David Reid, the Pensions Dashboards Programme’s Head of Policy, discusses consumer protection and how the different organisations connected with pensions dashboards will work together to ensure dashboards are safe for consumers.
Pensions dashboards present a novel challenge when it comes to consumer protection as they bring together personal data from a range of sources. Each user may have several pensions sitting within different schemes, which are displayed on a dashboard run by a separate organisation. So individuals will be reliant on multiple organisations having the right mechanism in place to protect their data and personal information.
Consumer protection isn’t a new or unique issue to dashboards. There are consumer protection measures in place already that relate to data processing – notably the UK General Data Protection Regulation (GDPR), which is enforced via the Information Commissioner’s Office (ICO). The provision of pensions information is also subject to existing regulations and rules, regulated by The Pensions Regulator (TPR) and the Financial Conduct Authority (FCA).
But, as with any new financial product or service, there is a risk of finding gaps in the existing consumer protection. This is why we’re focusing on clarifying the consumer’s redress against PDP, should anything go wrong with the digital architecture, to minimise any risks to consumers using dashboards.
This work sits within the wider regulatory framework, which is distributed across a number of organisations – as is clear from the diagram.
PDP liability for the central digital architecture
PDP is responsible for the security of data within the central digital architecture itself. To promote security within the digital architecture, we are building it in line with a range of technical and security standards that apply best practice, as recommended by the National Cyber Security Centre.
We are developing a complaints mechanism, so that users will be able to raise any issues they face with the central digital architecture itself. Although we have confidence that these will be few and far between, the complaints handling process will include the ability to make awards for inadequate supplier service that causes financial harm.
PDP is also liable for the accuracy of the assurance provided by the identity service that savers really are who they say they are. We have procured an identity service that can prove this to accepted cyber security standards. So data and dashboard providers will be able to rely on the identity asserted by the identity provider.
Pension providers' and schemes' liability
Pension providers and schemes will see their duties formally set out in the DWP regulations and FCA rules on dashboards over the coming months.
While we await the formal response to recent consultations, we know the broad scope of the duties will be to:
- connect and receive find requests from the central digital architecture
- search for matching pensions and register pensions found
- return any matching pensions data to pensions dashboards for savers to view, in line with the standards set by PDP
Once the relevant legislation is passed, these duties will be regulated by TPR and the FCA.
Providing pensions information via dashboards
Provision of a pensions dashboard will be a new regulated activity, bringing dashboards within the FCA’s regulatory perimeter. This means dashboards will have to comply with FCA rules, such as the requirement for authorised firms to pay due regard to the interests of their customers and treat them fairly, as well as any specific dashboards conduct rules.
As with so much about pensions dashboards, we need to work together to ensure successful delivery. PDP and its delivery partners are considering consumer protection at every step in building the central architecture and it will be central for every organisation involved in pensions dashboards.