FCA consultation on the proposed regulatory framework for pensions dashboard service firms


Background

The FCA has issued a consultation paper on its proposed regulatory framework for pension dashboard service firms.

In this response

Responses to specific consultation questions and related comments

We welcome the opportunity to respond to this consultation. We have not sought to answer every question in the consultation but have limited our responses to those areas which are pertinent to our practice.

Specific questions

Q1: Do you agree with the way in which we propose to apply the Senior Management Arrangements, Systems and Controls (SYSC) sourcebook to pensions dashboard service (PDS) firms?

This is outside our area of expertise but it seems sensible to approach PDS firms in line with your approach to all FCA regulated firms, as you are proposing to do (para 3.22).

Q3: Do you agree with our proposed application of existing Supervision manual (SUP) rules to PDS firms?

This is outside our area of expertise but your approach of applying notification, reporting and record-keeping requirements in the SUP rules seems sensible (paras 3.43 to 3.47).

Q4: Do you agree with our proposed approach to notification requirements?

We agree with the proposed additional PDS-specific notifications set out in para 3.52.

Q5: Do you agree with our proposed approach to regulatory reporting?

Your approach seems sensible, as does the proposal in paragraph 3.56 to potentially turn record-keeping requirements into regulatory reporting requirements “in the future as the market develops”.

Q6: Do you agree with our record‑keeping proposals?

We don’t have any comments on the record-keeping requirements themselves.  We agree with PDCOB 14.1.3R that PDS firms must not keep personal data as part of these requirements unless necessary (para 3.66).

Q7: Do you have any comments on our proposal to apply the same approach to enforcement investigations and actions to PDS firms as we do to other regulated firms, as set out in our Enforcement Guide (EG)?

Whilst we don’t have any comments on the FCA’s particular enforcement policy (see paras 3.67-3.81), we would note that the Pensions Regulator will have a standalone dashboard compliance and enforcement policy. It would therefore be helpful for the industry if TPR and the FCA have ongoing communications on their approach to dashboard enforcement to ensure consistency where appropriate and to make their joint approach public.

Q8: Do you have any comments on our proposal to follow the same procedures for decision‑making and imposing penalties in relation to PDS firms and individuals set out in our Decision Procedure and Penalties Manual (DEPP)?

See our comment regarding liaising with TPR in question 7 above.

Q9: Do you agree with our proposed prudential requirements for PDS firms?

Whilst we acknowledge that PDS firms will not be holding client money, we note that they could potentially hold a great deal of financial and personal data about individuals.  This means there is a risk of a personal data breach or wider unauthorised access to financial data.  In these cases, there is the potential for the ICO to issue large fines to data controllers (currently up to £17.5 million or 4% of the total annual worldwide turnover).  We are concerned that the current proposals would not require PDS firms to have sufficient funds for fines, even those that are much lower than the maximum.  We are concerned that this may mean they don’t place sufficient weight on their data protection requirements.

Similarly, we are also concerned with the FCA’s pragmatic approach to professional indemnity insurance and cyber insurance cover. Whilst we acknowledge that there may be difficulties pending a market emerging for these in the dashboards arena, it will be a concern for data providers, such as pension scheme trustees, knowing they have to share data with firms that don’t have these protections in place. One of the comforts of such insurance is that it generally encourages firms to have good processes in place, particularly in the case of cyber insurance, to benefit from a more competitive premium. We feel that the obligation on firms to obtain these insurances should be much stronger, even if the FCA feels it cannot make it an absolute requirement in the current environment. (We are not in a place to opine on how difficult it would be to obtain these protections at present.)

(Paras 4.1-4.19)

Q10: Do you have any suggestions for how we might develop the capital resources requirement going forward, in particular to calibrate it to PDS firms as the market develops?

See Q9 above.

Q11: Do you think there should be a liquidity requirement for PDS firms going forward and, if so, how this might be calculated?

See Q9 above.

Q12: Do you agree with our proposed approach to wind‑down procedures for PDS firms?

Yes this seems a reasonable approach (paras 4.20-4.22).

Q13: Do you agree with our proposals on general conduct of business rules?

Yes we agree with your proposals (para 5.8).

Q14: Do you agree with our proposals on disclosures, signposts and warnings?

We agree that a PDS firm must display disclosures, signposts and warnings every time an individual uses dashboard services, rather than just the first time (para 5.11).

Whilst we see the benefits of allowing PDS firms to choose the format of disclosures, signposts and warnings, there should always be a text-only option available, so the individual can view them even with limited data on a device or when their volume is off (para 5.12).

We welcome the reminder that PDS firms need to consider their duties under the Consumer Duty when considering how to communicate the disclosures, signposts and warnings (para 5.14), particularly as the FCA is not proposing exact wording.

We also agree that PDS firms must carry out testing and monitoring in relation to the communications and for them to improve such communications if there are “common areas of misunderstanding among retail customers” (para 5.17).

In terms of the content of the disclosures, signposts and warnings (paras 5.19-5.28), we have the following comments:

  • We are concerned that the warnings in 5.26 are DC specific, particularly the third bullet, which, for example, states that the figures may be influenced by changes in investment performance and contributions. We suggest that there is also a bullet covering specific DB risks.
  • Whilst data providers are under duties to ensure the data is accurate, there is always a risk that the data provided could be wrong. At the moment, there doesn’t appear to be anything covering that risk.  Although the warnings say that the figures are not guaranteed, this should go further to confirm that they “cannot be relied upon”.  This is in keeping with the language used on DC modellers and benefit statements.
  • We would also suggest adding a warning reminding individuals that their actual benefits are as set out in their scheme’s governing documentation, not those set out in the dashboard. For example, “the dashboard does not give you any right to benefits.  Your benefits are those set out in the governing documentation of the relevant pension scheme”.   Again, this is in keeping with language used in scheme documentation, eg member guides.

Whilst we appreciate that individuals may want to collapse or hide the warning (para 5.28), it is important that individuals don’t just see the warnings as akin to a “cookie pop-up” where they just click to minimise the box without reading the contents.  We would suggest that the warning is included in the main webpage, with the option to minimise at the end of the warnings, to encourage people to read them.  However, we would be open to this being explored further in testing, with the route that encourages the most overall engagement ultimately being adopted.

We agree with the FCA’s concerns in para 5.29 about consumers making poor decisions and that warnings relating to this should be added.  However, we are concerned that the current wording in PDCOB 5.5.1R would suggest that a customer could make a financial decision using dashboard data when they have taken investment advice in relation to that data.  Given the nature of DB benefits and the potential limitations on the information provided to the dashboard, we do not feel that individuals should be making any financial decision based on that data.  They (or the investment adviser) should have to contact the scheme for more accurate figures before making any financial decision.

Q15: We want disclosures, signposts and warnings to be displayed at the most important moment for consumers. Do you have any evidence as to when PDS firms should communicate these disclosures, signposts and warnings?

No, we don’t have any evidence, but agree that research, testing and the evidence resulting from them should be used to determine when to display disclosures, signposts and warnings.

Q16: Do you agree with our approach to outsourcing?

We agree that the PDS firm must remain responsible for complying with all regulatory responsibilities, even when outsourcing operations (paras 5.32-16).

There is no reference to data protection requirements here – is this because the FCA is of the view this would be covered under the UK GDPR obligations as a data controller to data processor relationship?

Q17: Do you agree with our proposals relating to where third parties make dashboard services available?

See Q16 above.

Q18: Do you agree with our proposal that data should only be exported to either the customer, the PDS firm, or a firm in the same group as the PDS firm with permission to give investment advice?

Yes; however, we feel that any data export to a firm in the same group should be restricted to those in the UK, given the data protection implications of transferring personal data abroad (paras 5.49-5.54).

Q19: Do you agree that the requirements we propose to place around how data is exported and processed ensure an appropriate degree of consumer protection?

We agree with the protections that have been suggested and welcome the reminder in PDCOB 9.2.4G that any export is data processing and that firms will need to comply with data protection legislation.

Our understanding of the dashboard ecosystem is that the PDS firm will not be storing data, ie as soon as the individual logs out of the dashboard, the data is deleted.  Para 5.101 says PDS firms can offer individuals the option of storing their data for a future browsing session for up to 30 days.  We can see this is reflected in PDCOB 9 (data export to the firm).  However, we think it would be helpful to include an express provision making it clear that the default is that PDS firms must not store any personal data / pensions information without the customer’s consent.

We would also flag that we cannot see a section dealing with data protection when the customer initially signs up.  Although firms have to comply with data protection legislation, we feel the FCA rules should set out exactly what the member is consenting to, given how complex the dashboard ecosystem is.  Our understanding is that the individual is not consenting to sharing personal data with data providers, as their legal basis for processing data is legal obligation but it would be helpful if the FCA (in liaison with the ICO, MaPS and TPR) could confirm this.

Q21: Do you agree with our proposals on marketing?

We agree with the cautious approach to marketing and with your reasoning in para 5.114 and 5.116.

Given efforts to increase industry and member awareness of pension scams (para 5.124), there is a risk that allowing a PDS firm to market directly to individuals (para 5.120) could result in dashboards being perceived negatively. However, if your work with the industry has demonstrated that there would be very limited interest in the dashboard provider market without this concession then we understand your approach. If it hasn’t been discussed / tested in any detail then we suggest it is not allowed at this stage and explored as part of further testing.

Q22: Do you agree with our proposals on cookies and similar tracking technologies?

We agree with the proposals that PDS firms must not give prominence to one cookie option over another to get consent (although we would also be happy if the default was to only use essential cookies, but we imagine the PDS firms would object to this).  We also agree with the proposal to ban firms from requiring individuals to accept non-essential cookies (paras 5.124-5.129).

Q23: Do you agree with our proposals to protect dashboard users from scams?

Yes, we agree with the proposals for specific warnings, including in relation to screen sharing and third party control of devices.  We also agree with the requirement to notify the FCA of any scams.  Looking at the FCA draft rules, and given the potential risks to the customer from scams, we feel the additional guidance in PDCOB 5.3.4G should be a requirement, rather than just guidance.

We would query whether the obligation to notify should be when a PDS is aware of a potential scam, as the potential detrimental impact on individuals sharing personal data with a scammer is huge so needs to be dealt with as soon as possible (rather than the PDS spending time investigating the potential scam before reporting).

We would also suggest that there are reporting procedures for scams in place between the FCA, MaPS, TPR and the ICO to co-ordinate any response, given the potential reputational impact on dashboards as a whole (paras 5.130-5.141 and the table on page 26).

Q24: Do you agree with our proposal to apply the Senior Managers and Certification Regime (SM&CR) to PDS firms?

Yes (para 6.34).

Q27: Do you agree with our proposals to apply our complaint handling rules and guidance in the Dispute Resolution: Complaints Sourcebook (DISP), including the compulsory jurisdiction of the Financial Ombudsman Service, to PDS firms?

Yes (paras 7.13-7.16).

Q28: Do you agree with the Financial Ombudsman Service’s proposals to exclude activities relating to pensions dashboard services from the voluntary jurisdiction?

Yes, on the understanding that they are covered under the compulsory jurisdiction (paras 7.16-7.19).

Q29: Do you agree with our complaints reporting proposals for PDS firms?

We don’t have any comments on the proposed approach (paras 7.20-7.24).

However, we would suggest including something to cover what a PDS firm is expected to do when it receives a complaint that is (i) not the responsibility of the PDS or (ii) potentially the responsibility of another party as well as the PDS firm. Your consultation notes at para 7.5 that an individual may complain about a dashboard issue to the PDS firm, as they have a direct relationship with them, even if the PDS is not responsible for the issue at hand. We suggest that there is an agreed approach between the FCA, MaPS, TPR and the ICO for how such cases should be handled and the process for dealing with them, especially as tight timescales can apply to reporting requirements affecting certain breaches (eg for UK GDPR purposes). We imagine that it will also be extremely frustrating for the individuals, who are unlikely to have a deep understanding of how the wider dashboard ecosystem is set up, so they could feel as though they are just being passed from pillar to post. This, in turn, could adversely impact the reputation of dashboards as a whole.

Q30: Do you agree with our approach to redress?

We don’t have any comments on the proposed approach (paras 7.25-7.26).

Q31: Do you agree with our approach to the Financial Ombudsman Service’s fees and levy?

We don’t have any comments on the proposed approach (paras 7.27-7.30).

Q32: Do you agree with our proposed approach to authorising international PDS firms?

We don’t have any comments on this approach, other than to say the data protection aspect would need to be considered and they will need to ensure they are complying with UK GDPR (paras 8.9-8.12).