The Government has restated its commitment to delivering pensions dashboards in a written statement.


Consumer protection

Consumer protection is fundamental to the success of dashboards.

To protect consumers, the Pensions Dashboards Programme, part of the Money and Pensions Service, follows the design principles set out by the Department for Work and Pensions (DWP):

  • put the consumer at the heart of the process by giving people access to clear information online
  • ensure a consumer’s data is secure and simple to understand (minimising the risks to the consumer and the potential for confusion)
  • ensure that the consumer is always in control over who has access to their data


What is consumer protection

In the context of pensions dashboards, consumer protection is the action to minimise consumer harm, including redress for consumers if things go wrong. It covers the design and operation of the ecosystem, compliance with regulations, rules and standards, as well as the way in which consumers will use dashboards.

PDP responsibilities

PDP provides the central digital architecture. This includes the elements that make dashboards work and the overall ecosystem design. PDP is also setting the standards that define how users’ data may be securely shared within the ecosystem and displayed.

Working with our delivery partners, we have considered ways to prevent the risk of potential consumer harm.

Promoting the correct behaviours

The service standards and operational standards, which form part of the code of connection, and the technical standards detail how dashboards, pension providers and schemes must behave when they connect and are part of the pensions dashboards ecosystem.

There will be regular reporting to the regulators by all ecosystem participants, which are detailed in the reporting standards. Regulators will have access to reporting and operational data via PDP reporting to support their functions in respect of monitoring compliance and supervisory or enforcement action.

Ensure only legitimate parties can connect

Aside from the Money and Pensions Service’s MoneyHelper dashboard and DWP for the State Pension, the only parties that may connect to the ecosystem are:

  • pension providers regulated by the Financial Conduct Authority (FCA)
  • pension schemes regulated by The Pensions Regulator (TPR)
  • third-party connection providers operating on behalf of pension providers or schemes (for example, integrated service providers)
  • private sector dashboards regulated by the FCA

Clear pensions information

PDP's research highlighted that many users are not confident about interpreting pensions information. They were particularly worried about whether they would feel overwhelmed with information on the dashboard.

The design standards will set parameters for the display of pensions information by commercial dashboards to ensure presentation is clear, neutral, and accessible.

These design standards and the Financial Conduct Authority’s (FCA) rules for dashboards will be vital to ensure dashboards present consumers with clear and comprehensive information. Appropriate explanations and warnings need to be displayed so users are not misled or led towards financial products or detrimental decisions.

Verifying users are who they claim to be

Verification creates user confidence that only verified individuals can access pensions data and protects consumers from its theft. To address this risk, PDP has confirmed GOV.UK One Login as the identity service provider. The identity service ensures dashboard users are who they say they are and that pensions data is requested by users with verified identities. This gives pension providers, schemes and the Department for Work and Pensions (DWP) State Pension confidence that the user is who they say they are and that they have authority to receive the pension information.

PDP is using an identity service in accordance with the principles defined in the Government Digital Service’s Good Practice Guide 44 and Good Practice Guide 45.

Preventing unauthorised disclosures

Pension providers and schemes have a duty to check, for all view requests received from dashboards, that the user has authorised the return of their pensions information to that dashboard.

This is a check with the central digital architecture that the relevant permissions (represented by tokens) are valid. Pension providers and schemes must accept MaPS’ assertion of user authorisations (captured by PDP from users at the consent and authorisation service).

Avoiding data theft and scams

Our research has highlighted the importance to consumers of being reassured it is a safe environment, given the data involved. Consumers were particularly concerned about the possibility of the information being mishandled or hacked.

We identified risks of personal data being misused and the risks of inappropriate entities gaining access to the ecosystem. This is where the security and governance of our ecosystem are important to ensure only legitimate parties can connect to the pensions dashboards ecosystem.

To reduce risk, the pensions dashboards ecosystem design ensures there is no central database or aggregation of pensions data, with pensions data only being stored by pension providers, schemes or their third-party connection provider.

Security standards ensure the appropriate level of security, following National Cyber Security Centre standards and best practice. They detail the technical authentication requirements for communication between parties within the ecosystem, encryption requirements for all data in transit across the ecosystem and the requirements for security-testing interfaces to the ecosystem.

This mitigates the risks of data theft and ensures data protection by guaranteeing all communication between parties within the ecosystem is appropriately encrypted, that parties are appropriately authenticated to each other when communicating and by ensuring that parties’ technical interfaces to the pensions dashboards ecosystem are regularly and independently tested for any vulnerabilities.

The Financial Conduct Authority (FCA) rules ensure there are appropriate warnings in place on dashboards and signposts to guidance, including MoneyHelper.

Routes to redress if things go wrong

PDP is putting mechanisms in place to deal with consumer complaints and redress in cases of inadequate service by the central digital architecture. This could lead to consumer awards for inconvenience or financial loss.

PDP is putting a support model in place with the aim of helping consumers get to the right place when they have a complaint or an issue.


UK GDPR

UK General Data Protection Regulation (UK GDPR) applies to the movement, processing and storage of personal data. Dashboards will involve personal information being processed at scale. PDP is creating the pensions dashboards ecosystem, standards and processes with these data protection principles at its heart. It applies data protection by design principles as an integral approach to all ecosystem design processes and components, including the central digital architecture, dashboards, and pension providers and schemes’ interfaces to the ecosystem.

Data protection impact assessment (DPIA)

To identify and minimise risks associated with processing personal data, we have published a DPIA in respect of the processing of personal data by the Money and Pensions Service (MaPS) in accordance with its function to deliver the Pensions Dashboards Programme (PDP). This includes building and running the central digital architecture (CDA) and related services that make pensions dashboards possible, and connecting pension providers and schemes and dashboards to it.

It does not cover MaPS’ other dashboard function, the provision of the MoneyHelper public service pensions dashboard, which will be covered in a separate DPIA.

Read the data protection impact assessment

Related organisations

Ensuring the appropriate level of consumer protection across the end-to-end user journey is a shared responsibility, in which multiple parties have roles to play. Dashboard providers and pension providers and schemes have their roles. By being compliant with their duties, dashboards and pension providers and schemes will drastically reduce their exposure.

PDP is part of the Money and Pensions Service (MaPS), which is also responsible for creating a pensions dashboard for everyone to use. This dashboard will be part of the support MaPS offers to consumers about how to manage their pensions, which includes MoneyHelper.

While MaPS will do everything possible to minimise any risk to consumers within the pensions dashboards ecosystem itself, we cannot control what consumers do following receipt of information about their pensions. MaPS must also follow the Financial Guidance and Claims Act 2018 to ensure consumer protection.

There are other organisations with dashboard responsibilities, as dashboards require close collaboration between industry and the public sector. Our work to protect consumers takes place together with our delivery partners.

Department for Work and Pensions and Department for Communities (Northern Ireland)

The Department for Work and Pensions (DWP) and Department for Communities (NI) are responsible for pensions dashboards policy and dashboards legislation. This legislation determines the conditions commercial dashboards will have to meet to be a dashboard provider. It also details the requirements of occupational pension schemes, including what data they must send to dashboards. Pension schemes and dashboard providers must adhere to the regulations.

The Pensions Regulator

The trustees of occupational pensions schemes will be responsible for ensuring that they:

  • find all matching pensions
  • process find data lawfully (the purpose for which they receive it is for matching in accordance with their legal obligation)
  • produce and send correct data to users
  • only send data to a user-authorised dashboard

The Pensions Regulator (TPR) has enforcement and supervisory roles in relation to these pension schemes’ compliance with duties in respect of the operation of pension schemes, and has published its compliance and enforcement policy.

Some pension schemes may choose to outsource their duties to connect to the pensions dashboards ecosystem to an integrated service provider (ISP). However, all the responsibilities for compliance remain with the pension scheme, as the data controller and regulated entity.

Occupational pension providers must adhere to the Pensions Dashboards Regulations and duties (including MaPS standards) and existing pensions and trust law, which is regulated by TPR.

Financial Conduct Authority

Dashboards

HM Treasury has amended the Regulated Activities Order to introduce a new regulated activity of providing a pensions dashboard to make dashboard providers subject to the Financial Conduct Authority’s (FCA) regulatory framework. Commercial dashboard providers must therefore be authorised by the FCA and have the relevant permission to operate.

The FCA has published the rules for firms providing a pensions dashboard service, to ensure an appropriate degree of consumer protection and to ensure dashboard providers act in consumers' best interests and deliver good consumer outcomes, while supporting effective competition in 'post-view' services and innovation in the interests of consumers.

Pension providers

The FCA is responsible for the rules for personal pension providers, which mirror the DWP regulations for occupational pension schemes and impose the same duties.

Providers of stakeholder and personal pensions will be responsible for ensuring that they:

  • find all matching pensions
  • process find data lawfully (the purpose for which they receive it is for matching in accordance with their legal obligation)
  • produce and send correct data to users
  • only send data to a user-authorised dashboard

The FCA has enforcement and supervisory roles in relation to these pension providers’ compliance with duties in respect of the operation of pension schemes.

Some pension providers may choose to outsource their duties to connect to the pensions dashboards ecosystem to an integrated service provider (ISP). However, all the responsibilities for compliance remain with the pension provider, as the data controller and regulated entity.

Information Commissioner’s Office

Using a pensions dashboard will involve the transfer of small amounts of an individual’s personal data between dashboards and data providers, which will all take place within the parameters permitted by UK General Data Protection Regulation (UK GDPR).

Pension providers and schemes are identified as data controllers under UK GDPR. They are responsible for ensuring their members’ data is accurate, up-to-date, and not disclosed without member authorisation. The pension provider or scheme is responsible for setting its matching criteria and for the management of risk of mismatching, and for returning the correct data to the user at their dashboard. Similarly, dashboard providers are data controllers under UK GDPR when they display the view data returned by the pension providers and schemes.

The Pension Schemes Act 2021 makes clear the primacy of UK GDPR and that duties on pension schemes imposed by the regulations do not authorise or require processing of data that would breach data protection legislation. If any parties are found not meeting the requirements to protect individuals’ personal data, they could be subject to Information Commissioner’s Office enforcement.

Financial Ombudsman Service

The Financial Ombudsman Service (FOS) was set up to help consumers resolve problems with regulated financial businesses. It has the power to help if dashboard providers, except for the MaPS MoneyHelper dashboard, treat consumers unfairly.

FOS can consider complaints about Financial Conduct Authority (FCA)-regulated pension providers and advisers. It will also be able to consider complaints against dashboard providers. FOS is a free service and can award compensation up to a significant amount.

The Pensions Ombudsman

The Pensions Ombudsman offers a free and impartial service to help people resolve their occupational (employment linked) or personal pension scheme disputes. The Pensions Ombudsman can consider and investigate complaints about the maladministration of pension schemes or providers, as well as disputes of fact or law. Where a complaint cannot be resolved informally the Ombudsman may issue a binding determination, for which there is no maximum limit on redress.

While all parties will do all they can to protect consumers using pensions dashboards, it is not possible to eliminate risk entirely. Responsibility for the actions or decisions consumers make using the information displayed on a pensions dashboard rests with the consumer (which will be stated in the design standards). However, the Financial Ombudsman Service and the Financial Conduct Authority may still have an interest in the quality of financial advice a user receives.

Financial Services Compensation Scheme

The Financial Services Compensation Scheme (FSCS) provides compensation for consumers when firms have gone out of business. Generally, FSCS can protect and pay compensation for:

  • pensions provided by UK-regulated insurers who fail, if the pension qualifies as a ‘contract of long-term insurance’ (such as an annuity)
  • investments held within a personal pension (such as a self-invested personal pension (SIPP)) where the UK-regulated provider of the investment fails
  • bad advice concerning a pension given by UK-regulated financial advisers who have gone out of business