
PDP: introduction to the pensions dashboards ecosystem

The Pensions Dashboards Programme has issued a call for input on staging, which details proposals for staged compulsory connection of pensions providers to the dashboard ecosystem. This is an important opportunity for industry to respond. To help support and provide clarity around the requirements for providers, we will be hosting two webinars.

These will be of interest to pension schemes and providers, administrators and administration software providers, consumer groups, and other stakeholders.


Q&A Session: Introduction to the pensions dashboards ecosystem

What is meant by 'asserted' and what are the consequences of an item not being 'asserted'?

Asserted means that the data element has been verified by the identity service.

How will providers be verified? They will be sent personal information in order to find a match. How can the service be sure the data will not be misused?

Providers will be registered with the governance register. This will involve a process/mechanism for checking with the appropriate regulator. Use of data by providers will be subject to UK GDPR, and any use of the data for any other purpose, or persistence of the data when the provider finds no matching pension, would be a breach of UK GDPR.

Will PDP provide guidance on the matching rules that schemes should use?

The matching criteria were developed by the industry to provide a set of data that the data providers could use with their existing software. However, we are working with industry bodies (ABI, PASA, etc) to help them develop guidance.

The Small Pots Group are also doing some work on matching rules which might be useful?

PDP are staying close to the small pots initiative and will consider any findings of theirs.

Can PDP share any Data Protection Impact Assessment so that data providers can consider it as part of their own DPIA?

This work is already in progress, and PDP will publish a DPIA in due course. This will provide transparency and help engender trust from consumers and industry, as well as help inform ecosystem participants' DPIAs.

Is there an expectation that an ISP will support more than one pension scheme? If so, will the ISP receive one find request in total or one find request per pension scheme?

ISPs may support many schemes. The ISP will be treated as a single endpoint, therefore the find request for those schemes will go to the ISP.

Are there any major risks, to any of the actors involved, of DDoS attacks from the find requests?

Under our Security Management Plan, the central technical architecture, once live, will be monitored 24/7 by a Security Operations Centre that will identify and respond to any security threats to the central technical architecture. This will include any endpoints that are accessed unusually. Similarly, as the find request is being received from a specific registered endpoint, the data provider may also pick up and block any unusual activity from an unrecognised endpoint related to a DDoS attack.

Sorry, a late question on the previous section that I missed the start of. On the identity verification upstream of the 'Find' on the dashboard, will you be matching against external systems, e.g. matching NINO against HMRC? So it's not just the format being correct, but matched against the generators of that data?

Our Data Standards publication set out the Find data providers will need to match against and stipulated that we expect the central ecosystem identity service to always verify users' name, date of birth, and current address. Users will be able to add further 'self-asserted' items, including National Insurance number, but this will not initially be verified by the identity service.

Can you add things like a service number used by uniformed services?

The data standards do not currently allow for this, but if there is strong demand this can be reviewed and a change to the standards requested.

We have serious security issues with this system. How can this be guaranteed?

There are many threats related to fraud and cybersecurity that need to be managed; without more specifics it is hard to fully answer this question. However, steps will be taken through the governance framework, and by regulators, to ensure the integrity of dashboard participants to the Ecosystem, and users will be subject to ID verification or authentication before being permitted to undertake a find or view request. The central architecture itself will be designed and developed adhering to security by design principles, subject to penetration testing by an accredited external party, monitored by a Security Operations Centre and overseen by the Security Working Group containing experienced security professionals from the PDP/MaPS, our technology supplier and industry. If there is a specific security risk that you are concerned with, please do make PDP aware and we can ensure we address it specifically.

Unfortunately, we missed the first part of the presentation due to technical difficulties; will a copy of the slides be made available, please?

Yes, via the website.

Could you please send a link/details on the governance register?

There are more details on the website about the governance register and we are working with the regulators to define what is required.

How much have current software providers been engaged in the standards, please?

Data Standards were developed by a wide range of industry participants who responded to the initial expression of interest call.

The consumer has control over their data and can specify who they share it with. Provided they meet the requirements to allow them to participate in the ecosystem.

And there won’t be any difference between ‘no matching’ and unable to share (due to technical issues) as both won’t respond back for a ‘find’ request?

No matching or no pension found will not produce a response. Technical issues may not produce a response to the dashboard. Found pensions that do not have a full data set or cannot be shared for some reason can respond with a predefined error through the data payload of the view.
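A provider-side sketch of the behaviour described in the answers above: identity-service-asserted elements are trusted for matching, a self-asserted National Insurance number only narrows an already verified match, and a failed find returns nothing. This is an added example, not PDP code; the request shape, field names, sample records and the matching policy itself are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Element:
    value: str
    asserted: bool  # True: verified by the identity service; False: self-asserted

def norm(text: str) -> str:
    """Compare values without regard to case or spacing."""
    return "".join(text.split()).casefold()

# Constructed provider records; PEIs and NINOs are placeholders.
RECORDS = [
    {"pei": "pei-0001", "surname": "Okafor", "dob": "1970-03-14", "nino": "QQ123456C"},
    {"pei": "pei-0002", "surname": "Okafor", "dob": "1970-03-14", "nino": "QQ654321A"},
    {"pei": "pei-0003", "surname": "Lindqvist", "dob": "1982-11-02", "nino": None},
]

def handle_find(request: dict[str, Element]) -> Optional[list[str]]:
    """Return matched PEIs, or None meaning 'send no response at all'."""
    # Hypothetical policy: the match must rest on asserted elements.
    for key in ("surname", "dob"):
        element = request.get(key)
        if element is None or not element.asserted:
            return None
    candidates = [
        r for r in RECORDS
        if norm(r["surname"]) == norm(request["surname"].value)
        and r["dob"] == request["dob"].value
    ]
    # A self-asserted NINO is never sufficient alone: it can only exclude
    # candidates whose stored NINO disagrees with the one supplied.
    nino = request.get("nino")
    if nino is not None:
        candidates = [
            r for r in candidates
            if r["nino"] is None or norm(r["nino"]) == norm(nino.value)
        ]
    # No match: return None and keep nothing from the request. It is not
    # logged or stored here, so no find data persists after a failed match.
    return [r["pei"] for r in candidates] or None

if __name__ == "__main__":
    find = {
        "surname": Element("okafor", asserted=True),
        "dob": Element("1970-03-14", asserted=True),
        "nino": Element("qq 12 34 56 c", asserted=False),
    }
    print(handle_find(find))
```

From the dashboard side, a `None` result is indistinguishable from a provider that never answered, which is the situation the question describes.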

Will there be just one Dashboard available, or a range of choices for users? How many potential Providers could there be, please?

MaPS will provide a dashboard and commercial dashboards can be provided by any organisation that meets the governance and onboarding requirements of the PDP and meets the authorisation requirements of the FCA - providing a pensions dashboard will be a new regulated activity requiring authorisation by the FCA.

So, as a Trustee of a legacy DB scheme insured by Royal London, and administrator of a current DC scheme with L&G and a legacy DC scheme with AVIVA, for an employer, where will I fit in, please?

Each scheme will have its staging date for the staging cohort it falls into - which we’ve recommended be determined by size and benefit type. On our recommendations, the current DC scheme would be staged before the legacy DB scheme. However, voluntary early staging will allow for schemes that wish to stage earlier (eg if they have a single ISP/administrator that can connect them all in bulk). DWP regulations/FCA rules will ultimately determine the staging profile.

ISPs will receive one find request but may have multiple matches with different PEIs. Will this be catered for?

Each PEI is registered with the consent and authorisation service, and the user can consent to allow a dashboard to view some, all, or indeed none of these.

Is FCA authorisation enough for a dashboard provider especially given the involvement of some FCA authorised entities with Pension Scams?

We are building consumer protection into pensions dashboards. We’ve adopted and carried forward the overarching design principles set out by the government to underpin the ecosystem, which put the consumer at the heart of the process, and are building the architecture on the foundation principles of data protection by design. The government’s policy position as set out in the consultation response is that existing regulatory frameworks (including the FCA as regulator for pensions dashboards, as well as UK GDPR) will ensure the appropriate level of consumer protection. Providing a pensions dashboard service will be a new regulated activity, and the FCA will develop an appropriate authorisation regime for organisations seeking to become dashboard providers. The FCA will also make rules governing the conduct of authorised dashboard providers.

If there’s no match when doing a find, how do you inform the user there are no details if the provider doesn’t confirm it?

No response will be sent to the user as this would generate @40,000 responses. However, PDP is developing design standards and conducting user research to provide the end consumer with standard messaging for just this sort of event.

What about non-digital pensions?

All pensions should be made findable digitally.

Does the provider need to digitise them? What if info is held in images/scans for example?

All pensions should be made findable digitally.

I appreciate that the identity service is outside PD but how are members verified?

The identity service will be part of a different procurement; more information on this can be found on the PDP website.

Would it be helpful for a "dashboard ready" certificate to be issued to software suppliers who have made the effort - so that employers and members participating in the scheme can be informed that their scheme is compliant?

This is not something we have currently looked at but will certainly consider it.

You mention external dashboard providers as "providers" - do you anticipate that there will be independent dashboards?

Yes.

What is the expectation for schemes in terms of accurate and up-to-date data, when many are reliant upon employers or customers to notify us of new or changed details?

Schemes have existing obligations in terms of data accuracy and quality, and pensions dashboards will not impose any additional new requirements here. The duties apply to schemes, but schemes do need employers or customers to assist. We recognise the particular challenges concerning employer data, particularly for master trusts. The regulator(s) will work with schemes to drive data compliance.

What happens if your scheme does not hold all of the find data?

The scheme does not need to check all the data provided as part of a find, just the data you need to search.

Will you be engaging directly with public service pension schemes given that we represent a significant proportion of membership?

Yes.

Is the National Insurance number mandatory given that not all individuals who have a pension have a National Insurance number?

You can select the data you wish to search for. No National Insurance number may make identification of a pension more difficult.

Author:
Pensions Dashboards Programme

Published: 08 June 2021
