accounts for how planned and potential future upgrades can be managed within the administration system and the strategist and trustee are satisfied that the system can be upgraded to meet the needs of the master trust.

4g There is a policy in place for maintaining, upgrading, and replacing hardware and software and that this is accounted for in the business plan.

In developing your business plan, you will need to demonstrate that you have considered potential future upgrades and maintenance to IT systems. Your business plan should outline whether these upgrades are the responsibility of the master trust provider or of a third-party administrator or service provider.

Once these activities have been agreed and the costs accounted for in the business plan, you need to provide evidence that the consideration of, and planning for, upgrade and maintenance work is accounted for in ongoing governance and monitoring activities.

We suggest that a documented process and plan is owned by either the scheme strategist or the trustees. This plan should detail:

  • when IT system reviews take place
  • what considerations are part of IT system reviews
  • who is responsible for delivering any proposed changes to IT systems
  • how you will fund changes to IT systems  

5. Protecting data [5]

Industry practice in this area has advanced significantly in recent years. The management of a cyber-attack is as critical, if not more critical, than attempts to mitigate or defend against attacks - which is becoming increasingly difficult.

For this reason, we have published guidance for trustees on cyber security principles for pension schemes. This guidance will strongly inform the evidence required as part of an application for authorisation. Your answer should clearly outline how your evidence meets the expectations set out in this guidance.

The following are key to demonstrating that your plans and activities in this area are fit for purpose.

  • A cyber defence strategy with responsibility allocated to appropriately skilled individuals, which is reviewed to ensure it stays current and effective.
  • A cyber resilience strategy, which explains how the organisation will react to any cyber threats and attacks, as per our guidance. We'll need to understand how this strategy and the activities detailed are tested to ensure they are effective in reacting to problems if they arise.
  • Your plans to revisit and refresh these strategies.

A third-party administrator or IT provider will already have data protection and disaster recovery strategies and processes in place, and these are likely to have been tested against industry standards.

An in-house administrator may already have such processes, and we will expect to see that policies addressing the requirements laid out in our code are in place and plausible. The trustees should similarly have a clear approach to monitoring compliance, and a timetable for obtaining independent assurance. 

5a There are cyber defence strategies in place, including firewalls and intrusion detection systems.

Your cyber defence and resilience strategies may comprise multiple information security policies and procedures. This can include:

  • an information security policy
  • acceptable use policy
  • business continuity plan
  • incident management policy

Please provide a description of how your policies are structured to aid our understanding of them for the purpose of the assessment. Make sure to include:

  • a diagram of your network, including where firewalls and intrusion detection systems are placed within your network - typically, a security architecture document can be used for this purpose
  • screenshots or similar evidence detailing firewall implementation and key security features and configuration, such as an evidence of intrusion detection systems (IDS) or intrusion prevention systems (IPS)
  • evidence to show how your strategy extends and incorporates to include your third-party suppliers
  • roles and responsibilities assigned to ownership of the strategy

5b There are procedures and protocols in place for governance, the identification of risks and breaches, and responding to cyber incidents.

You should provide:

  • well maintained procedures with clearly assigned roles and responsibilities
  • evidence that procedures are reviewed regularly
  • evidence to show that procedures are tested regularly 

5c There are roles assigned to manage these protocols and procedures.

You should provide evidence of clearly defined roles and responsibilities assigned to persons with sufficient knowledge and experience in their field.

5d Scheme and member data should be backed up at least daily, with back-up servers at an external location and an offline backup.

We expect to see policies and supporting documentation that governs effective back up processes. These should include:

  • backup schedules
  • recovery point objectives
  • secure backup data storage
  • disposal processes for backup media that consider the risk of data loss or theft

An ‘external location’ could be anywhere that is outside of the premises of the master trust provider, including virtual and cloud-based storage. You'll need to demonstrate how data backup strategies have been developed and agreed to ensure there is a good understanding of the benefits of the back-up option in use.

Further evidence should include:

  • detailed descriptions of the backup and secure disposal process
  • descriptions of the security controls in place for backup data in transit and at rest
  • backup logs to show that the policy is adhered to

If offline backup storage is located outside the UK, we'll want to see consideration of the how the requirements of the EU General Data Protection Regulations and the Data Protection Act 2018 are met in terms of any personal data stored or transferred. This will also need to cover any guidance issued by the UK Information Commissioner’s Office. 

5e There is a disaster recovery process in place with roles assigned and it is tested every six months, or over a longer period if appropriate for the scheme and the risk being managed.

We prefer that an independent external assessment has been carried out in this area. We believe this kind of assurance forms part of multiple independent external assessment frameworks.

There may also be scope for IT security assessment standards such as ISO27001 or ISO22301 to play a role. However, this only applies if an external audit or review of some kind was to form part of the methodology employed to carry out or review the findings of the assessment.

You will need to provide evidence of how operational issues and failures are addressed at a business continuity level. You also need to outline the level at which a disaster recovery process would operate or become operative. There are two key points of interrogation here.

  • There need to be plans in place to identify and react to issues arising at the master trust provider (potentially the scheme strategist) level. This is especially relevant for scheme administration.
  • The trustees’ scrutiny and quality control over these plans, as part of their internal controls framework.

We suggest that you provide both the business continuity and disaster recovery plans in place at a provider level. You should support these plans with a description of how they have been assessed by the trustees to ensure they are fit for purpose. You should also explain how frequently these plans and processes are assessed to ensure they remain up-to-date and fit for purpose.

You should be clear about who holds responsibility for carrying out any actions cited in these plans. We need to see clear allocation of roles and responsibilities for activities included in business continuity and disaster recovery plans. 

Legal references for this section

  • [1] Paragraphs 1 to 3 of Schedule 4 to the Regulations.
  • [2] Paragraph 4 of Schedule 4 to the Regulations.
  • [3] Paragraph 1 of Schedule 4 to the Regulations.
  • [4] Paragraph 3 of Schedule 4 to the Regulations.
  • [5] Paragraphs 2 and 8 of Schedule 4 to the Regulations.

Processes and how they're governed

6. Reconciliations

We expect to see evidence of independent external assessment in relation to requirements 6a and 6b below. Any in-house or third-party administrator should be able to demonstrate that their IT and administration systems meet our expectations in this area.

6a The process demonstrates how reconciliations will be completed and by who.

Regular reconciliations are good practice for pension scheme management. We need to see your existing procedures about how this process functions. It should also be clear that it was part of the evidence submitted to your reporting accountant or assessor.

A procedure owned and used by a third party provider or administrator would be acceptable, along with evidence that this has been subject to independent external assessment.

6b Reconciliations are completed at least once a month.

This information should be included in the documented process or policy described above and tested through independent external assessment. We'll need to understand how delivery against these timescales is monitored over time.

6c The process sets out the action that will be taken to put members in the correct position if errors or inconsistencies are found and how under/over allocations of units will be treated and funded.

You should provide the documented process/policy which sets out how errors are addressed. Examples of how errors have been rectified in the past would strengthen the evidence base against this requirement.

In situations where financial compensation may be required, you should explain not only who would be responsible for paying any compensation, but also demonstrate how the funds would be made available. This information may also be found in the business plan. If this is the case, then a link to the relevant section of the business plan is acceptable evidence, if referred to in your explanation of how your master trust meets this requirement.

7. Record-keeping [6]

We expect record-keeping and related processes to be subject to independent external assessment. This may either be assessment carried out on the master trust itself or the scheme administrator if it is a third party.

You should demonstrate that the assessment is related to the specific systems and processes which will be used to administer your master trust. Third-party administrators can run multiple administration systems used by different clients. Ensure that you clarify with your third-party administrator that their AAF 01/20 applies to the administration platform which you are using and evidence this in your application.

We expect third-party service providers, including those providing administration services, to be able to provide examples of their current processes and procedures as part of their tendering process.

In-house administration services should have a clearly demonstrable plan for meeting our expectations in this area, as laid out in the code. Evidence provided by the trustees should include reasons any in-house service provision was preferred to outsourcing.

Our focus in terms of understanding the quality of your record-keeping will be on the processes and monitoring of data quality, with an accompanying plan in place to address data issues.

7a The process directs how records are kept up-to-date and that exception reporting is in place to ensure that errors and gaps, once identified, are reported to the relevant governance function.

Reporting around scheme administration happens at two levels.

  • Regular reports are sent to trustees for discussion (typically the quarterly administration report).
  • The administrator will run their own detailed monitoring of data held to identify issues and produce plans to rectify them.

We need to understand both levels of governance and monitoring to carry out our assessment.

We do not expect trustees or providers to replicate the processes and monitoring of the administrator, but rather to understand and be able to describe how it works and why they consider it to be effective.

7b There is a plan to rectify data errors, and the business plan and continuity strategy reflect the impact of the data quality within the scheme.

If errors are identified using the processes referenced above, you will need to demonstrate how these are reported, addressed and monitored to ensure that:

  • they're resolved
  • if the same errors are identified again, the root cause is found and addressed

You should give examples of how errors have been identified, addressed and resolved (including trustee oversight measures), what lessons were learned and how these were implemented. Any instances of errors not being identified, or identified but not rectified, should also be given where known. This will allow us to assess how issues are managed in practice.

Root cause analysis is a standard procedure in pension scheme administration and, as such, we expect to see documented the process used by each administrator, provider or scheme.

It's important that you set out clearly how the business plan or continuity strategy demonstrate that funds are available to rectify significant data errors, should they occur. 

7c Evidence of service provider agreements that include provisions, roles, responsibilities and source of funds for resolving errors that impact members.

We understand that IT systems and the processes that monitor their effectiveness could be provided from various sources within the overall structure of a master trust. This could be from a dedicated IT provider, the scheme administrator, internally within the provider business, or elsewhere.

Firstly, it is important that you provide a written explanation and supporting evidence that outlines who your relevant service providers are. We do not expect all service providers to be included in this assessment - only those which are critical to IT service delivery. This includes those administrators (both third party and internal), IT service providers and potentially those carrying out, or involved in, investment activity.

In terms of demonstrating you have met this requirement, we will need to see that the set up agreements with whoever is providing the IT system have a clear owner (or owners) who has responsibility for provision and ongoing monitoring. This information may be found within provider contracts if outsourced, or internal service agreements if provided in-house.

Rectification of issues, once identified, can be expensive. For this reason, you should explain where the funds would be found to pay the cost of rectifying errors and how those responsible are checking that these funds continue to be available over time. 

8. Maintaining contributions [7]

8a There is a process for ensuring the master trust can accept contributions from new employers.

8b The scheme is able to quickly identify missing contributions and there is an effective process in place to chase them.

8c See 8c below

8d There is a process for rectifying the missing contributions, ensuring minimal financial detriment to the member.

8e There is a log of missed contributions, which includes actions taken in response to the missed contributions and any member detriment noted and acted upon.

Our code of practice outlines our expectations regarding how contributions should be received and monitored. It also covers how missing contributions should be reported to us and followed up with employers. We expect to see adequate evidence that these regulatory expectations have been met.

You should provide evidence of the risk-based processes used for monitoring the receipt of contributions. Further to this, you also need to explain and evidence how trustees are confident that these processes are:

  • based on the correct management information from the various parties involved
  • monitored over time to ensure that they remain effective

This would include describing how the trustees ensure contribution amounts are being correctly calculated by the employer.

Furthermore, you should evidence the documented policies and procedures that describe:

  • how and when an employer is alerted where a payment failure is identified
  • an approach to resolving payment failures, obtaining overdue payments from the employer and rectifying administrative errors

8c In the event of an employer insolvency or redundancy payment service, there is a process for reclaiming the contributions from the employer assets.

In this case, the relationship we are most interested in is that of the trustees and insolvency practitioner representing the employer who has experienced an insolvency event. We expect to see a documented process in place related to insolvency.

This process should outline how the trustees will engage with the insolvency practitioner for any employer who has gone into administration or become insolvent when there is or may be a claim. You will also need to explain the follow-up process in place to allocate or re-allocate any funds that are returned via the insolvency practitioner.

9. Trustee recruitment and standards [8]

9a It is clear who is responsible for the recruitment and selection process and the input that is required from other parties.

To evidence that this requirement is met, we expect you to be able to produce a documented process that outlines the responsibilities for selection and recruitment of trustees. This will need to include reference to potential risks in terms of trustee selection such as:

  • possible conflicts of interest
  • whether the trustee has a specific role (such as member or employer-nominated trustees)
  • how these risks are identified and managed over time

You will also need to explain how recruitment processes take account of the skills, knowledge and competence needed by the trustee board as a whole.

9b It is understood which skills and competencies need further development on the trustee board as a whole, and how this is monitored over time.

There should be evidence that master trusts have assessed the skills, knowledge and competencies necessary to properly govern their scheme over time. Our regulatory guidance on scheme management skills outlines the knowledge, skills and competencies master trusts should have in more detail.

The trustee governance policy and process should include a skills and competencies matrix. This matrix should be supported by an analysis to demonstrate which of these skills, knowledge and competencies were provided by the trustees on an individual basis.

The analysis should also cover which gaps in skills, knowledge and competencies may be filled, either on a short or long-term basis, by advisers or other individuals. These may include representatives of the scheme strategist, funder, promoter or marketer. The analysis should also include professional development plans for each individual trustee.

We also need to see that the trustees’ annual business planner includes reference to regular dates for trustee appraisals. It should also have regular dates for re-assessing training needs, training and development plans and other related activities.

In drafting your chair’s statement you'll already need to demonstrate that you're meeting a similar requirement, which is best achieved by using this two-step process.

  1. Demonstrate an understanding of the key skills, knowledge and competencies required to run your scheme.
  2. Demonstrate how these skills, knowledge and competencies are present either on the trustee board, or supported by other individuals or entities, including advisers, by scheme strategist or funder, or from elsewhere.

9c There is a succession plan in place to maintain the skills and competencies needed by the board.

The analysis of skills, knowledge and competence referred to above, along with the documented selection and recruitment process (these could all form part of the same document) will need to include a description of succession planning. This helps ensure that critical skills are not missing from, or unavailable to, the trustee board for prolonged periods.

9d The principles for determining trustee remuneration are assessed and agreed.

While the function of the trustees and the trustee board is to ensure members’ interests are considered and the risk of detriment is monitored and managed, trustee services in most master trusts are provided at a cost to the master trust and therefore, in most cases, the member.

All member-borne charges should be considered as part of the value for members’ assessment in the annual chair’s statement or equivalent document . This assessment should include adequate evidence of the assessment of trustee remuneration for the master trust.

Here, our focus is on how trustees assess the levels of remuneration, rather than what the levels of remuneration are. You should also provide evidence that any assessment of trustee remuneration has been agreed. To demonstrate this, an excerpt from the minutes of the trustee board meeting where the chair’s statement was discussed and signed off by the trustees should be included. 

9e Fitness and propriety is assessed on an ongoing basis, along with any potential conflicts of interest and how these are managed or resolved.

You should have (either in the ‘selection and appointment policy’ or elsewhere) a documented policy for assessing the fitness and propriety of new trustees. This should include how you assess candidates prior to formal appointment.

We'll assess the fitness and propriety of existing trustees as part of the authorisation application. Trustees appointed to a master trust post-authorisation must also meet the fitness and propriety requirement.

To evidence this, you should describe and evidence how the master trust assesses new trustee appointments against the fitness and propriety requirements outlined in the Regulations in terms of honesty and integrity, competence and conduct.

We expect that trustees’ policies and procedures for checking fitness and propriety align to our own requirements for authorisation. These can be found in our Code of practice no: 15 (authorisation and supervision of master trusts).

Once again, this will need to be fully documented for us to be able to make an assessment of the robustness of this policy as part of our scrutiny of your application.

Your evidence should also clearly outline your conflicts management processes. In doing so, we would suggest that you provide both your conflicts of interest policy and your conflicts register. Our view is that well-run schemes will already have these in place. It is important that we can understand how conflicts are addressed and managed, as well as how they are recorded.

We also have further guidance on conflicts of interests for trustees.

9f A resignation and removal policy is in place which provides clarity on who can remove a trustee, under what circumstances and the steps for doing so.

A description of the trustee removal process (including grievance and appeal processes, or similar) should be included in the documented selection and appointment process (or elsewhere if more appropriate).

10. Trustee governance [10]

10a The frequency of trustee meetings and under what circumstances this may change.

10b The circumstances where extraordinary meetings may be called and how.

10c Expectations of trustees in preparing for meetings and actions needed in between them.

10d Who has responsibility for setting the agenda and frequency of trustee meetings and who else is consulted in the development of an agenda (for example trustees, strategist, funder, advisers).

10e Standing agenda items.

10f The number of trustees required to be present for the trustees to be considered quorate.

To properly understand and assess how trustee governance functions within your master trust, you should submit a trustee governance policy or process as a minimum to demonstrate compliance of this element.

In some cases, this may be maintained by a trustee secretariat or pensions management function but owned by the trustees themselves. This is entirely acceptable where it's clear how the trustees maintain signoff and oversight of this delegated function.

Trustees are entitled to delegate the responsibility for carrying out tasks, but they will always retain accountability. This policy or process should provide a detailed description of the how the requirements above (10a-f) are met.

Further to this, you should include evidence of the effective running and decision-making of your trustee board. Including the following as part of your application would strengthen your application.

  • Examples of trustee minutes for a 12-month period.
  • Examples of the management information or evidence which the trustee board would use to inform discussion and make decisions.
  • A case study of where trustees have considered, made and actioned a significant decision.

When submitting this type of information, you'll need to include a written explanation that gives context for doing so. For example, if a service provider or adviser review has been discussed, explain and evidence the context for the discussion, signpost the evidence used to assess provider or adviser performance, provide some insight into the discussion itself and finally use minutes to show the outcome of the review and how actions were allocated and tracked to completion.

10g The extent to which the trustee can influence or direct scheme strategist and funder in making decisions which may have material consequences for the business.

10h It is clear who is able to make a decision in a scenario where the interests of the strategist and funder may be in conflict with the interests of scheme members. In this scenario, there should be a clear process for trustees to make known and record their views and decisions.

It's critical that you demonstrate how trustees manage and mitigate the risk that others involved in the provision of the scheme make decisions that may not necessarily be in the best interests of scheme members. This may include roles without direct fiduciary obligations to members, such as the strategist, funder or promoter.

The best evidence to demonstrate that this requirement has been met would be a documented sign-off process (possibly a joint policy or side letter) agreed by the trustees and any business representatives. The sign-off process should outline a hierarchy of decision-making where such a document is available.

This document needs to clearly demonstrate that the trustees have discretion or the ability to veto in decision-making to mitigate the risk that any commercial strategies or activities may conflict with members’ best interests.

10i There is a process for trustees to be notified of breaches and a corresponding process for monitoring breaches of the law and determining whether they are reportable to TPR.

Reporting breaches to us is a key part of the trustee role. You should include a documented process which explains how possible and perceived breaches are assessed by trustees, how trustees identify whether breaches are materially significant, and how they are reported to us where required.

Schemes using a third-party administrator should demonstrate how they can identify and report breaches through to the trustee board. We expect to see a documented process from the administrator demonstrating how this process will work.

We also need to see a formal process document describing the actions the trustee board would take if they received a notification of a breach from their administrator.

11. Managing service providers [11]

We would regard ‘service providers’[12] for the purposes of an application for authorisation as any company carrying out work for, or providing services to, the master trust.

However, not all of these are critical services to the delivery of the pension product. If a critical service (for example scheme administration) is provided in-house, we consider it is essential for trustee boards to have in place similarly robust controls in terms of:

  • availability of resources
  • skills
  • competencies
  • fitness and propriety of relevant staff members
  • ensuring the ongoing quality of services provided

‘Service providers’ would also include advisers, both to trustees and others involved in running the scheme.

Please make sure it's clear which service providers you're including in your evidence when completing this section. Evidence should include the companies (or teams, if services are provided internally) that provide the following key services:

  • scheme administration
  • advice (both to trustees and other entities including scheme strategist and funder)
  • IT software and services
  • investment management, including platform providers
  • ember communications.

However, there are likely to be more service providers that might also play a significant role in the delivery of your scheme or product. The above list is not intended to be exhaustive. You must include evidence related to all these significant service providers, whether internal or external.

Once again, please provide a pictorial representation of the structure of your scheme which demonstrates who, from an organisational and governance perspective, is involved in the running of the master trust. 

11a Service providers are assessed in advance of appointment, including access to due diligence carried out as part of the appointment process.

All processes for selection and management of service providers should be documented in the trustee governance policy and process document.

It's standard industry practice to ensure there is proper due diligence before appointing any service providers. You'll need to provide evidence of what due diligence was carried out, by whom and according to what criteria.

We're more likely to be satisfied if we are provided not only with the due diligence process, but also an explanation and evidence of the considerations that informed the choice of any service providers.

It would help demonstrate compliance to submit any documents sent to potential key service providers when they were asked to tender for their appointment. Applicants should redact any commercially sensitive information relating to third parties from such materials where not necessary for the purpose.

Where service provision is carried out internally within the business (for example in insurers, administration, and consultancy businesses) we expect instead that service levels would have been agreed for the provision of these services. We also expect the relevant evidence of this to be submitted, with a clear written explanation for context.

The trust deed and rules of master trusts cannot, by law, prohibit trustees from changing service provider (even if services are currently provided in-house). Therefore, we'd expect the ongoing monitoring of internal services to be performed with the same level of scrutiny and accountability of those that are outsourced.

11b Performance indicators were agreed on appointment and there is accountability within the service provider for ensuring these are met, with escalation points. This should include a process for managing investment advisers and recording decisions taken.

This expectation involves two activities and evidence for each is likely to be found in a different source.

Firstly, we expect trustees to identify the performance indicators key service providers would be expected to meet, and for these to be found in the contracts agreed on appointment. While performance indicators agreed with service providers may have broad coverage, we're only interested in those directly related to the provision of member benefits and the delivery of the business plan.

Given the varied structures and types of master trusts, this list of indicators is likely to vary greatly from master trust to master trust. We're therefore unable to provide examples for this requirement. You should understand your structure and activities and therefore be best placed to decide what is and is not relevant.

You should also explain and evidence how the trustee board, or other entities on their behalf, will monitor the ongoing quality of the delivery of these services to ensure the performance indicators are being met on an ongoing basis. The governance activities relevant here will be contingent on the performance indicators identified above.

You should explain how trustees (or those monitoring on their behalf) will use internal controls to identify failures in delivery against these performance indicators. You should also address how trustees have reassured themselves that they are satisfied with the performance indicators agreed and the effectiveness of controls and processes in place to monitor their delivery.

You should present this in such a way that both the criteria used to monitor the performance of each service provider, and how this monitoring is carried out, is clearly identifiable.

11c These performance indicators are considered regularly by an appropriate person, the outcomes are recorded and all actions are allocated and tracked.

11d Service providers and advisers are kept under review, including detailed criteria for assessment (and key performance indicators (KPIs) and service level agreements (SLAs) if they apply).

To meet regulatory expectations on scheme governance related to the managing advisers and service providers section of our code of practice, trustees will have a documented process which includes a description of how the quality of advice and service provision is monitored over time.

This should include the levels of quality agreed on appointment and the regularity of reviews. This evidence should be submitted as part of your application, along with a clear written explanation of how this process is reviewed over time to ensure its ongoing effectiveness and relevance.

You'll need to provide narrative and evidence demonstrating how roles and responsibilities are allocated for the ongoing assessment of providers and advisers. This will also need to cover how trustees have identified who is responsible for generating the management information required to carry out quality reviews, and how is it ensured that the agreed management information continues to be correct over time.

Finally, you should describe and evidence how any actions and decisions resulting from provider or adviser reviews are executed and tracked to completion. How regularly are progress reports requested from owners of actions? What is the escalation process if issues are not being resolved within the agreed timescales? Please provide a clear written explanation of this with examples, including relevant sections of meeting minutes.

11e Trustees can demonstrate how they establish that their service providers are fit and proper and the methodology for doing so. This may include evidence of the checks carried out by service providers on new staff and how tender processes are operated.

We expect that thorough due diligence is carried out before appointing a service provider to carry out activities on behalf of the master trust. This includes ensuring that those acting on behalf of the master trust meet the appropriate standards of fitness and propriety, as per common industry practice.

Please ensure you explain and evidence the checks are carried out by (or on behalf of) trustees, including what elements of integrity, competence and conduct are included in checks, how information is sourced to perform these checks and what sign-off and approval is required once the checks have been carried out.

11f The role of the trustee board, strategist and funder is clear if a decision is needed to replace any service provider.

As with other critical decisions on changes to the overall roles and responsibilities for running the master trust, you should demonstrate the hierarchy of decision making. This is covered in detail in the earlier section on trustee governance (section 10).

11g There is a clear process for ensuring information relating to the performance, evaluation and ongoing fitness and propriety of service providers, including any issues or concerns, is brought to the attention of the trustees in a timely manner.

To evidence that this requirement is met, you should explain and evidence the following:

  • What types of issues are considered significant enough to be reported to trustees?
  • How they are reported, by whom, and when?
  • How are the trustees expected to react to ensure issues are discussed promptly between trustees and any other relevant parties? How can you ensure action is taken to resolve these issues in a reasonable timeframe?

You will need to describe the data and management information used to identify, review and escalate issues and decide how this information is made available as required.

11h Trustees can demonstrate they understand and are familiar with the contracts/agreements (and any impacts on service/ability to act) in place with all service providers to the master trust. There should also be a written process documenting how these can be updated and agreed.

A scheme’s trust deed and rules cannot constrain trustees from deciding to replace a service provider at any time. So, you need to demonstrate that you have considered whether there are any other scenarios where clauses in contracts or agreements with service providers could potentially interfere with your decision-making about appointments or replacements.

This also applies to situations where you could potentially be unable to act in the best interests of members.

You should consider and explain any potential impact on service because of your ability to intervene, which might be found in contracts and agreements. To evidence this, you must provide a clear written explanation and supporting evidence that describes:

  • how you have carried out this analysis
  • what the outcomes were
  • any actions required to manage or mitigate the identified risks

12. Risk management [13]

12a There is an ongoing process for the identification, measurement, monitoring, prioritisation and resolution of risks, including investment risks.

Risk management is an essential aspect of running a master trust.

We expect trustees and providers to demonstrate that they have systems and processes in place to ensure compliance with the requirements of the master trust legislation itself. This should address the five statutory criteria for authorisation, which are:

  • the people running the master trust are ‘fit and proper'
  • systems and processes are robust
  • there is a scheme funder who will be able to financially support the scheme
  • the scheme is financially sustainable with sufficient funds
  • there is a continuity strategy in place that will help protect members’ benefits if certain circumstances occur that put the scheme at risk

You should give evidence of the adequacy of your risk management, including operational, financial, regulatory and compliance risks. You should also identify the relevant risks under each of these risk types to include in your master trust’s risk management framework.

You should provide a clear written explanation and supporting evidence that describes the key operational, financial, regulatory and compliance risks identified for inclusion on the risk register, along with commentary on:

  • how these risks have been identified, assessed and rated
  • how they are to be mitigated, managed or monitored over time (including the management information required to facilitate this where appropriate)
  • who owns each risk
  • what plan would need to be executed were each risk to manifest
  • how and how often the risks on the risk register are reviewed and refreshed to ensure they are current

We expect you and other relevant parties to demonstrate you have identified all potential risks that may affect the ongoing effectiveness and running of the master trust.

In addition to submitting a risk register, you will need to explain and evidence how particular risks are identified and how they are managed. You should also describe how trustees know who is managing key risks to members. Make sure to outline how trustees demonstrate that they have considered whether this individual or organisation has the necessary skills, knowledge and resources to be the appropriate owners of this risk.

You should outline:

  • the evidence and management information trustees use to monitor and manage risks of various types
  • how trustees ensure they are getting this information from the relevant source

You must provided a detailed written explanation of how risk identification, monitoring and management works in practice, along with all relevant documentary evidence.

We'd typically expect the trustee board to be at the centre of, and ultimately responsible for, these activities. However, we also understand that there may be other risk management activities that take place elsewhere in the structure of the master trust (perhaps by scheme strategist, funder, promoter or marketer).

Where this is the case, please ensure you provide a clear written explanation and supporting evidence related to both the other parties’ risk management activities and of the trustees’ scrutiny of those activities.

12b The scheme strategist has considered and documented actual and perceived risks to the delivery of the business plan and has documented mitigations or processes for monitoring and managing each of these risks.

Our code sets out what a business plan should contain. Beyond this, the scheme strategist will need to be able to track the successful delivery of that business plan to ensure that any underperformance is identified as early as possible. They should also be sure that appropriate mitigating action can be taken.

Therefore, you should provide evidence of a process which identifies any individuals responsible for tracking the business plan against actual performance, including frequency and scope of reviews.

We're also more likely to be satisfied where evidence is presented that the scheme strategist has considered what mitigating actions might be taken if the business plan is at risk of not being delivered. This is especially true where this might represent a risk to members’ benefits, or the ongoing financial strength and sustainability of the provider or scheme.

12c There are appropriately skilled individuals taking responsibility for the management of risk monitoring against the business plan, and those individuals have access to the necessary management information and intelligence to properly carry out this task.

The individuals mentioned above will require certain skills to be able to properly carry out this task.

You should submit evidence identifying these skills and how they have been obtained (including any relevant qualifications). You should also describe how staff are monitored to ensure these skills are available.

12d Information and relevant data is regularly (at least quarterly) received from the responsible parties (funder, strategist, administrator, investment manager etc) to enable the risk register to be properly updated.

Evidence will need to be prepared and submitted which demonstrates that the trustees:

  • know what data and management information will be required to properly carry out risk management activities
  • can access this information when required

A documented agreement between the trustees and those who would need to provide the data would be sufficient evidence to demonstrate that this requirement has been met. The agreement should reference any penalties that could be levied if data and management information are not made available to trustees in a timely manner.

12e The trustees have documented how issues identified through risk management will be managed to resolution, including processes for allocation of owners and a responsible party for monitoring the resolution of issues in between trustee meetings, particularly if the resolution is the responsibility of the scheme administrator, strategist or funder.

As referenced earlier, it will not be sufficient for applicants to simply document, mitigate and monitor against risks. You should describe and evidence how those running the scheme will respond should any key risks materialise. We do not expect this to be done for every granular risk which is being monitored.

There will be key risks which, having been assessed by trustees or others, have either a significant impact or are more likely to occur. We want to see evidence of these key risks in a management plan. You should identify which risks are considered ‘key risks’ within your scheme.

13. Risk register

13a There is a risk register to support the ongoing monitoring of risks and it has been considered and agreed by the scheme strategist, funder and by the trustee board.

13b The risk register is regularly reviewed in detail by trustees, with considerations and decisions being documented and ownership and actions attributed, along with timelines for delivery.

See requirement 12a under Risk management.

13c An annual review is conducted to ensure that there have been no additional risks arising which should be included on the risk register.

You'll need to describe the methodology which has been agreed and used to assess the risks monitored through the risk register to ensure this is robust. Include reference to the evidence used to carry out these assessments.

14. Planning resources effectively [14]

14a All key administration tasks, including the timely sending of notifications and documents to us, are fully documented, with detailed end-to-end processes.

14b These process documents and maps are subject to regular review, particularly after system or process change to ensure human resources allocated remain sufficient.

14c Key resources, with the necessary skills and experience to deliver the objectives in the business plan, have been identified and there is a plan in place to ensure continuity of service.

14d There is awareness of the timeframes required to bring new human resource onboard and what contingency is in place to mitigate any under-resource due to increase in work volumes or the loss of staff.

It's likely that this evidence also exists in documents prepared by your scheme administrator, whether they be an external, third-party provider, or in-house. For third-party providers this may be evidence as to how their processes work for other clients.

Beyond submitting copies of these processes and plans, you should also consider two further questions when outlining how your master trust meets these requirements.

  • How are these processes and plans reviewed and approved by the trustees (or others on behalf of the trustees) to ensure they are appropriate?
  • What is the overlap between operational planning of this type and the strategist’s documented business plan?

15. Communicating with members [15]

Member communication and engagement is a vital part of running a pension scheme and industry practice in this area has made many positive developments in recent years.

To evidence you are meeting requirements 15a to 15g, you will need to provide a documented engagement plan (including realistic timescales for delivery). This should include evidence that the trustees or provider have the relevant skills and competencies to plan and carry out this work. If the trustees and providers themselves do not do so, then you should be able to demonstrate that advisers, other organisations, or individuals can carry out your engagement plan instead.

The engagement plan should outline how all relevant communications will be developed, signed off, distributed and monitored once the scheme begins to operate.

You should also provide a detailed written explanation of how the quality of processes, policies and member communications will be monitored and improved over time. Include any associated documents or other evidence to support your answer.

15a There is a communications plan in place dealing with how to improve or maintain member engagement with the master trust.

15b The communication plan covers the methods that will be used to improve/maintain member engagement. This should include the standards and timing of regular and scheduled communications with members. There is a process to ensure members receive timely investment information.

15c There is a process for members’ views to be heard by the trustees at board level.

15d Trustees and the strategist respond to member feedback and take appropriate action.

15e The communication plan includes provision for regular reviews for effectiveness, including updates to reflect changes to the scheme and/or membership profile.

15f There are processes in place to identify issues and gather feedback from members.

15g There are processes in place for escalation of issues or complaints to the relevant decision-maker and to resolve the root cause of the issue.

It would be beneficial to consider how your internal dispute resolution procedure operates and whether it is relevant to the operation of any of your member feedback processes.

We will also need to see your complaints management procedures. These should include reference to root cause analysis of member and customer complaints and details of the arrangements to encourage members’ views to be put forward on matters relating to the scheme.

Further information on our expectations of trustees in this area can be found in the communications and disclosure section of our code of practice.

Legal references in this section

  • [6] Paragraphs 4 and 10 of Schedule 4 to the Regulations.
  • [7] Paragraphs 1 and 4 of Schedule 4 to the Regulations.
  • [8] Paragraph 5 of Schedule 4 to the Regulations.
  • [9] See regulation 4(3) (b) — where regulation 23 of the Occupational Pension Schemes (Scheme Administration) Regulations 1996 do not yet apply to a master trust scheme, an application must contain a document describing how the scheme meets, or is intended to meet, the requirements set out in that regulation.
  • [10] Paragraph 5 of Schedule 4 to the Regulations.
  • [11] Paragraph 6 of Schedule 4 to the Regulations.
  • [12] Regulation 2 of the Regulations.
  • [13] Paragraph 7 of Schedule 4 to the Regulations.
  • [14] Paragraphs 1, 4, 9 and 10 of Schedule 4 to the Regulations.
  • [15] Paragraph 11 of Schedule 4 to the Regulations.
Back to top