Governance and administration risks in public service pension schemes: an engagement report

Findings from our engagement with 10 local government funds, selected from across the UK, to understand scheme managers’ approaches to a number of key risks. As part of each engagement we fed back on good practice and suggested improvements that could be made.

The engagement took place between October 2018 and July 2019 following the results of our annual governance and administration survey, in which we identified that improvements being made across the Local Government Pension Scheme (LGPS) had slowed down. We were pleased to note that scheme managers were already sharing good practice with their LGPS peers and hope that working with us offered scheme managers a new perspective on their funds.

We carried out this review at a high level based on meetings with scheme managers to understand the challenges they face. The meetings were supplemented by a review of some fund documentation and examples of communications sent to members, prospective members and beneficiaries.

It is not a comprehensive evaluation of the funds’ operations and is not intended to replace audit requirements, nor is it to be considered as regulatory assurance or an endorsement of the fund by The Pensions Regulator (TPR).

Glossary of terms

Term – Description
CETV – Cash Equivalent Transfer Value, a valuation of a member's benefit entitlement that can be transferred to another scheme.
FCA – The Financial Conduct Authority, which regulates firms in the financial sector including IFAs.
Firm – A business in the financial sector carrying out activities that require authorisation from the FCA.
Fund – A locally administered element of a wider pension scheme.
IFA – Independent Financial Adviser, a person with FCA authorisation to advise people about financial decisions.
Member – A person who has paid into and expects to receive or is receiving a benefit from a pension scheme.
PAS – Pension Administration Strategy, a document detailing roles and responsibilities as well as penalties for non-compliance with duties to the fund.
Pension Board – A body that supports and advises the scheme manager.
Pension committee – A body running a pension scheme with the delegated authority of the scheme manager.
PSPS – Public Service Pension Scheme
Saver – A potential beneficiary of a pension scheme, whether or not they are a member.
s.151 officer – A senior member of staff at a Local Authority. Controls resourcing across the Authority, including for the running of the local element of the Local Government Pension Scheme.
Scheme – A pension scheme which may have separate funds within it.
Scheme manager – The person or body legally responsible for the operation of a PSPS.
SLA – Service Level Agreement, an agreed and measurable level of quality usually forming part of a contract.

Executive summary

Overall we found a number of common areas, some requiring improvement but others demonstrating good practice relating to the various risk areas we investigated. The key improvement areas are summarised below. These findings align with the findings from our annual public service governance and administration survey.

Key person risk: While most scheme managers demonstrated a good knowledge of what we expect, many funds have a lack of comprehensive documented policies and procedures. We also found an over-reliance on controls put in place by the Local Authority with little interaction between the scheme manager and Local Authority. This was particularly prevalent in relation to cyber security but this theme overlays several of the risk areas we explored.

Pension boards: Engagement levels varied, with concerns being raised about the frequency some pension boards meet and their appetite to build their knowledge and understanding. We saw evidence of some pension boards not wanting to review full documents, instead relying on much reduced summaries and leading us to question how they could fulfil their function. Others were well run and engaged.

Fraud / scams: We saw evidence of scheme managers learning from wider events and taking steps to secure scheme assets. However, not all were as vigilant when it came to protecting members from potential scams.

Employers: We saw considerable variance in the approaches taken to dealing with the risks surrounding employers, such as receiving contributions and employer insolvency. Generally this was connected to fund resourcing but also related to different philosophies related to taking security over assets.

The following sections detail our findings and recommendations, together with case studies we believe will be helpful to the PSPS community.

Key findings and associated case studies

Area of focus: Record-keeping

Code of Practice 14 – Governance and administration of public service pension schemes

Failure to maintain complete and accurate records and put in place effective internal controls to achieve this can affect the ability of schemes to carry out basic functions. Poor record-keeping can result in schemes failing to pay benefits in accordance with scheme regulations, processing incorrect transactions and paying members incorrect benefits.

Findings

Many scheme managers have moved from annual to monthly member data collection and found this enabled them to verify data at an earlier stage, with some funds providing monthly reports to employers highlighting the quality of data submitted and action points they need to complete.

Well-run funds are aware of the quality of the common and scheme specific data they hold. Where it is not entirely accurate, robust and measurable data improvement plans are in place. Scheme managers of these funds consider a range of methods to improve data quality, including tracing exercises and improving contract management methods.

They also generally have a robust PAS in place which details rights and obligations of all parties to the fund.

Recommendations

  • Scheme managers should be aware of how the member data they hold is measured. Data quality needs regular review. A robust data improvement plan should be implemented as appropriate.
  • The quality of member data should be understood by the Scheme Manager and Pension Board. It should be recorded and tracked to ensure common and scheme specific data is of good quality. An action plan should be implemented to address any poor data found.
  • Although not a legal requirement, a PAS could be implemented clearly setting out responsibilities and consequences of not complying with duties to the fund. The Pension Board should review the PAS and ensure it will stand up to challenges from employers.

Record-keeping case study 1

One scheme manager we engaged with identified concerns with the accuracy of both the common and scheme specific data it held about the fund members. Following engagement with TPR, the scheme manager created and implemented a robust data improvement plan to drive up record-keeping standards.

One of the data areas of concern for the scheme manager was the number of missing member addresses - this resulted in data scores of 60-80% for common and scheme specific categories. After a review of available resources, the scheme manager undertook a tracing exercise and within a short period of time was able to locate and carry out existence checks on over 90% of the deferred members without known addresses. The exercise also involved reviewing the way active and pensioner members are communicated with to ensure the fund holds the correct contact details for them.

This is an example of a scheme manager taking a holistic approach to improving its record-keeping standards. It gave consideration to the resource available so the project achieved a positive result while providing good value for money. The scheme manager has established that having a data improvement plan which is regularly reviewed will improve oversight of the actions it needs to take and the associated deadlines.

Record-keeping case study 2

The scheme manager of a fund we engaged with openly communicated with us about the challenges it faced in producing Annual Benefit Statements. We were told delays were caused by employers not providing member data to the scheme manager on time, and there were issues with the accuracy of some member data provided by employers.

Having considered its operational structure, and our expectations on governance and administration, the scheme manager reorganised itself internally. With the support of the s.151 officer, the scheme manager developed and implemented a robust data improvement plan which could be measured.

As well as creating a data improvement plan the scheme manager also strengthened its pension administration strategy, outlining responsibilities and the timeframes for action. This document made the consequences of non-compliance by employers clear, such as financial penalties. The scheme manager has also introduced regular employer forums to help further raise standards with employers.

As a result the scheme manager has seen a marked improvement in employer engagement and the quality of member data it holds. It continues to actively monitor both data quality and employer compliance. 

Area of focus: Internal controls

Code of Practice 14 – Governance and administration of public service pension schemes

The scheme manager of a public service pension scheme must establish and operate internal controls. These must be adequate for the purpose of securing that the scheme is administered and managed in accordance with the scheme rules and in accordance with the requirements of the law.

Findings

There was a range of approaches to identifying, monitoring and mitigating risks to the funds we engaged with. Some funds had detailed risk management frameworks in place and clearly defined procedural documents. Others lack detailed risk registers or do not review the risks to the fund on a frequent basis, with little oversight of work being done to identify or mitigate risks.

We found evidence across a number of funds of key person risk, where a long serving member of staff has developed a high level of knowledge about their role and internal processes but this knowledge is not documented. This leaves these funds exposed to the risk of a sharp downturn in administration and governance standards should the key person unexpectedly leave their role.

Funds with an engaged s.151 officer who has a good relationship with the scheme manager are more likely to have clear and robust internal controls.

Recommendations

  • A risk register should be in place and cover all potential risk areas. It should be regularly reviewed by the pension board.
  • The scheme manager should take a holistic view to risks and understand how they are connected.
  • The pension board should have good oversight of the risks and review these at each pension board meeting.
  • Internal controls and processes should be recorded, avoiding an over-reliance on a single person’s knowledge levels.
  • The scheme manager should ensure all processes are documented and reviewed on a regular basis.
  • Decision and action logs covering all decisions provide a useful reference point as decisions recorded in minutes can be hard to locate.

Internal controls case study 1

A scheme manager has reviewed the approach it takes to maintaining a risk register, having found the approach it was taking could be more effective.

The scheme manager developed a high level document which identifies a wide range of risks with all members of the senior leadership team having a role in the identification and scoring of potential risks.

This document is supported by detailed ‘risk maps’ which provide:

(i) a description of the identified risks

(ii) the person responsible for overseeing the risk

(iii) how the risk is scored and

(iv) details of the mitigating actions and controls in place

Action points identified have clear timescales for completion with an identified person being responsible for delivery.

The full risk register is made available to the pension committee and pension board each time they meet and its review is a standing item on both agendas. This allows for constructive oversight and challenge, along with a clear process to act on feedback provided.

This is an example of a fund which is engaged at all levels of seniority to identify and mitigate risks to good saver outcomes. There are clear, identified processes in place along with strong oversight of the work being done. This approach was devised before TPR began to engage with the scheme manager and demonstrates a clear desire to improve. 

Internal controls case study 2

A scheme manager has developed two risk registers, one for the pension committee (which acts as delegated scheme manager) and a separate, shorter, register for the pension board.

The risk register for the pension board had been reduced in size and detail at the request of the pension board. We have concerns the reduced risk register will prevent the pension board members from having full oversight of all the fund’s risk and applying their knowledge and understanding in an appropriate way as they will not be fully conversant with the facts surrounding each risk.

The pension board also only reviews the risk register twice a year. We believe the risk register should be a standing item on the agenda for both the pension committee and the pension board and reviewed at each meeting – ie it will be reviewed at least four times a year by each body.

We gave feedback to the scheme manager about our concerns and recommendations, and would encourage funds that adopt similar practices to consider how they can make more effective use of the pension board and improve the engagement levels of its members.

Area of focus: Administrators

Code of Practice 14 – Governance and administration of public service pension schemes

Good administration is the bedrock of a well-run fund. A scheme manager should work well with its administrator or administration team, and ensure the right people and processes are in place to ensure members’ benefits are administered to a high standard.

Findings

Better performing scheme managers have a close relationship with their administrator, whether they use a third party provider or an internal team. In these instances robust SLAs are in place which are routinely monitored by senior managers. These scheme managers are also willing to effectively challenge reports from administrators to ensure they fully understand the work being done.

Not all scheme managers have clear oversight of the work being done by administrators or question the information provided by them when it is appropriate to do so. This leads to the scheme manager not understanding how well the fund is performing and can act as a barrier between the scheme manager and both participating employers and members.

There is a variety of methods used to appoint third party administrators, and scheme managers generally carefully consider the best approach for the individual circumstances of their fund.

Recommendations

  • Scheme managers must agree targets and have a strong understanding of what service providers are expected to achieve. The scheme manager should challenge and escalate as appropriate should agreed standards not be met.
  • Contract lengths should be known and planned against to allow sufficient time to consider contract extensions or for the tender process, as appropriate. This mitigates risks in handing over to a new administrator.
  • It is helpful for the administrator to attend and present to pension board meetings as pension board members can use their knowledge and understanding to effectively challenge reports being provided.
  • Scheme managers should hold regular meetings with their service providers to monitor performance.

Administrator case study 1

A scheme manager had entered into an outsourcing contract with an administrator. The administrator’s performance over a period of time was unsatisfactory, and targets and SLAs were not consistently met. Despite the council’s finance director personally intervening with the administrator, matters were not improved to acceptable levels and penalty clauses were invoked.

The scheme manager decided to terminate the contract and review alternative administrative options, with a key aim of including more visibility, which the previous contract type arrangement had not provided.

The scheme manager decided not to take the administration back in house, but to enter into a third option, a shared service partnership with another administrator. This is charged on a shared cost per member basis. The new administrator also provides administrative services for a few other public service funds. The scheme manager is now part of a collaborative board and engages regularly with other scheme managers, has better visibility and good reporting functionality which now enables easy monitoring of the administrator’s performance.

Data quality improvements were recognised as a key focus for the new administrator on its appointment. The scheme manager developed and put in place a robust data improvement plan with the new administrator and has made considerable improvements in its data quality scores in a short period of time. They are now using the plan as a living document to continue to target the areas needing improvement. 

Administrator case study 2

One of the scheme managers had appointed a third party administrator using a partnership agreement, rather than a commercial contract. This demonstrates one of a number of approaches taken by scheme managers to secure administration services.

The scheme manager has established a clear set of objectives for the administrator and receives monthly reports about whether these are being met. The reports are shared with the pension board. Additionally, at each pension board meeting a representative of the administrator is present. This allows the pension board members to directly question the administrator about the work it is doing on behalf of the scheme manager and ensure that good saver outcomes are achieved.

Even when a scheme manager uses an outsourced administration service it remains liable for the work done on its behalf. This example demonstrates positive steps taken by a scheme manager to ensure it has effective oversight and can hold an administrator to account.

Administrator case study 3

A scheme manager was informed that its third party administrator intended to restructure in order to improve the level of service it provided to its clients. The administrator was confident that the restructure would not affect its business as usual work and the scheme manager took comfort from this without seeking more detailed assurances.

The restructure did not go as planned, which led to delays in member data being processed and SLAs not being met for around six months. The scheme manager has since increased the number of both operational and strategic meetings it holds with the administrator to combat the declining performance of the administrator.

As part of this work the scheme manager has set clearly documented expectations and provided priorities to the administrator to minimise the number and impact of poor saver outcomes. The scheme manager has now developed new ways of working with the administrator to ensure it probes the administrator’s plans in more detail in the future.

This is an example of a scheme manager placing excessive reliance on assurances from an administrator without seeking evidence that supported the assurances. Robust contract management is important and will help scheme managers to identify upcoming risks to savers and to build a strong understanding of the information being provided. 

Area of focus: Member communication

Code of Practice 14 – Governance and administration of public service pension schemes

The law requires scheme managers to disclose information about benefits and scheme administration to scheme members and others. This allows savers to understand their entitlements and make informed financial decisions.

Findings

A number of scheme managers are currently reviewing the documents they send to savers. It is widely appreciated that pensions and retirement provision is complicated, and communication with savers needs to be in plain English. A variety of methods are being used, with the strongest scheme managers in this area working closely with a technical team and also enlisting the assistance of non-technical staff to check readability and whether it is comprehensive.

Not all scheme managers fully appreciate the extent of their duties to provide information to savers, with some not knowing about the legal duty to inform active members where employee contributions are deducted but not paid to the fund within the legislative timeframe.

Recommendations

  • Information sent to members should be clear, precise and free from jargon.
  • There should be senior oversight of communications sent to members and prospective members.
  • It is often helpful for scheme managers to measure the effectiveness of their communication with savers, eg measuring website traffic and running surveys.

Member communication case study 1

A scheme manager had previously delegated responsibility for communication with members to its third party administrator. However, it had a number of concerns about the quality of the service being provided, which included how members were kept informed and the level of detail provided.

The scheme manager took the decision to change its administrator and has now taken greater control over the communication with members. This has led to the development of a new pension administration strategy, with clear expectations around member communications being set and monitored.

A new website is being developed and the scheme manager recognises that having a clear online presence is an important method of communicating with current and potential members.

It is important to communicate with members, potential members and other relevant savers in a clear way. The information provided by a scheme manager will be used by members to make important decisions about their financial affairs. This is an example of a scheme manager looking to improve the member experience through revising the way it communicates. 

Member communication case study 2

We engaged with a scheme manager that has developed a detailed communication strategy, which covers the content, frequency, format and methods of communicating. The scheme manager actively promotes the benefits of joining the fund to prospective members and through the participating employers.

Two people are responsible for different aspects of member communications, with all material being formally approved by the scheme manager before being used. The scheme manager has developed a wide range of accessible materials for savers, including a website, a wide range of information booklets, and newsletters.

Members are informed clearly of how they can raise any queries or concerns about the operation of the fund. This includes members being able to go to the scheme manager’s offices in person to discuss any queries with a suitable member of staff.

The scheme manager conducts annual surveys of its members, publishing the outcomes on its website and in its annual report. It uses this information, together with complaint trends, to identify how it can provide a better service to savers.

Area of focus: Internal Dispute Resolution Procedure (IDRP)

Code of Practice 14 – Governance and administration of public service pension schemes

Scheme managers must make and implement dispute resolution arrangements that comply with the requirements of the law as set out in the Code to help resolve pensions disputes between the scheme manager and a person with an interest in the scheme.

Findings

Some scheme managers have clear procedures in place for recording, and learning from, complaints and disputes they receive. They use this information to make changes to the way the fund is run in order to provide the best possible service to beneficiaries.

Not all the complaints procedures and IDRPs we saw were clear about who was entitled to use them, and in some cases details of how to complain were not clearly published. This limits the ability of people with an interest in the funds to raise concerns and restricts a useful source of information for scheme managers.

Not all scheme managers have a clear definition of a complaint. It is important for scheme managers to act in a consistent manner, and if what a complaint looks like is not known this will affect their ability to put things right.

Recommendations

  • There should be a clear internal policy on how to handle complaints, including escalation to suitable senior members of staff.
  • People entitled to use the IDRP should be given clear information about how it operates.
  • This information should be easily available, eg on the fund website.
  • The pension board and scheme manager should have oversight of all complaints and outcomes, including those not dealt with in-house.
  • Complaints and compliments could be analysed to identify changes that can be made to improve the operation of the fund.

IDRP case study 1

All the scheme managers we engaged with operate a two stage IDRP, where the first and second stages are looked at by people who are independent of each other.

Initially, one of the scheme managers we engaged with didn’t have oversight of complaints entering the first stage of the IDRP. These complaints were dealt with by employers as they were not considered to be issues about the fund or an in-house administration matter. This meant the scheme manager did not have full oversight of the first stage complaints and therefore could not identify whether there were any trends or patterns that needed addressing, eg an employer training issue.

Following engagement as part of the cohort work, we recommended that the scheme manager develop greater oversight of the work being done on its behalf. The scheme manager now recognises this is an area where it should improve and has amended its processes to ensure it is aware of how member outcomes are being managed when first stage IDRP complaints are received.

IDRP case study 2

Like all other funds we engaged with, this scheme manager operates a two tier IDRP. However, the scheme manager stood out in this instance for the detailed and methodical manner in which it records complaints that are raised.

All complaints are recorded in a single log which details how each complaint progresses, potentially from an initial concern through to a finding issued by the Pensions Ombudsman. This allows the scheme manager to analyse complaint trends and the learning points are used to improve the operation of the fund.

Additionally, all actions relating to complaints have a clear owner. This allows for strict quality control and helps ensure complaints are dealt with as soon as possible.

We would encourage all scheme managers, where they have not already done so, to adopt a detailed and auditable approach to monitor complaints and compliments received through all channels. 

Area of focus: pension boards

Code of Practice 14 – Governance and administration of public service pension schemes

The role of the pension board is to assist the scheme manager with the operation of the scheme. Pension board members are required to have an appropriate level of knowledge and understanding in order to carry out their function.

Findings

Scheme managers have a variety of methods for appointing pension board members and the structure of these boards also varies between funds. In some cases board member rotation is staggered to help preserve knowledge levels. Additionally, some boards have independent chairs, depending on the needs of the individual pension board.

We also found a mix of engagement levels amongst pension board members. Some scheme managers are able to call on strong, committed pension boards to assist them with the operation of the fund. Other scheme managers face challenges around pension board members who routinely fail to attend meetings or complete the training they need to meet the required level of knowledge and understanding.

The relationships between pension boards and scheme managers varied - where the pension board had a strong relationship with the scheme manager, including a willingness to challenge, we found better-run funds.

Recommendations

  • The scheme manager should arrange training for pension board members and set clear expectations around meeting attendance.
  • Individual pension board member training and training needs should be assessed and clearly recorded.
  • The pension board should meet an appropriate number of times a year, at least quarterly.
  • Processes should be in place to deal with an ineffective pension board member by either the chair of the pension board or the scheme manager.
  • Scheme managers should be aware of the risk of pension board member turnover and ongoing training needs.
  • Regular contact between the scheme manager and chair of the pension board is helpful. An open and auditable dialogue outside of formal meetings can help improve the governance and administration of the fund.
  • The chairs of the pension board and pension committee should consider attending each other’s meetings to observe as this leads to better transparency.
  • Pension board members should be fully engaged and challenge parties where appropriate.

Pension board case study 1

One scheme manager spoke to us about the challenge it has faced regarding attendance at pension board meetings, and ensuring the pension board has the required level of knowledge and understanding. At one time it had to reschedule a meeting of the pension board because so few people attended the meeting.

Since then the scheme manager has changed its policy on pension board meetings. One pension board member with a low attendance record has been removed and replaced with a more engaged representative.

The scheme manager is also reviewing how it records the training that pension board members attend. Currently, training is recorded at a high level and there is no clear method of identifying training needs, although informal discussions take place between the scheme manager and individual pension board members.

The scheme manager has recognised that it needs to better understand how pension board members are meeting their obligation to have an appropriate level of knowledge.

Pension board case study 2

Another scheme manager we engaged with has reviewed how the pension board operates and decided to appoint an independent chair. While the chair does not have voting rights, this person lends their expertise to the running of the pension board to ensure meetings run effectively.

Having an independent chair is not compulsory but in this instance is a positive example of a scheme manager being aware of the needs of the local pension board and taking steps to ensure it operates effectively.

The scheme manager has also developed a strong working relationship with the chair, holding a number of informal meetings outside of the formal pension board meetings. This working practice allows the scheme manager to ensure the pension board receives all the information it needs and that the scheme manager can comprehensively answer any anticipated questions.

Area of focus: Employers and contributions

Code of Practice 14 – Governance and administration of public service pension schemes

Contributions must be paid to the scheme in accordance with scheme regulations. Scheme managers are also reliant on employers to provide accurate and timely member data, which is required for the effective administration of the scheme.

Findings

Scheme managers monitoring the payment of contributions often face the challenge of payroll providers making a single payment for several employers and delaying sending a breakdown of the amount paid. Some scheme managers have been working with participating employers to encourage them to provide training to payroll providers where the payroll company won’t engage with a body it doesn’t have a direct contractual relationship with. Changing a payroll provider can cause issues. Early engagement with the employer and provider is helpful to mitigate later problems.

Scheme managers have a variety of ways of assessing the risk of employers failing to pay contributions or having a disorderly exit from the fund, depending on the fund’s resources. Better resourced and funded scheme managers will carry out detailed covenant assessments of all participating employers, with other scheme managers only reviewing those they believe to pose the highest risk.

Most scheme managers seek security from employers to mitigate the risk of a failure to pay contributions. Some scheme managers rely on guarantees, particularly in relation to participating employers providing outsourced services. Others expect the majority of employers to set up a bond. Only a few scheme managers accepted a wide range of security types, generally those with larger funds.

Decisions around what security to require are often based on previous ways of operating, rather than considering the best option in individual circumstances.

Recommendations

  • Scheme managers should understand the financial position of participating employers and take a risk-based and proportionate approach to identifying employers most at risk of failing to pay contributions. Red, Amber, Green reporting often provides extra focus.
  • Employer solvency should be considered on an ongoing basis and not just at the time of each valuation.
  • Where employers outsource the payroll function, early engagement with the employer on the potential risks will help them manage their supplier.
  • Employers may exit the fund so it is helpful to have a principle-based policy on how to manage this, given that circumstances are likely to vary in individual situations.
  • Scheme managers should develop an understanding of the risks and benefits of a range of security types, such as charges, bonds and guarantees.
  • Scheme managers should consider whether accepting a range of security types will offer more effective protection to the fund, rather than focussing on a single form of security.
  • Scheme managers should understand which employers have not provided any security for unpaid contributions and consider what appropriate steps can be taken to secure fund assets.
  • Where security is in place, scheme managers should have a policy on when the security should be triggered.

Employer case study 1

Having a robust method for reviewing employer risk is a high priority for one of the scheme managers we engaged with. It has developed a process to maintain oversight of the various participating employers in the fund, covering a range of topics from the provision of member data to the strength of the employer covenant.

Each employer is risk rated and the risk levels are regularly monitored. This allows the scheme manager to gain advance notice of potential problems so it can take steps to mitigate the risks and to provide comfort that guarantors are in a position to pay additional amounts to the fund if a call on the guarantee is made.

This information is also used to inform employers of any failures to meet their obligations to the fund at an early stage, identifying action points they need to carry out.

Employer case study 2

Scheme manager 1 has decided to incorporate a charging policy for seeking the reimbursement of costs caused by an employer’s failure to comply with its obligations into admission agreements. This means the scheme manager has a clear policy in place that all employers will be aware of when they start to participate in the fund.

Not all scheme managers have approached the issue of employer compliance in the same way. Scheme manager 2 has a small portfolio of participating employers and relies on having a good relationship with them in order to achieve compliance. This scheme manager also considers that as most employers are supported by central government it need not be concerned with affordability.

We were concerned about the lack of formal processes to ensure compliance. While the scheme manager has not encountered difficulties to date, we have recommended that it makes some improvements. Additionally, all scheme managers should remember that, should a participating employer suffer an insolvency event, any missing payments due to the fund will need to be paid by someone and there should not be an over-reliance on the taxpayer and other employers. 

Area of focus: Cyber security

Guidance: Cyber security principles for pension schemes

Pension schemes hold large amounts of personal data and assets, which can make them a target for fraudsters and criminals. Scheme managers need to take steps to protect their members and assets accordingly.

Findings

Most scheme managers are heavily reliant on the security systems put in place by the Local Authority, with some not engaging with how the procedures in place affect the fund. Scheme managers of well run funds have a good understanding of the IT systems in place, even where these are implemented by the Local Authority.

Some scheme managers have not given consideration to the risks posed by cyber crime. For these funds, cyber security did not appear on the risk register before our engagement with the scheme manager.

Scheme managers that are aware of the risks associated with cyber crime generally have robust procedures in place to test the effectiveness of both cyber security and resilience methods.

Recommendations

  • Scheme managers and pension boards should understand the risk posed to data and assets held by the fund so steps can be taken to mitigate the risks. This should be reflected in the risk register.
  • Regular, independent, penetration testing should be carried out. Scheme managers should consider physical security as well as protection against remote attacks.
  • Where cyber security is maintained by the Local Authority rather than the scheme manager, the scheme manager should understand the procedure and ensure the fund’s requirements are met.
  • Scheme managers should be aware of the cyber security processes used by third party providers, such as the administrator or custodian, that handle fund assets or data.

Cyber security case study 1

A scheme manager we engaged with identified cyber security as one of the top risks to the fund. It demonstrated a good awareness of the processes put in place by the Local Authority and carries out testing of these processes.

The scheme manager had recently tested both its cyber defences and the wider business continuity plan. As a result it is confident it can provide a good service to savers in the event of a wide variety of disaster scenarios.

As part of our engagement we also found the scheme manager has processes in place to assess the adequacy of steps taken by its service providers to protect member data. This gives the scheme manager comfort that member data will be secure when being handled by other bodies.

Although the scheme manager has not implemented its own controls it has rigorously reviewed the process put in place by the Local Authority. It has satisfied itself that those processes are of a sufficient standard to protect the fund and its savers.

Cyber security case study 2

A scheme manager had not considered the importance of cyber security until we engaged with them as part of this work. The scheme manager was reliant on the security measures put in place by the council but did not engage on the topic, so it was not clear how it was affected.

Cyber security did not appear on the fund’s risk register and the scheme manager was not actively considering the dangers of a successful cyber attack on the fund.

Following our engagement, the scheme manager has developed its understanding of the risks surrounding cyber security. It now records the risk on its risk register and as part of the Local Authority’s strategy all staff will receive mandatory training in cyber security.

The scheme manager has also started engaging with third party service providers to ensure they also have robust cyber security and data protection procedures in place. This gives the scheme manager better oversight of how member data is protected when not under the scheme manager’s direct control and marks a significant improvement in how this risk is monitored and mitigated.

Area of focus: Internal fraud and false claims

Code of Practice 14 – Governance and administration of public service pension schemes

Schemes without strong internal controls are at greater risk. This includes having a clear separation of responsibilities and procedures which prevent a single member of staff from having unfettered access to scheme assets. Strong internal controls, particularly over financial transactions, also help mitigate the risk of assets being misappropriated.

Findings

Scheme managers generally appear to have an awareness of the risks of fraud against their fund, from both internal and external sources. We found scheme managers are generally aware of publicised fraudulent activity that has affected other pension schemes and have taken steps to review their own procedures.

Scheme managers of well run funds typically take steps to regularly screen member existence. These scheme managers are also aware that not all incorrectly claimed pension benefits are the result of an attempt to defraud the fund and can identify when to treat a situation with sensitivity.

Most scheme managers have introduced multiple levels of sign-off, with more than one person being required to agree to a payment being made. The scheme managers were also aware of frauds involving other funds, where this had been made public. They had taken steps to reduce their own vulnerability to similar issues.

Recommendations

  • Scheme managers should regularly review their procedures to protect the fund’s assets from potential fraud.
  • A clearly auditable process should be in place for the authorising of payments. Ideally, this would require more than one person to provide authority to make the payment.
  • A scheme manager should have a policy in place to differentiate between a potential fraud and a potential honest mistake by a saver.
  • Where a fraud is detected in the scheme manager’s fund, or another one, they should take steps to stop the fraud and analyse causes to prevent a reoccurrence.
  • When paper records are being used they should be held securely to prevent the risk of loss or mis-appropriation.

Fraud case study 1

A scheme manager has worked with its administrator to put in stringent measures to prevent fraudulent activity. In addition to participating in the National Fraud Initiative, it does regular life certificate exercises as part of the fund’s policy, checking mortality and addresses. Where doubts are raised the scheme manager will suspend payments pending clarification.

Many of the members of the fund are now non-resident in the UK, which makes it challenging for the scheme manager to locate members. The scheme manager has adopted an innovative use of technology for the foreign domiciled members, arranging video calls in which the member must show their passport to prove their identity and confirm personal details.

The scheme manager demonstrated good awareness of the risk of internal fraud by connected persons, and there is clear segregation of duties. Additionally, the workflow processes are system driven and provide automatic checks, with different people checking and authorising the processes. Suspicious payments are immediately reported to senior management to check.

Fraud reporting policies are clear, and internal auditors are involved whenever there is suspicion of a fraudulent activity. The fraud reporting goes immediately to directorship and chief executive level.

Fraud case study 2

In this instance the scheme manager has strong controls in place to identify potential frauds against the fund assets.

The scheme manager works with the National Fraud Initiative to identify instances of possibly fraudulent claims for a benefit from the fund. The scheme manager’s work in this area is supplemented by its involvement with the ‘Tell Us Once’ initiative and the use of a third party agency to help identify when beneficiaries have passed away.

The scheme manager also demonstrated an awareness of the risks associated with members and other potential beneficiaries being overseas. It carries out existence checks on these people as well as those residing in the United Kingdom.

When a payment is due to be made, the scheme manager has introduced a vigorous set of controls. This has led to a clear separation of duties and the requirement for payments to be independently authorised, reducing the risk of fund employees misappropriating fund assets.

Conclusion

We’ve outlined some areas of good practice in this report, and also some areas where we remain concerned and expect scheme managers to improve where appropriate. Overall, we noted:

  • Not all funds are the same and there is a variety of equally valid approaches to mitigating risk used across funds in the LGPS.
  • It is important that scheme managers recognise, and maintain, a separation between the fund and Local Authority to avoid an over-reliance on the Local Authority’s policies and procedures. When establishing its own policies and procedures a scheme manager should be able to seek assistance from the pension board, meaning steps should also be taken to ensure the pension board is able to fulfil its role. Where this is not possible, scheme managers should feed into creating Local Authority policies to make sure they are fit for purpose.
  • There are clear benefits to the operation of the fund where there is an engaged s.151 officer who is directly involved.
  • Good quality data and record-keeping standards underpin all aspects of successfully running a fund and these areas should be treated as a priority in order to drive good outcomes.
  • Scheme managers that have developed and implemented a robust pension administration strategy have found it useful. While not a legal requirement, scheme managers should consider whether this type of document will be useful and look to introduce one where this is the case.
  • A common risk is the unexpected departure of key members of the scheme manager’s staff. Succession planning and clearly recorded processes help mitigate this risk.
  • Measuring governance and administration is challenging and requires more than just an analysis of raw figures. Scheme managers should therefore put in place appropriate reporting measures that they believe capture both quantitative and qualitative assessments. This approach should be tailored to the specific circumstances of their fund.
  • Scheme managers should take a holistic approach when considering the governance and administration risks to their fund. Most risks are connected to each other and a scheme manager should understand how a risk materialising will impact on other areas of governance and administration.
  • Risks to funds are constantly changing and evolving. For example, the methods used by scammers change over time. Scheme managers should be alert to the changing nature of risks and adapt their approaches accordingly.
  • Many scheme managers have a clear understanding of how their funds operate and want to provide the best experience for savers. Where scheme managers liaise with each other to discuss common challenges and solutions to them, whether at formal events or through ad hoc engagement, this often leads to improved governance standards. We encourage such action.