Skip to main content

Your browser is out of date, and unable to use many of the features of this website

Please upgrade your browser.

Ignore

This website requires cookies. Your browser currently has cookies disabled.

Set your privacy preferences

We use necessary cookies to make our website work. Cookies are small files stored on your device. We also use optional cookies to improve our services and tell us if you have seen our advertising. The data we collect is anonymised. Are you happy to accept these cookies?

Guide to completing the systems and processes questionnaire

Published: October 2018

Updates to the systems and processes guide and questionnaire

This section will help you to easily identify the changes made to the systems and processes questionnaire and accompanying guide.

For clarity, we have renamed the guide, so it is now called ‘Guide to completing the systems and processes questionnaire’.

This document details how the changes we’ve made will help applicants prepare their systems and processes questionnaire, narrative and evidence for formal application, from 1 October 2018.

All page numbers refer to the new version of the document.

Summary of changes: guide to completing the systems and processes questionnaire

Section 1: Completing your application: systems and processes

Completing the systems and processes questionnaire

Final paragraph: we have inserted a new paragraph and bullet points which describe a three-step process for demonstrating and evidencing against requirements. (Is a system or process present? How does it work? How is it monitored over time?)

The role of external assurance, accreditation and other independent external assessments

Penultimate paragraph: we inserted a new paragraph requesting a clear explanation about how any control objectives cited from independent external assessment (IXA) reports are relevant to any requirement where they have been submitted as evidence. This explanation will need to be included in narrative against each requirement where IXA is referenced.

Master trust assurance

Final paragraph: a new sentence has been added regarding any qualifications or exceptions in master trust assurance reports.

Section 2: Requirements and supporting evidence

Understanding the structure of your master trust

Entire section: we have added a section requesting a structure chart of your master trust, which will allow us to understand how the various key functions of the scheme (IT systems providers, administrators, investment managers, etc) fit together and interact.

Functionality and maintenance of IT systems

5. Protecting data

Entire section: we have significantly re-drafted and enhanced this section of our guide, providing further clarity on the types of evidence we are seeking, on a requirement-by requirement basis. We suggest that you address in detail all of the guidance provided in this section to ensure your questionnaire includes the correct type of evidence based on new details provided.

Processes and how they are governed

7. Record-keeping

Paragraph 3: we have revised the wording of our expectations around the role of data scores in terms of their value as evidence in your application. Please ensure you have considered whether these common and conditional data scores are helpful in demonstrating that your data governance is effective.

8. Maintaining contributions

Paragraphs 6 and 7 (beginning “Where the necessary payment information is not supplied ...”): we have reproduced two further paragraphs from our Code of Practice number 5 on maintaining contributions, which refer to the trustees’ role in monitoring employer contributions. It is important that you make it clear how trustees ensure that employer contribution amounts reconcile against the amount set out in payment schedules, whether using a risk-based process, or another method.

9. Trustee recruitment and standards, requirement 9b

From paragraph 3 (beginning “In drafting your chair’s statement ...”): we have included further guidance on how overall trustee and scheme governance around skills, knowledge and competence should be assessed and evidenced. This has significant overlap with evidence found in your chair’s statement and, as such, we have highlighted this overlap to provide further clarity.

9. Trustee recruitment and standards, requirement 9e

Paragraphs 4 and 5: we have added two further paragraphs relating to this requirement. The first stresses the importance of including a conflict of interest policy and register, as including just one of these documents would not be sufficient for us to carry out our assessment. The second paragraph references further guidance we published in 2018 on conflicts management as part of our work on 21st century trusteeship, which provides further useful background and examples of good practice.

10. Trustee governance

All guidance related to requirements 10a to 10f: we have made significant enhancements to this section, including a request for further evidence and narrative to demonstrate the quality of trustee decision-making. We suggest you revisit this section in detail to ensure you are providing adequate information in your application.

11. Managing service providers (general)

Paragraphs 3 to 5: we have added further information on the scope of narrative and evidence required relating to service providers. In particular, we would like you to name the individuals or organisations you consider to be the providers of key services. This will allow us to properly assess your processes and governance relating to those service providers. In this section we also re-state our need for you to provide a structure chart, which shows how key service providers to the scheme interact.

11. Managing service providers, requirement 11b

Final paragraph: we have inserted an additional sentence to this final paragraph, which reads: “You should present this in such a way that both the criteria used to monitor the performance of each service provider, and how this monitoring is carried out, is clearly identifiable.”

11. Managing service providers, requirements 11c and d

Paragraph 1: we have included at the end of the final sentence a request for further evidence: “a narrative of how this process is reviewed over time to ensure its ongoing effectiveness and relevance.”

13. Risk register

We have removed ‘guidance’ and ‘description’ under requirements 13a and 13b, which effectively duplicated what was already stated in relation to section 12 on risk management.

15. Communicating with members

Introduction, paragraph 3: we have included a new paragraph, which requests further narrative and evidence to demonstrate how the quality of communications plans, policies and processes are monitored over time to ensure they continue to be appropriate. 

After the list of requirements, paragraph 1: we have added an additional request for applicants to consider whether, and how, member communications interact with existing dispute resolution procedures.

Significant changes to the questionnaire

The key change to the questionnaire is the addition of two new fields for completion against each relevant requirement. These are:

  1. The ability to address our three step narrative process (whether a system or process exists, how it works and how it is monitored over time), for all relevant requirements.
  2. The opportunity to highlight control objectives in IXA reports, including a narrative explaining how they are relevant to each requirement.

Introduction

This guide is for those submitting applications for master trust authorisation — specifically the section relating to the master trust’s systems and processes. The applicant will be the scheme trustee.

Section 1: completing your application: systems and processes

When applying for authorisation, and throughout supervision, you will need to demonstrate and evidence how your master trust meets the systems and processes requirements set out in Schedule 4 of the Occupational Pension Scheme (Master Trust) Regulations 2018 (the Regulations) and our Code of Practice no: 15, Authorisation and supervision of master trusts (the code). These requirements reflect our expectations of any well-run scheme and master trusts should be able to provide evidence that systems and governance processes meet them.

This guide will help you understand the evidence that is more likely to satisfy us that your master trust has adequate systems and processes in place and will run effectively. You should refer to this guide when completing the questionnaire. In the questionnaire, you should provide a clear narrative and refer to indexed documents, specifying the particular sections, pages or paragraphs of these documents which are relevant to each requirement.

Completing the systems and processes questionnaire

Using the questionnaire, you should describe how your master trust meets each of the requirements laid out in our code, and highlight specific evidence supporting your response to each question.

You can download the questionnaire from our website, complete it offline and then upload it, along with your supporting evidence in electronic format, via our online master trust portal. The questionnaire will help you do the following:

  • Identify the specific requirements which need to be met.
  • Describe how your master trust meets that requirement.
  • Create an index referencing the specific sections (pages, paragraphs, sentences) of your supporting evidence, which relate to each specific requirement.
  • Explain how any control objectives tested in independent external assessment reports are relevant to evidence against certain requirements.

The narrative and evidence submitted as part of an application must be clear, relevant and user friendly (for example, by use of highlighting, tabs and cross-referencing).

We will be unable to make an assessment of whether and how you meet the requirements unless we are able to answer the following questions against each requirement:

  1. Does the systems functionality, process or governance function exist?
  2. How does it work?
  3. How is it reviewed and monitored by the trustees to ensure it is effective over time?

The role of assurance, accreditation and other independent external assessments

The ability to demonstrate that a robust and independent external assessment has been carried out, with a sufficient degree of scrutiny, will greatly improve the strength of evidence in an application. This is not a mandatory requirement. However, any inhouse analysis, for example, internal audit processes, will be expected to demonstrate an equivalent level of robustness and scrutiny.

For certain (but not all) requirements, our preference is for you to have an independent external assessment in place, which has tested the existence and effectiveness of the IT system requirements, and administration and governance processes. In our questionnaire, we have indicated the specific requirements where our preference is for an independent external assessment to have been carried out.

If external assurance reports are submitted that use a Type 1 and Type 2 approach (for example, master trust assurance), these should have been conducted as a Type 2 report as these assess both the controls in place and their operational effectiveness.

Where evidence of independent external assessment is submitted, ideally the report should have been signed off by the trustees and reporting accountant within six months of the application date. If this is not possible, for example due to the existing reporting cycle in place for the master trust, the accompanying narrative should set out any changes or issues that have occurred since the report and actions that have been taken where issues were raised. In particular, we want to understand how trustees are comfortable that nothing adverse has happened since the report was signed off. We will consider reports as part of a suite of evidence and master trusts may wish to provide an update from a reporting accountant or an appropriately qualified person from the service provider where a report is more than six months old.

If any significant changes or material failures have occurred since a report was produced, for example a change of administrator or IT system, we expect to be provided with an updated report, a bespoke review against agreed upon procedures, or an explanation of any alternative work that has been undertaken to give the trustees comfort on their systems and processes.

Our understanding is that the frequency of other forms of assessment varies (ISO reviews are typically carried out every three years, for example). However, we would expect these to be treated in the same way if the significant change or material failure has occurred which affects the results of the review.

We are aware of various forms of independent external assessments which are available to, and in use by, master trusts. These include: assurance testing, such as AAF 01/06 and the master trust assurance framework; quality standards, such as ISO assessments of IT security and delivery; and accreditations, such as those offered by the Pensions Administration Standards Association and the Pensions Quality Mark (PQM Ready).

The scope of any such review is not standardised, but is defined by the entity being assessed. For example, control objectives can be removed by trustees from the scope of a master trust assurance assessment and report. Similarly, the scope of an ISO 27001 assessment is agreed before a review is carried out and therefore may vary between master trusts. Trustees in receipt of an AAF 01/06 report from their scheme administrator might find that some, or all, of their master trust arrangements or processes are not within the scope of the report.

Additionally, we have noted that the depth and quality of the methodologies used in assessing against these standards can also differ greatly. We have seen examples where reporting accountants reviewing against the same control objective have generated vastly different levels of useful evidence, depending on their methodology. Therefore, we have not stated which independent external assessment framework would apply to our requirements.

You may wish to take advice on how far any existing assurance or accreditation supports your application for authorisation from the individual or organisation that carried out the assessment. For example, if you (or your third party administrator) have been subject to AAF 01/06, your reporting accountant would be able to provide you with a view on whether the external assessment demonstrates that the requirements are met, or whether supplementary material is needed.

In relation to any independent external assessment report, we will want to understand the methodology used by the assessor to carry out the review against each standard or control objective (this is a standardised approach to an AAF report, for example) and also the evidence which informed the assessor in carrying out the review and coming to their conclusion.

Assurance reports will normally include a series of control objectives against which the reporting accounting (or other type of assessor) will assess your scheme / processes / systems. The objectives may not match the specific requirements laid out in the code. However, there may be overlap between certain control objectives and the requirements (either in the control objective itself, or in what has been assessed by the reporting accountant). Where this is the case, it is imperative that you describe in your questionnaire how the control objective is relevant to the requirement and, in your narrative, in explaining how your master trust meets that requirement.

We have included a table in our questionnaire against each relevant requirement for you to evidence how the cited control objectives support your narrative.

Master trust assurance

If you have been through the master trust assurance framework process (related to AAF 02/07), you will not automatically satisfy us that your systems and processes are sufficient to run your scheme effectively. However, having liaised with a significant part of the market that has been through this assessment, we believe they are in a much better position to provide the evidence required than those who haven’t. Those who have master trust assurance are more likely to:

  • already have strong evidence to demonstrate that they meet some (but not all) of the expectations set out in our code
  • have a better understanding of how, in practice, to create a strongly evidenced narrative to describe how they meet each expectation

It is also important to stress that if any existing master trust assurance reports contain any qualifications or exceptions, these will need to be considered and addressed in your application.

Section 2: requirements and supporting evidence

Below we have listed the requirements set out in legislation and our code. Each requirement has been given a number, which corresponds to those used in the questionnaire and should be used to submit your narrative and indexed evidence.

We have liaised extensively with master trusts, and those who advise them, to understand the types of evidence which already exist in various types and structures of schemes’ systems and processes. Against each requirement, we provide:

  • further clarification which might help you understand how to present your narrative on how your master trust meets that requirement
  • information where we believe existing scheme or provider documentation might exist — as part of good industry practice, which would support the narrative
  • detail on situations where there is not likely to be existing scheme or provider documentation

Key considerations

When preparing your application, you should bear in mind three key considerations:

  1. We expect you to provide the evidence we need to make our assessment.
  2. Our assessment will be predominantly desk-based. Therefore, all information will need to be documented in an accessible format, clearly indexed and sign-posted, and contain a description of how you undertake your work.
  3. You will need to satisfy us that all necessary systems and processes are in place, are effective in practice and are monitored over time to identify and resolve errors, should they arise.

Understanding the structure of your master trust

When assessing the evidence presented with the systems and processes questionnaire, it is useful for us to understand the structure of your master trust. Please provide a structure chart which includes your scheme administration, IT service providers, investment management, trustee board (and any other governance committees). This is particularly important where your master trust has any of these features:

  1. Multiple administrators (potentially with different IT systems in operation).
  2. Complicated governance structures, with multiple committees or boards which support either the scheme strategist or trustee board (or both).
  3. Multiple investment managers and/or investment platform providers.

Functionality and maintenance of IT systems

1.Administration system payments[1]

1a The default is for all payments in and out of the master trust to be made electronically and that any manual payments are made by exception.

Our preference is that you provide an independent external assessment report, which demonstrates that a reporting accountant has visited your premises and has tested the IT system. If other assessment testing has been carried out, these are also likely to be fit-for-purpose evidence. Where no testing has been carried out, you should provide other evidence, which could include:

  • copies of communications to employers when on-boarding which would describe default payment methods for paying contributions
  • evidence of when manual payments may be made and have been actioned in practice (for example, details of the system specifications which might demonstrate that manual payments are made by exception, and screenshots or a redacted accounts statement being made where relevant
  • relevant management information and reporting which shows the volumes of manual vs electronic payments

1b The IT system has the capability to accept contributions from a range of sources and caters for different sizes of employers.

Sources may include multiple employers’, payroll systems, and individuals, if applicable. You may provide us with copies of contribution monitoring reports, management information which allows tracking against payment schedules, or other governance reporting. Screenshots may also be useful here, but be aware that we also need a narrative to provide context.

1c There is a capability for the transfer of data and monies from and to employers (including third party payroll or other providers acting on behalf of employers), administration systems (whether in-house or third party), investment managers and investment platform providers.

Our preference is for this requirement to be evidenced as part of independent external assessment. We would expect that the master trust provider would be tracking the flow of money between various parties involved in product delivery. To do this, management information needs to be generated, which allows this tracking/monitoring to take place. A combination of system screenshots and management reports used for ongoing monitoring, alongside a clear narrative about how they demonstrate that the IT system has this capability and is monitored to be effective over time would be evidence for this requirement.

2.Administration system records[2]

2a The IT system has the capability to record members’ benefits correctly, including identifiers, contributions, investments, payments and transfers.

Our preference is for this requirement to be evidenced as part of independent external assessment. If no independent external assurance has been carried out, you will be expected to provide other evidence. As a minimum, this could include communications to employers when joining the master trust, which evidence default payment methods for paying contributions. Individual member records could also provide useful, but not definitive, evidence here.

As above, we will need to understand how these functionalities are tested over time to ensure continued effectiveness, or, where issues arise, that they can be efficiently identified and managed. The identifiers referred to above may include names, addresses, reference numbers, dates of birth, and membership dates.

2b The IT system contains the functionality to record member contributions and generates reporting on historic contributions, including each pay period, the amount, when it was received and invested, how it was invested and unitisation.

Our preference is for this requirement to be evidenced as part of independent external assessment. Evidence might also include copies of contribution monitoring reports, management information which allows tracking against payment schedules, or other governance reporting.

3.Administration system transactions[3]

3a The IT system has the capability to process financial transactions, including core transactions automatically and securely, and calculating accurate investments and disinvestments. This needs to be the case where there is a member instruction or a default is used.

3b The system has the capability to carry out reconciliations of data against transactions and investments held and there is capacity for the reconciliation to be carried out against all members and multiple cycles.

3c There is a process for rectifying any errors identified.

Our preference is for evidence of independent external assessment to be submitted as part of your application, which should include evidence that the assessor has performed an onsite test of these system functionalities and processes.

These requirements are expanded further below.

3d There is segregation of duties in the administration system to encompass a more junior level of clearance to input data and request payments or investment changes, and a more senior level to authorise changes and transactions.

3e There are authorisation levels in the administration system to prevent payments of certain sizes exceeding those allowed by the trustee mandate.

'Segregation of duties’ (ie which individuals or teams have access to which areas and functions of the administration system for security purposes) may not be based on the levels of seniority referenced above. You should:

  • demonstrate that there are policies in place outlining who has access to what, in terms of the IT system and functionality
  • evidence why these different levels of access have been agreed
  • evidence how compliance with these processes is monitored

Documentation provided by administrators may include most this information. We will expect your narrative to fill any gaps.

The monetary amount of financial payments over which the trustees would need sign off (referred to here as the ‘trustee’) needs to be included your evidence. We also need to understand how this amount was assessed and agreed as the acceptable level at which trustees must give authorisation.

4.Planning for change[4]

4a Evidence is provided of how known changes to the system are planned and executed, and this is reflected in the business plan.

Under the new regulatory regime for master trusts, there will be more planning and resourcing changes and updates than have been required previously. The creation of formal roles such as scheme funder, scheme strategist and promoter/marketer means it could be either or both of these parties/entities, along with the trustees, that are responsible for ensuring these activities are properly planned, resourced and executed.

We will not expect to see all of the changes that have been, or will be, proposed for the near future. Instead, we want to understand and assess how the planning, decision-making processes and resourcing of these systems changes function, including descriptions of how:

  • system changes are identified to trustees/strategist/funder/promoter (if applicable)
  • it is agreed who will pay for these changes (and whether there will be any impact on the business plan — applicable to the scheme strategist)
  • the trustees ensure that any additional expense to scheme members is
  • assessed to ensure that it represents value for members (as assessed in the annual DC chair’s statement)
  • any proposed changes are reflected in the trustees’ annual business planner (ie the business plan used by trustees to plan their own activities, rather than the formal ‘Business plan’ referred to elsewhere in our code)
  • completion of changes (and other tasks related to these changes) are monitored to ensure quality
  • the trustees ensure that the system remains fit for purpose as the business grows (for example through acquisition)

Given that these roles are new to some schemes, the requirements above may not have been documented previously. Your evidence will either need to be a (new) governance document or covered in your narrative.

4b Evidence is provided to show that the system is able to be updated. There is evidence of a robust methodology for releasing changes to systems, along with a portfolio of ongoing change to systems for the period of the business plan.

4c There is an IT process for making scheduled and known changes, including annual updates and changes in tax thresholds.

4d There are adequate and sufficient resources, with appropriate skills and resources, to carry out the work.

4e There is evidence that the IT system can meet the physical system requirements anticipated in the business plan and that it has the funds to meet those requirements.

Our preference is for these requirements to have been tested as part of independent external assurance. We do not believe that onsite testing is necessary, but are keen to see that a reporting accountant, or similar, has been provided access to these processes to carry out an assessment.

Evidence may take the form of a statement from your IT provider (or administrator, if they own the IT system). As part of the narrative against these requirements, you should describe how the trustees are confident that any such statements are correct.

4f The business plan accounts for how planned and potential future upgrades can be managed within the administration system and the strategist and trustee are satisfied that the system can be upgraded to meet the needs of the master trust.

4g There is a policy in place for maintaining, upgrading, and replacing hardware and software and that this is accounted for in the business plan.

In developing your business plan, you will need to demonstrate that you have considered potential future upgrades and maintenance to IT systems, whether they are the responsibility of the master trust provider, or of a third party administrator/service provider.

Once these activities have been agreed and the costs accounted for in the business plan, you need to provide evidence that the consideration of, and planning for, upgrade and maintenance work is accounted for in ongoing governance and monitoring activities.

We suggest that a documented process and plan is owned by either the scheme strategist or the trustees, which details when IT system reviews take place, what considerations are part of the reviews, who is responsible for delivering any proposed changes, and how they will be funded.

5.Protecting data[5]

Industry practice in this area has advanced significantly in recent months and years. The management of a cyber attack is as critical, if not more critical, than attempts to mitigate or defend against attacks, which is becoming increasingly difficult.

For this reason, we have produced guidance for trustees on our expectations on cyber defence and cyber resilience. This guidance will strongly inform the evidence required as part of an application for authorisation and you should be clear in any narrative how your evidence meets the expectations set out in this guidance.

The following are key to demonstrating that your plans and activities in this area are fit for purpose:

  • A cyber defence strategy with responsibility allocated to appropriately skilled individuals, which is reviewed to ensure it stays current and effective.
  • A cyber resilience strategy, which explains how the organisation will react to any cyber threats and attacks, as per our guidance. We will need to understand how this strategy and the activities detailed are tested to ensure they are effective in reacting to problems, if and when they arise.
  • Your plans to revisit and refresh these strategies.

5a There are cyber defence strategies in place, including firewalls and intrusion detection systems.

Your cyber defence and resilience strategies may comprise a number of information security policies and procedures, including an information security policy, acceptable use policy, business continuity plan, incident management policy etc. Please provide a description of how your policies are structured to aid our understanding of them for the purpose of the assessment, to include:

  • a diagram of your network, including where firewalls and intrusion detection systems are placed within your network. Typically, a security architecture document can be used for this purpose
  • screenshots or similar evidence detailing firewall implementation and key security features and configuration, such as an evidence of intrusion detection system(s) (IDS) or intrusion prevention system(s) (IPS)
  • evidence to show how your strategy extends and incorporates to include your third-party suppliers
  • roles and responsibilities assigned to ownership of the strategy

5b There are procedures and protocols in place for governance, the identification of risks and breaches, and responding to cyber incidents.

You should provide:

  • well maintained procedures with clearly assigned roles and responsibilities
  • evidence that procedures are reviewed regularly, and evidence to show that procedures are tested regularly

5c There are roles assigned to manage these protocols and procedures.

You should provide evidence of clearly defined roles and responsibilities assigned to persons with sufficient knowledge and experience in their field.

5d Scheme and member data should be backed up at least daily, with back-up servers at an external location and an offline backup.

We expect to see policies and supporting documentation that governs effective back up processes, which should include backup schedules, recovery point objectives, secure backup data storage and disposal processes for backup media, which consider the risk of data loss and/or theft. An ‘external location’ could be anywhere that is outside of the premises of the master trust provider, including virtual and cloud-based storage. You will need to demonstrate how data backup strategies have been developed and agreed to ensure there is a good understanding of the benefits of the back-up option in use. Further evidence should include:

  • detailed description of the backup and secure disposal process
  • description of the security controls in place for backup data in transit and at rest
  • backup logs to show that the policy is adhered to

If offline backup storage is located outside the UK, we would like to see consideration of the how the requirements of the EU General Data Protection Regulations and the Data Protection Act 2018 are met in terms of any personal data stored or transferred. This will need to take into account any guidance issued by the UK Information Commissioner’s Office.

5e There is a disaster recovery process in place with roles assigned and it is tested every six months, or over a longer period if appropriate for the scheme and the risk being managed.

Our preference is for independent external assessment to have been carried out in this area. We believe this kind of assurance forms part of a number of independent external assessment frameworks. There may also be scope for IT security assessment standards such as ISO27001 or ISO22301 — to (also) play a role, but only if an external audit/review of some kind were to form part of the methodology employed to carry out, or review the findings of, the assessment.

You will need to provide evidence of how operational issues and failures are addressed at a business continuity level, as well as at the level at which a disaster recovery process would operate or become operative. There are two key points of interrogation here.

  • There need to be plans in place to identify and react to issues arising at the master trust provider (potentially the scheme strategist) level and in particular around the scheme administration.
  • The trustees’ scrutiny and quality control over these plans, as part of their internal controls framework.

We suggest that you provide both the business continuity and disaster recovery plans in place at a provider level, along with a description of how these have been assessed by the trustees to ensure they are fit for purpose. You should also explain how frequently these plans and processes are assessed to ensure they remain up-to-date and fit for purpose.

You should be clear about who holds responsibility for carrying out any actions cited in these plans. We need to see clear allocation of roles and responsibilities for activities included in business continuity and disaster recovery plans.

Footnotes for this section

  • [1] Paragraphs 1 to 3 of Schedule 4 to the Regulations.
  • [2] Paragraph 4 of Schedule 4 to the Regulations.
  • [3] Paragraph 1 of Schedule 4 to the Regulations.
  • [4] Paragraph 3 of Schedule 4 to the Regulations.
  • [5] Paragraphs 2 and 8 of Schedule 4 to the Regulations.

Processes and how they are governed

6. Reconciliations

We expect to see evidence of independent external assessment in relation to requirements 6a and 6b below.

6a The process demonstrates how reconciliations will be completed and by who.

Regular reconciliations are good practice for pension scheme management. We need to see your existing procedures about how this process functions. It should also be clear that it was part of the evidence submitted to your reporting accountant/assessor.

A procedure owned and used by a third party provider or administrator would be acceptable, along with evidence that this has been subject to independent external assessment.

6b Reconciliations are completed at least once a month.

This information should be included in the documented process/policy described above and tested through independent external assessment. We will need to understand how delivery against these timescales is monitored over time.

6c The process sets out the action that will be taken to put members in the correct position if errors or inconsistencies are found and how under/over allocations of units will be treated and funded.

You should provide the documented process/policy which sets out how errors are addressed. Examples of how errors have been rectified in the past would strengthen the evidence base against this requirement.

In situations where financial compensation may be required, you should explain not only who would be responsible for paying any compensation, but also demonstrate how the funds would be made available. This information may also be found in the business plan. If this is the case, then a link to the relevant section of the business plan is acceptable evidence, if referred to in your narrative.

7. Record-keeping[6]

We expect record-keeping and related processes to be subject to independent external assessment. This may either be assessment carried out on the master trust itself or the scheme administrator, if it is a third party. You should demonstrate that the assessment is related to the specific systems and processes used to administer your master trust. Third party administrators can run multiple administration systems, used by different clients. Ensure that you clarify with your third party administrator that their AAF 01/06 applies to the administration platform which you are using and then evidence this in your application.

Our focus in terms of understanding the quality of your record-keeping will be on the processes and monitoring of data quality, with an accompanying plan in place to address data issues. Our assessment will not be based on individual data scores at any given point in time.

However, we would suggest that evidence of strong data scores for both common and conditional data would be useful evidence in demonstrating the effectiveness of your data monitoring governance and processes.

7a The process directs how records are kept up-to-date and that exception reporting is in place to ensure that errors and gaps, once identified, are reported to the relevant governance function.

It is clear that reporting around scheme administration happens at two levels:

  1. Regular reports are sent to trustees for discussion (typically the quarterly administration report).
  2. The administrator will run their own detailed monitoring of data held to identify issues and produce plans to rectify them.

We need to understand both levels of governance and monitoring to carry out our assessment.

We do not expect trustees or providers to replicate the processes and monitoring of the administrator, but rather to understand and be able to describe how it works and why they consider it to be effective.

7b There is a plan to rectify data errors, and the business plan and continuity strategy reflect the impact of the data quality within the scheme.

If errors are identified using the processes referenced above, you will need to demonstrate how these are reported, addressed and monitored to ensure that:

  • they are resolved
  • if the same errors are identified again, that the root cause is identified and addressed

You should give examples of how errors have been identified, addressed and resolved (including trustee oversight measures), what lessons were learned and how these were implemented. Any instances of errors not being identified, or identified but not rectified, should also be given where known. This will allow us to assess how issues are managed in practice.

Root cause analysis is a standard procedure in pension scheme administration and, as such, we expect to see documented the process used by each administrator/provider/scheme.

It is important that you set out clearly how the business plan and/or continuity strategy demonstrate that funds are available to rectify significant data errors, should they occur.

7c Evidence of service provider agreements that include provisions, roles, responsibilities and source of funds for resolving errors that impact members.

We understand that IT systems — and the processes which monitor their effectiveness - could be provided from various sources within the overall structure of a master trust. This could be from a dedicated IT provider, the scheme administrator, internally within the provider business, or elsewhere. Firstly, it is important that your narrative and evidence allows us to understand who your relevant service providers are. We do not expect all service providers to be included in this assessment, only those which are critical to IT service delivery, which would include those administrators (both third party and internal), IT service providers and potentially those carrying out, or involved in, investment activity.

In terms of demonstrating you have met this requirement, we will need to see that the set up agreements with whoever is providing the IT system has a clear owner (or owners) who has responsibility for provision and ongoing monitoring. This information may be found within provider contracts if outsourced, or internal service agreements if provided inhouse.

Rectification of issues, once identified, can be expensive. For this reason, you should explain where the funds would be found to pay the cost of rectifying errors and how those responsible are checking that these funds continue to be available over time.

8. Maintaining contributions[7]

8a There is a process for ensuring the master trust can accept contributions from new employers.

8b The scheme is able to quickly identify missing contributions and there is an effective process in place to chase them.

8c See 8c below

8d There is a process for rectifying the missing contributions, ensuring minimal financial detriment to the member.

8e There is a log of missed contributions, which includes actions taken in response to the missed contributions and any member detriment noted and acted upon.

We have laid out our expectations in our Code of Practice no: 5: Reporting late payment of contributions to occupational pension schemes, as to how contributions should be received and monitored and also how missing contributions should be reported to us and followed up with employers. We expect to see adequate evidence that these regulatory expectations have been met.

Code of Practice no: 5: Reporting late payment of contributions to occupational pension schemes states:

‘Trustees [...] have a duty to check that the contributions that fall to be paid under the scheme rules are taken into the scheme in accordance with the schedule and to safeguard those contributions once they are in the scheme.’ Part one, paragraph 29.

‘[Trustees] also have a duty to seek to recover any outstanding payments and debts to the scheme.’ Part one, paragraph 29.

‘Employers will often provide the payment information trustees need to monitor contributions at the same time as they send the contributions to the scheme. This will be as part of the normal administrative arrangements of the scheme between employer and trustees, which should be agreed at set up. Payment information may include:

  • pensionable earnings
  • documentation reflecting the scheme provisions about contributions’ Part one, paragraph 31

‘Where the necessary payment information is not supplied by the employer, and trustees decide they need it to carry out risk-based monitoring, they should request the additional information they need from the employer. Trustees do not need to obtain payment information as a matter of course [ ... ]’ Part one, paragraph 32

‘Trustees should have risk-based processes in place to monitor the payment of contributions which will allow them to check whether the contributions and amounts that are due to be paid to the scheme under the payment schedule are actually paid by the due date.’ Part one, paragraph 22.

There are various documents and processes cited in Code of Practice no: 5 which should be provided as evidence, including:

  • documented, risk-based process for monitoring contributions
  • processes to facilitate the transparent movement of payment information
  • payment schedule, prepared in consultation with the employer
  • processes to check the contributions due reconcile with those received

You should provide evidence of the risk-based processes used for monitoring the receipt of contributions. Further to this, you also need to explain and evidence how trustees are confident that these processes are:

  • based on the correct management information from the various parties involved
  • monitored over time to ensure that it continues to be effective

This would include describing how the trustees ensure contribution amounts are being correctly calculated by the employer. Furthermore, you should include in evidence the documented policies and procedures which describe:

  • how and when an employer is alerted where a payment failure is identified
  • an approach to resolving payment failures, obtaining overdue payments from the employer and rectifying administrative errors

8c In the event of an employer insolvency or redundancy payment service, there is a process for reclaiming the contributions from the employer assets

In this case, the relationship we are most interested in is that of the trustees and insolvency practitioner representing the employer who has experienced an insolvency event. We expect to see a documented process in place explaining how the trustees will engage with the insolvency practitioner for any employer who has gone into administration or become insolvent when there is, or there is the potential to be, a claim. You will also need to explain the follow-up process in place to allocate (or re-allocate) any funds that are returned via the insolvency practitioner.

9. Trustee recruitment and standards[8]

9a It is clear who is responsible for the recruitment and selection process and the input that is required from other parties.

To evidence that this requirement is met, we expect you to be able to produce a documented process which outlines the responsibilities for selection and recruitment of trustees. This will need to include reference to potential risks in terms of trustee selection such as possible conflicts of interest, whether the trustee has a specific role (such as member or employer-nominated trustees) and how these risks are identified and managed over time.

You will also need to explain how recruitment processes take account of the skills, knowledge and competence needed by the trustee board as a whole.

9b It is understood which skills and competencies need further development on the trustee board as a whole, and how this is monitored over time.

As outlined in our regulatory guidance on scheme management skills, there should be evidence that master trusts have assessed the skills, knowledge and competencies necessary to properly govern their scheme over time.

You should include an analysis to demonstrate which of these skills, knowledge and competencies were provided by the trustees (on an individual basis) and which gaps may be filled, either on a short or long-term basis) by advisers or other individuals (perhaps by representatives of the scheme strategist, funder or promoter/marketer).

In drafting your chair’s statement* you will already need to demonstrate you are meeting a similar requirement, which is best achieved by employing this two-step process:

  1. Demonstrate an understanding of the key skills, knowledge and competencies required to run *your* scheme, and then;
  2. Demonstrate how these skills, knowledge and competencies are present either on the trustee board, or supported by other individuals or entities, including advisers, by scheme strategist or funder, or from elsewhere.

* From Occupational Pension Schemes (Charges and Governance) Regulations 2015 17.1.D

“[ ... ] explain how the combined knowledge and understanding of the trustees or managers, together with the advice which is available to them, enables them properly to exercise their functions as trustee or managers of the scheme [ ... ]”

9c There is a succession plan in place to maintain the skills and competencies needed by the board.

The analysis of skills, knowledge and competence referred to above, along with the documented selection and recruitment process (these could all form part of the same document) will need to include a description of succession planning, to ensure that critical skills are not missing from, or unavailable to, the trustee board for prolonged periods.

9d The principles for determining trustee remuneration are assessed and agreed.

While the function of the trustees and the trustee board is to ensure members’ interests are considered and the risk of detriment is monitored and managed, trustee services in most master trusts are provided at a cost to the master trust and therefore, in most cases, the member.

All member-borne charges should be considered as part of the value for members’ assessment in the annual chair’s statement or equivalent document9. This assessment should include adequate evidence of the assessment of trustee remuneration for the master trust. To be clear, our focus is on how trustees assess the levels of remuneration, rather than levels of remuneration themselves.

You should also provide evidence that any assessment of trustee remuneration has been agreed. To demonstrate this, copy of an excerpt from the minutes of the trustee board meeting where the chair’s statement was discussed and signed off by the trustees should be included.

9e Fitness and propriety is assessed on an ongoing basis, along with any potential conflicts of interest and how these are managed or resolved.

You should have (either in the ‘selection and appointment policy’ or elsewhere) a documented policy for assessing the fitness and propriety of new trustees, including that used to assess candidates prior to formal appointment. We will assess the fitness and propriety of existing trustees as part of the authorisation application. Trustees appointed to a master trust post-authorisation must also meet the fitness and propriety requirement.

To evidence this, you should describe and evidence how the master trust assesses new trustee appointments against the fitness and propriety requirements outlined in the Regulations in terms of honesty and integrity, competence and conduct. We expect that trustees’ policies and procedures for checking fitness and propriety align to our own requirements for authorisation, which can be found which can be found in our Code of Practice no: 15.

Once again, this will need to be fully documented for us to be able to make an assessment of the robustness of this policy as part of our scrutiny of your application.

Further to this, your evidence should clearly explain your conflicts management processes. In doing so, we would suggest that you provide both your conflicts of interest policy and your conflicts register. Our view is that well run schemes will already have these in place. In order to be satisfied, it is important that we are able to understand how conflicts are addressed and managed, as well as how they are recorded.

During 2018, we have also provided further guidance to trustees on the management of conflicts of interest.

9f A resignation and removal policy is in place which provides clarity on who can remove a trustee, under what circumstances and the steps for doing so.

A description of the trustee removal process (including grievance and appeal processes, or similar) should be included in the documented selection and appointment process (or elsewhere if more appropriate).

10. Trustee governance[10]

10a The frequency of trustee meetings and under what circumstances this may change.

10b The circumstances where extraordinary meetings may be called and how.

10c Expectations of trustees in preparing for meetings and actions needed in between them.

10d Who has responsibility for setting the agenda and frequency of trustee meetings and who else is consulted in the development of an agenda (for example trustees, strategist, funder, advisers).

10e Standing agenda items.

10f The number of trustees required to be present for the trustees to be considered quorate.

To properly understand and assess how trustee governance functions within your master trust, we need to see a documented policy or process for the running of the trustee board. If you do not already have a policy document such as this, we would suggest one be developed for inclusion in your application.

In some cases this may be maintained by a trustee secretariat or pensions management function, but owned by the trustees themselves. This is entirely acceptable, as long as it is clear how the trustees maintain sign off and oversight of this delegated function. Trustees are entitled to delegate the responsibility for carrying out tasks, but they will always retain accountability. This policy or process should provide a detailed description of the how the requirements above (10a-f) are met. Further to this, you should include evidence of the effective running and decision-making of your trustee board. Including the following as part of your application would strengthen your application:

  1. Examples of trustee minutes for a 12-month period.
  2. Examples of the management information or evidence which the trustee board would use to inform discussion and make decisions.
  3. A case study of where trustees have considered, made and actioned a significant decision.

When submitting this type of information, you will need to explain in your narrative the context for submitting. For example, if a service provider or adviser review has been discussed, explain and evidence the context for the discussion, signpost the evidence used to assess provider or adviser performance, provide some insight into the discussion itself and finally use minutes to show the outcome of the review and how actions were allocated and tracked to completion.

10g The extent to which the trustee can influence or direct scheme strategist and funder in making decisions which may have material consequences for the business.

10h It is clear who is able to make a decision in a scenario where the interests of the strategist and funder may be in conflict with the interests of scheme members. In this scenario, there should be a clear process for trustees to make known and record their views and decisions.

It is critical that you demonstrate how trustees manage and mitigate the risk that others involved in the provision of the scheme make decisions that may not necessarily be in the best interests of scheme members. This may include roles without direct fiduciary obligations to members, such as the strategist, funder and also, potentially, promoter/funder.

The best evidence to demonstrate that this requirement has been met would be a documented sign off process (possibly a joint policy or side-letter) agreed by the trustees and any business representatives, that outlines a hierarchy of decision-making where such a document is available. This needs to clearly demonstrate that the trustees have a discretion/veto in decision-making to mitigate the risk that any commercial strategies or activities do not conflict with members’ best interests.

10i There is a process for trustees to be notified of breaches and a corresponding process for monitoring breaches of the law and determining whether they are reportable to TPR.

Reporting breaches to us is a key part of the trustee role. You should include a documented process which explains how possible/perceived breaches are assessed by trustees, how it is identified whether or not they are materially significant and, finally, how they are reported to us if required.

11. Managing service providers[11]

We would regard ‘service providers’[12] for the purposes of an application for authorisation as any company carrying out work for, or providing services to, the master trust.

However, not all of these are critical services to the delivery of the pension product. If a critical service (for example scheme administration) is provided in-house, we consider it is essential for trustee boards to have in place similarly robust controls in terms of availability of resources, skills, competencies and fitness and propriety of relevant staff members and ensuring the ongoing quality of services provided. Service providers would also include advisers, both to trustees and others involved in running the scheme.

Please make sure it is clear which service providers you are including in your evidence when completing this section. Evidence should include the companies (or teams, if services are provided internally) which provide the following key services:

  • Scheme administration.
  • Advice (both to trustees and other entities including scheme strategist and funder).
  • IT software and services.
  • Investment management, including platform providers.
  • Member communications.

However, there are likely to be more service providers which might also play a significant role in the delivery of your scheme/product, so the above list is not intended to be exhaustive. You must include evidence related to all of these significant service providers, whether internal or external.

Once again, please provide a pictorial representation of the structure of your scheme which demonstrates who, from an organisational and governance perspective, is involved in the running of the master trust.

11a Service providers are assessed in advance of appointment, including access to due diligence carried out as part of the appointment process.

It is standard industry practice to ensure there is proper due diligence before appointing any service providers. You will need to provide evidence of what due diligence was carried out, by whom and according to what criteria. We are more likely to be satisfied if we are provided not only with the due diligence process, but also an explanation and evidence of the considerations that informed the choice of any service providers.

Where service provision is carried out internally within the business (for example in insurers, administration and consultancy businesses) we would instead expect that service levels would have been agreed for the provision of these services and would expect the relevant evidence of this to be submitted, with an explanatory narrative.

The trust deed and rules of master trusts cannot, by law, prohibit trustees from changing service provider (even if services are currently provided in-house). Therefore, we would expect the ongoing monitoring of internal services to be performed with the same level of scrutiny and accountability of those that are outsourced.

11b Performance indicators were agreed on appointment and there is accountability within the service provider for ensuring these are met, with escalation points. This should include a process for managing investment advisers and recording decisions taken.

This expectation involves two activities and evidence for each is likely to be found in a different source. Firstly, we expect performance indicators for all service providers to be found in the contracts which were agreed on appointment. While performance indicators agreed with service providers may have broad coverage, we are only interested in those directly related to the provision of member benefits and the delivery of the business plan. Given the varied structures and types of master trusts, this list of indicators is likely to vary greatly from master trust to master trust. For that reason, we are unable to provide examples. You should understand your structure and activities and therefore be best placed to decide what is and is not relevant.

You should also explain and evidence how the trustee board, or other entities on their behalf, monitors the ongoing quality of the delivery of these services to ensure the performance indicators are being met on an ongoing basis. The governance activities relevant here will be contingent on the performance indicators identified above.

Your narrative should explain how trustees (or those monitoring on their behalf) use internal controls to identify failures in delivery against these performance indicators. You should also address how trustees have reassured themselves that they are satisfied with the performance indicators agreed and the effectiveness of controls and processes in place to monitor their delivery. You should present this in such a way that both the criteria used to monitor the performance of each service provider, and the how this monitoring is carried out, is clearly identifiable.

11c These performance indicators are considered regularly by an appropriate person, the outcomes are recorded and all actions are allocated and tracked.

11d Service providers and advisers are kept under review, including detailed criteria for assessment (and key performance indicators (KPIs) and service level agreements (SLAs) if they apply).

To meet regulatory expectations on scheme governance related to our DC Code of Practice 13: Governance and administration of occupational trust-based schemes providing money purchase benefits (and associated guidance), trustees will have a documented process which includes description of how the quality of advice and service provision is monitored over time. This should include the levels of quality agreed on appointment and the regularity of reviews. This should be submitted as part of your application, along with a narrative of how this process is reviewed over time to ensure its ongoing effectiveness and relevance.

You will need to provide narrative and evidence demonstrating how roles and responsibilities are allocated for the ongoing assessment of providers and advisers. This will also need to cover how trustees have identified who is responsible for generating the management information required to carry out quality reviews, and how is it ensured that the agreed management information continues to be correct over time.

Finally, you should describe and evidence how any actions and decisions resulting from provider and/or adviser reviews are executed and tracked to completion. How regularly are progress reports requested from owners of actions? What is the escalation process if issues are not being resolved within the agreed timescales? Please include examples in your narrative (with relevant sections of meeting minutes).

11e Trustees can demonstrate how they establish that their service providers are fit and proper and the methodology for doing so. This may include evidence of the checks carried out by service providers on new staff and how tender processes are operated.

We expect that thorough due diligence is carried out before appointing a service provider to carry out activities on behalf of the master trust. This would include ensuring that those acting on behalf of the master trust meet the appropriate standards of fitness and propriety, as per common industry practice.

Please ensure you explain and evidence the checks are carried out by (or on behalf of) trustees, including what elements of integrity, competence and conduct are included in checks, how information is sourced to perform these checks and what sign-off and approval is required once the checks have been carried out.

11f The role of the trustee board, strategist and funder is clear if a decision is needed to replace any service provider.

As with other critical decisions on changes to the overall roles and responsibilities for running the master trust, you should demonstrate the hierarchy of decision-making. This is covered in detail in the earlier section on trustee governance (section 10).

11g There is a clear process for ensuring information relating to the performance, evaluation and ongoing fitness and propriety of service providers, including any issues or concerns, is brought to the attention of the trustees in a timely manner.

To evidence that this requirement is met, you should explain and evidence the following:

  • What types of issues are considered significant enough to be reported to trustees?
  • How they are reported, by whom and when?
  • How are the trustees expected to react to ensure issues are discussed promptly between trustees and any other relevant parties and to ensure action is taken to resolve these issues in a reasonable timeframe?

You will need to describe the data and management information used to identify, review and (where appropriate) escalate issues and decide how this information is made available as required.

11h Trustees can demonstrate they understand and are familiar with the contracts/agreements (and any impacts on service/ability to act) in place with all service providers to the master trust. There should also be a written process documenting how these can be updated and agreed.

A scheme’s trust deed and rules cannot constrain trustees in making a decision to replace a service provider at any time. Therefore, you need to demonstrate that you have considered whether there are any other scenarios where clauses in contracts or agreements with service providers could potentially interfere with your decision-making about appointments or replacements, or cause a situation where you could potentially be unable to act in the best interests of members. You should consider and explain any potential impact on service as a result of your ability to intervene, which might be found in contracts and agreements.

To evidence this, you must provide narrative and evidence which describes how you have carried out this analysis, what the outcomes were and any actions required to manage or mitigate the identified risks.

12. Risk management[13]

12a There is an ongoing process for the identification, measurement, monitoring, prioritisation and resolution of risks, including investment risks.

Risk management is an essential aspect of running a master trust. We expect trustees and providers to demonstrate that they have systems and processes in place to ensure compliance with the requirements of the master trust legislation itself. This should address the five statutory criteria for authorisation, ie:

  • the people running the master trust are fit and proper
  • systems and processes are robust
  • there is a scheme funder who will be able to financially support the scheme
  • the scheme is financially sustainable with sufficient funds
  • there is a continuity strategy in place which will help protect members’ benefits if certain circumstances occur which put the scheme at risk

You should provide evidence of the adequacy of your risk management, including operational, financial, regulatory and compliance risks. You should also identify the relevant risks under each of these risk types to include in your master trust’s risk management framework.

You should provide narrative and evidence which describes the key operational, financial, regulatory and compliance risks identified for inclusion on the risk register, along with commentary on:

  • how these risks have been identified, assessed and rated
  • how they are to be mitigated, managed or monitored over time (including the management information required to facilitate this, where appropriate)
  • who owns each risk
  • what plan would need to be executed were each risk to manifest
  • how — and how often — are the risks on the risk register reviewed and refreshed to ensure they are current

We expect you and other relevant parties to demonstrate you have identified all risks which may affect the ongoing effectiveness and running of the master trust, should they materialise.

In addition to submitting a risk register, you will need to explain and evidence how particular risks are identified and how they are managed You should also describe how trustees know who is managing key risks to members and also demonstrate that they have considered whether this individual or organisation has the necessary skills, knowledge and resources to be the appropriate owners of this risk.

You should also describe the evidence and management information trustees use to monitor and manage risks of various types and how they ensure they are getting this information from the relevant source.

We are carrying out a desk-based assessment of this vital and critical activity, with little opportunity to request further information. As such, a detailed narrative of how risk identification, monitoring and management works in practice must be provided in narrative, along with all relevant documentary evidence.

We would typically expect the trustee board to be at the centre of, and ultimately responsible for, these activities. However, we also understand that there may be other risk-management activities which take place elsewhere in the structure of the master trust (perhaps by scheme strategist, funder or promoter/marketer). Where this is the case, please ensure you provide narrative and evidence related to both the other parties’ risk management activities and of the trustees’ scrutiny of those activities.

12b The scheme strategist has considered and documented actual and perceived risks to the delivery of the business plan and has documented mitigations or processes for monitoring and managing each of these risks.

Our code sets out what a business plan should contain. Beyond this, the scheme strategist will need to be able to track the successful delivery of that business plan to ensure that any underperformance is identified as early as possible, and that appropriate mitigating action can be taken.

Therefore, you should provide evidence of a process which identifies the individual(s) responsible for tracking the business plan against actual performance, including frequency and scope of reviews.

We are also more likely to be satisfied where evidence is presented that the scheme strategist has considered what mitigating actions might be taken if the business plan is at risk of not being delivered, particularly where this might represent a risk to members’ benefits, or the ongoing financial strength and sustainability of the provider or scheme.

12c There are appropriately skilled individuals taking responsibility for the management of risk monitoring against the business plan, and those individuals have access to the necessary management information and intelligence to properly carry out this task.

The individual(s) mentioned above will require certain skills to be able to properly carry out this task. You should submit evidence identifying these skills, how they have been obtained — including relevant qualifications — and describe how staff are monitored to ensure these skills are available.

12d Information and relevant data is regularly (at least quarterly) received from the responsible parties (funder, strategist, administrator, investment manager etc) to enable the risk register to be properly updated.

Evidence will need to be prepared and submitted which demonstrates that the trustees:

  1. know what data and management information will be required to properly carry out risk management activities
  2. are able to access this information when required

A documented agreement between the trustees and those who would need to provide the data would be sufficient evidence to demonstrate that this requirement has been met. The agreement should reference any penalties which could be levied if data and management information are not made available to trustees in a timely manner.

12e The trustees have documented how issues identified through risk management will be managed to resolution, including processes for allocation of owners and a responsible party for monitoring the resolution of issues in between trustee meetings, particularly if the resolution is the responsibility of the scheme administrator, strategist or funder.

As referenced earlier, it will not be sufficient for applicants to simply document, mitigate and monitor against risks. You should describe and evidence how those running the scheme will respond should any key risks materialise. We do not expect this to be done for every granular risk which is being monitored. There will be key risks which, having been assessed by trustees (or others), have either a significant impact or are more likely to occur (or both). It is these key risks we want to see evidence of in a management plan. You should identify which risks are considered ‘key risks’ within your scheme.

13. Risk register

13a There is a risk register to support the ongoing monitoring of risks and it has been considered and agreed by the scheme strategist, funder and by the trustee board.

13b The risk register is regularly reviewed in detail by trustees, with considerations and decisions being documented and ownership and actions attributed, along with timelines for delivery.

See requirement 12a under Risk management.

13c An annual review is conducted to ensure that there have been no additional risks arising which should be included on the risk register.

You will need to describe the methodology which has been agreed and used to assess the risks monitored through the risk register to ensure this is robust. This will include reference to the evidence used to carry out these assessments.

14. Planning resources effectively[14]

14a All key administration tasks, including the timely sending of notifications and documents to us, are fully documented, with detailed end-to-end processes.

14b These process documents and maps are subject to regular review, particularly after system or process change to ensure human resources allocated remain sufficient.

14c Key resources, with the necessary skills and experience to deliver the objectives in the business plan, have been identified and there is a plan in place to ensure continuity of service.

14d There is awareness of the timeframes required to bring new human resource onboard and what contingency is in place to mitigate any under-resource due to increase in work volumes or the loss of staff.

It is likely that this evidence also exists in documents prepared by your scheme administrator, whether they be an external, third-party provider, or in-house. Beyond submitting copies of these processes and plans, you should also consider two further questions when creating a narrative against these requirements:

  1. How are these processes and plans reviewed and approved by the trustees (or others on behalf of the trustees) to ensure they are appropriate?
  2. What is the overlap between operational planning of this type and the strategist’s documented business plan?

15. Communicating with members[15]

Member communication and engagement is a vital part of running a pension scheme and industry practice in this area has made many positive developments in recent years.

To evidence you are meeting requirements 15a to 15g, you will need to provide a documented engagement plan (including realistic timescales for delivery), as well as evidence that the trustees or provider have the relevant skills and competencies to plan and carry out this work (if not themselves, then through other means including advisers, other organisations or individuals).

You should also provide narrative — and any associated documents or other evidence — which described how the quality of processes, policies and member communications are monitoring and improved over time.

15a There is a communications plan in place dealing with how to improve or maintain member engagement with the master trust.

15b The communication plan covers the methods that will be used to improve/maintain member engagement. This should include the standards and timing of regular and scheduled communications with members. There is a process to ensure members receive timely investment information.

15c There is a process for members’ views to be heard by the trustees at board level.

15d Trustees and the strategist respond to member feedback and take appropriate action.

15e The communication plan includes provision for regular reviews for effectiveness, including updates to reflect changes to the scheme and/or membership profile.

15f There are processes in place to identify issues and gather feedback from members.

15g There are processes in place for escalation of issues or complaints to the relevant decision-maker and to resolve the root cause of the issue.

It would be beneficial to consider how your Internal Dispute Resolution Procedure operates and whether it is relevant to the operation of any of your member feedback processes.

We will also need to see your complaints management procedures, including reference to root cause analysis of member/customer complaints, to ensure that these are both properly handled on receipt and reacted to more widely across the business/scheme (where appropriate). In most cases, we believe these to be standard documents and providers can source them from existing scheme documentation.

Further to this, master trusts are required by law to provide a process for members to be able to give feedback. The scheme’s chair’s statement must contain details of the arrangements put in place to encourage members’ views to be put forward on matters relating to the scheme. Further information on our expectations of trustees in this area can be found in our DC Code of Practice 13 and the associated regulatory guidance on communicating and reporting: DC schemes.

Footnotes for this section

  • [6] Paragraphs 4 and 10 of Schedule 4 to the Regulations.
  • [7] Paragraphs 1 and 4 of Schedule 4 to the Regulations.
  • [8] Paragraph 5 of Schedule 4 to the Regulations.
  • [9] See regulation 4(3) (b) — where regulation 23 of the Occupational Pension Schemes (Scheme Administration) Regulations 1996 do not yet apply to a master trust scheme, an application must contain a document describing how the scheme meets, or is intended to meet, the requirements set out in that regulation.
  • [10] Paragraph 5 of Schedule 4 to the Regulations.
  • [11] Paragraph 6 of Schedule 4 to the Regulations.
  • [12] Regulation 2 of the Regulations.
  • [13] Paragraph 7 of Schedule 4 to the Regulations.
  • [14] Paragraphs 1, 4, 9 and 10 of Schedule 4 to the Regulations.
  • [15] Paragraph 11 of Schedule 4 to the Regulations.
Back to top