23 August 2024

What is the industry doing to gear itself up for pensions dashboard connection?

Background

There was quite a lot of activity in relation to pensions dashboards prior to Summer (see our earlier blog for a summary of that). However, the last few months have been relatively quiet on the dashboards front, other than the publication by the Local Government Pension Scheme (LGPS) of its “Pensions Dashboard connection guide for LGPS administering authorities” for LGPS employers and pension funds in England and Wales (see our blog on that here).

However, that does not mean there has not been a lot of action beneath the surface! The image of ducks serenely bobbing across a pond whilst their webbed feet are furiously paddling underneath the water springs to mind…

As a reminder, the pensions dashboard staging timeline runs from April next year until 31 October 2026, with “connect by” dates dependent on pension scheme size and type and the number of “relevant scheme members” as at scheme year end 23/24.

How is the pensions industry preparing?

The industry has been working very hard behind the scenes gearing up for pensions dashboard connection.

Firstly, consultancies have undertaken a huge amount of industry engagement activity, hosting webinars on dashboards in order to ready their clients for dashboard connection. These have all been incredibly useful (the Pensions Regulator has participated in some of them) and have provided helpful insight as to their expectations.

The Pensions Dashboard Programme (PDP) has been continuing its invaluable work in getting the industry dashboard ready and has just published an updated version of its “Code of Connection”.

Providers and administrators meanwhile have been focussing on getting their administration and data systems geared up to be “data ready”. One of their main activities just now is liaising with their pension scheme trustee clients to resolve any member data issues as soon as possible. As part of that, trustees should be interrogating the data quality to make sure the member data they hold is fit for purpose and meets the standards published by the PDP (which were updated in May this year following industry consultation and engagement in 2022 and 2023). Trustees should also be assessing the digital accessibility of the data that will be provided to scheme members.

We are aware that trustees are also now being asked to review and approve their scheme administrator’s “matching approach” for pensions dashboards. Matching is the process by which a member, when they use a pensions dashboard, will be asked to enter specific information (e.g. NINO, DOB, surname and postcode) which will then be sent to the pension scheme’s provider(s) in order to “find” the member. The information submitted by the member will then be verified by the PDP identity service and the provider will use this data to search their records and determine if they have a pension for the member.

For schemes that are quite far down the road on the way to buy-out, trustees should have already considered (with input from their legal advisers as appropriate) and decided whether it was appropriate to seek an extension to the pensions dashboard connection deadline. The deadline for applying for deferral of dashboard connection has now passed (8 August).

There are, as would be expected, a whole host of other issues for trustees to consider in connection with pensions dashboard connection, including:

  • Engagement with scheme members – pension schemes may expect to receive significantly more requests from their members once pensions dashboards are launched. Trustees should think about updating their cyclical member comms to cover dashboards – e.g. how they will work and what information members will be able to see when they access them.
  • Outsourcing arrangements – if they have not already done so (and we anticipate that trustees should have done or be doing this presently), trustees should review any arrangements/contracts with third parties whom the trustees will be relying upon in order to meet their dashboard compliance requirements.
  • Updating the pension scheme’s risk register to include risks associated with compliance with the pensions dashboard requirements and any new risks arising out of it, e.g. data protection and cyber security (see below for more on those risks).

Data protection risks

Good data, already a key priority/objective for pension scheme trustees as part of overall good scheme governance, will only become even more important with the launch of pensions dashboards.

As mentioned above, trustees should already be liaising with their administrators in relation to assessing the quality of their scheme data and whether their scheme is “data ready”. Alongside that, they should also be considering the data risks inherent in compliance with dashboard requirements.

There are two main risks from a trustee perspective in relation to pensions dashboards. The first is the ever-increasing risk of scams, which is a joint cyber and data protection risk. The second is the risks associated with uploading member data to the dashboard ecosystem.

Trustees should (re)consider their obligations as data controllers under the GDPR Regulations and should review and update the provisions of their scheme administration contract in connection with pensions dashboards. It will be important for trustees to be satisfied that the data protection obligations in the contract will capture pensions dashboard connection and are flowed down to the scheme administrator and, more generally, that the data protection obligations are fit for purpose in the context of the new pensions dashboard ecosystem environment.

It is worth noting that pension scheme trustees will remain the data controller even though they are passing information into the dashboard ecosystem.

Cyber risks

Whilst member information held on pensions dashboards is deleted once the member logs off, meaning that it is not stored on the dashboard, there are still cyber risks to think about as mentioned above.

Schemes are responsible for protecting personal data with adequate security measures.

PDP, in its work on “Consumer protection for pensions dashboards”, noted that “We identified risks of personal data being mis-used and the risks of inappropriate entities gaining access to the ecosystem. This is where the security and governance of our ecosystem is important to ensure only legitimate parties can connect to the pensions dashboards ecosystem.”

PDP addresses this in its Code of Connection dated November 2022 which contains a section on “Security standards”. It notes that these Standards “… ensure the appropriate level of security, following National Cyber Security Centre standards and best practice. They detail the technical authentication requirements for communication between parties within the ecosystem, encryption requirements for all data in transit across the ecosystem and the requirements for security-testing interfaces to the ecosystem.”

The standards set out in the Code of Connection are to be implemented for both the PDP central digital architecture platform and for all connecting pension providers.

What’s next?

Administrators will be pressing on with dashboard connection preparation activities, including continuing to agree data matching approaches with trustees as mentioned above. Trustees will be getting to grips with that, and with all the other equally important actions outlined above.

LGPS administering authorities will be familiarising themselves with the LGPS Pensions dashboard connection guide and working their way through that.

Meanwhile, more widely, the pensions industry will be hosting a Pensions Dashboards Week in September, with the objective of the industry coming together to discuss key issues surrounding the launch of Pensions Dashboards and what the future might look like.

The event will be taking place virtually from 23 to 27 September. The initiative, led by Bravura, will look to help firms progress their connection and readiness journeys ahead of the first stage of PDP connection deadlines in April next year.

Comment

It is important that trustees are quite well advanced in their dashboard connection readiness. It may seem like there is still some time until the first connection deadline dates, but there is a huge amount of preparatory work to be done by the industry before then to ensure systems are ready and tested before connection.

TPR has been clear that it will use all of the powers available to it to take regulatory action, should pension schemes fail to comply with dashboard connection duties and connection deadlines. 

If you would like any assistance in relation to your pension scheme’s compliance with pensions dashboard requirements or indeed any of the other points/issues mentioned above, please do get in touch, either with your usual Burges Salmon pensions contact or Richard Pettit, pensions partner. We have already been advising trustees on their dashboard connection obligations and have been assisting trustees with reviewing their administrator’s suggested data matching approach.

Key contact

Richard Pettit Partner