Member Article

On 10 January 2024, the Pensions Regulator’s General Code of Practice was laid in Parliament, 2 years and 9 months after it was first published for consultation. The road to this point has been a long one, but what does the final code say, and how does it differ to the version we saw back in March 2021?

Final consultation response

On the same day that the General Code was laid in Parliament, the Pensions Regulator (TPR) published its final consultation response summarising the main changes made since its interim consultation response in August 2021. 

Structure and content of the General Code

The General Code consolidates 10 of TPR’s existing codes of conduct. The content of those codes is largely the same (with some updates to reflect changes to the law and regulatory environment), so there is no significant change in TPR’s regulatory approach. However, the format of the new code is different to what we are used to seeing.

The General Code moves away from TPR’s current separate and unconnected PDF format, and instead adopts a web based modular approach. Content is split into easy to navigate modules with links to relevant content elsewhere in the code, and the final version will also have links to other TPR guidance and external sources, for example DWP guidance.

TPR says that the new code will make it much easier for users to distinguish between legal duties and TPR’s compliance expectations, which can sometimes be challenging. It’s an important distinction because breach of a legal duty can have significant consequences, including a prison sentence, whereas breach of one of TPR’s compliance expectations generally carries no specific penalty (though the failure can be used as evidence in any subsequent action TPR might bring).  

What has changed

The draft code contained 51 modules. TPR’s consultation response acknowledged that some topics were artificially split into multiple modules or unnecessarily given a standalone module, which in either case made TPR’s expectations unclear. As a result, some modules have been merged or removed to provide additional clarity to the code.
TPR says that many of the suggestions and comments it received in consultation feedback are reflected in the final version of the code. There have been a significant number of minor changes throughout the code, but the rest of this article covers just a few of the more material ones. 

Scheme Governance and Own Risk Assessment

In 2017 a European Directive known as IORP II came into force  and was adopted into UK law via regulations in 2018 (which came into force in 2019). This introduced wide-ranging requirements for the effective management and governance of UK occupational pension schemes.   Under the requirements, trustees of most occupational pension schemes are required to establish and operate an effective system of governance (ESOG) which includes internal controls and is proportionate to the size, nature, scale and complexity of the activities of the scheme.  The regulations required TPR to set out the detailed ESOG and Own Risk Assessment (ORA) requirements in a new Code of Conduct, namely the General Code.

In the draft code, TPR proposed that trustees (or governing bodies as they are referred to in the code) would be required to carry out an ORA every year, with the first ORA being due within one year of the code coming into force. TPR’s interim response in August 2021 highlighted concerns raised by respondents who said that annual ORAs would be too onerous, and that TPR’s expectations went considerably further than the 2018 regulations, which only required an ORA at least every three years. 

In its final consultation response, TPR reported that respondents also pointed out that as previously drafted, the ORA would have required governing bodies to redo work that had already taken place, either because of the ESOG requirements or through regular governance work that was already being undertaken.

TPR now acknowledges that the original wording in the draft code suggested, perhaps misleadingly, that the work involved in producing the ORA would be significant. This was aimed at those governing bodies who are not meeting expected governance standards, however the wording used did not convey this. TPR says that in its final form, the ORA should be a straightforward project for well-run schemes. 

TPR has scrapped the annual ORA requirement. Instead, schemes will be able to carry out an ORA on their own timetable, in part or in whole, provided it is carried out in its entirety at least every three years. So in effect, schemes could split the ORA process over a three-year period to better manage governance priorities. The ORA will be able to reuse material that examines the same areas covered by a schemes existing risk assessment processes provided that the material is within a timeframe relevant to the production of the ORA. 

TPR will not be providing further guidance for completing the ORA or a template ORA, which some respondents requested. It says that the implementation of an ESOG and its assessment via the ORA is so scheme specific that it is difficult to envisage which areas might need further guidance, and that a template would do no more than repeat the topic headings from the General Code module itself. 

The new governance requirements are more relaxed for schemes with less than 100 members. These smaller schemes are required to maintain an ESOG, but they do not have to have the same risk management functions in place as larger schemes do, and they are not required to carry out an ORA.

Managing advisers and service providers

In the draft code, this module set out TPR’s expectations on schemes with 100 or more members that are required to maintain an ESOG in selecting and appointing their advisers and service providers. They included running a tender process when making those appointments and reviewing appointments every two years. TPR suggested that schemes with less than 100 members should consider the processes outlined in the module as good practice.

Some respondents felt that two years was not sufficient time for a service provider to become established, or for issues that were identified to be fully challenged and remedied before the next appointment review. Others raised concerns that over the potential for it to lead to a revolving door approach to appointing service providers, with few opportunities for any to settle.

TPR has agreed that the two-year period for reviewing appointments is too short and could lead to a spiral of poor service, with members bearing the brunt of any shortcomings. The period has instead been extended to three years.  In our experience, most trustees undertake a form of adviser review on a three-year basis.

Remuneration and fee policy 

One of the new requirements introduced by the General Code is the requirement for schemes with 100 or more members (except public service schemes and authorised master trusts) to prepare a remuneration policy which explains the decision-making process behind remuneration levels for all parties involved with their scheme’s activities, and why that remuneration is appropriate. The draft code also originally required the governing body to make that policy available to the scheme’s members on a website or by some other means. 

TPR received a considerable amount of feedback in this area. Respondents felt that the requirements were very broad and that not all remuneration covered would be in the control of the governing body. Service providers were additionally concerned that disclosing levels of remuneration might breach of confidentiality provisions, be anti-competitive, or be used as a basis on which to attack the work of the governing body.

TPR says it has revised the requirements so that the scope of each remuneration policy is likely to be much more specific to each scheme that the draft code envisaged. It has also made clear in the revised module that the policy is a framework for assessing whether governing bodies are receiving value for money and does not require them to disclosure specific remuneration figures. That clarification renders previous concerns about making such disclosures available irrelevant, but TPR has decided to scrap the publication requirement anyway.

Cyber

When we were discussing our initial predictions for the pensions industry in 2024, we considered the possibility of some changes to the General Code’s cyber module, in light of high-profile cyber incidents affecting in the pensions industry in 2023. However, that is not the case. The changes to the cyber module are relatively minor. 

The General Code incorporates TPR’s 2018 guidance on cyber risk. The substantive guidance in the draft code has not changed radically, but there has been a marked shift in emphasis. Where the 2018 guidance was geared to avoiding cyber-attacks altogether, the draft code’s cyber controls module focussed on reducing the risk of a cyber-attack and requires governing bodies to include risk reduction measures in the ESOG.

This shift reflects the simple fact that times have changed. Technology has advanced since 2018, and thanks in part to the Covid-19 pandemic, much more of our day-to-day activities take place online. As a result, we now live in a “when” not “if” world when it comes to cyber-crime.

Responses on this topic really focused on the need for governing bodies to rely on third parties, either in the application of cyber controls themselves, and in testing, validating, and assessing those controls. Some respondents thought TPR should go further in its guidance by highlighting specific issues or mitigating steps governing bodies should take.

TPR had very little to say on this topic in its final response, which is perhaps surprising given the events of last year and the overall risk presented to the pensions industry by cyber issues. It says that it has clarified the module to make clear that it does not necessarily expect the governing body to have the requisite expertise, and that reliance on third parties is entirely acceptable, however it has not gone so far as to say that reliance on third parties is recommended.

TPR has acknowledged that there is a lot more to be said on the issue of cyber security. However, it says that other bodies have greater expertise in this area, and the web version of the General Code will highlight organisations and resources that are useful when considering cyber security.

What happens next?

In a press release on 10 January, TPR challenged governing bodies to use the introduction of the General Code as an opportunity to ensure their scheme is fit for the 21st century. That opportunity will present itself on 27 March 2024, being the date that the General Code is expected to come into force.

TPR says that the new format of the General Code will be easier to keep up to date that the previous codes it consolidates. It is keen to emphasise that this does not mean the code will be updated without warning or in secret, as updates will be subject to the usual consultation process before being laid in parliament for 40 days.

For most Schemes, the General Code should not represent a radical change in their day to day running.  What will change is where schemes need to take a more granular approach in ensuring that processes are documented through their ESOG and then kept under review, through the ORA.  

 

Link to article