The Pensions Regulator’s long awaited General Code was laid before Parliament on 10 January 2024. The Regulator says, in the accompanying press release, that the Code is expected to come into force on 27 March 2024.
The General Code amalgamates 10 of the Regulator’s 16 codes of practice, so much of the content will be familiar. It does not include the existing codes on funding (which is due to be re-issued in revised form later this year), modification of subsisting rights, notifiable events, material detriment or the specialist codes of practice for master trusts and collective defined contribution schemes.
The General Code also sets out the Regulator’s views on the policies and processes that trustees should have in place to comply with their statutory duty to have effective systems of governance in place, and on the frequency with which trustees should review those processes to ensure that they remain appropriate.
Status of the Code
As with other Regulator codes of practice, the General Code is not a statement of legal duties. Whilst it does summarise some statutory requirements, it mainly sets out the Regulator’s expectations in relation to scheme governance.
There is no specific penalty for failing to comply with those elements of the Code that do not represent statutory requirements, and the Regulator acknowledges that it is not necessary to follow all parts of any code of practice in all circumstances.
In addition, governance processes must be proportionate to the size, nature and complexity of the scheme, so there is flexibility for trustees to work out how they intend to comply with their relevant legal duties, taking account of the contents of the Code.
Key content
The Code is structured using five main headings, which are in turn broken down into a total of 51 modules. Whilst much of it will be familiar because it restates existing codes or guidance, trustees should be aware that there are new requirements in there.
The Code is 171 pages long and covers a lot of ground, but some of the key points to note are:
- Effective system of governance (ESOG): Section 249A Pensions Act 2004 requires trustees to “establish and operate an effective system of governance including internal controls… [which is] proportionate to the size, nature, scale and complexity of the activities of the… scheme". This applies regardless of scheme size, although certain types of scheme are exempt, such as authorised master trusts and CDC schemes. The Regulator is obliged by statute to issue a code of practice in relation to this requirement.
The General Code identifies specific areas of governance, including policies and processes, that need to be addressed to ensure that trustees comply with their obligation to have an ESOG (see page 69 onwards). Trustees should also have a policy for the review of each element of the ESOG at least every three years.
- Own risk assessment (ORA): Trustees of schemes with 100 or more members should carry out an assessment of how well the ESOG is working, and the way potential risks are managed. This is referred to as an “ORA”. The ORA needs to be in writing and signed off by the chair of trustees. The first ORA should be completed within 12 months of the end of the first scheme year starting after the General Code comes into force or, if later, either 15 months from the date on which next actuarial valuation is due or the due date for the next chair’s statement. Subsequent ORAs should be carried out at least every three years, but not all elements of the ESOG need to be assessed at the same time. The General Code sets out specific matters that should be addressed by the ORA.
Although trustees may have processes to review governance in place, they are unlikely to comply with all of the ORA requirements and will need to be reviewed.
- Trustee board: The Code suggests that trustees should have a number of policies and processes in place around appointment and removal of trustees including a succession plan, processes to deal with temporary and extended absenteeism and a resignation and removal policy. Trustee meetings should be at least quarterly and it should be clearly understood who has responsibility for the agenda.
One new expected element of governance for schemes with 100 or more members is a remuneration policy dealing with the remuneration paid by trustees to anyone who effectively runs the scheme, carries out key functions, or whose activities materially impact the scheme’s risk profile. The policy should include an explanation of the decision-making process for the levels of remuneration, and why these are considered appropriate. It should generally be reviewed annually. However, there is no longer any expectation that the policy will be published.
The Code restates the Regulator’s expectations around trustee knowledge and understanding. They have not been extensively revised but new elements have been added to reflect measures introduced elsewhere such as familiarity with the remuneration policy, ORA and cyber security policies and there is a new expectation that trustees will have an awareness “of diversity and inclusion on investment decisions, such as if scheme investments are aligned with member’s responsible investment preferences or religious beliefs”.
Trustees should also have agreed and documented policies for making appointments to the scheme and should review the performance of advisers and service providers against the objectives set for them.
- Investment and funding: Despite the title of this section, it focusses entirely on investment. Key points to note include an expectation that trustees will identify any investments not traded on a regulated market, and will document why such investments are being used and how they fit in with the agreed investment objectives. There are also expectations around stewardship, including identifying rights attached to investments, considering the approach to voting and engagement and monitoring and regularly reviewing investment managers’ stewardship practices.
- Scheme administration: Trustees should have “sufficient knowledge” of administration and understand the scope of the administrator’s responsibilities and tasks. Administration should be a standing agenda item at trustee meetings.
The Code also deals with governance in relation to record keeping, IT systems and cyber-security. Trustees should have evidence that their IT system can meet current and anticipated requirements. They should also have policies in relation to the use of devices, controls on data, assessing whether breaches need to be reported to the Information Commissioner and a cyber-incident response plan.
- Reporting to the Regulator: The Regulator has noticed that the registrable information schemes are required to provide is often only updated following the issue of a scheme return notice. However, the statutory requirement is for it to be updated as soon as reasonably practicable. As a result, the Code says that updates to such information should be made “at the very latest within five working days of the [trustees] becoming aware of the change”. The Regulator notes in its response to consultation that there are circumstances where a longer period may be reasonable, or where five days may be too long.
The Code also includes the Regulator’s expectations in relation to whistleblowing. However, the Regulator says that it expects these provisions to be updated shortly.
What next?
Compliance with the Code need not be a tick box approach. There is scope for trustees to consider what policies and processes they actually need to ensure that their scheme is well-governed. In addition, where trustees have already reviewed the governance processes that their scheme needs, it may be that initial compliance with the General Code may not be as onerous as they expect.
Trustees will need to identify any additional governance requirements expected by the Regulator and consider what a proportionate approach to them would be.
They also need to identify what the deadline is for their first ORA and put in place a timetable for completing it. This will involve identifying all of the existing governance processes that will need to form part of it. There is guidance on what should be covered and how to go about an ORA in the risk management and scheme governance sections of the Code.
Although the deadlines for the first ORAs are more than two years away, it will represent quite a lot of work, and is something that should be scoped out now so that it can be tackled in an orderly and efficient manner over time.
