New code on its way
Think you know how to run a pension scheme? Think again. As you may know, the Pensions Regulator is rationalising 10 of its existing Codes of Practice as one single “super” Code, which was published in draft for consultation in March 2021. We don’t yet know when it is going to be finalised: the Regulator has been considering more than 10,000 responses to its consultation. We do therefore expect some changes from the draft, but there is still no getting away from the fact it is coming.
It’s clear the Regulator is turning up the regulatory heat, and trustees and sponsoring employers will be expected to be more disciplined in their approach to running a pension scheme, whether it be defined benefit, defined contribution or a mix of both. There’s a lot to absorb and to implement. Even the most experienced and sophisticated of trustee boards will have to make changes; at the small scheme level the changes may have to be seismic.
The new Code will require much greater focus on having clear policies, processes and controls on managing risk, taking decisions and communicating with members and the Regulator. Trustees and managers need to review how their pension scheme is governed and brush up their processes and policies to be compliance-ready.
The Code reflects a raft of recent legislative changes which increase the amount of reporting and responsibility required of trustees. There are brand new requirements sitting alongside a general raising of the bar on expected standards of behaviour.
This briefing is the first in a series on aspects of the proposed new Code to give you an overview of the principal new expectations of trustees and administrators and how best to go about complying. We will focus here on one of the biggest changes of approach: the new(ish) universal obligation to have an effective system of governance.
Effective system of governance
Did you know you had to have an “effective system of governance” (or ESOG) for your scheme? The old requirement to have “internal controls” was beefed up under EU law to become an ESOG in January 2019 for almost all occupational pension schemes. The exception is authorised master trusts which have their own supervisory regime.
While UK schemes may have considered that they already had pretty clear governance requirements and there wouldn’t be much to do to implement this one last pre-Brexit change, the Regulator thinks otherwise and the draft Code is saturated with references to ESOG requirements.
What’s an ESOG?
An effective system of governance has to cover these minimum requirements:
- Provide for sound and prudent management of activities.
- Include an adequate and transparent organisational structure with a clear allocation and appropriate segregation of responsibilities.
- Include an effective system for ensuring transmission of information.
- Include an effective internal control system*.
- Ensure continuity and regularity in the performance of its activities, including the development of contingency plans.
- Include consideration of environmental, social and governance factors related to investment assets in investment decisions.
- Be subject to regular internal review.
*Internal controls cover:
- Arrangements and procedures for administration and management.
- Systems and arrangements for monitoring administration and management.
- Arrangements and procedures for safe custody and security of assets.
These are all sensible ideas and you might think you have a perfectly good ESOG already. The existing guidance on internal controls already covers a lot of the same principles. However, the Regulator is adding a lot more detail in the Code, including a raft of policies, procedures and protocols that trustees are now expected to establish and maintain.
The key to reading the Code is to remember that how you go about compliance can be “proportionate to the size, nature, scale and complexity of the activities of the occupational pension scheme”. You would be forgiven for not realising that from the draft Code itself. We hope that the final Code will look more closely at what that might mean.
Extra duties for schemes with 100 members or more
If your scheme has more than 100 members then the ESOG duties expand, as does the paperwork.
Extra ESOG duties for larger schemes
- Clear identification of who does what: who is responsible for risk management, who for delivering internal evaluation of the adequacy and effectiveness of your system of governance and who for actuarial work?
- Clear outsourcing processes.
- Written policies for both of the above which are approved by the trustees and reviewed at least every three years.
- Remuneration policies for trustees and staff.
- Regular own-risk assessment process (see more below).
How to get ahead on your ESOG
- Think about the level at which you need to pitch compliance for your scheme. Take account of the Code in current business plans and allocate appropriate resources.
- Undertake a gap analysis of the draft Code against existing policies. This will allow any areas in which the scheme falls short to be addressed promptly.
- You should start talking now to the scheme sponsor to see whether its own governance processes could be used in any way to help ensure compliance.
- Consider whether you need bespoke training on the Code.
- Record, and be ready to explain, your conclusions.
- What does compliance look like for your scheme? Think about priorities as against the specific risks faced by the scheme and its members, budgets, internal and external resources available to help, costs, the scope to engage third party providers with scheme policies, and a sensible timetable for review by the trustee board of individual elements.
- Are any trustee board members especially suited to take on specific elements to update and/or supervise?
- Set up a timetable to review each element for its fitness for purpose against the risks you have identified.
Own risk assessment to track your ESOG
Schemes with 100 members or more are expected to perform “an own-risk assessment of [their] system of governance”. That means being able to document and evidence all aspects of your ESOG and test just how effective they really are.
The draft Code went all-in on what the Regulator expected of such an own-risk assessment (or ORA). The Regulator subsequently admitted in an interim response to its consultation that this was an area where respondents had raised concerns about the amount of work it would entail, the timeframe, what the finished product would look like and the burden it would place on smaller schemes. A future briefing will look at what an ORA might look like and how you can get ahead on putting documentation in place to help you with that process.
Time to get on with it
The Code certainly provides trustees and sponsors with plenty to think about. On the plus side, the pensions industry will be focused on good scheme governance. In the case of smaller schemes particularly, the new expectations should either drive better accountability and improved outcomes for members, or consolidation into larger schemes better able to deliver compliance. On the flipside, we are all going to be busy: significant trustee engagement and administrative and professional support will need to be directed to gap analysis and compliance.
The Code will have the same status as existing Codes of Practice. That means that although it will not actually be law and no direct penalties apply for failing to follow it, the Regulator may rely on it in legal proceedings as evidence of non-compliance with a requirement. Expectations set out in the new Code may be cited if the Regulator seeks to enforce improvement or compliance.
We are still waiting for the final version of the Code, but the underlying law is already in place. As a result we strongly recommend that you get ahead and check what you have, what you will need and what you will need to do to be compliant. We can help you with that gap analysis, and with getting your policies, procedures and protocols aligned to the new expectations.