Dashboards compliance and enforcement policy: consultation document

Consultation document and the draft policy for the pension dashboards compliance and enforcement policy consultation.

Who this consultation is for

This consultation is for the trustees and scheme managers of occupational pension schemes in scope of the Pensions Dashboards Regulations 2022, as well as their advisers, service providers, relevant employers and anyone who may be subject to our policy.

We welcome comments on any aspect of the draft content of the policy and have provided specific questions on certain areas of interest. Thank you in advance for your time and consideration.

Consultation context

Pensions dashboards are digital services – apps, websites or other tools – which savers will be able to use to see their pension information in one place.

The Pensions Dashboards Regulations 2022 introduced new duties on certain trustees and scheme managers to enable dashboards to function and new powers for The Pensions Regulator (TPR) to regulate these duties.

In addition, the legislation includes new powers for TPR to pursue third parties where we are of the opinion that they have caused the scheme to be in breach of Dashboards Regulations.

The draft compliance and enforcement policy is intended to set out expectations for trustees and scheme managers to achieve compliance, as well as provide clarity on our approach to enforcement in the event of a breach of legislation.

This consultation will close on 24 February 2023 and we aim to publish the final policy in spring 2023.

Government consultation principles

This consultation paper follows the government consultation principles.

The key principles state that consultations should:

  • be clear and concise
  • have a purpose
  • be informative
  • be only part of a process of engagement
  • last for a proportionate amount of time
  • be targeted
  • take account of the groups being consulted
  • be agreed before publication
  • facilitate scrutiny
  • be responded to in a timely fashion
  • not be launched during local or national election periods

Responding to the consultation

We are conducting this consultation in a digital format and encourage you, where possible, to use our online survey to respond to the consultation.

If you are unable to use this format, please use the options below to respond. Note that we are not providing a separate form to complete (other than the online survey).

You can email your response to pensionsdashboards@tpr.gov.uk.

Or send it by post to:

Sarah Harvey
The Pensions Regulator
Napier House
Trafalgar Place
Brighton
BN1 4DW

If you have any questions about the consultation process, please contact Sarah Harvey, tel: 01273 349355.

When responding, please confirm whether you are responding as an individual or on behalf of an organisation and, if on behalf of an organisation, whether only the views of the individual or of the organisation are expressed in the response.

You should also provide:

  • your name
  • the type and size of your scheme (or schemes)
  • organisation name and type (if applicable)
  • job title
  • email address
  • telephone number
  • confirmation of whether we can list you or your organisation as a respondent

If you wish part or the whole of your response to remain confidential, you should specify this and let us know why.

Consultation questions

  • Do you agree with the policy principles we have set out in this compliance and enforcement policy?
  • Do the key risk areas, within our regulatory remit, align to your understanding of where risks may exist for the saver? Are there any which are missing?
  • Does the policy provide sufficient clarity on our expectations of governance bodies (trustees and scheme managers) and third parties?
  • Does the policy provide sufficient clarity on how we will monitor compliance?
  • Does the policy provide sufficient clarity on our approach to non-compliance?
  • Does the policy provide sufficient clarity on the elements we may take into consideration?
  • Does the policy provide sufficient clarity on the regulatory options and powers available to us?
  • Do you find the scenarios we have included assist with your understanding of our approach to compliance and enforcement?
  • Are there any other key scenarios which you feel we need to include to provide additional clarity (bearing in mind we cannot give scheme specific advice)?
  • Are there any aspects of our expectations you think would discriminate against, disadvantage or present an additional or exceptional challenge to anyone with a protected characteristic?
  • Do you have any other comments on our draft compliance and enforcement policy?

Annex: Draft dashboards compliance and enforcement policy

About this policy

Introduction

We are responsible for the compliance and enforcement of occupational pension schemes in respect of their duties under the Pensions Dashboards Regulations 2022. This document sets out our proposed policy for compliance and enforcement of these duties, for consultation.

This policy sits alongside other relevant policies and procedures including our:

Pensions dashboards are digital services – apps, websites or other tools – which savers will be able to use to see their pension information in one place.

The Pensions Dashboards Regulations 2022 introduced new duties on certain trustees and scheme managers to enable dashboards to function. They will be required to:

  • register with the Money and Pensions Service (MaPS)
  • connect to the infrastructure established by MaPS by a specific deadline
  • receive personal information on savers, and search and match savers to their pensions (‘find requests’)
  • provide members with information about their pensions through the dashboard of their choosing (‘view requests’)
  • co-operate with MaPS when preparing to connect, maintain records and report certain information to us and MaPS.

You can find out more about the duties, and who they apply to, in pensions dashboards: initial guidance.

Who this policy is for

This policy is aimed at governing bodies (trustees and managers) of occupational pension schemes in respect of their duties under the Pensions Dashboards Regulations 2022. In this document we use the term ‘schemes’ to refer to the governing bodies of occupational pension schemes.

In order to connect to dashboards, schemes will rely on a number of third parties, such as employers, administrators, and Integrated Service Providers (ISPs). The legislation includes new powers for us to pursue these third parties where we are of the opinion that they have caused the scheme, wholly or partly, to be in breach of Dashboards Regulations. Therefore, this policy is also aimed at them.

The Financial Conduct Authority (FCA) has made rules for, and regulates, the compliance of FCA-regulated pension providers with their separate obligations in relation to dashboards in respect of personal and stakeholder pension schemes, and these are not in scope of this policy.

Policy principles

Our proposed approach is driven by the following principles:

  • We are risk-based and proportionate, targeting our resources according to the level of risk and intervening only to the extent necessary to address the harm or reduce the risk.
  • We are focused on outcomes for savers. We aim to maximise compliance with duties so that savers can get a full and accurate picture of their pensions.
  • We recognise that delivering pensions dashboards is a huge challenge for industry. We will be clear in our expectations and provide tools and education to help people meet their duties. We will take a pragmatic approach to compliance and will work with schemes to reach the best outcome for the saver. However, where we see wilful or reckless non-compliance, we will take a robust enforcement approach.
  • We believe that industry is best placed to devise common solutions and we will support them in doing so. We will work with industry to resolve issues as they arise.
  • We will focus on the quality of the data held by schemes, as the success of dashboards relies on the quality of this data, both in terms of finding savers but also making sure that savers can trust the information presented to them.
  • We will also focus on the governance of schemes as robust internal governance is key for ongoing compliance, which will enable the scheme to identify issues and risks early and put in place mitigations accordingly.
  • We acknowledge that schemes will be highly dependent on third parties in order to comply with their duties and will consider using our powers against these third parties where necessary to do so.
  • We will monitor the effectiveness of our regulatory interventions and adapt these in light of the lessons we learn.

Key risk areas we will focus on

In monitoring compliance and taking action, we will focus on the behaviours or breaches we consider pose the greatest risk to savers' ability to receive a complete and accurate picture of their pensions, and therefore make appropriate decisions.

This section sets out particular areas of interest to us. However, it is not an exhaustive list and we will continue to monitor and take action in other areas. Governing bodies should consider how they may mitigate these risks and ensure they have robust internal mechanisms to detect and deal with any that may transpire.

Schemes' connection to MaPS is necessary for savers to be able to find and view all their pensions. We will focus strongly on connection compliance, including but not limited to:

  • the scheme not connecting by its statutory deadline
  • the scheme only connecting part of their membership/entitlements to the system (eg their active members but not their deferred members, their main defined benefit (DB) benefits but not their additional voluntary contribution entitlements)
  • the scheme failing to remain connected to the dashboards in line with MaPS' standards

Once connected, schemes will need to find savers and return data as expected. In particular it is critical that schemes connect the right pensions to the right saver. We will be interested where a scheme is failing to find a pension for a saver when they should (failing to return a match made or a possible match), and when a scheme returns data to the wrong saver.

When a member has been found, they need to be confident that the data returned to them is accurate. We will be particularly interested where schemes fail to provide data in line with legal requirements, in particular where the value provided is not sufficiently recent.

Compliance with Regulations

What we expect

We expect that governing bodies will have read, considered and implemented our guidance where appropriate, as well as standards and guidance issued by MaPS. They may also wish to consider industry guidance regarding good practice.

We expect schemes to operate adequate internal controls in line with our code of practice. This includes but is not limited to:

  • reviewing and assessing the quality of their data from multiple dimensions, and putting adequate controls around them for continuous improvement
  • having appropriate controls when selecting, appointing and managing service providers
  • having risk management processes in place, including processes for monitoring the resolution of issues between the scheme and any relevant third parties
  • having processes in place to identify breaches of the law and, if necessary, report them to us

We expect schemes to keep clear audit trails of how they took steps to prepare to comply with these duties, to keep a record of compliance as set out in MaPS’ reporting standards and keep a record of steps taken to resolve any issues that arose, such as communications with third parties. We expect them to keep records of their matching policy, and the steps taken to improve their data. These records would help provide us with a rounded and transparent view of their efforts to comply with legislation.

We expect third parties to help and support schemes in meeting their duties appropriately. This includes employers providing schemes with the required information to enable them to perform their duties.

How we will monitor compliance

We will put in place a framework for monitoring and identifying risk of non-compliance, using multiple sources of evidence.

We will receive regular data from the dashboards system run by MaPS – data captured by the system itself (eg the connection status of schemes) and data sent through by schemes to the system (as per reporting standards), which will flow through to us.

This data will help us identify breaches (such as failing to connect by the deadline), look at trends across the landscape (eg in schemes all using the same third-party provider), and whether the same scheme fails to meet MaPS’ service levels repeatedly. In some cases, the data will flag where there is a potential risk for us to explore further (for example if a scheme does not return the number of matches we might expect from a scheme of that size).

We may request additional information from schemes where we identify concerns or where we are looking to identify best practice. This includes gathering information on a number of schemes on a thematic basis, for example through a thematic review.

Existing duties around breach of law reports continue to apply. We may also gather information through whistleblowing reports, supervisory engagement with schemes and through our regulatory partners.

Our approach to non-compliance

Where there has been a breach or suspected breach of legislation, we will consider if an investigation is appropriate and, if necessary, take regulatory action (including enforcement). We have been given discretion in the Regulations over our approach in respect of dashboards and we will consider on balance any action we may take against the outcomes we may achieve.

Broadly, the more serious the matter the more likely it is that action will follow. Consequently, breaches of the law that are persistent, intentional, wilful or indicate dishonesty are likely to be a higher priority for us.

Throughout the course of an investigation or regulatory action, we will adopt a risk-based and proportionate approach to enforcing the law, giving full consideration to the particular circumstances and context of each case.

We may seek information, documentation or an explanation from governing bodies or any other person, including a third party, if we believe they may be in possession of relevant information or documents. We may use our existing information-gathering powers where applicable, and we will gather evidence in a reasonable and proportionate way in pursuit of our functions. See scheme management enforcement policy for an overview of our approach.

We provide a number of scenarios in the appendix to illustrate how our approach might work in practice.

Elements we may consider

We will consider a range of factors before deciding whether regulatory action is necessary. These factors may include but are not limited to:

  • the nature and scale of the impact on the member(s)
  • the number of members affected
  • whether a breach is the result of wilful non-compliance or if there are circumstances outside the scheme’s control
  • a scheme’s compliance history and the duration of any breaches
  • consideration of MaPS’ and our guidance
  • their openness and co-operation with The Pensions Regulator (TPR)

Our regulatory options

Compliance notices

We have been given new powers in respect of the Dashboards Regulations in order to maximise compliance and act as a deterrent to non-compliance.

For any instance of non-compliance with the Regulations, we will have the option to issue a compliance notice to the trustees or managers of occupational pension schemes.

The purpose of a compliance notice is to remedy non-compliance and where appropriate avoid repeating it. It is a legal notice in which we require the trustees or managers to take, or refrain from taking, steps we specify in the notice. We will explain in the notice which breach has occurred in our opinion, the evidence we used to come to this conclusion, and we may include a timeframe in which we expect schemes to comply. We may also require the trustees or managers to provide us with information relating to the breach, or to keep us informed of how they are complying with the notice.

We have a similar power available to us to issue a compliance notice to a third party (a ‘third party compliance notice’), where we consider that they have caused a trustee or manager, wholly or partly, to breach the legislation.

Penalty notices

We will be able to issue a penalty notice to a trustee or scheme manager where they breach the regulations or fail to comply with a third party compliance notice. We can also issue penalties to third parties where they have failed to comply with a compliance notice. We can issue penalty notices on an individual liability basis – this means we can issue penalty notices to some of the trustees but not all, for example if a breach took place prior to a trustee joining the board.

Where we issue a penalty notice, the amount of the penalty will be set in line with our existing monetary penalties policy. Each penalty can be up to £5,000 for an individual and up to £50,000 in other cases (for example a corporate trustee). In the event of continued non-compliance we can issue another penalty notice.

We can include more than one penalty at a time. In some cases, we may be able to issue penalties for a number of breaches simultaneously (eg where a scheme failed to match or respond to requests for data for several members). In these cases, we will also consider the total amount of penalty issued in light of the circumstances of the breaches and the impact they have had.

Our existing powers may also be used, including statutory information requests (s72 of the Pensions Act 2004) and the power to suspend, prohibit or appoint a trustee (s3-9 of the Pensions Act 1995). Where we uncover wider issues such as failures of governance and internal controls, we may open a separate case under our existing compliance policies.

Challenging enforcement action

The recipient of any notice which falls under the Pensions Dashboards Regulations 2022 may make a written application for us to review it within 28 days.

Following a review, or if we decide not to carry out a review, the recipient can appeal to the Upper Tribunal or First-Tier Tribunal depending on the Tribunal Procedure Rules. You can obtain further information on the appeal process from the Tribunal’s website.

Working with partner agencies and regulators

Money and Pensions Service (MaPS)

MaPS (through its Pensions Dashboards Programme (PDP)) has put in place the pensions dashboards technological infrastructure and governance framework. The PDP is responsible for issuing standards, specifications and technical requirements which set out how schemes must connect to the system and behave when connected.

MaPS will send us data from the system to assist us in performing our compliance and enforcement functions. We may also request information from MaPS, for example to support an investigation.

We will share data with MaPS to enable them to undertake scheme connections and where it is relevant to MaPS' oversight of the healthy functioning of the pensions dashboards system overall.

Financial Conduct Authority (FCA)

We regulate the compliance of governing bodies of occupational pension schemes as set out in the Dashboards Regulations. The FCA recently made similar rules for, and regulates the compliance of, the providers of personal and stakeholder pension schemes.

Many providers operate in both the occupational and personal pension spheres – for example an FCA-regulated personal pension provider may also operate a master trust (regulated by us). Therefore, to the extent permitted by law, TPR and FCA may exchange information where it is of interest to the other party, for example if issues in one regulatory sphere indicate issues in the other.

Such parties may end up breaching both FCA rules and the regulations, for example by failing to connect the personal pension schemes they operate and their master trust by the deadlines. These are independent breaches and can be regulated independently by us and the FCA. Where appropriate, we may share information on investigations with the FCA and discuss the steps we propose to take.

Information Commissioner's Office (ICO)

The ICO is the cross-sectoral regulator for data protection legislation. This includes regulating the compliance of trustees and scheme managers (as data controllers) and their service providers (as data processors). We therefore share a common interest in the controls put in place by schemes to ensure data is accurate and used appropriately, and where we become aware of data breaches (eg where someone’s data is sent to the wrong person).

Both TPR and the ICO are risk-based regulators, targeting action where we perceive the greatest risk to savers. We both use our enforcement powers only when it is required and always in a proportionate way.

We work with the ICO and we may share information as and when necessary in the pursuit of our respective functions. There may be areas in which we have complementary functions and powers. We will endeavour to ensure that in these cases, the most appropriate body or bodies leads investigations and regulatory action. We will be proportionate in our regulatory approach and take the ICO’s actions into account as appropriate.

Publishing information

We put great emphasis on preventive actions: providing guidance, and encouraging and building good practice in collaboration with those we regulate. In that context, we believe that publishing the outcomes of our enforcement activity helps to improve standards and drive good saver outcomes by raising awareness of both good and poor practices.

We may publish reports of our enforcement activities and issue publications or press releases to raise awareness of our expectations, and to serve as a deterrent.

A decision to publish a report about our considerations in any particular case is taken on a case-by-case basis in line with our publication policy in the essential guide to how we publish information about cases.

Reviews and updates to this policy

We will regularly review this policy and update it as required, including in light of our regulatory experience. We will consult on any substantive changes to the policy.

Appendix: Scenarios

These scenarios are illustrative. They are not to be interpreted as a definitive indicator of the action we will take, which will be dealt with on a case-by-case basis.

Missing the connection deadline

Scheme A misses its connection deadline. The trustees are issued with a compliance notice which they fail to comply with, and the scheme remains unconnected. Upon investigation, the trustees are unable to demonstrate how they met the steps to prepare for their duty, or evidence any attempts to secure a connection to the system.

Action: We issue the trustees with a penalty and consider opening a governance case as we are concerned that the trustees don’t have effective internal controls or the right level of knowledge and understanding to run a scheme.

Scheme B misses its connection deadline. The trustees are issued with a compliance notice. The trustees reach out to us and explain that connection is delayed due to an issue with testing, but this is expected to be resolved within the next two weeks. They are able to evidence active engagement with the Integrated Service Provider (ISP) to resolve the issue. The trustees fail to comply by the deadline set in the compliance notice, but connect shortly afterwards.

Action: We do not proceed with issuing a penalty, as this would not achieve anything further.

Failure to maintain connection

Scheme C connected on time but since then has been disconnected repeatedly. Upon investigation we determine that this issue affects a number of schemes, all using the same ISP. The trustee of scheme C has made regular contact with the ISP to try and find out more detail around the IT issue and has sought timescales for resolution, but the ISP has not been responsive. The trustee provided a message to savers on the scheme’s website and the scheme administrator is aware and prepared for saver queries. We seek to engage with the ISP to identify the scope/scales of impact of failures but there is little cooperation.

Action: We issue a third party compliance notice to the ISP relating to each scheme we have identified as impacted.

We take no action in respect of the trustees as we are satisfied that they sought to resolve the issue and mitigate the risk to their members, to the extent that it was possible for them to do so.

Scheme D connected on time but had one instance of a short-term disconnection, which was unexpected and lasted for several days. This was due to a stand-alone IT issue which was resolved promptly, as the trustees and IT provider worked together to take quick action to identify the root cause and provide mitigations against future issues. There is no history or pattern of similar issues for this scheme.

The trustee notified MaPS of the outage. In addition, the trustees and provider were able to provide us with evidence of lessons learned and resulting updates to their processes.

Action: We do not proceed with a compliance notice as this would not achieve anything further. The trustee has assurances that the issue has been resolved and it is clear they have robust internal controls.

Failing to match savers to their pensions

We receive a whistle-blower report from a member of scheme E who did not receive a match or a possible match when they used the dashboard. Using trend analysis of our data, we find that the scheme does not seem to ever have returned any possible matches. We investigate and confirm that the scheme is using a binary matching policy, which does not allow for possible matches – only full matches. The trustees explain that they did not look at possible matches as ‘it seemed too complicated’ and are dealing with challenges from savers who haven’t been found as and when they arise.

Action: As not matching savers is a breach, and their binary matching policy might be causing this to happen, we issue a compliance notice for the scheme to review its matching policy to ensure it is appropriate.

We become aware that scheme F is facing a number of data issues, which impact their ability to match savers to their pensions. The scheme has a number of data gaps they have been trying to improve and they can demonstrate the steps they have taken. They have been working with employers to solve data gaps.

In a number of cases, the employer no longer exists, and despite previous tracing exercises they have a number of records for which they do not have a first name (only initials) or a national insurance number. They have taken account of this in their matching policy and intend to use address history and initials to identify possible matches, and improve their records through user contact.

One particular large employer has not been providing the scheme with the information they need, despite repeated attempts of the trustees to engage. The employer is unable to provide a reasonable explanation for this to us.

Action: As the trustees have taken reasonable action, we do not take further action against them at this time. We issue a third party compliance notice to the employer to provide the data required by the scheme, in line with their legal obligations. The employer does not carry out the actions in our compliance notice within the time set out in the notice and is unable to provide a reasonable explanation, so we issue them with a penalty notice.

Failure to return value data appropriately

We receive a whistle-blower report from a saver in scheme G who has been provided with value data outside of the timescales they were informed this would be returned to them. We contact the scheme to obtain an explanation as to why this is late.

The scheme acknowledges that the value data was provided out of time but reached out to the member to explain this would be late. They are able to explain to us that the delay was because the actuary had to perform additional calculations owing to this member’s non-standard benefit structure, to ensure that the information provided was accurate, and they provided the information as soon as they could.

The trustee is actively working to improve response times for other savers in a similar position by performing revaluations.

Action: We do not take further action as the saver has been provided with the information as soon as was possible and the scheme reached out to them, and the trustee is working to improve the times in which they can provide data in future.

We reach out to scheme H as we are concerned about a pattern of complaints and missing value information which is reported to us through the system.

Upon investigation, the scheme is found to have large amounts of out-of-date data. Instead of putting in place a plan to improve the data or systems to automate calculations, they decided to deliver value ‘on demand’, but they underestimated demand and are not able to process queries in time. In addition, there is a history of issues with compliance for this scheme.

Action: We open a governance case to investigate the scheme’s data, internal controls and what more they could be doing.