UK Pensions Briefing - Scheme policies and what to put in them: the Pensions Regulator’s “super” Code part 3

Introduction

At first glance the Pensions Regulator’s draft “super” Code of Practice is alarming in its documentation requirements. We counted just under 30 “policies”, nearly 40 “processes” and another 16 specific registers, reports and strategic documents, and that’s not including the suite of investment requirements. We’ve given you a couple of checklists at the end of this briefing to test against your own suite of governance documents. 

However, the majority are more just about putting down on paper what you are already doing (and why) to allow you to flush out whether anything is missing or not actually as good as you thought it was. In this briefing, we look at some of those you may not yet be familiar with. We consider what trustees will need to get to grips with; what you can recycle from the policies you already have, and what needs looking at afresh. 

This is the third in our series of briefings on the Pensions Regulator’s draft Code – please see the end of this briefing for links to the others.

Remuneration policy

Schemes with 100 or more members (excluding public service and master trust schemes) are expected to maintain a written remuneration policy in respect of those people undertaking scheme activities paid for by the trustees or the sponsoring employer. That includes both in-house members of staff and external administration, actuarial, legal advisory and investment services.

This expectation seems to assume that trustee boards have insight and/or some influence over the remuneration of in-house staff and appointments and that there is value in having an overarching policy for how to pay external providers. Authorised DC master trusts are already subject to similar requirements but we question whether this policy has any real role to play outside the commercial provider arena. However, we have set out the high level requirements below for you to consider how you might comply. 

The policy should be proportionate to the size, scale, nature and complexity of the scheme’s activities. It should include measures to mitigate potential conflicts of interest, particularly with regard to in-house roles like trustees, trustee secretary, administration and sub-committees. It should explain the decision-making process for levels of remuneration and why you think they are appropriate.

The Regulator expects you to review this policy every three years as a minimum, although it may well be more practical to review it annually (or immediately following any significant changes in the scheme’s governing arrangements). You’ll also be expected to publish the policy on the scheme’s website or otherwise make it available to members.

Financial transactions

There is already a legal requirement for DC schemes to maintain processes around core financial transactions. However, the Regulator believes that these principles are equally valuable to all schemes and it has seized this opportunity to extend their application to all types of scheme.

Contingency planning

Disaster recovery should already be part of your data risk management arrangements, not least in the aftermath of the COVID-19 pandemic. However, there is a much greater focus in the draft Code on more general continuity or contingency planning as part of your effective system of governance (ESOG). 

We have another new acronym – the business continuity plan or BCP. It’s a good time to focus on this element of your ESOG while everyone’s memories of lockdown are fresh, including on how much can, or can’t, be achieved out of the office. 

The Regulator expects trustees to: 

• Seek to ensure continuity and regularity in the performance of the activities in the scheme.
• Have a resilient BCP that sets out key actions in case of a range of events occur that impact the scheme's operations.
• Make sure member data and general scheme administration are included in the BCP.
• Ensure advisers and service providers also have a BCP in place to maintain services to the scheme.
• Choose how to rely on reports and information about their service providers' BCP arrangements.
• Set out roles and responsibilities within the plan, and agree these with service providers.
• Regularly review process documents and maps, particularly after system or process change.
• Prioritise scheme activities in the event of the BCP being triggered, for example pensioner payments, retirement processing and bereavement services.
• Ensure continued access to resources, services and communications with key parties.
• Have an awareness of the timeframes required to bring new resources on board.
• Understand what contingency is in place to mitigate any under-resource due to, for example, increase in work volumes or the loss of staff.
• Seek to identify any events which may reasonably occur that may require additional resources.

Cyber security and IT systems

Cyber security has been important for a while now and we already have the Regulator’s 2018 guidance on cyber security. The draft Code elevates some of that guidance to Code status, with the rest presumably staying as just guidance.  

The Regulator expects you to:

• Understand the need for confidentiality, integrity and availability of your systems and services for processing personal data, and the personal data processed within them.
• Receive regular reports from staff and service providers on cyber risks and incidents.
• Maintain a cyber-incident response plan as part of your continuity plan in order to safely and swiftly resume operations. 

Our August 2021 briefing “Taking action on pension scheme cybersecurity” sets out the main cyber threats to pension schemes and outlines the steps that trustees can and should take to protect their schemes’ and members’ interests.

Governance policies and what to put in them

The checklists at the end of this briefing itemise all the governance documentation expected by the draft Code. We would recommend setting up and running a single governance policy to cover most of the trustee and administrative aspects of the draft Code, with the equivalent of an operating manual for the more detailed processes. A single governance policy keeps everything together for the trustee board, gives you something to share with your service providers and advisers to make sure they work with your policies, and also simplifies the process of scheduling reviews of elements as they fall due. If you have sub-committees, use the same document to centralise terms of reference and any delegated powers.

Action points

The new regime may seem overwhelming but it’s best taken in stages, and in manageable chunks. We’ve set out below some pointers for trustees: 

• Identify your existing written policies and line them up against the Regulator’s expectations – which ones are missing or need brushing up? Use the checklists at the end of this briefing. 
• Which policies does your scheme actually need?
• What does compliance look like for your scheme? Think about priorities as against the specific risks faced by the scheme and its members, budgets, internal and external resources available to help, costs, the scope to engage third party providers with scheme policies, and a sensible timetable for review by the trustee board of individual elements. 
• Are particular trustee board members particularly suited to take on particular elements to update and/or supervise? 
• Set up a timetable to review each element for its fitness for purpose against the risks you have It’s marked to show where the requirement only applies to larger schemes or particular types of scheme. Use it as your checklist to work out which elements you need to prioritise.

Previous briefings in this series

Our July 2022 briefing, “Turning up the heat on compliance: the Pensions Regulator’s “super” Code”, explained how the Regulator will expect trustees and sponsoring employers to be much more disciplined in their future approach to scheme management. We focused on the new requirement for trustees to develop an “effective system of governance” (or ESOG). 

In our August 2022 briefing, “Own risk assessments: the Pensions Regulator’s “super” Code part 2”, we turned to the requirement for all schemes with 100 or more members to prepare an “own risk assessment” (or ORA) within 12 months of the new Code coming into force. We looked at the essential elements of the ORA and gave some practical pointers on how trustees could tackle its production.

The Pensions Regulator’s draft Code: checklists for your policies and processes

* DC schemes for non-associated employers
† Schemes with 100 members or more
‡ Only schemes offering DC arrangements (other than AVCs)