Master trust regulations finalised
The final draft of the master trust regulations has been published, setting out the new authorisation and supervision regime for master trusts, which is due to come into effect on 1 October 2018. Master trusts will have six months from that date to obtain authorisation from the Pensions Regulator; from 2 April 2019, any scheme that falls within the definition will be unable to operate without authorisation. Non-authorised master trusts will have to transfer members to another scheme and wind up in accordance with a specific process set out in the regulations.
Schemes that include non-connected participating employers (broadly, employers that are not part of the same group undertaking) may fall within scope of the master trust definition unless an exception applies – for example, where the participation is a transitional arrangement following a corporate transaction, or relates to a joint venture structure. If this could apply to your scheme, please get in touch with your usual Allen & Overy adviser as soon as possible to discuss options.
Schemes where the only DC benefits provided are AVCs, pension credit rights or transfers-in are outside the scope of the master trust regime. The regulations have resolved a potential area of concern about the ‘cluster scheme’ provision, which treats multiple schemes as a single master trust where the schemes are under common control. The regulations now provide that where all the employers in the relevant schemes are connected, the cluster scheme provision will not apply.
The Regulator is currently consulting on a master trust Code of Practice to provide clarity on the application for authorisation and the matters relevant to its decision on whether a master trust should be or remain authorised. Prospective applicants for authorisation are able to submit a draft authorisation application before 15 June in order to get feedback from the Regulator about their likelihood of success.
GDPR: guidance on consent
The Information Commissioner’s Office (ICO) has published final guidance on consent, one of the six lawful grounds for processing personal data. The guidance explains what counts as valid consent and how to obtain and manage consent in compliance with the GDPR, and includes a checklist to help ensure consent is valid, whether newly acquired or existing under current data protection laws.
In the context of running a pension scheme, it is generally likely to be unnecessary and impractical to use consent as a ground for processing personal data – schemes are more likely to rely on the need to comply with a legal obligation and on the ‘legitimate interests’ grounds for processing. However, in some specific situations, particularly where special category data is involved (for example, health data on an ill-health early retirement (IHER) application), there is a higher bar for establishing a lawful basis for processing. In these circumstances, data controllers must be able to show one of the six lawful grounds (for example, in the IHER example, the need to comply with legal obligations under the Finance Act 2004 before granting an ill-health pension) and must also meet one of a number of additional conditions. Traditionally, consent has been sought in this context, but the guidance suggests that in the longer term this is likely to be inappropriate (and possibly invalid) under the GDPR – data controllers should look to see whether any of the other additional conditions may be applicable.
The current draft of the UK data protection legislation includes a potentially relevant additional condition which covers processing that is necessary in connection with obligations imposed by law on a data controller in connection with employment or social security (which would include incapacity pensions) – so there may be a route through this and similar situations without relying on consent. This is an issue that schemes will need to review once the Data Protection Bill is finalised; the ICO will also issue further guidance at that stage. It’s also worth noting that consent may continue to be required in relation to access to medical notes or reports, but this is separate from the issue of whether consent is valid in relation to processing special category data.
Until the Bill comes into effect and the additional processing conditions are clear, schemes may need to continue to seek consent to the processing of special category data even though this is not a perfect solution for GDPR purposes.
Where consent is relied on, the guidance emphasises that the consent request must be clear and separate from any other terms and conditions; it must be actively given (not a pre-ticked consent box), informed, freely given and easy to withdraw; the specific purpose for the consent must be given and parties relying on the consent must be named; and the consent must be documented and appropriate records kept.
Enforcing data protection: ICO draft policy
The ICO has also published its draft regulatory action policy for consultation. This sets out how it intends to use its enforcement powers under the EU General Data Protection Regulation and the forthcoming UK Data Protection Act (currently a Bill) and other legislation. The draft sets out a risk-based approach to enforcement, with an emphasis on responding to breaches involving highly sensitive information, affecting large groups of individuals, or impacting vulnerable individuals. Sanctions should be ‘proportionate and dissuasive’, with the most significant powers targeted at organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data.
The draft policy also sets out a hierarchy of regulatory action: ‘as a general principle, the more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action. Breaches involving novel issues, technology, or a high degree of intrusion into the privacy of individuals can also expect to attract regulatory attention at the upper end of the scale’.
The draft includes statutory guidance on how the ICO will serve assessment or enforcement notices, noting that the ICO may require access to documents which explain how an entity has met its legal obligations in relation to data protection and the governance controls in place to measure compliance. It also discusses the factors relevant to the ICO in deciding whether to issue a penalty notice, and how the amount of any penalty would be set. The consultation closes on 28 June 2018.
Financial Guidance and Claims Act – Royal Assent
The Financial Guidance and Claims Act 2018 has now received Royal Assent. The Act includes provisions to establish a single financial guidance body which would, among other functions, provide information and guidance to pension scheme beneficiaries about flexible benefit options.
Under a default guidance procedure, trustees will have a new duty to seek confirmation from members seeking to access or transfer flexible benefits that they have either received pensions guidance or have actively opted out of receiving it. The expectation is that future regulations will provide for the possibility of pausing an application to allow a member to obtain guidance/advice, unless the individual wants to proceed without it. The provisions will supplement (but not replace) existing signposting requirements and will add additional compliance hurdles to the transfer/flexible access process. Further guidance is expected about how the requirements should be met.
The Act also introduces a regulation-making power to ban cold-calling relating to pensions. The power is to be exercised by the end of June, failing which the Secretary of State will have to explain the delay to Parliament.
TPR publishes corporate plan for 2018-2021
The Pensions Regulator has published its corporate plan for 2018 to 2021, proposing to focus on improving trustee standards, master trust authorisation, auto-enrolment compliance, the regulation of DB schemes (with a focus on funding) and working with the government to implement the DB White Paper proposals. The Regulator plans to spend GBP4.3million more in 2018/19 and increase its headcount by 12% to ensure it can realise its aim of being a clearer, quicker and tougher regulator.
Save the date: trustee training
Our next trustee training session will be held on the morning of Tuesday 6 November 2018. Please save the date – further details to follow.