Global menu

Our global pages

Close

Dashboard compliance - a dash too much?

  • United Kingdom
  • Commercial litigation
  • Pensions
  • Data centers

15-02-2022

The Government has started consulting on draft regulations that put some much needed flesh on the bones of how pension dashboards will work and what trustees and administrators need to do. The FCA is also consulting on new rules which set out similar details for personal pension providers but this briefing focuses on the requirements for occupational pension schemes.

The timetable is incredibly tight. Schemes with 1000 or more members will need to connect to the dashboard ecosystem and comply with the new requirements from a date between June 2023 and October 2024 – the exact date depending on scheme size and type. 

There’s a lot of work that trustees and administrators need to do before this will be possible. It’s important to work out what needs to be done and by when.  

Trustees need to think about:

  • the information they will need in order to match individuals with benefits

  • the benefit information they will need to provide and how much of this they would currently be able to provide

  • how to comply with UK GDPR and the ICO’s data sharing code of practice and how to ensure that member data is kept secure and that third party providers also keep it secure

  • how to address any potential trustee liability in the event that something goes wrong

  • where they are (or are considering) changing administrators, the timing of service transition and ensuring that dashboard compliance is addressed up-front

  • the complexity of the dashboard requirements and the data handling and searching that will need to be done (this means that the majority of schemes will outsource this and UK GDPR rules about appointing processors and doing security due diligence on them will apply)

From an administrator’s perspective, the proposed timeframes and limited opportunities for extensions mean that they and other providers will be under pressure to meet deadlines.

Despite the draft regulations being ‘indicative’ at this stage, assuming that the proposed phasing will remain broadly the same, trustees must act now to ensure that they have sufficient time to work with external advisers, administrators and other IT providers to scope and contract for the support that will be required for dashboard compliance.

This briefing is a practical guide to help you to meet these challenges.

The dashboards – an overview

Before looking at the detail, it is useful to have a general understanding of how the dashboard ecosystem is intended to work:

The Finder and Identity Service and CAS are all the responsibility of the Money and Pensions Service (MaPS).

When will schemes need to be ready for the dashboards?

A pension scheme will need to connect to the dashboard’s digital architecture from its staging date. The proposed staging dates for occupational pension schemes (including master trusts) are broadly as follows:

  • large schemes (1000+ members) - April 2023 – September 2024

  • medium schemes (100-999 members)  - October 2024 – October 2025

  • small and micro schemes (below 100 members) - not in these draft regulations but expected to stage from 2026

There is a more detailed timetable in the draft regulations which starts with large master trusts with 20,000+ members, who must connect by 30 June 2023. Pensioners are out of scope of the dashboards and do not count as members for these purposes.

A scheme can apply to defer its connection deadline for up to 12 months in very limited circumstances – largely linked to where they are changing administrator at the same time.

Once a scheme has connected to the dashboard ecosystem, it will always need to be ready to receive ‘find data’ (that is the data supplied by the ecosystem to identify whether they hold benefits for an individual). A scheme cannot withdraw from the ecosystem once it has connected unless it is no longer in scope of the dashboard requirements (e.g. all members are pensioners).

Data issues for trustees

The data requirements will, for many schemes, prove very challenging. A particular challenge will be getting enough find data from a person to make sure they are giving information to the right person, whilst keeping the matching process manageable.  

To help trustees, PASA has issued guidance on the matching criteria that schemes might adopt.

Something that trustees will also need to give thought to is the ‘view data’ they will need to provide to the dashboards to enable members to see what benefits they have in the scheme. 

There are three broad categories of view data that will need to be provided:

  • Administrative data – this includes information about the scheme, including if the individual is an active or deferred member, the date they joined and the type of benefits provided, contact information for the administrator and, where available, the name of the employer and the dates of employment. In most cases, this information will need to be provided immediately

  • Signpost data – information that the scheme already hosts on a public website, for example information on member-borne costs and charges, the SIP, and the implementation statement. This information will also need to be provided immediately

  • Value data – information about accrued and projected pension values, which will vary depending on the benefit type.  Members will also need to be given some background information (e.g. whether pensions increase in payment and if there are any dependants’ benefits) to help them understand what their benefits are.

In a DC scheme, members will need to be given the accrued value of their DC account and an illustration of their benefits on retirement – this can be taken from a statutory money purchase illustration issued in the last 12 months.  They will also need to be given the annual income that their pot would currently provide.   

In a DB scheme:

    • active members will need to be given a statement of their accrued benefits at the illustration date and an illustration of their benefits on retirement (assuming they stay in service to normal pension age and receive no salary increases) based on calculations within the last 12 months

    • deferred members will need to be given their accrued benefits revalued to the illustration date. This will be particularly challenging for schemes that do not currently provide annual statements to deferred members

The timings are very tight. Where value data has been calculated or appears on a statement issued in the last 12 months, it will need to be returned immediately.  In any other case, if the information relates to a DB or hybrid scheme, it will need to be returned within 10 working days from receipt of the ‘find request’ and in the case of any other scheme, within 3 working days.

Compliance and reporting

Registration: Trustees will need to register with a new “Governance Register”. Guidance to be issued by MaPS will set out when registration will be required and the information which will need to be provided. As part of this process, trustees will need to provide technical information about how they will connect to the ecosystem.

Reporting: The draft regulations allow MaPS and/or the Pensions Regulator to set reporting standards, which might include information about the number of ‘find requests’ received by a scheme; the number of positive and possible matches and how quickly any possible matches were resolved; the number of ‘view requests’ received, and the time taken to respond to each; and contacts received from individuals. If schemes become disconnected from the ecosystem for any reason, they will also need to report that to MaPs.

MaPS: Trustees will have a general duty to cooperate with and to provide information to MaPS to aid them in the exercise of their functions relating to establishing, maintaining and managing the digital architecture.

Pensions Regulator: The Regulator will be able to issue compliance notices and penalties in relation to dashboard compliance. Penalties would be up to £5000 for an individual and £50,000 in any other case.

Administrators and administration contracts

The complexity of the dashboard requirements and the data handling and searching that will need to be done means that we expect the majority of schemes to outsource this. Even those schemes with in‑house administration functions are likely to engage third party providers to help them establish and test the required systems and processes.

There are a number of issues that trustees will need to consider when discussing this with their administrators (including internal administration teams) or other third party providers over the coming months:

  • Technology solution: How will the scheme work with MaPS and other dashboard providers? Is the administrator planning to develop its own solution or leverage a third party system? If the administrator is developing its own solution, will there be any technical impacts on performance of existing IT systems (for example, resulting from additional automated requests made via dashboards)?

  • Compliance with technical and security standards: How will the trustee/third party provider agreement cater for ongoing compliance as new standards and guidance are published by MaPS and the Regulator from time to time? Will the administrator be obliged to ensure compliance with new standards within timeframes mandated by MaPS and/or the Regulator? What remedies will trustees have for delays or compliance failures?

  • Management information and reporting: The draft regulations include detailed reporting requirements that will need to be factored into administration agreements. The current proposals include onerous obligations to report on actual and planned connection issues (e.g. changes in connection arrangements, periods of scheduled maintenance and unplanned events such as cyber-attacks). Depending on the level of automation achieved, these may add to the administrator’s existing compliance and reporting activities

  • Data cleansing: Who will be responsible for ensuring that any data cleansing and mapping is undertaken? Will this work be undertaken as part of any other planned data cleansing or mapping exercises?  Note that UK GDPR will apply to the processing of personal data about members and cleansing is a type of processing – see below

  • Risk allocation: Although the primary responsibility for compliance remains with the trustees or manager of the scheme, the draft regulations include powers for the Regulator to issue compliance notices (and potentially fines) directly to administrators. Trustees and administrators alike will need to consider if existing agreements contain appropriate allocation of responsibility, in particular, if the administrator is required to implement changes resulting from a compliance notice that have not been priced into its services

  • Cost: Does the administrator intend to charge for dashboard integration either on an up-front project basis or through ongoing additional fees? Are there any pre-agreed approaches to cost allocation in the administration agreement relating to changes in law or regulation that would apply here?

Data protection and cyber security issues

Two regulatory regimes will meet. In principle, it should be possible to meet dashboard duties and comply with UK GDPR. However, there is a real potential for tension between trustees’ UK GDPR duties and their dashboard duty of having to match and return an individual’s data to them.

As the consultation paper puts it: ‘If schemes set their matching criteria so tightly that they fail to match, they may meet their UK data protection legislation duties, but are likely to fail to meet their dashboard duty which is subject to regulatory compliance action”. 

For trustees, there will be a very delicate balance to strike. If a member complains to the Information Commissioner and if the ICO (the relevant regulator) investigates the trustees, or if a member exercises UK GDPR statutory rights against them for e.g. alleged unlawful sharing/processing of data, it is unlikely to be of interest to the ICO, the Court or the member that the trustees were trying their best to meet dashboard duties.

As trustees will be processing ‘find information’ about a large number of individuals and providing ‘view information’ about individual benefits where they identify a match, there are a number of cyber data protection risks that they will need to address. Three examples of GDPR points to watch out for are:

  • making sure that the trustees and their providers (e.g. administrators, and any third party they engage to help them with dashboard compliance) comply with data protection requirements. This includes adhering to the ICO’s statutory code of practice on data sharing and checking/updating privacy notices and scheme administration contracts

  • at any point an individual can withdraw their consent to their data being shared in finding/returning their pension information (this consent withdrawal would likely be through the CAS). Trustees will need to be vigilant because, if that happens and if they’re made aware of that moments before they (or their provider) plan to share the information requested, trustees (as data controllers) have UK GDPR risk if their outsourced provider (or the scheme administrator) still hits ‘send’

  • when an individual chooses to access the information, the dashboard will pull it directly from the scheme. Cyber security will be paramount. Trustees will need to be sure that the interface their scheme has with the commercial dashboard provider won’t leave them vulnerable to attacks from cyber criminals/cyber security breaches

Next steps

There is a lot for trustees and administrators to do, and only limited time to do it. Trustees should start working with their administrator, and any third parties they appoint to support their dashboards work.

Key focus areas are whether they have all the data they need, whether it is in a searchable format, how they can provide the required ‘view data’, and the technology infrastructure they will need to be able to do all of this.

Trustees also need to be alive to the data protection and security issues and give careful consideration to issues such as liability in the event that incorrect data is shown on the dashboards or it is provided to the wrong person (indeed, to a cyber criminal).

The ‘indicative’ Regulations include a lot of detail, but they are obviously not in their final form. They also do not contain everything. There is detail in a number of other documents – e.g. the technical standards and guidance issued by the Pensions Dashboards Programme (which have also not been finalised yet).

Given the amount of work / tight timings, trustees cannot afford to wait for these documents to be in final form before getting ready for dashboards, but equally trustees will need to keep an eye on how those documents/law develop.

Jeremy Goodwin, Partner
Charlotte Cartwright, Partner
Simon Lightman, Partner
Lorna Doggett, Legal Director

< Go back

Print Friendly and PDF

© Eversheds Sutherland 2023. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities.

Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.