DWP has released a written ministerial statement that affects the connection deadline for pensions dashboards.
Additional guidance will be published in due course.

 

Consumer protection

Consumer protection is fundamental to the success of dashboards.
We follow the design principles set out by the Department for Work and Pensions (DWP).
We:

  • put the consumer at the heart of the process by giving people access to clear information online
  • ensure a consumer’s data is secure, accurate and simple to understand – minimising the risks to the consumer and the potential for confusion
  • ensure that the consumer is always in control over who has access to their data
 
 
 

What is consumer protection?

In the context of pensions dashboards, consumer protection is the action to minimise consumer harm, including redress for consumers if things do go wrong. It covers the design and operation of the ecosystem, compliance with regulations, rules and standards, as well as the way in which consumers will use dashboards.

The Pensions Dashboards Programme (PDP) is responsible for providing the central digital architecture, ie the elements that make dashboards work and the overall ecosystem design. PDP is also setting the security, technical and design standards that define how users’ data may be securely shared within the ecosystem and displayed. This is to ensure compliance with the UK General Data Protection Regulation (UK GDPR).

What are PDP’s responsibilities?

Working with our delivery partners, we’ve considered ways to prevent the risk of potential consumer harm:

Promoting the correct behaviours

The service standards and operational standards, which form part of the code of connection, and the technical standards detail how dashboards, pension providers and schemes must behave when they connect and are part of the pensions dashboards ecosystem.

The service standards require all parties to generate, exchange and store pseudonymised transaction identifiers representing all ecosystem interactions. This is to ensure correlation of logs across parties to support investigation (for example, in relation to user complaints), while minimising data retention and maximising privacy.

The operational standards’ requirements in relation to problem management and supporting forensic investigation ensure that if things do go wrong, there are means to piece together and reconstruct interactions.

The technical standards aid consumer protection by detailing connectivity mechanisms and the protocols for authorising the sharing of information.

There will be regular reporting to the regulators by all ecosystem participants, which is detailed in the reporting standards. We will also notify the regulator if we see any behaviour that does not match up to the required standards:

  • business audit requirements (ie information required for non-repudiation purposes and/or to support forensic investigation if things go wrong)
  • protective monitoring (for security protection and detection of threats)
  • operational monitoring (to monitor the health of the ecosystem and performance of pension providers and dashboards)
  • management information (data to track service performance and how the dashboards service is used)
  • regulatory oversight reporting (data that will support regulators to monitor pension providers’ and dashboards providers’ compliance with legal obligations)

Ensure only legitimate parties can connect

Only pension providers and schemes regulated by the Financial Conduct Authority (FCA) or The Pensions Regulator (TPR) (or their subcontracted third parties), FCA-regulated financial advisers, FCA-regulated dashboard providers, plus The Money and Pensions Service (MaPS) and DWP’s State Pension, will be able to connect to the ecosystem.

Before they access the pensions dashboards ecosystem, we will check that all regulated participants have regulated status with either TPR or FCA.

Clear pensions information

Our research highlighted many users are not confident about interpreting pensions information. They were particularly worried about whether they would feel overwhelmed with information on the dashboard.

PDP has been doing user research and prototype testing to ensure we get this right, and this has led to our proposed design standards. These detail how pensions information is to be presented to the user in a clear way, and the requirements to ensure dashboards are accessible and inclusive.

These design standards and the Financial Conduct Authority’s (FCA) proposed rules for dashboards (which are both subject to consultation) are vital to ensure dashboards present consumers with clear and comprehensive information. Appropriate explanations and warnings need to be displayed so users are not misled or led towards financial products or detrimental decisions.

Releasing of data to the right person

Verification creates user confidence that only verified individuals can access pensions data and protects consumers from its theft. To address this risk, PDP has procured an identity service, which will verify that certain biographical data relates to the user. This allows appropriate matching by pension providers and schemes (including possible matches when they are not sure) relying on the verified information.

PDP is using an identity service in accordance with the principles defined in the Government Digital Service’s Good Practice Guide 44 and Good Practice Guide 45.

Preventing unauthorised disclosures

Pension providers and schemes have a duty to check, for every view request received from dashboards, that the user has authorised the return of their pensions information to that dashboard.

This is a check with the central digital architecture that the relevant permissions (represented by tokens) are valid. Pension providers and schemes must accept MaPS’ assertion of user authorisations (captured by PDP from users at the consent and authorisation service).

Avoiding data theft and scams

Our research has highlighted the importance to consumers of being reassured it is a safe environment, given the data involved. Consumers were particularly concerned about the possibility of the information being mishandled or hacked.

We identified risks of personal data being misused and the risks of inappropriate entities gaining access to the ecosystem. This is where the security and governance of our ecosystem are important to ensure only legitimate parties can connect to the pensions dashboards ecosystem. Here we outline the aim and effect of our security standards:

Security standards ensure the appropriate level of security, following National Cyber Security Centre standards and best practice. They detail the technical authentication requirements for communication between parties within the ecosystem, encryption requirements for all data in transit across the ecosystem and the requirements for security-testing interfaces to the ecosystem.

This mitigates the risks of data theft and ensures data protection by guaranteeing all communication between parties within the ecosystem is appropriately encrypted, that parties are appropriately authenticated to each other when communicating and by ensuring that parties’ technical interfaces to the pensions dashboards ecosystem are regularly and independently tested for any vulnerabilities.

Before the ecosystem uses live data, it will go through a rigorous testing cycle to minimise the risk of errors.

The Financial Conduct Authority (FCA) is also proposing, in its proposals for its dashboard rules, that there are appropriate warnings in place on dashboards and signposts to guidance, including MoneyHelper.

Routes to redress if things go wrong

We’ve put in mechanisms to deal with consumer complaints and redress in cases of inadequate service by the central digital architecture. This could lead to consumer awards for inconvenience or financial loss.

We’re also putting in place a support model with the aim to help a consumer to get to the right place when they have a complaint or an issue.

Working with others

Ensuring the appropriate level of consumer protection across the end-to-end user journey is a shared responsibility, in which multiple parties have roles to play. Dashboards providers and pension providers and schemes have their roles. By being compliant with their duties, dashboards and pension providers and schemes will drastically reduce their exposure.

PDP (as part of MaPS) is not the only public body with dashboard responsibilities. Delivering dashboards requires collaboration between industry and the public sector. Our work to protect consumers takes place together with our delivery partners.

Pension providers

  • DWP new occupational pensions dashboards regulations and duties therein (compliance regulated by TPR)
    • MaPS standards – compliance with which is required by regulations
  • existing pensions and trust law (regulated by TPR)
  • FCA rules for personal pension providers
  • consumer recourse to The Pensions Ombudsman/Financial Ombudsman Service

Dashboard providers

  • FCA rules for dashboards providers undertaking the regulated activity
  • DWP regulations and duties on dashboards therein
    • MaPS standards
  • consumer recourse to the Financial Ombudsman Service

PDP/MaPS

  • digital architecture
    • internal complaints process
    • consumer recourse to the Parliamentary and Health Services Ombudsman
  • MaPS dashboard
    • Pension Schemes Act 2021 duties
    • internal complaints process
    • consumer recourse to the Parliamentary and Health Services Ombudsman

UK GDPR

Information Commissioner’s Office

Dashboards, and pension providers and schemes, both operate in regulated spaces, overseen by their regulators: the FCA and TPR.

Who we work with

Money and Pensions Service

PDP is part of The Money and Pensions Service (MaPS), which is required to offer a public service pensions dashboard. This dashboard will be part of MaPS’ MoneyHelper online and offline guidance to help consumers make the most of their pensions, including a retirement planning hub.

MaPS is researching how best to create onward journeys from its dashboard, to support consumers in making decisions once they have viewed their pension information on their dashboard.

While we can do everything possible to minimise any risk to consumers within the pensions dashboards ecosystem itself, we cannot control what consumers do following receipt of information about their pension(s).

Department for Work and Pensions (DWP)

The Department for Work and Pensions (DWP) is responsible for pensions dashboards policy and developed the Pensions Dashboards (Amendment) Regulations 2023. This legislation determines the conditions dashboards will have to meet to be a qualifying pensions dashboard service (QPDS). It also details the requirements of occupational pension schemes, including what data they must send to dashboards.

Financial Conduct Authority (FCA)

Dashboards
In due course, HM Treasury will amend the Regulated Activities Order to introduce a new regulated activity of providing a pensions dashboard to make dashboard providers subject to the Financial Conduct Authority’s (FCA) regulatory framework. The FCA is consulting on its proposed regulatory framework for firms operating pensions dashboard services in parallel to our consultation on design standards.

Existing regulatory frameworks and protections will continue to apply in respect of any other regulated activities that FCA authorised qualifying pension dashboard providers (QPDS) might choose to offer consumers as part of any ‘off-dashboard’ onward journeys.

Pension providers
Providers of stakeholder and personal pensions will be responsible for ensuring that they:

  • find all matching pensions
  • process find data lawfully (the purpose for which they receive it is for matching in accordance with their legal obligation)
  • produce and send correct data to users
  • only send data to a user-authorised dashboard

The FCA has enforcement and supervisory roles in relation to these pension providers’ compliance with duties in respect of the operation of pension schemes. It has consulted on and now made the final rules setting out the dashboard connection and data provision requirements for personal and stakeholder pension providers.

Some pension providers may choose to outsource their duties to connect to the pensions dashboards ecosystem to an integrated service provider (ISP). However, all the responsibilities for compliance remain with the pension provider, as the data controller and regulated entity.

The Pensions Regulator (TPR)

The trustees of occupational pensions schemes will be responsible for ensuring that they:

  • find all matching pensions
  • process find data lawfully (the purpose for which they receive it is for matching in accordance with their legal obligation)
  • produce and send correct data to users
  • only send data to a user-authorised dashboard

The Pensions Regulator (TPR) has enforcement and supervisory roles in relation to these pension schemes’ compliance with duties in respect of the operation of pension schemes, and is consulting on its proposed compliance and enforcement policy.

Some pension schemes may choose to outsource their duties to connect to the pensions dashboards ecosystem to an integrated service provider (ISP). However, all the responsibilities for compliance remain with the pension scheme, as the data controller and regulated entity.

Information Commissioner’s Office (ICO)

Using a pensions dashboard will involve the transfer of small amounts of an individual’s personal data between dashboards and data providers, which will all take place within the parameters permitted by UK General Data Protection Regulation (UK GDPR). The number of individuals using dashboards will create the scale.

Pension providers and schemes are identified as data controllers under UK GDPR. They are responsible for ensuring their members’ data is accurate, up-to-date, and not disclosed without member authorisation. The pension provider or scheme is responsible for setting its matching criteria and for the management of risk of mismatching, and for returning the correct data to the user at their dashboard. Similarly, dashboard providers are data controllers under UK GDPR when they display the view data returned by the pension providers and schemes.

The Pension Schemes Act 2021 makes clear the primacy of UK GDPR and that duties on pension schemes imposed by the regulations do not authorise or require processing of data that would breach data protection legislation. If any parties are found not meeting the requirements to protect individuals’ personal data, they could be subject to Information Commissioner’s Office (ICO) enforcement.

Financial Ombudsman Service

The Financial Ombudsman Service (FOS) was set up to help consumers resolve problems with regulated financial businesses. It has the power to help if dashboard providers (except for the Money and Pensions Service MoneyHelper dashboard) treat consumers unfairly. FOS is a free service and can award compensation up to a significant amount.

FOS can consider complaints about Financial Conduct Authority (FCA)-regulated pension providers and advisers. It will also be able to consider complaints against dashboard providers.

The Pensions Ombudsman

The Pensions Ombudsman offers a free and impartial service to help people resolve their occupational (employment linked) or personal pension scheme disputes. The Pensions Ombudsman can consider and investigate complaints about the maladministration of pension schemes or providers, as well as disputes of fact or law. Where a complaint cannot be resolved informally the Ombudsman may issue a binding determination, for which there is no maximum limit on redress.

While all parties will do all they can to protect consumers using pensions dashboards, it is not possible to eliminate risk entirely. Responsibility for the actions or decisions consumers make using the information displayed on a pensions dashboard rests with the consumer (as our design standards will make clear). However, the Financial Ombudsman Service (FOS) and the Financial Conduct Authority (FCA) may still have an interest in the quality of financial advice a user receives.

Financial Services Compensation Scheme (FSCS)

The Financial Services Compensation Scheme (FSCS) provides compensation for consumers when firms have gone out of business. Generally, FSCS can protect and pay compensation for:

  • pensions provided by UK-regulated insurers who fail, if the pension qualifies as a ‘contract of long-term insurance’ (eg an annuity)
  • investments held within a personal pension (eg a self-invested personal pension, also known as a SIPP) where the UK-regulated provider of the investment fails
  • bad advice concerning a pension given by UK-regulated financial advisers who have gone out of business

UK GDPR

UK General Data Protection Regulation (UK GDPR) applies to the movement, processing and storage of personal data. Dashboards will involve personal information being processed at scale. PDP is creating the pensions dashboards ecosystem, standards and processes with these data protection principles at its heart. It applies data protection by design principles as an integral approach to all ecosystem design processes and components, including the central digital architecture, dashboards, and pension providers and schemes’ interfaces to the ecosystem.