Introduction
At first glance the Pensions Regulator’s draft “super” Code of Practice is alarming in its documentation requirements. We counted just under 30 “policies”, nearly 40 “processes” and another 16 specific registers, reports and strategic documents, and that’s not including the suite of investment requirements. We’ve given you a couple of checklists at the end of this briefing to test against your own suite of governance documents.
However, the majority are really just about putting down on paper what you are already doing (and why), which lets you flush out whether anything is missing or not actually as good as you thought it was. In this briefing, we look at some of those you may not yet be familiar with. We consider what trustees will need to get to grips with, what you can recycle from the policies you already have, and what needs looking at afresh.
This is the third in our series of briefings on the Pensions Regulator’s draft Code – please see the end of this briefing for links to the others.
Remuneration policy
Schemes with 100 or more members (excluding public service and master trust schemes) are expected to maintain a written remuneration policy in respect of those people undertaking scheme activities paid for by the trustees or the sponsoring employer. That includes both in-house members of staff and external administration, actuarial, legal advisory and investment services.
This expectation seems to assume that trustee boards have insight and/or some influence over the remuneration of in-house staff and appointments and that there is value in having an overarching policy for how to pay external providers. Authorised DC master trusts are already subject to similar requirements but we question whether this policy has any real role to play outside the commercial provider arena. However, we have set out the high level requirements below for you to consider how you might comply.
The policy should be proportionate to the size, scale, nature and complexity of the scheme’s activities. It should include measures to mitigate potential conflicts of interest, particularly with regard to in-house roles like trustees, trustee secretary, administration and sub-committees. It should explain the decision-making process for levels of remuneration and why you think they are appropriate.
The Regulator expects you to review this policy every three years as a minimum, although it may well be more practical to review it annually (or immediately following any significant changes in the scheme’s governing arrangements). You’ll also be expected to publish the policy on the scheme’s website or otherwise make it available to members.
Financial transactions
There is already a legal requirement for DC schemes to maintain processes around core financial transactions. However, the Regulator believes that these principles are equally valuable to all schemes and it has seized this opportunity to extend their application to all types of scheme.
Contingency planning
Disaster recovery should already be part of your data risk management arrangements, not least in the aftermath of the COVID-19 pandemic. However, there is a much greater focus in the draft Code on more general continuity or contingency planning as part of your effective system of governance (ESOG).
We have another new acronym – the business continuity plan or BCP. It’s a good time to focus on this element of your ESOG while everyone’s memories of lockdown are fresh, including on how much can, or can’t, be achieved out of the office.
The Regulator expects trustees to:
- Seek to ensure continuity and regularity in the performance of the activities in the scheme.
- Have a resilient BCP that sets out key actions in the event of any of a range of events that impact the scheme's operations.
- Make sure member data and general scheme administration are included in the BCP.
- Ensure advisers and service providers also have a BCP in place to maintain services to the scheme.
- Choose how to rely on reports and information about their service providers' BCP arrangements.
- Set out roles and responsibilities within the plan, and agree these with service providers.
- Regularly review process documents and maps, particularly after system or process change.
- Prioritise scheme activities in the event of the BCP being triggered, for example pensioner payments, retirement processing and bereavement services.
- Ensure continued access to resources, services and communications with key parties.
- Have an awareness of the timeframes required to bring new resources on board.
- Understand what contingency is in place to mitigate any under-resourcing due to, for example, an increase in work volumes or the loss of staff.
- Seek to identify any events which may reasonably occur that may require additional resources.
Cyber security and IT systems
Cyber security has been important for a while now and we already have the Regulator’s 2018 guidance on cyber security. The draft Code elevates some of that guidance to Code status, with the rest presumably staying as just guidance.
The Regulator expects you to:
- Understand the need for confidentiality, integrity and availability of your systems and services for processing personal data, and the personal data processed within them.
- Receive regular reports from staff and service providers on cyber risks and incidents.
- Maintain a cyber-incident response plan as part of your continuity plan in order to safely and swiftly resume operations.
Our August 2021 briefing “Taking action on pension scheme cybersecurity” sets out the main cyber threats to pension schemes and outlines the steps that trustees can and should take to protect their schemes’ and members’ interests.
Governance policies and what to put in them
The checklists at the end of this briefing itemise all the governance documentation expected by the draft Code. We would recommend setting up and running a single governance policy to cover most of the trustee and administrative aspects of the draft Code, with the equivalent of an operating manual for the more detailed processes. A single governance policy keeps everything together for the trustee board, gives you something to share with your service providers and advisers to make sure they work with your policies, and also simplifies the process of scheduling reviews of elements as they fall due. If you have sub-committees, use the same document to centralise terms of reference and any delegated powers.
Action points
The new regime may seem overwhelming but it’s best taken in stages, and in manageable chunks. We’ve set out below some pointers for trustees:
- Identify your existing written policies and line them up against the Regulator’s expectations – which ones are missing or need brushing up? Use the checklists at the end of this briefing.
- Which policies does your scheme actually need?
- What does compliance look like for your scheme? Think about priorities as against the specific risks faced by the scheme and its members, budgets, internal and external resources available to help, costs, the scope to engage third party providers with scheme policies, and a sensible timetable for review by the trustee board of individual elements.
- Are particular trustee board members particularly suited to take on particular elements to update and/or supervise?
- Set up a timetable to review each element for its fitness for purpose against the risks you have identified. The checklist at the end of this briefing is marked to show where a requirement only applies to larger schemes or particular types of scheme. Use it as your checklist to work out which elements you need to prioritise.
Previous briefings in this series
Our July 2022 briefing, “Turning up the heat on compliance: the Pensions Regulator’s “super” Code”, explained how the Regulator will expect trustees and sponsoring employers to be much more disciplined in their future approach to scheme management. We focused on the new requirement for trustees to develop an “effective system of governance” (or ESOG).
In our August 2022 briefing, “Own risk assessments: the Pensions Regulator’s “super” Code part 2”, we turned to the requirement for all schemes with 100 or more members to prepare an “own risk assessment” (or ORA) within 12 months of the new Code coming into force. We looked at the essential elements of the ORA and gave some practical pointers on how trustees could tackle its production.
The Pensions Regulator’s draft Code: checklists for your policies and processes

Policies for trustee business
- Appointment processes:
  - Written processes for exercising powers to recruit/appoint trustees/directors
  - Arrangements for member-nominated trustees/directors
  - Compliance with any scheme rules or regulation requiring representation of particular bodies or groups on the trustee board
  - Appointment of chair*†
- Remuneration policy†
- Meeting processes:
  - Written meeting records
  - Planning and running meetings
  - Rescheduling postponed meetings
- Policy on managing actual and perceived conflicts of interest
- Register of trustee interests
- Policy on the role of the trustee board, building and maintaining knowledge, and governance of trustee knowledge and understanding (TKU)
- Plan for maintenance and development of TKU
- Resignation and removal policy: who can remove a trustee board member, under what circumstances, and the steps for doing so
- Exercise of discretionary functions policy
- Gifts and hospitality policy
- Operational policies of sub-committees

Policies for risk management
- Risk management policies for:
  - Identifying and assessing risks facing the scheme
  - Internal controls and procedures
  - Management of internal conflicts of interest, and conflicts with participating employers and service providers
  - Prevention of conflicts of interest where the employer and governing body use the same service provider
  - Continuity planning
- Risk register
- Processes for:
  - Identifying and managing risk
  - Risk assessment
  - Monitoring, recording and mitigating risk
  - Establishing ownership and a responsible party for monitoring risks and issues between meetings of the governing body
- Policy on:†
  - The risk-management function
  - The function which internally evaluates the adequacy and effectiveness of the system of governance
  - The actuarial function
- Internal control processes for:
  - Escalation and decision-making
  - Ensuring IT systems are able to meet the scheme’s current needs and legal requirements
  - Facilitating monitoring of contributions and transmission of payment information between the employer, member and scheme administrator
  - Ensuring the scheme can accept contributions from existing and, if necessary, new employers
  - Checking contributions due to the scheme and reconciling them with what is actually paid
  - Identifying whether a payment failure is of material significance
  - Enabling members to demonstrate compliance with HMRC tax requirements
- Policy on integration of risk assessment and mitigation into management and decision-making processes
- Own risk assessment†
- Policy on reviewing elements of the ESOG
- Business continuity plan

Policies for administrative processes
- Appointing advisers/providers, with processes for:
  - Tender process for appointment of advisers/providers
  - Selection, appointment, management and replacement of advisers and service providers
  - Continuity on change/failure of provider
- Process to authorise financial transactions
- Internal dispute resolution procedure: process to investigate and decide pension scheme disputes quickly and effectively
- Processes for reporting breaches
- Policy on maintaining, upgrading and replacing hardware and software
- Value for members assessment‡
- Policy on outsourcing activities†
- Policies for the use of devices, and for home and mobile working

Policies on information management
- Processes to:
  - Manage member data in line with data protection legislation (including collection, access, protection, use and transmission)
  - Record member benefits, identifiers, contributions, investments, member decisions, payments and transfers
  - Monitor data
  - Maintain accurate and up-to-date records
- Policy on assessing whether data protection breaches need to be reported to the Information Commissioner
- Processes to:
  - Enable participating employers to provide timely and accurate data
  - Respond where an employer fails to meet their legal duties to the scheme in relation to data
- Policy to encourage members to speak up about matters that affect them*
- Policy on public provision of information and information given on request

* DC schemes for non-associated employers
† Schemes with 100 members or more
‡ Only schemes offering DC arrangements (other than AVCs)