10 actions for getting to grips with pensions dashboards

The Government intends pensions dashboards to bring about a fundamental change in the way individuals access information about their pensions, allowing people to see all of their future pension entitlements in one online place.

The public will not be able to access the dashboard until at least 2024, but large and medium-sized schemes may need to connect to the online system before then (depending upon their size and type).

The first connection deadline is currently 31 August 2023. However, on 2 March 2023, the Department for Work and Pensions (DWP) announced that connection deadlines are set to change to allow more time to prepare for the arrival of pensions dashboards. A further update is expected in summer 2023.

When the systems go live, trustees will need to be ready to supply specific types of information to members (via dashboard providers) within a very short timeframe. They will also need to be ready for the wider implications of dashboards including the broader effect they may have on the way members interact with their schemes, and the changes in data and other legal risks that this implies.

This briefing outlines the proposed regime as it will affect occupational pension schemes, together with 10 key actions for scheme agendas:

Identifying your staging deadline
Getting your data in order
Getting ready to connect
Getting ready to match and respond
Preparing to engage with members outside the dashboard
Checking your outsourcing arrangements
Considering data protection and cyber security risks
Monitoring and managing risks
Setting up systems for record keeping and reporting
Monitoring industry developments

What are pensions dashboards?

The Pensions Dashboards Programme (PDP) at the Money and Pensions Service (MaPS) describes dashboards as "public facing user interfaces that will enable individuals to access their pensions information online, securely and all in one place, thereby supporting better planning for retirement".

MaPS will provide a non-commercial dashboard. Other (commercial) entities will also be able to provide dashboards, where authorised by the Financial Conduct Authority (FCA).

Dashboards are an opportunity to reconnect members with their savings, encourage consolidation of small pots, increase member awareness and engagement, and, ultimately, enable them to make better-informed choices about their pensions. Like automatic enrolment, dashboards have the potential to transform the pensions industry and improve member outcomes.

Where are we now?

Introducing dashboards (and getting schemes ready to connect with them) is, nevertheless, a complex and ambitious project. There are significant challenges, tight deadlines and many potential pitfalls. At the Pensions Administration Standards Association (PASA) annual conference 2022, David Fairs of the Pensions Regulator encouraged schemes to get this process underway as soon as possible.

The Pensions Dashboards Regulations 2022 came into force on 12 December 2022, following the release of two Government consultation responses in July and October 2022. The FCA has issued corresponding rules for personal pension providers and has issued a consultation on its rules for dashboard providers, which will close on 16 February 2023.

The final regulations confirm that the Government will provide at least six months' notice before the "dashboards available point" occurs and dashboards become available to the public (rather than 90 days, as proposed originally).

See Action 10 (Monitoring industry developments), below, for further detail on the latest standards, guidance and policies from the PDP and the Pensions Regulator.

Which schemes are in scope?

Schemes in scope, at least for now, are all UK schemes registered with HMRC and with at least 100 active and deferred members (i.e. not including pensioners and survivors) (described in the new regime as "relevant members") as at their scheme year end date that fell between 1 April 2020 and 31 March 2021. Other schemes can connect to dashboards voluntarily, with permission. There are provisions regarding schemes with fewer than 100 relevant members that grow and so fall into scope later.

There are also certain limited exceptions where entire schemes are in PPF assessment before their staging deadline.

How will pensions dashboards work?

The dashboard system will not itself hold information. Rather, it will process "find and view" requests:

A "find request" is generated when an individual uses a dashboard.
All occupational pension schemes connected to the dashboard infrastructure will then be sent an individual's personal information from the "find request" and must seek to "match" the individual, i.e. check if that person is an active or deferred member of their scheme. They must do this based on matching criteria that they have decided in advance (see Action 4 (Getting ready to match), below).
If there is a match, the scheme must create and register a "pension identifier" (or "PeI").
The scheme must then return "view data" in respect of the member for display on the dashboards, after checking view request permissions against a "consent and authorisation service" ("CAS") provided by MaPS.
If there is a partial match then the individual must be invited to contact the scheme so that this can be investigated.

State pension information should be available from the outset. It appears that PPF compensation will not be included.

Now Reading

Action 1: Identifying your staging deadline

The current connection deadlines for occupational pension schemes are listed below. However, these are set to change following the announcement by the DWP in March 2023 that additional time was needed for connection. A further update is promised in summer 2023.

31 August 2023 – master trust schemes with 20,000+ relevant members
30 September 2023 – defined contribution (DC) automatic enrolment schemes with 10,000+ relevant members and master trusts with 10,000 to 19,999 relevant members
31 October 2023 –DC automatic enrolment schemes and master trust schemes with 5,000 to 9,999 relevant members
30 November 2023 – defined benefit (DB) schemes (with the exception of public service schemes - see below) with 20,000+ relevant members and other DC schemes with 20,000+ relevant members
31 January 2024 – DC automatic enrolment schemes and master trust schemes with 2,500 to 4,999 relevant members
29 February 2024 – DC automatic enrolment schemes and master trust schemes with 1,000 to 2,499 relevant members.
31 March 2024 – DB schemes with 10,000 to 19,999 relevant members and other DC schemes with 10,000 to 19,999 relevant members
30 April 2024 - collective money purchase schemes
30 June 2024 to 30 September 2024 - DB schemes with 1,000 to 9,999 relevant members and other DC schemes with 1,000 to 9,999 relevant members
30 September 2024 - public service pension schemes
31 October 2024 to 31 October 2025 – "medium" DB and DC schemes (i.e. those with 100 to 999 relevant members)

Staging dates have not yet been set for small and micro schemes (with fewer than 100 members), although they can connect voluntarily and Government had previously indicated that staging might be from 2026.

In a change to the original proposals, a hybrid DB/DC scheme's staging date is the date that would apply if the scheme were entirely DB, based on the total number of relevant members across both DB and DC. (A scheme with DB benefits in which all the DC benefits derive from additional voluntary contributions is treated as DB rather than hybrid.)

Early connection is possible, with the permission of MaPS (which will consult with the Pensions Regulator). Certain schemes may be able to postpone in some exceptional circumstances. The regime currently only provides for postponement to occur once, and that the application must be made by 11 December 2023: here permission must be granted by the Secretary of State, after consultation with the Pensions Regulator and MaPS (see Action 6 (Outsourcing arrangements), below). The Government has issued guidance on applying for postponed connection.

Note that connection dates must be agreed with MaPS and will normally fall within connection window ending on the staging date (five months for the very first schemes to stage, one month for others). There is likely to be high demand as staging dates approach, so schemes may need to connect earlier than their staging date.

Action 2: Getting your data in order

Dashboards will only be as useful as the data available to them. Good data is already central to trustee duties and will become even more so when dashboards go live. The Pensions Regulator has emphasised that "[r]obust and accessible data and failsafe systems are essential to ensuring pensions dashboards offer savers the information they need to make informed decisions about their retirement savings."

Schemes therefore need to understand what data they will need to provide, audit whether they have that data in a "dashboard ready" format and fill any data gaps. Guidance from the Pensions Administration Standards Association (PASA) has stressed that data will need to be:

accessible automatically,
accurate; and
available digitally.

Schemes will have to supply four main categories of data:

"Administrative data", including (among other things) the name of the scheme, the nature of the benefit, member status and normal pension age.
"Contextual information", including (among other things) as to survivor benefits and pension increases.
"Signpost data" for a website where (to the extent required by law) information on costs and charges, the scheme's statement of investment principles and its implementation statement can be viewed.
"Value data", which is the core data relating to the accrued (and projected) value of the member's own benefits. The "value data" information to be returned is different in respect of money purchase and non-money purchase benefits:

Money purchase

Here, the information that must be returned is:

An accrued pot value.
An annualised income value (ignoring future contributions and growth).
(If held) the pot value projected to normal pension age.
A projected annualised income value.

The last three of these only need to be provided from 1 October 2023 and once a statutory illustration has been produced. A future update of the Financial Reporting Council's (FRC) actuarial standard TM1, concerning statutory money purchase illustrations, will address how the projections are to be made. The FRC has consulted on this.

Projections are not required if the member is within two years of normal pension age and in some circumstances where the pot value is less than £5,000.

Non-money purchase

Here, the "value data" information that must be returned is:

For active members, an accrued value as at the illustration date and a projected value for service to normal pension age but with no salary increases. No projection is required for members within two years of normal pension age.
For deferred members, an accrued value, valued to the illustration date. The Government has announced it will allow schemes to adopt a simplified alternative approach where the scheme does not revalue annually, but this will only be available for up to two years after the scheme's connection date. In any event, schemes which only calculate revaluation at retirement, which is all that the law requires, might need to create new processes in order to be able to comply. No projected value is required for deferred members.

The "value" here refers to the annual pension figure and any separate pension commencement lump sum.

Additional voluntary contributions (AVCs)

The Government proposed, in its first consultation response, that schemes would be able to decide whether to allow AVC providers to send the data separately or for the trustee or manager to gather the data from the AVC provider to present alongside scheme benefits. In practice the Government expects the data will be made available to dashboards by whomever administers the AVC (which may be a commercial AVC provider). The PDP's Data Standards allow a pension provider to send its main pension provider benefits and a separate provider of the AVCs could also send in AVC data. However, trustees remain legally accountable for ensuring that this happens and will need to work with their AVC provider accordingly.

There are separate provisions for cash balance and collective money purchase benefits.

In all cases, the figures can be up to 13 months old: this is to allow existing calculation processes to be used. If such figures are not already available, there is a three-day deadline for providing money purchase data and a ten-day deadline for non-money purchase data.

The rules also provide that value data must be provided to new scheme members (including those whose benefits have transferred from another scheme) as soon as is practicable, but no later than the sooner of: (i) the point at which the first statement has been produced for that member; or (ii) within 12 months of the end of the first full scheme year of which the member was a part of the scheme.

Although schemes in winding-up will still be required to connect (where they have a sufficient number of relevant members) they will only be required to provide value data (and corresponding contextual and signpost information) if they consider it appropriate to do so.

Schemes are no longer required to provide information once benefits have begun to be paid, even in part. The exception is where a member has taken only an uncrystallised funds pension lump sum (UFPLS).

Action 3: Getting ready to connect

Occupational pension schemes will be required to register and cooperate with MaPS in connecting with the dashboard infrastructure and responding to "find and view" requests (see above). Schemes should be in contact with their administrators or software providers about how to do this.

There are two connection options: connecting directly or connecting via a third party. The PDP expects that most schemes will connect via a third-party data provider, which will mean that they can register their connection to the existing endpoint provided by that third party. It states in the "Connection process and guidance" that schemes "should allow up to 30 working days to complete registration and connection via an already-connected third party". However, if schemes intend to connect directly by setting up a new live endpoint, the PDP recommends that they should start this process six to nine months before their staging deadline.

There is a one-month window in advance of a scheme's staging date for schemes to connect to the system, by registering the software and interfaces they will use. This window is five months for the largest master trusts, who are the first to stage. Under the current legislative framework connection may begin from 1 April 2023, although this appears likely to change following the DWP'S announcement that connection deadlines will be delayed. The software and interfaces will need to meet the PDP's published standards, having regard to guidance published by MaPS and/or the Pensions Regulator. As noted above, schemes need to agree their connection date with MaPS and this may have to be earlier than the staging date.

Schemes will need to comply with pre-connection steps. The PDP has issued "Code of Connections" standards, which set out its expectations on security, service and operational standards, alongside recommended or best practice guidance and "Early connection guidance" (see Action 10 (Monitoring industry developments), below).

Action 4: Getting ready to match and respond

Once individuals start accessing the dashboards, schemes will need to be able to match "find" requests from dashboard users against their records, identify relevant individuals and send data back to dashboards within the prescribed response times (see Action 2 (Data), above).

Ahead of this, schemes will need to decide on their criteria for matching find requests. PASA data matching convention guidance (updated in August 2022) will help with this. The Pensions Regulator's guidance also addresses matching, which suggests that schemes may wish to refer to PASA's guidance when deciding on their approach to matching.

PASA has suggested that, based on current practice, many (but not all) schemes will decide to match based on three core data elements: surname, date of birth and National Insurance Number. Some schemes may add the user's first name as a fourth data element.

Schemes will need to be confident that any data elements they use are accurate. This is likely to be challenging where they rely on third parties, such as employers, deferred members or previous administrators. Wider data protection and security considerations will also be highly relevant here (see Action 7 (Data protection and cyber security), below).

Action 5: Preparing to engage with members outside the dashboards

Schemes could face significantly more requests from members once dashboards are launched. This could take the form of members seeking to correct their personal data so their pensions can be found, requests for more accurate retirement figures or transfer value quotations or follow-up queries from members who have been reconnected with their pensions. Schemes will need to check that administrators have capacity to deal with these demands (see Action 6 (Outsourcing arrangements), below).

If schemes (particularly DB schemes) find that they are receiving greater demands from members to transfer their benefits after accessing a dashboard, both trustees and scheme sponsors may want to review the support they provide for these decisions together with their existing transfer processes (including scams checks and nudges to pension guidance, where applicable).

Communications strategies may also need to be updated to cover dashboards – including to explain what members can expect to see and do through the dashboards platform. For example, in many cases dashboards will not be able to fully reflect a member's actual pension entitlement under a scheme because of the various benefit complexities that may exist (such as underpins, tranches of benefits, early and late retirement options, etc). Managing member expectations and the risk of legal liability arising from reliance on figures given via the dashboards will be critical.

Action 6: Check your outsourcing arrangements

Most schemes will require input from third party service providers to ensure they can meet the new dashboard requirements. In particular, schemes may need assistance in establishing access to scheme data via the dashboards, developing search functionality and ensuring that new systems and processes are appropriate and robust.

In the first instance this is likely to involve conversations with scheme administrators and software providers to explore project plans and identify any additional resource or support requirements and any need for further expertise to be brought in. A key part of this assessment will be a review of the terms of existing outsourcing contracts to ensure they remain fit for purpose once the dashboards regime is in place. As a minimum, this review should cover the following:

Service descriptions – are these sufficiently broad to capture the transition to dashboards and compliance with the regulatory framework? Even if the answer is yes, should service descriptions be updated to reflect the detail of the regime or a change to existing practice?
Service levels – should existing KPIs be updated (or supplemented) to align with:
- regulatory obligations in relation to the quality of data and acceptable response times?
- new standards and guidance issued by MaPS or the Pensions Regulator, including obligations to retain management information (see also Action 9 (Record keeping and reporting) below)?
- changes to the scheme's own risk management processes or other policies?

Any updates need to be realistic, both in view of the provider's resources and technological expertise and the likely uptick in member requests (see also Action 5 (Preparing to engage with members) above).

Cost allocation - what are the costs of providing any new services? Does the contract provide any guidance on how the costs should be allocated between the parties and/or any associated protections (e.g. caps, benchmarking rights)? How could the costs change as the regime evolves?
Liability – how will the risks associated with the new regime (e.g. regulatory fines or other costs associated with any breach) be allocated between the scheme and the provider? What steps should the parties take to mitigate the risk of any such liabilities arising?
Implementation – is the provider planning to use a third party solution or develop its own in-house? What milestones or other controls should be in place to give the trustees confidence that the implementation project is on track and that development work will not compromise service standards in the meantime?
Data - What new data protection and cyber security risks will arise under the new arrangements and how will these be addressed and apportioned (see also Action 7 (Data protection and cyber security?) below)?

By their nature, any changes to the outsourcing arrangements will need to be made in collaboration with the service providers. Trustees should engage with administrators and IT suppliers at an early stage to understand their technical proposals for connecting to the dashboard ecosystem.

The Pensions Regulator has warned trustees that "[w]hile you can use third parties to help you meet your duties, you will ultimately remain accountable for ensuring that your scheme is connected to dashboards on time and that you are (and remain) compliant with the requirements."

Schemes that are considering changing administrator will also need to consider how this could affect their ability to comply with the new regime. The Government is proposing to allow schemes some flexibility to defer a staging deadline by up to 12 months where it would be disproportionately burdensome to comply as a result of a procurement process for a new administrator (or administration system) which had begun before the dashboard regulations were in force. However, that extension is unlikely to be granted where the incoming administrator is already "dashboard-ready".

Action 7: Consider data protection and cyber security risks

Schemes will need to comply with their responsibilities as data controllers under the UK General Data Protection Regulation (UK GDPR) and the guidance set out in the Information Commissioner's statutory code of practice on data sharing and consider the following:

Legal basis for processing – there must be a legal basis for each processing activity. MaPS (through CAS) will obtain an individual's consent to their data being sent to the scheme to search for that individual's benefits following a find request. Consent can be withdrawn and, while this process is likely to be managed centrally through CAS, schemes will need to ensure that no further data is shared if this occurs. In responding to the find request, schemes should be able to rely on the legal basis of "compliance with a legal obligation" to match the individual and then return view data to them (on the basis of its regulatory obligation to respond to a request) or, alternatively, "legitimate interests". Once the regime has been clarified, schemes should assess the most appropriate legal basis on which to rely.
Transparency obligations – schemes will need to update privacy policies to cover all requirements of UK GDPR, including reflecting the legal basis for processing and data sharing arrangements.
Accurate data – a key risk for schemes from a data protection perspective is the disclosure of data to the wrong person and, in setting their matching criteria, schemes will need to balance duties under the UK GDPR with obligations under the new dashboard regime (see Action 4 (Getting ready to match) above). This ultimately comes down to getting your data in order (Action 2 (Data)): the more accurate the data that the scheme holds, the better the prospect of complying with both regimes.
Security – schemes are responsible for protecting personal data with adequate security measures. The cyber security standards with which those connecting to the dashboards must comply are yet to be published but are expected to be robust. Prior to sharing data, schemes may wish to carry out a data protection impact assessment (DPIA) to ensure that risks are identified and mitigated accordingly (especially in view of sensitivity of data to be disclosed). The DPIA to be published by the PDP for the dashboard ecosystem should help with this.
Managing processors – while it is unclear what data sharing agreements, if any, will be managed centrally, schemes will need to work with administrators and software providers to ensure that new requirements are reflected adequately under the relevant contracts (see Action 6 (Outsourcing arrangements)).

Action 8: Monitoring and managing risks

Existing scheme risk management processes should be reviewed and updated to ensure that they will:

comply with the new dashboard requirements;
address new risks concerning data protection and cyber security (see Action 7 (Data protection and cyber security), above); and
consider how dashboards could affect member outcomes more generally, both in the context of pension scams and where members may make significant financial decisions based on the information they receive from the dashboard.

The Pensions Regulator will be the supervising authority and will be able to issue compliance notices and penalties in relation to dashboard compliance. Penalties would be up to £5,000 for an individual and £50,000 in other cases. Penalties are discretionary, not compulsory, but can apply per instance of a breach of a relevant provision, i.e. potentially per individual member.

Dashboards have the potential to foster member engagement and improve decision-making, but only if full and accurate data is provided to the right recipients. It will be important to ensure that the scheme's matching criteria are sufficiently robust to prevent fraud and pension scams. This needs to be balanced against the need to ensure members receive information on all their pension entitlements when they submit a request.

The Pensions and Lifetime Savings Association (PLSA) has emphasised that schemes need to have certainty where legal financial responsibility will rest should the user take action, or fail to take action:

in light of their pension not being shown; or
where the pension actually paid is different from an amount that appeared on a dashboard in the past.

The dashboards regime does not change the ordinary legal liability principles that apply whenever benefit information is provided to a member. However, the greater ease and speed with which members will be able to request data will introduce a marked change in the practical risk of omissions or inaccurate data being provided.

Schemes will also need to consider how dashboards will display and caveat the data they provide. They will have less control over how information is presented than they do when communicating with members directly. They may therefore want to manage this risk through their own communications strategy (see Action 5 (Preparing to engage with members) above).

Action 9: Setting up systems for record keeping and reporting

Schemes will need to keep records of a range of “management information” for at least six years. This includes the number of "find and view" requests received, their matching process and the time taken to respond to each view request. Trustees must provide this information to MaPS, the Pensions Regulator or the FCA on request.

Action 10: Monitoring industry developments

The DWP has committed to provide an update on changes to connection deadlines in summer 2023, after the PDP has developed a new plan for delivery.

The Pensions Regulator has published guidance and updated it after the Government published its first response to the consultation on the regulations. It has also published a consultation on its dashboards compliance and enforcement policy, which runs until 24 February 2023.

In November 2022, the PDP published revised standards and statutory guidance on connecting to the dashboards ecosystem. These include:

Code of connection (including security, service and operational standards);
Technical standards;
Data standards;
Reporting standards;
Early connection guidance; and
Data standards usage guide.

The PDP also opened a consultation on design standards, which will set mandatory standards for how information and pension values will be presented, which closed on 16 February 2023. The PDP has also issued notes on its approach to the governance of standards and the connection process and guidance.

In terms of other resources, in addition to the PASA guidance (mentioned above), the PLSA has produced "Pensions dashboards A to Z", a useful guide for the pensions industry, and a summary checklist of actions schemes should take now.

Read Nick Brady Profile