10 actions for getting to grips with pensions dashboards

Overview

The Government intends pensions dashboards to bring about a fundamental change in the way individuals access information about their pensions, allowing people to see all of their future pension entitlements in one online place.

The public will not be able to access the dashboard until at least 2024, but large and medium-sized schemes will need to connect to the online system between June 2023 and October 2025 (depending upon their size and type).

Before they are required to connect to the dashboards, trustees will need to ensure the scheme's data and infrastructure are in good shape and ready for connection. The Pensions Regulator has urged trustees and scheme managers to start getting ready now.

When the systems go live, trustees will need to be ready to receive significantly more data requests from members (via dashboard providers). They will need to respond to these within a very short timeframe. They will also need to be ready for the wider implications of dashboards including the broader effect they may have on the way members interact with their schemes, and the changes in data and other legal risks that this implies.

This briefing outlines the proposed regime as it will affect occupational pension schemes, together with 10 key actions for scheme agendas:

  1. Identifying your staging deadline
  2. Getting your data in order
  3. Getting ready to connect
  4. Getting ready to match and respond
  5. Preparing to engage with members outside the dashboard
  6. Checking your outsourcing arrangements
  7. Considering data protection and cyber security risks
  8. Monitoring and managing risks
  9. Setting up systems for record keeping and reporting
  10. Monitoring industry developments
What are pensions dashboards?

The Pensions Dashboards Programme describes dashboards as "public facing user interfaces that will enable individuals to access their pensions information online, securely and all in one place, thereby supporting better planning for retirement".

The Money and Pensions Service (MaPS) will provide a non-commercial dashboard. Other (commercial) entities will also be able to provide dashboards, where authorised by the Financial Conduct Authority (FCA).

Dashboards are an opportunity to reconnect members with their savings, encourage consolidation of small pots, increase member awareness and engagement, and, ultimately, enable them to make better-informed choices about their pensions. Like automatic enrolment, dashboards have the potential to transform the pensions industry and improve member outcomes.

Introducing dashboards (and getting schemes ready to connect with them) is, nevertheless, a complex and ambitious project. There are significant challenges, tight deadlines and many potential pitfalls.

It is important to note that final pensions dashboards regulations are not expected to be published before summer 2022. However, the Government has consulted on "indicative" draft regulations. These provide enough information for schemes to start getting ready and our comments in this note are based on the indicative draft regulations. At the Pensions Administration Standards Association (PASA) annual conference 2022, David Fairs of the Pensions Regulator encouraged schemes to get this process underway as soon as possible.


Which schemes are in scope?

Schemes in scope, at least for now, are all UK schemes registered with HMRC and with at least 100 active and deferred members (i.e. not including pensioners and survivors) as at their scheme year end date that fell between 1 April 2020 and 31 March 2021. Other schemes can connect to dashboards voluntarily, with permission: they may be required to connect from 2026 but this is not in the draft regulations. There are provisions regarding schemes with fewer than 100 relevant members that grow and so fall into scope later.


How will pensions dashboards work?

The dashboard system will not itself hold information. Rather, it will process "find and view" requests:

  • A "find request" is generated when an individual uses a dashboard.

  • All occupational pension schemes connected to the dashboard infrastructure will then be sent an individual's personal information from the "find request" and must seek to "match" the individual, i.e. check if that person is an active or deferred member of their scheme. They must do this based on matching criteria that they have decided in advance (see Action 4 (Getting ready to match), below).

  • If there is a match, the scheme must create and register a "pension identifier" (or "PeI").

  • The scheme must then return "view data" in respect of the member for display on the dashboards, after checking view request permissions against a "consent and authorisation service" ("CAS") provided by MaPS.

  • If there is a partial match then the individual must be invited to contact the scheme so that this can be investigated.

State pension information should be available from the outset. It appears that PPF compensation will not be included. 


What actions should schemes have on their agendas now?
Action 1: Identifying your staging deadline

Occupational pension schemes will become subject to the connection requirement on the following dates:

  • 30 June 2023 – master trust schemes with 20,000+ relevant members
  • 31 July 2023 – defined contribution (DC) automatic enrolment schemes with 20,000+ relevant members
  • 30 September 2023 – DC automatic enrolment schemes and master trust schemes with 10,000 to 19,999 relevant members
  • 30 October 2023 –DC automatic enrolment schemes and master trust schemes with 5,000 to 9,999 relevant members
  • 30 November 2023 – defined benefit (DB) schemes (with the exception of public service schemes - see below) with 20,000+ relevant members and other DC schemes with 20,000+ relevant members
  • 31 January 2024 – DC automatic enrolment schemes and master trust schemes with 2,500 to 4,999 relevant members
  • 29 February 2024 – DC automatic enrolment schemes and master trust schemes with 1,000 to 2,499 relevant members.
  • 31 March 2024 – DB schemes with 10,000 to 19,999 relevant members and other DC schemes with 10,000 to 19,999 relevant members
  • 30 April 2024 – public service pension schemes and collective money purchase schemes
  • 30 June 2024 to 30 September 2024 - DB with 1,000 to 9,999 relevant members and other DC schemes with 1,000 to 9,999 relevant members
  • 31 October 2024 to 31 October 2025 – "medium" DB and DC schemes (i.e. those with 100 to 999 relevant members)

Staging dates have not yet been set for small and micro schemes (with fewer than 100 members), although the Government has indicated that this is likely to be from 2026.

A hybrid scheme's staging date is the earlier of what would otherwise be its DC and DB staging dates, for the whole scheme. (A scheme with DB benefits in which all the DC benefits derive from additional voluntary contributions is treated as DB rather than hybrid.)

Early connection is possible, with the permission of MaPS (which will consult with the Pensions Regulator). Certain schemes may be able to postpone in some exceptional circumstances - but only once, and the application must be made within 12 months of the regulations coming into force: here permission must be granted by the Secretary of State, after consultation with the Pensions Regulator and MaPS (see Action 6 (Outsourcing arrangements), below).

Action 2: Getting your data in order

Dashboards will only be as useful as the data available to them. Good data is already central to trustee duties and will become even more so when dashboards go live.

Schemes therefore need to understand what data they will need to provide, audit whether they have that data in a "dashboard ready" format and fill any data gaps. Guidance from the Pensions Administration Standards Association (PASA) has stressed that data will need to be:

  • accessible automatically,
  • accurate; and
  • available digitally.

Schemes will have to supply four main categories of data:

  1. "Administrative data", including (among other things) the name of the scheme, the nature of the benefit, member status and normal pension age.

  2. "Contextual information", including (among other things) as to survivor benefits and pension increases.

  3. "Signpost data" for a website where (to the extent required by law) information on costs and charges, the scheme's statement of investment principles and its implementation statement can be viewed.

  4. "Value data", which is the core data relating to the accrued (and projected) value of the member's own benefits. The "value data" information to be returned is different in respect of money purchase and non-money purchase benefits:
Money purchase

Here, the information that must be returned is:

  1. An accrued pot value.
  2. An annualised income value (ignoring future contributions and growth).
  3. (If held) the pot value projected to normal pension age.
  4. A projected annualised income value.

The last three of these only need to be provided from 1 October 2023 and once a statutory illustration has been produced. A future update of the Financial Reporting Council's (FRC) actuarial standard TM1, concerning statutory money purchase illustrations, will address how the projections are to be made. The FRC has consulted on this.

Projections are not required if the member is within two years of normal pension age and in some circumstances where the pot value is less than £5,000.

Non-money purchase

Here, the "value data" information that must be returned is:

  1. For active members, an accrued value as at the illustration date and a projected value for service to normal pension age but with no salary increases. No projection is required for members within two years of normal pension age.
  2. For deferred members, an accrued value, valued to the illustration date. There may be the option for an alternative approach where the scheme does not revalue annually: in any event, schemes which only calculate revaluation at retirement, which is all that the law requires, might need to create new processes in order to be able to comply. No projected value is required for deferred members.

The "value" here refers to the annual pension figure and any separate pension commencement lump sum.

There are separate provisions for cash balance and collective money purchase benefits.

In all cases, the figures can be up to 12 months old: this is to allow existing calculation processes to be used. If such figures are not already available, there is a three-day deadline for providing money purchase data and a ten-day deadline for non-money purchase data.

Schemes are no longer required to provide information once benefits have begun to be paid, even in part. The exception is where a member has taken only an uncrystallised funds pension lump sum (UFPLS).

Action 3: Getting ready to connect

Occupational pension schemes will be required to register and cooperate with MaPS in connecting with the dashboard infrastructure and responding to "find and view" requests (see above). Schemes should be in contact with their administrators or software providers about how to do this. We do not yet know the deadline for this but it is not necessarily linked to the scheme's staging date. 

There is a one-month window in advance of a scheme's staging date for schemes to connect to the system, by registering the software and interfaces they will use (three months for the largest master trusts, who are the first to stage). The software and interfaces will need to meet the Pensions Dashboards Programme's published standards, having regard to guidance published by MaPS and/or the Pensions Regulator.

Schemes will need to comply with pre-connection steps, which will also be set out in MaPS standards.

Action 4: Getting ready to match and respond

Once individuals start accessing the dashboards, schemes will need to be able to match "find" requests from dashboard users against their records, identify relevant individuals and send data back to dashboards within the prescribed response times (see Action 2 (Data), above).

Ahead of this, schemes will need to decide on their criteria for matching find requests. PASA data matching convention guidance will help with this. The Secretary of State or Pensions Regulator will also publish guidance on matching.

PASA have suggested that, based on current practice, many (but not all) schemes will decide to match based on three core data elements: surname, date of birth and National Insurance Number. Some schemes may add the user's first name as a fourth data element.

Schemes will need to be confident that any data elements they use are accurate. This is likely to be challenging where they rely on third parties, such as employers, deferred members or previous administrators. Wider data protection and security considerations will also be highly relevant here (see Action 7 (Data protection and cyber security), below).

Action 5: Preparing to engage with members outside the dashboards

Schemes could face significantly more requests from members once dashboards are launched. This could take the form of members seeking to correct their personal data so their pensions can be found, requests for more accurate retirement figures or transfer value quotations or follow-up queries from members who have been reconnected with their pensions. Schemes will need to check that administrators have capacity to deal with these demands (see Action 6 (Outsourcing arrangements), below).

If schemes (particularly DB schemes) find that they are receiving greater demands from members to transfer their benefits after accessing a dashboard, both trustees and scheme sponsors may want to review the support they provide for these decisions together with their existing transfer processes (including scams checks and nudges to pension guidance, where applicable).

Communications strategies may also need to be updated to cover dashboards – including to explain what members can expect to see and do through the dashboards platform. For example, in many cases dashboards will not be able to fully reflect a member's actual pension entitlement under a scheme because of the various benefit complexities that may exist (such as underpins, tranches of benefits, early and late retirement options, etc). Managing member expectations and the risk of legal liability arising from reliance on figures given via the dashboards will be critical.

Action 6: Check your outsourcing arrangements

Most schemes will require input from third party service providers to ensure they can meet the new dashboard requirements. In particular, schemes may need assistance in establishing access to scheme data via the dashboards, developing search functionality and ensuring that new systems and processes are appropriate and robust.

In the first instance this is likely to involve conversations with scheme administrators and software providers to explore project plans and identify any additional resource or support requirements and any need for further expertise to be brought in. A key part of this assessment will be a review of the terms of existing outsourcing contracts to ensure they remain fit for purpose once the dashboards regime is in place. As a minimum, this review should cover the following:

  • Service descriptions – are these sufficiently broad to capture the transition to dashboards and compliance with the regulatory framework? Even if the answer is yes, should service descriptions be updated to reflect the detail of the regime or a change to existing practice?

  • Service levels – should existing KPIs be updated (or supplemented) to align with:

    • regulatory obligations in relation to the quality of data and acceptable response times?
    • new standards and guidance issued by MaPS or the Pensions Regulator, including obligations to retain management information (see also Action 9 (Record keeping and reporting) below)?
    • changes to the scheme's own risk management processes or other policies?

Any updates need to be realistic, both in view of the provider's resources and technological expertise and the likely uptick in member requests (see also Action 5 (Preparing to engage with members) above).

  • Cost allocation - what are the costs of providing any new services? Does the contract provide any guidance on how the costs should be allocated between the parties and/or any associated protections (e.g. caps, benchmarking rights)? How could the costs change as the regime evolves?

  • Liability – how will the risks associated with the new regime (e.g. regulatory fines or other costs associated with any breach) be allocated between the scheme and the provider? What steps should the parties take to mitigate the risk of any such liabilities arising?

  • Implementation – is the provider planning to use a third party solution or develop its own in-house? What milestones or other controls should be in place to give the trustees confidence that the implementation project is on track and that development work will not compromise service standards in the meantime?

  • Data - What new data protection and cyber security risks will arise under the new arrangements and how will these be addressed and apportioned (see also Action 7 (Data protection and cyber security?) below)?

By their nature, any changes to the outsourcing arrangements will need to be made in collaboration with the service providers. Trustees should engage with administrators and IT suppliers at an early stage to understand their technical proposals for connecting to the dashboard ecosystem.

Schemes that are considering changing administrator will also need to consider how this could affect their ability to comply with the new regime. The Government is proposing to allow schemes some flexibility to defer a staging deadline by up to 12 months where it would be disproportionately burdensome to comply as a result of a procurement process for a new administrator (or administration system) which had begun before the dashboard regulations were in force. However, that extension is unlikely to be granted where the incoming administrator is already "dashboard-ready".

Action 7: Consider data protection and cyber security risks

Schemes will need to comply with their responsibilities as data controllers under the UK General Data Protection Regulation (UK GDPR) and the guidance set out in the Information Commissioner's statutory code of practice on data sharing and consider the following:

  • Legal basis for processing – there must be a legal basis for each processing activity. MaPS (through CAS) will obtain an individual's consent to their data being sent to the scheme to search for that individual's benefits following a find request. Consent can be withdrawn and, while this process is likely to be managed centrally through CAS, schemes will need to ensure that no further data is shared if this occurs. In responding to the find request, schemes should be able to rely on the legal basis of "compliance with a legal obligation" to match the individual and then return view data to them (on the basis of its regulatory obligation to respond to a request) or, alternatively, "legitimate interests". Once the regime has been clarified, schemes should assess the most appropriate legal basis on which to rely.

  • Transparency obligations – schemes will need to update privacy policies to cover all requirements of UK GDPR, including reflecting the legal basis for processing and data sharing arrangements.

  • Accurate data – a key risk for schemes from a data protection perspective is the disclosure of data to the wrong person and, in setting their matching criteria, schemes will need to balance duties under the UK GDPR with obligations under the new dashboard regime (see Action 4 (Getting ready to match) above). This ultimately comes down to getting your data in order (Action 2 (Data)): the more accurate the data that the scheme holds, the better the prospect of complying with both regimes.

  • Security – schemes are responsible for protecting personal data with adequate security measures. The cyber security standards with which those connecting to the dashboards must comply are yet to be published but are expected to be robust. Prior to sharing data, schemes may wish to carry out a data protection impact assessment (DPIA) to ensure that risks are identified and mitigated accordingly (especially in view of sensitivity of data to be disclosed). The DPIA to be published by the Pensions Dashboards Programme for the dashboard ecosystem should help with this.

  • Managing processors – while it is unclear what data sharing agreements, if any, will be managed centrally, schemes will need to work with administrators and software providers to ensure that new requirements are reflected adequately under the relevant contracts (see Action 6 (Outsourcing arrangements)).
Action 8: Monitoring and managing risks

Existing scheme risk management processes should be reviewed and updated to ensure that they will:

  • comply with the new dashboard requirements;
  • address new risks concerning data protection and cyber security (see Action 7 (Data protection and cyber security), above); and
  • consider how dashboards could affect member outcomes more generally, both in the context of pension scams and where members may make significant financial decisions based on the information they receive from the dashboard.

The Pensions Regulator will be the supervising authority and will be able to issue compliance notices and penalties in relation to dashboard compliance. Penalties would be up to £5,000 for an individual and £50,000 in other cases. Penalties are discretionary, not compulsory, but can apply per instance of a breach of a relevant provision, i.e. potentially per individual member.

Dashboards have the potential to foster member engagement and improve decision-making, but only if full and accurate data is provided to the right recipients. It will be important to ensure that the scheme's matching criteria are sufficiently robust to prevent fraud and pension scams. This needs to be balanced against the need to ensure members receive information on all their pension entitlements when they submit a request.

The Pensions and Lifetime Savings Association (PLSA) has emphasised that schemes need to have certainty where legal financial responsibility will rest should the user take action, or fail to take action:

  • in light of their pension not being shown; or
  • where the pension actually paid is different from an amount that appeared on a dashboard in the past.

The dashboards regime does not change the ordinary legal liability principles that apply whenever benefit information is provided to a member. However, the greater ease and speed with which members will be able to request data will introduce a marked change in the practical risk of omissions or inaccurate data being provided.

Schemes will also need to consider how dashboards will display and caveat the data they provide. They will have less control over how information is presented than they do when communicating with members directly. They may therefore want to manage this risk through their own communications strategy (see Action 5 (Preparing to engage with members) above).

Action 9: Setting up systems for record keeping and reporting

Schemes will need to keep records of a range of “management information” for at least six years. This includes the number of "find and view" requests received, their matching process and the time taken to respond to each view request. Trustees must provide this information to MaPS, the Pensions Regulator or the FCA on request.

Action 10: Monitoring industry developments

The Government expects to lay the final regulations before Parliament in autumn 2022, though they should be published in the summer. The FCA has consulted on corresponding rules for personal pension providers and will consult in the summer on its rules for dashboard providers.

Both MaPS and the Pensions Regulator are expected to issue guidance standards later in 2022. In the meantime, the Pensions Dashboards Programme (PDP) has published the following new documentation to accompany the Government consultation. These relate to the standards that it will be issuing on behalf of MaPS under the above regulations:

  • Data usage guide.
  • Design standards scope.
  • Reporting standards scope.
  • Technical standards.
  • Code of connection guide.

The links can all be found here.

In terms of other resources, in addition to the PASA guidance (mentioned above), the PLSA has produced "Pensions dashboards A to Z", a useful guide for the pensions industry, and a summary checklist of actions schemes should take now.

Back To Top