Approach to governance of standards
Our governance approach sets out how PDP has developed the standards. It outlines scope and how future changes are set and managed, once the standards are approved by the Secretary of State.
Introduction
Background
- Pensions dashboards are apps, websites or other tools which will help individuals view their pensions information online. They will bring together all an individual’s pensions, including their State Pension as well as any occupational and personal pensions (including insurers), to support better planning for retirement and growing financial wellbeing.
- The Money and Pensions Service (MaPS) set up the Pensions Dashboards Programme (PDP) in 2019 to design and create the pensions dashboards ecosystem and the supporting governance framework. The pensions dashboard ecosystem contains the central digital architecture (CDA) that will make pensions dashboards work. It will connect millions of individuals to their information across thousands of pensions, via multiple pensions dashboards. More information can be found on our pensions dashboards ecosystem page.
- The Pension Schemes Act 2021 and the Pensions Dashboards Regulations 2022 delegate authority to MaPS to set standards, specifications, and technical requirements (which we refer to as standards) for pensions dashboard ecosystem participants. The purpose of standards is to ensure the security, stability and effective operation of the pensions dashboard ecosystem. They set out the technical and operational detail underpinning the primary and secondary legislation.
Scope of the approach
- As a digital service, the pensions dashboards ecosystem needs to be able to implement changes in service requirements in a simple and timely manner. Our standards provide this flexibility. They allow for further iteration and development as the service matures.
- This document contains MaPS’ approach to the production and maintenance of these standards.
- References to PDP in any of the documents should be read as ‘PDP, as part of MaPS’.
Interaction with FCA regulatory framework
- Standards are separate from, but designed to complement, the FCA’s regulatory framework for pension dashboard service firms. Firms which operate a Qualifying Pensions Dashboard Service (QPDS) will need to be (or become) FCA authorised, get the regulatory permission to undertake this new regulated activity and meet any Handbook rules and guidance that the FCA may introduce for firms undertaking this activity.
Application
- Standards apply to the trustees or managers of occupational pension schemes, the managers of stakeholder and personal pension schemes, and insurers (pension providers and schemes) that are connected to, or are required to connect to, our pensions dashboard ecosystem, and to QPDS.
- Parties (such as administrators or software providers) may apply our standards and guidance on behalf of their clients. We expect that much of the implementation of our standards will be undertaken by such third parties on behalf of multiple clients. A pension provider or scheme connecting via an already-connected third party will use the third-party’s processes to meet our security, service, connection and operational standards. However, as the standards and guidance apply to the pension provider/scheme, it remains responsible for compliance with them, even if implementation is delegated to a contracted third party.
Effect
- Standards are mandatory requirements and, therefore, compliance by pension providers and schemes as well as QPDS is compulsory.
- Because of the importance of the standards for the security, stability and credibility of pensions dashboards, non-compliance could lead to disconnection from the pensions dashboards ecosystem.
- Standards and guidance may be admitted in any proceedings relevant to a pension provider’s, scheme’s or QPDS’ compliance with their dashboard duties – this also applies to the obligations owed by any other party (for example, a sponsoring employer or administrator). It will be the decision of the body hearing the proceedings (including any regulatory proceedings conducted by the FCA or The Pensions Regulator (TPR)) to assess the evidential weight to be attached to any standard or guidance admitted.
Guidance
- To further support QPDS and pensions providers we have also issued guidance. References to our guidance in this document are for background purposes.
Content of the standards
- More detailed description of standards:
  - data standards – the data formatting requirements pension providers and schemes must follow when returning pensions data
  - design standards – requirements for QPDS’ presentation of the pensions data to users on dashboards
  - reporting standards – the data required from pension providers, schemes and QPDS to enable the monitoring of the health of the pensions dashboards ecosystem (for example, compliance and performance)
  - technical (including API) standards – the requirements for how pension providers, schemes and QPDS interface with the CDA and with each other, including connectivity mechanisms, protocols for authorising the sharing of information, and the generation and registration of pension identifiers
  - security standards – the technical and procedural standards to ensure security of the ecosystem
  - service standards – the technical and procedural minimum service requirements, including service availability and response times, connection state changes (including planned interruption to information technology systems) and notification requirements
  - operational standards – the operational processes participants must follow to connect to the ecosystem and to maintain connection, including onboarding procedures, dispute management and escalation and service level failure protocols
Governance
Initial setting
- PDP have developed the initial standards in collaboration with industry. They have been subject to consultation. They are also subject to Secretary of State for Work and Pensions approval: we are publishing the documents now to provide as early sight as possible of the requirements, but they are not yet formally approved. This can only happen once the Pensions Dashboards Regulations 2022 have been approved by Parliament and come into force (formally giving MaPS the authority to set these standards). Following formal approval, we will publish these as confirmed standards. No major changes are expected prior to approval.
Subsequent changes
Source of change
- Changes to standards have several drivers and sources:
  - new legislation or amendments to existing legislation – which either indirectly or directly impact the standards and guidance
  - changes to third-party standards – where third-party standards are being leveraged and they change, any impact would need to be reviewed
  - PDP (including our suppliers) – continuous improvement and product evolution, including user testing
  - changes required by the FCA or TPR
  - changes identified by ecosystem participants
- Whilst this list is not exhaustive, it illustrates the diverse sources of change.
- Change requests will be subject to our governance process where they will be evaluated for impact and benefit.
Decision makers
- The following will be responsible for approving changes:
  - PDP – for minor technical changes
  - Secretary of State – for all other changes
Change management
Classification
- Changes fall into two camps: minor or major.
- Minor changes are those changes that have minimal impact on most pension providers, schemes and QPDS. Examples of minor changes are:
  - minor additional testing requirements within the code of connection
  - minor change to an optional element of data standards, whilst remaining optional
- When publicising these changes, we will explain how we have assessed these changes as minor.
- All other changes will be major changes. Examples of major changes could include:
  - substantial changes to processes or the data required
  - technological developments (incurring significant pension provider, scheme or QPDS resource to implement)
  - changes in the way the pension providers, schemes or QPDS are required to connect and receive or return information (for example, an upgrade of the API standard to a newer technology stack, or the use of new security software)
  - substantial changes to business processes required to meet duties (for example, additional reporting requirements that mean pension providers, schemes or QPDS are required to supply significantly more information, or more regular reports to PDP for monitoring purposes)
Engagement and consultation
- As part of this governance process, we will consider who to engage with. This may include TPR, FCA, Department for Work and Pensions (DWP), industry stakeholders as well as ecosystem participants.
- The government has issued consultation principles and we will follow them, where applicable. Major changes will always be consulted on.
Notification period
- Where possible, the notification period will be at least 12 months for major changes and six months for minor changes.
Implementation frequency
- To assist those implementing the standards with their planning, updates will be applied annually for major changes and bi-annually for minor changes, at the following times:
  - major and minor – October
  - minor only – April
- More frequent updates may be applied in an emergency (for example, to patch a security breach). An emergency is classified as something urgently required to maintain the security or integrity of the ecosystem. We will provide as much notice as we can, given the circumstances.
Version
- To ensure each version is clearly recognisable and auditable, the following version numbering will be applied:
  - primary version – whole number indicating the major standard release
  - secondary version – a branch of the primary version; all branches must be backwards compatible with the primary version
- An example is ‘version 3.2’: ‘3’ is the primary version and ‘.2’ is the secondary branch version.
Compatibility
- Pension providers, schemes or QPDS must be able to support the primary and secondary branch versions below the secondary branch number the participant has chosen to implement.
- For example, if the live standards versions are 3.0, 3.2 and 3.3 and a participant chooses to adopt 3.2, they must also support 3.0 but do not need to support 3.3.
Deprecation
- Once a standard has moved to the next primary version release, then the old primary version and all secondary branches attached will be retired.
General
Third party standards
- Where third-party standards are referred to in our standards (for example UMA in our technical standards and the Web Content Accessibility Guidelines 2.1 in our design standards), we will review regularly to ensure they remain current, appropriate and usable by pension providers, schemes and QPDS. Where appropriate, we will actively engage with the third-party standards provider to understand the effect changes to their standards may have on pensions dashboard ecosystem participants.
Curation (notification, publication)
- Publication – MaPS will be responsible for publishing the standards (currently on the PDP website).
- Notifications – We will notify ecosystem participants about changes by email with the following classifications:
  - urgent – requires action immediately
  - notification – something that people need to know and may require action
  - information – for information
Non-adherence
- Standards will be used to check pension provider, scheme and QPDS compliance with, amongst other things, their dashboard connection and reporting obligations.
- Where appropriate, we will work with pension providers, schemes and QPDS to help reconcile any potential compliance issues. However, as adherence to the standards is an important requirement, and vital to the security, stability, and credibility of the pensions dashboards ecosystem, we will also put in place processes to escalate all breaches we identify to FCA/TPR.
- Failure to adhere to our standards, or have regard to our guidance, can be used as evidence of breach of legal duties and may be used by the FCA or TPR in any regulatory action.
- Also, we reserve the right to disconnect any pension provider, scheme or QPDS from the ecosystem for breaching their dashboard duties, which for pension providers and schemes would mean they would not be able to meet their obligations.