Since our last Pensions Dashboards Update in June and our consideration of the industry’s preparation for connection there have been further developments which trustees and scheme managers should be aware of.

The Pensions Regulator’s Compliance and Enforcement Policy

On 5 September 2024 the Pensions Regulator (TPR) published its pensions dashboards compliance and enforcement policy aimed at governing bodies of occupational pension schemes and the third parties that schemes will rely on, alongside its consultation response on the draft policy (the consultation ran from November 2022 to February 2023 and since then the government has amended the dashboards regulations and published new connection timeline guidance).

TPR noted that key areas of concern from consultation responses included third-party co-operation, scheme-specific issues and differing interpretations of the policy intent and TPR’s remit.

TPR sets out that its approach will be risk-based and proportionate and that it is focussed on outcomes for savers. TPR will take a pragmatic approach to compliance but will take a robust enforcement approach where there is wilful or reckless non-compliance. TPR will focus on scheme data quality and governance and will use its powers against third parties where necessary (recognising that schemes will be highly dependent on certain third parties to comply with their duties).

TPR will focus on areas it perceives pose the biggest risk to savers’ ability to receive a complete and accurate picture of their pensions and accordingly their ability to make appropriate decisions.  There will be a strong focus on connection compliance including schemes not connecting by the connection deadline, the ability to demonstrate regard to the connection guidance and schemes failing to fully connect or remain connected to dashboards in line with the regulations and MaPS’ standards.  TPR will be particularly interested in schemes incorrectly failing to find a pension for a saver (i.e. failing to return a match or possible match), returning data to the wrong saver, failing to provide data in line with legal requirements and providing out of date values.

TPR expects that governing bodies will have considered and implemented TPR guidance where appropriate along with the standards and guidance issued by the DWP and MaPS. TPR notes that its expectations on governance and internal controls are set out in the general code of practice and includes keeping records, having a risk management function with appropriate internal controls, having appropriate controls when selecting, appointing and managing service providers, assessing the quality of data (and continuously improving it) and having processes in place to identify (and where necessary report) breaches of the law.

TPR expects schemes to have clear audit trails in relation to dashboards compliance (including keeping a record of compliance as set out in MaPS’ reporting standards, along with a record of actions taken to resolve issues), a record of their matching policy and action taken to improve data quality. TPR also expects third parties to support schemes in meeting their duties, for example employers and AVC providers providing schemes with required information. 

TPR will receive regular data from the dashboards system run by MaPS which will help TPR identify breaches and consider any relevant trends. TPR may also look to gather information from schemes and through whistleblowing reports, regulatory partners and supervisory engagement.  In the appendix to the policy TPR provides a number of scenarios (including missing the connection deadline, failure to maintain connection, failing to match savers to their pensions and failure to return value data appropriately) to illustrate how its risk-based and proportionate approach to enforcement might work in practice. TPR will consider a range of factors before deciding on any action including: the nature and scale of impact on members; number of members affected; circumstances around / reasons for the breach; investigations and any corrective action; a scheme’s compliance history; duration of breaches; consideration of DWP, MaPS and TPR guidance and the extent of co-operation with TPR.

TPR notes that it may issue compliance notices (or third party compliance notices) for non-compliance with the legislation and penalty notices for a breach of legislation or failure to comply with a compliance notice. TPR further notes that it may also use its existing powers such as statutory information requests and the power to suspect, prohibit or appoint a trustee.

The policy sets out how TPR will work with partner agencies and registers and notes that TPR may publish reports of its enforcement activities. 

TPR blog to support its Compliance and Enforcement Policy

TPR’s blog Act now on pensions dashboards so we don’t have to was published alongside the compliance and enforcement policy and suggests nest steps for trustees to prepare for dashboards including:

• Reading the guidance
• Connecting promptly in a staged and orderly manner
• Managing resources and service providers appropriately 
• Reviewing and improving the quality of member data 
• Identifying, evaluating, and recording risks, and putting controls in place 
• Continuously reviewing, adjusting and improving controls 
• Keeping robust records of decisions made and advice received
• Reporting and mitigating breaches promptly

TPR points towards its preparation checklist to assist with compliance. 

Pensions Dashboard Programme - Technical Standards and Code of Connection

The Pensions Dashboard Programme (PDP) has also published updated draft versions of its dashboards technical standards and the code of connection which are available here.

Technical Standards

The technical standards set out how data and dashboard providers will interface with the central digital architecture and each other. The technical standards include:

• Connectivity mechanisms
• Information sharing protocols
• The methodology for the generation of pension identifiers, tokens and globally unique identifiers used in ecosystem transactions
• Rules for registration of pension identifiers for pensions found
• Definitions of APIs to be used by ecosystem participants
• Details of how the APIs must be used during the expected functioning of the ecosystem

It is noted that further items will be included in later versions of the technical standards.

Code of Connection

The code of connection, issued by MaPS, sets out the security, service, and operational standards required to connect to and remain connected to the pensions dashboards ecosystem. This will ensure that the system provides a secure and effective service, enabling multiple dashboards to operate and creating scope for innovation. 

The standards apply to the trustees or managers of occupational pension schemes, the managers of stakeholder and personal pension schemes and to qualifying pensions dashboards services which are required to connect to the dashboards ecosystem.  These stakeholders are responsible for compliance notwithstanding much of the implementation of the standards will be carried out by third parties (e.g. administrators or software providers) on behalf of their clients.

PDP Confirms Identity Service Provider

The PDP has recently confirmed that Gov.UK One Login will be the identity service provider for dashboards, meaning that users who have registered to use government services through this will not have to prove their identity again when registering to use a pensions dashboard.            

Trustees should by now be well underway with their pensions dashboards preparation and should be progressing their project plans to ensure that they are able to connect in line with the connection timetable. TPR’s expectations are clear and trustees should be keeping audit trails of the steps they are taking to comply with their duties.

If you would like any advice or assistance with dashboards compliance, we are very well placed to help. Please do contact Andy Prater, Susannah Young or your usual Burges Salmon Pensions and Lifetime Savings team contact.