TPR consultation on its Dashboards compliance and enforcement policy
The Pensions Regulator (“TPR”) has issued a consultation on its draft Dashboards compliance and enforcement policy.
In this response
We welcome the opportunity to respond to this consultation. In addition to answering specific consultation questions which are pertinent to our practice, or which we believe could give rise to difficulties in practice for our clients, we have provided some initial general comments.
We welcome TPR’s proportionate and pragmatic approach in this draft policy. As we are all aware, pensions schemes, particularly the ones with the early staging dates, have a huge amount to do in a tight timescale and your suggested approach appears to recognise this. The examples at the end also help give context to your approach, which will be of use to clients.
Question 1. Do you agree with the policy principles we have set out in this compliance and enforcement policy?
As you recognise, dashboards is a huge challenge for the industry, so we agree with your policy principles that any approach to enforcement should be risk-based, proportionate and pragmatic.
We also agree with the focus on savers. We assume this means that TPR will be focusing most of its enforcement energy (and penalties) after the Dashboards Available Point, ie when dashboards go live to the public and before that point TPR’s focus will be on working with schemes to help them comply, rather than issuing penalties. If so, it would be helpful if this could be made more explicit in the policy.
We also agree with the acknowledgement that schemes are dependent on third parties. Although it is mentioned later in the policy, we think it would be helpful for schemes if the principle itself explains that any failure by a third party would be taken into account in respect of a scheme’s compliance.
Question 2. Do the key risk areas, within our regulatory remit, align to your understanding of where risks may exist for the saver? Are there any which are missing?
Yes, the key risk areas cover our main areas of concern, which are within TPR’s remit.
We note that one of the key risks is members not understanding the figures provided and making poor decisions based solely on this information. However, we appreciate this falls more under the FCA’s remit than TPR so there may be little that TPR can do on this front sadly.
Question 3. Does the policy provide sufficient clarity on our expectations of governance bodies (trustees and scheme managers) and third parties?
We think TPR’s expectations of governance bodies are generally clear. However, it would be helpful if:
- the expectations on third parties could be expanded, particularly to clarify the extent of those expectations in respect of data, eg improving data quality and accuracy
- the expectation on trustees to monitor third parties that they have a contractual relationship with and what trustees should do if those parties (eg a legacy AVC provider) refuse to engage with the trustees or listen to their views. For example, if the administrator gives the trustees a set of “matching” criteria for find requests and not offering any flexibility to the trustees in changing those criteria
- guidance could be given on what trustees should do where they have no direct relationship with a third party who they are reliant on (eg where their administrator engages an ISP, and that ISP fails to connect).
Question 4. Does the policy provide sufficient clarity on how we will monitor compliance?
Yes. We understand from the policy that you will gather information on potential non-compliance from a variety of sources, including through any whistleblowing reports. Is TPR proposing to act as the contact point for all complaints about dashboards? If so, we envisage that could put a resourcing strain on TPR. See our response to question 11 below for more thoughts on dashboard complaints.
Question 5. Does the policy provide sufficient clarity on our approach to non-compliance?
Question 6. Does the policy provide sufficient clarity on the elements we may take into consideration?
Our understanding is that the third bullet (“whether a breach is the result of wilful non-compliance or if there are circumstances outside the scheme’s control”) would cover a breach due to the actions / omissions of a third party but it would be helpful if the bullet were to make this absolutely clear. We don’t have any other comments on the elements.
Question 7. Does the policy provide sufficient clarity on the regulatory options and powers available to us?
We note that the guidance states that:
“We can include more than one penalty at a time. In some cases, we may be able to issue penalties for a number of breaches simultaneously (eg where a scheme failed to match or respond to requests for data for several members). In these cases, we will also consider the total amount of penalty issued in light of the circumstances of the breaches and the impact they have had.”,
It would be helpful if this could be expanded to give further guidance on when TPR may issue multiple monetary penalties for breaches arising from the same underlying cause. In particular, whether TPR has in mind any levels of or a cap on any such monetary penalties, given the potential for virtually unlimited fines in the case of a breach that affected tens of thousands of members. Not only would this help trustees’ understanding of the scope of the fines, it will also help schemes manage their related trustee protections.
Question 8. Do you find the scenarios we have included assist with your understanding of our approach to compliance and enforcement?
Yes, however, we were a bit concerned on “scheme c”, in which the “trustee had provided a message to savers on the scheme’s website” regarding a connection issue. This will not be possible for schemes that do not have a website. What would TPR’s expectation be in such cases? For example, contacting members individually could result in a great deal of administrative work.
Question 9. Are there any other key scenarios which you feel we need to include to provide additional clarity (bearing in mind we cannot give scheme specific advice)?
As mentioned in Question 7, it would be useful to have more guidance on when multiple monetary penalties may be imposed. To that end, a key scenario on this would be helpful.
We also think it would be helpful to include scenarios on the following:
- non-compliance resulting from the action of the third party that the trustee does not have a direct relationship with
- any non-compliance during a transition to a new administrator (eg when a transition plan is in place but something expected goes wrong).
Question 11. Do you have any other comments on our draft compliance and enforcement policy?
We welcome the section on how TPR will work with the ICO. Whilst we understand it will depend on the facts of a case as to which body will lead an investigation, it would be helpful to understand in a bit more detail how TPR and ICO intend to work together on dashboard-related data breaches (whether in this policy or in a separate joint statement).
We suggest that there is an agreed approach between the FCA, MaPS, TPR and the ICO for how any complaints should be handled and the process for dealing with them, especially as tight timescales can apply to reporting requirements affecting certain breaches (eg for UK GDPR purposes). We imagine that it will also be extremely frustrating for the individuals, who are unlikely to have a deep understanding of how the wider dashboard ecosystem is set up, so they could feel as though they are just being passed from pillar to post. This in turn, could adversely impact the reputation of dashboards as a whole.