Terms of Reference of the Pensions Board is as follows:
(i) The Pensions Board will be chaired by a member chosen by the group
(ii) The frequency of the Pensions Board will be determined by the Board.
(iii) Reports to the Board will either reflect decisions taken by Pensions Committee or
be reports for noting already seen by Pensions Committee.
(iv) The role of the Board will be to assist London Borough of Hillingdon Administering
Authority as Scheme Manager: to secure compliance with the LGPS regulations
and any other legislation relating to the governance and administration of the
LGPS;
(v) To secure compliance with requirements imposed in relation to the LGPS by the
Pensions Regulator; and in such other matters as the LGPS regulations may
specify.
(vi) To secure the effective and efficient governance and administration of the LGPS for
the London Borough of Hillingdon Pension Fund.
(vii) To provide the Scheme Manager with such information as it requires to ensure
that any member of the Pension Board or person to be appointed to the Pension
Board does not have a conflict of interest. (NB: Being a member of the LGPS is
not seen as a conflict of interest.)
1
Agenda
PART I
1. Apologies for absence
2. Election of temporary chairman for the meeting (representation rotated)
3. Declarations of Interest and any Conflicts of Interest
4. Minutes of meeting held 30 April 2019
5. Exclusion of Press and Public
To confirm the items of business marked Part I will be considered in public and that
items marked Part II will be considered in private
6. Training and discussion item – Discretionary Powers
7. Administration update
8. Data Improvement Plan Discussion
9. Reporting Breaches Policy Review
10. tPR Checklist review & focus on E – managing risk and internal control and H –
Providing information to members and others
11. Update on Cyber Security controls and data mapping
12. Work programme 2019
PART II
13. Review of Pension Committee Reports
14. Administration Strategy Policy Review
2
15. Breaches Log
Members of the board are asked to bring their copy of the Pensions Committee agenda of 17 July 2019 to the meeting
3
Minutes
PENSIONS BOARD
30 April 2019
Meeting held at Committee Room 4a - Civic Centre, High Street, Uxbridge UB8 1UW
Employer Representatives:
Zak Muneer and Hayley Seabrook Employee Representatives: Roger Hackett and Tony Noakes
Apology for Absence: None
Also Present: Mary Lambe (AON Hewitt)
LBH Officers Present: Sian Kunert (Head of Pensions, Treasury and Statutory Accounts), Tunde Adekoya (Pension Fund Accountant), Seby Carvalho (Pension Fund Technical Officer) and Olivia Richards (Pension Fund Administration)
ELECTION OF TEMPORARY CHAIR (Agenda Item 2) Roger Hackett was elected to chair this meeting. The chair will rotate throughout the year with equal distribution of employer and employee representation.
DECLARATIONS OF INTEREST AND ANY CONFLICTS OF INTEREST (Agenda Item 3)
No conflicts of interest were declared.
MINUTES OF THE MEETING HELD ON 8 FEBRUARY 2019 (Agenda Item 4)
There was one typo to the minutes on the Cyber security accreditation which should have stated ISO27001. Agreed as an accurate record. Board members asked for an update on cyber security. It was suggested the ICT team would present at a future board meeting and data mapping be completed to assess next steps. It was noted the risk on cyber security on the risk register had been updated.
EXCLUSION OF PRESS AND PUBLIC (Agenda Item 5) That Agenda Item 13 be considered in private for the reasons stated on the agenda.
TRAINING AND DISCUSSION ITEM – REPORTING BREACHES OF
LAW (Agenda Item 6)
4
Board members received a training item on The Pension Regulator’s Code of Practice and Breaches. The first section of the training item covered the role of the Pensions Regulator, noting movement into public sector pensions in 2015, and explained the Code of Practice 14. The main objectives for the legislation is to promote and improve the understanding of good administration of work-based pensions to protect member benefits. It was noted the regulator is concerned with what is has been seen to date in the LGPS. Discussions were positive that the fund discuss the TPR compliance checklist at each meeting but it is worth an external overview in addition to self assessment. Direct links for board from code 14 include Knowledge and understanding, Conflicts of interest and Reporting breaches. Discussions took place relating to TPR data collection as data is a primary area of concern, through surveys and league tables and it lead to discussion regarding comparison of the two software suppliers within the LGPS as each supplier returns a different output for the common and specific data returns in October 18 across funds. Members were concerned with the authenticity of other funds data who claim to have higher scores of compliance. Members discussed the enforcement powers that have been extended to the TPR. The second part of the training item covered breaches of the law. It is the legal duty of the administrators of the scheme to ensure that the regulators processes and procedures are being complied with. The fund should have in place a Breaches Policy which is states the legal requirements and who breaches should be reported to. This is required to be updated every 3 years. The fund should also have a Breaches Procedure in place to operate in conjunction with the Breaches Log. The policy and procedure can be a single document. All breaches are required to be recorded on to an internal breaches log. Members were given an example showing a traffic light framework of what should be reported to the regulator, examples of possible breaches and a decision tree on possible outcomes on what should be reported. Roger raised the concern over lack of knowledge as to when a breach may have occurred to ensure compliance with reporting of breaches. Discussion took place that having a procedure and log in place with regular reporting was essential with the breaches log to be included in committee and board papers. Board’s control over reporting breaches includes formulation of procedures and discussion over levels of communication to help ensure governance in this area. It was confirmed the fund has a published policy in place on the website, however the breaches log needs updating and reporting regularly. It was agreed that the policy be reviewed at the next board meeting in September to ensure it is complete and comprehensive. It was suggested examples may be helpful in the policy/procedure. Officers noted the breach reported by Hillingdon to the regulator stated in agenda item 7 linking to the traffic light system on reportable or
SK SK
5
recordable breaches. AON to send on a number of recent article and slides to support the boards increased knowledge.
AON
ADMINISTRATION UPDATE (Agenda Item 7) Board members received information relating to a recent meeting at SCC. Members were informed of a new Lead Manager who has a similar philosophy in service expectations to the Hillingdon team and is eager to make improvements. Concern was raised that the regulator wants funds to have data improvement plan in place. It was noted that there is a current data improvement plan in place held by SCC as data administrator however it is not as useful as it could be and this is being revised. There are 4 different work schemes to help improve our data quality. It was agreed the data improvement plan be brought to board in September. Members suggested there may be more information that can come to them to show progress in data cleansing and clearance of backlog work. Progress made by other schemes were also considered Officers said they were happy to include more information and present a report showing the progress at the next meeting. The contract management with SCC was discussed, as a delegated service there are a number of areas that lack clarity and detail however all required resources to action a comprehensive administration function are funded by the pension fund due to the changing regulatory environment and complexity of data.
Zak raised a concern over the complexity of the year end reporting spreadsheet for end of year data which employers are required to compile before the 30th April each year. It was noted that not all fields are relevant to all individuals but all fields are necessary for production of the ABS. The discussion then moved to a potential future solution called iconnect, which would allow year end reporting to be completed on a monthly basis to reduce workload at year end. Thus controlling data input from the onset. SCC doesn’t currently have this software but are
investigating and officers noted there could be problems with this option. It was discussed that further training could be provided to employers at year end to help support employers with this data capture. As part of the agenda pack there was a copy of the annual pensioner letter for information. This is the only communication with pensioners and considered to be the annual newsletter by SCC, officers and board members agreed this was insufficient. Officers will discuss the quality of communications with members once the SCC team has been expanded to enable focus on education and communication. It was noted the letter should have been approved by Hillingdon before distribution.
SK SK
6
SPECIFICS OF THE LGPS – 85 Year Rule and 50/50 Scheme (Agenda
Item 8) Board members were provided with a synopsis of what the Rule of 85 means and the eligibility criteria plus updates on 50/50 Option and Auto enrolment uptake. Members found this item an interesting topic. The calculation to determine eligibility for the Rule of 85 is age plus LGPS membership. This is only valid to member of the LGPS at anytime between 1 April 1998 and 30 September 2006. Auto re-enrolment took place on 1 April 19 this resulted in 232 employees being enrolled into the scheme. To date 113 employees have opted out since the auto enrolment. Members discussed possible reasons as to why employees may opt out. Officers suggested that the common trend of employees who do opt out are either young or low earners e.g. apprentices. Members have requested for an updated figure for opt out employees at the next board meeting in September. The 50/50 scheme currently has 32 employees, many of which tend to be higher earners. Members discussed further the advantages of the pension scheme.
SC
TRAINING POLICY AND TRAINING NEEDS (Agenda item 9) Members received a revised version of the Pensions Fund Training Policy in advance of approval at the Pensions Committee in July 19. Members unanimously agreed that the policy benefits the Pension Committee, local Pension Board members and Senior Officers by way of ensuring the fund is managed by individuals with the appropriate level of knowledge and skills. Therefore it was agreed that the training priorities suggested in the report be adopted and used for future training of Board Members.
RISK MANAGEMENT POLICY (Agenda item 10) Members received a revised version of the Risk Management Policy to review in advance of the Pensions Committee in July 19. Members are in agreement with the revised version as climate change and cyber security have both been added to the Policy to reflect the importance of the issues and to ensure that they are actively managed.
TPR CHECKLIST REVIEW – Focus C – Conflicts of Interest and D –
Publishing Information (Agenda Item 11)
Members discussed the report provided on conflicts of interest and publishing information compliance areas within the pensions regulator checklist. Twelve out of the fourteen items are fully compliant, whilst two are partially compliant. Officers explained to members that they are currently reviewing and improving the necessary information needed to be fully compliant.
7
WORK PROGRAMME 2019 (Agenda Item 12)
The Board discussed work flow items in the upcoming work plan. Members requested for the data improvement plan to be added to the specific topics covered in September.
The scheme completing an annual survey to the Pensions regulator and the Board have requested to view this. Communications issued by various bodies that intended for circulation to Chairs of Pensions Boards for a trial period to be sent to Roger Hackett to ensure board receive.
REVIEW OF PENSION COMMITTEE REPORTS (Agenda item 13) This item was discussed as a Part II item without the press or public present as the information under discussion contained confidential or exempt information as defined by law in the Local Government (Access to Information) Act 1985. This was because it discussed ‘information relating to the financial or business affairs of any particular person (including the authority holding that information)’ (paragraph 3 of the schedule to the Act).
The Board was provided with the agenda for the last Pensions Committee which took place on 20 March 2019.
The Board noted the reports and decisions made at Pensions Committee that papers were clear. Hayley was in attendance at the Pensions Committee. Board noted that there had been a decrease in funds during Q4 in line with the market correction, since then the
position had recovered.
AOB Members asked if the pension fund is sufficiently resourced. Officer’s advised they
were looking into potentially bringing a temporary resource to help with governance and compliance across administration and investments and would keep the board updated. Board members requested that Roger be set up as the LGA point of contact for Chair of the pension’s board to ensure the board receives all communication intended for
them.
The meeting, which commenced at 3.00 pm, closed at 4.53 pm.
These are the minutes of the above meeting.
8
Pensions Administration Report Item 7
Committee Local Pensions Board
Contact Officers Sian Kunert, Finance
Papers with this report Hymans Good Governance review report
REASON FOR ITEM To inform the Pension Board of administration developments and recent Communications with scheme members and scheme employers. INFORMATION Self Service membership update As at 27 August 2019 there were 4,337 scheme members registered for the online member self service portal “mypensiononline”. Table below shows breakdown of registered members by category. Sign up to mypensiononline
Membership Category
Total Membership Numbers
Registered online for Self service 31.03.2019
Registered online for Self service 25.06.2019
Registered online for Self service 27.08.2019
Active 9,136 2,689 2,713 2,741
Deferred 9,946 767 878 1,127
Pensioners 6,722 388 425 469 All figures as at 27 August 2019
Annual Benefit Statements Annual Benefit Statements have been produced and issued; more information will be provided verbally on the day. Employers were sent information from SCC which included wording for a news items on internal web pages, FAQ’s and a youtube video explaining the ABS to help members access and understand their statements.
9
Annual Allowance SCC have been successful in achieving early completion, in advance of the 6 October deadline, to communicate with individuals of a breach in annual allowance limits with a pensions saving statement. Communications from the Hillingdon team were sent out on 26 July to senior officers or those identified as potential cases, with an information sheet as to what Annual allowance is, to help increase member knowledge in this area before letters were received. A training item will also be set up in October/November to help senior officers better understand this important tax issue. SCC issued letters to 41 affected members between 24-29 July advising further action was needed where the individual was subject to Tapered allowance or provision of their pensions saving statement where a calculation could be made. The fund was also informed of 13 other members who had been identified but discounted from breaching the limit. Opt out’s from Auto enrolment The Council sent out Auto Enrolment letters to 226 employees. Due to the requirement to refund collected contributions of opt out’s made within 3 month time limit, opt outs were tracked up to 30/06/2019. Within the 3 month period there were 117 opt outs on it but there will be few more who would have opted out after 30/06/2019. Of the opt outs we have 75 females and 42 males. That left 109 members who opted to stay in the scheme as at 30/06/2019. TpR and other statutory returns A declaration was made to the TpR on 23/04/2019 informing the regulator that the Council had complied with auto-enrolment. In addition to this return the fund is required annually to report to the TpR its data score. This will be actioned by SCC when the data Score information is available – likely to be October. As well as the TpR returns the fund also annually completes the following
SF3 return - from Ministry of Housing, Communities and Local Government that was submitted by Hillingdon team in August
NFI - submitted by Surrey CC in September\October
OPSS Occupational Pension Scheme Survey - from Office of National Statistics, receive this in September every year. Reports submitted by Surrey CC
10
Good governance in the LGPS report Hymans were appointed by the Scheme Advisory Board (SAB) to facilitate a review of governance structures for the LGPS. The report was designed to examine the effectiveness of the LGPS governance models and to consider alternatives. The report was delivered to the SAB on 8 July and a copy has been attached to these papers. The report recommends introducing key benchmarks to assess each fund, to set minimum standards for funds rather than a prescribed governance structure; enhanced training requirements for S151 officers and pensions committees to align more with Pension Board training requirements; and an update to relevant guidance to enhance sign posting. Triennial Valuation Hymans are making good progress with the triennial valuation. Data was provided by SCC by the agreed deadline of 31 July 2019, with all critical errors cleared prior to sending. There is a significant improvement in data quality from the past two valuations. Hymans have completed a number of modelling reports to help senior management feed into assumptions used within the valuation. Hymans plan to present to Pensions Committee on 30 October with the full fund valuation results and a revised Funding Strategy Statement for approval by employers. An employer forum is being set up in November to present and issue employer results.
11
Data Improvement Plan - Discussion Item 8
Committee Local Pensions Board
Contact Officers Sian Kunert, Finance
Papers with this report Draft Data Improvement Plan
REASON FOR ITEM To introduce the Pensions Board to the first draft of the Hillingdon Fund Data Improvement plan and discuss further areas of development to the plan and additional areas of focus. RECOMMENDATIONS It is recommended that Local Pensions Board
1) Review the draft plan and suggest areas for improvement and expansion 2) Consider the progress on the data improvement projects 3) Support the next steps suggested
INFORMATION The Pensions Regulator requires schemes to monitor data quality at least annually and put in place a data improvement plan where necessary. Even schemes with good data can experience quick deterioration if controls are not in place. Public sector schemes are required to submit annually their quality of data score distinguishing between
common data – basic data items used to identify members, e.g. National Insurance
number, address, name
scheme-specific data – all the other data you need to run your scheme and
calculate benefits, e.g. employment records
Where a data improvement plan is required it should clearly set out:
the scope of the improvement work
the activities the administrator will undertake as part of the improvement plan
a defined end date within a reasonable timeframe
roles and responsibilities
how progress with be monitored and reported
12
Where data problems are identified, which are not being resolved, the fund would need to consider whether a breach of the law needs to be reported to the regulator.
As administering authority the fund is legally accountable for record keeping; even where the admin functions are delegated, as in Hillingdon’s case to SCC; the ultimate responsibility remains with the fund.
NEXT STEPS
The attached Data Improvement Plan picks up on the project work in progress working through known data issues, as well as the primary areas of concern resulting from the 2018 Data Score process. Details as to how to improve some of these data areas have not yet been established, but are on the plan for progression.
SCC and Hillingdon officers have agreed to work together once the existing data cleanse work has been completed for the triennial valuation process, from mid-September to start to remedy data issues arising from the Data Score.
In addition there will be some areas of improvement that have not yet been identified. It is suggested that AON as Governance adviser review the data improvement plan once SCC and Hillingdon officers have been able to move the draft plan forward from September to ensure a full fund view has been considered in the approach.
Officers will bring the updated improvement plan to future meetings for discussion.
13
London Borough of Hillingdon
Local Government Pension Scheme
Data Improvement Plan
Version 1
July 2019
14
Background
1.1 London Borough of Hillingdon is an employer within the London Borough of Hillingdon Local Government Pension
Scheme (LGPS) and is also the Administering Authority for the scheme.
1.2 Data is used by the Pensions, Treasury and Accounts Team with the day to day administration of Hillingdon LGPS
scheme delegated to Surrey County Council (SCC) under a Section 101 agreement effective from 1 November
2016.
1.3 Extracts of pension records and specific reports are shared appropriately between Employers (including Admitted
and Scheduled bodies), the Hillingdon HR Team, SCC, the funds Actuary Hymans, and the Hillingdon Legal
Advisor.
1.4 Pension data relating to individuals is shared with the relevant employee and/or their nominated representative as
necessary, this includes the production and distribution of the Annual Benefit Statements.
1.5 The Pensions Regulator (tPR) regulate the governance and the administration of public sector pensions, the
objectives of this plan are designed to comply with the current and future tPR standards and requirements.
2 Objectives
2.1 To identify where Hillingdon LGPS pensions data is located, make an assessment of its accuracy, identify any
issues which impact on the ability to run the scheme effectively and put plans in place to correct data as required.
3 Desired Outcomes 3.1 To improve the data set to deliver:
3.1.1 Improved member service, for example reduced processing times for events such as transfers, the calculation of estimates
and the completion of Admission Agreements.
3.1.2 Fewer assumptions having to be made with the valuation data.
3.1.3 Improved and verified data used within Annual Benefit Statements for current and deferred members.
3.1.4 Completion of administrative tasks, for example clearing any backlogs in a timely fashion.
3.1.5 Update documented procedures to reduce the risks of errors recurring.
3.1.6 Compliance to GDPR and other relevant data protection legislation and regulation.
3.1.7 Greater confidence that data is accurate when completing statutory returns
4 Scope and prioritisation.
4.1 The data groups in scope for assessment and potentially for improvement work are:
4.1.1 Active member records.
4.1.2 Deferred member records.
4.1.3 Pensioners records.
4.2 The data groups that will be given priority are: 4.2.1 Unprocessed leavers (i.e. cases where SCC already have the leavers form). 4.2.2 Unprocessed leavers (i.e. cases where SCC require more information and a leavers form from Hillingdon and or Admitted
and Scheduled bodies). 4.2.3 Deferred members where the recalculation of benefits is necessary. 4.2.4 Workflow cases inherited from the previous administration provider. 4.2.5 Active member’s records where data cleansing is assessed as being required.
15
4.2.6 Pensioners records that have been assessment as being impacted by Guaranteed Minimum Pension (GMP) requirements. 4.2.7 Any record identified via the combined Common and Conditional report as required by the tPR.
5 Dependencies 5.1 The completion of the objectives is dependent upon:
5.1.1 The Hillingdon Pension team project managing the actions required to complete the priorities.
5.1.2 Data extracts being made available to the Hillingdon Pension team from SCC using the Altair Pensions Administration
database.
5.1.3 All Employers (including Admitted and Scheduled bodies) responding positively to data queries sent to them in a timely
fashion.
5.1.4 SCC verifying (as far as possible) and correcting pension records following the replies from the Employers.
5.1.5 Agreement with Heywoods being reached to supply the combined Common and Conditional report out of Altair.
6 Timeframes and timelines
6.1 It is intended that the objectives will be completed by 30 September 2020.
6.2 The Pensions Board review and develop this plan at its next meeting 10 September 2019.
6.3 The Pensions Committee to approve this plan at its next meeting on the 30 October 2019.
6.4 Timelines for the individual actions required to complete the objectives are attached as Appendix 1.
7 Resourcing
7.1 The completion of the objectives is dependent upon adequate skilled resources being available from:
7.1.1 The Hillingdon Pension Team.
7.1.2 SCC.
7.1.3 Admitted and Scheduled Bodies.
7.1.4 Actuary (Hymans)
8 Governance and reporting
8.1 This Data Improvement Plan has been proposed and written by the Hillingdon Pension Team with comments
requested from the following stakeholders:
8.1.1 SCC.
8.1.2 Hillingdon Local Pensions Board.
8.1.3 Actuary (Hymans).
8.2 This Data Improvement Plan will be approved by the Pensions Committee and reviewed and monitored regularly by the
Pensions Board.
8.3 Progress with the individual actions will be monitored by the Hillingdon Pensions Team and SCC at their quarterly Liaison
meetings.
8.3.1 The SCC team will be responsible for writing the minutes of the liaison meetings and allocating the subsequent actions.
8.3.2 Stakeholders allocated actions will be responsible for the delivery of the agreed action by the agreed target date.
8.4 Progress monitoring reports will be written by the Hillingdon Pension Team and presented to the Pensions Board quarterly
and the Pensions Committee twice per year.
16
9 Fraud Controls to note
9.1 Mortality screening
9.2 Overseas pensioner death certification
9.3 NFI
17
Appendix 1
Timelines for individual actions required to complete the objectives
No Action Area Activities to resolve Action Lead Support Planned completion date
Queries % Complete
1. Unprocessed leavers (i.e. cases where SCC already have the leavers form).
See project update in Appendix 4
SCC Hillingdon
2. Unprocessed leavers (i.e. Orbis require more information and a leavers form from Employer HR).
See project update in Appendix 4
Hillingdon SCC
3. Recalculation of existing deferred benefits.
SCC Hillingdon
4. Workflow cases inherited from the previous provider.
SCC Hillingdon
5. 2019 Valuation critical errors
Triennial Valuation project. Data cleanse to ensure all critical clear prior to update to Hymans. Data queries sent to employers for resolution prior to valuation submission and ABS production for March 19
GMP reconciliation project initiated June 2018. Project update see Appendix 4.
SCC & JLT
Hillingdon GMP population 26,263
Matched 28/06/2019 21,845
18
7. Heywood’s combined Common and Scheme Specific report
See Appendix 2 for more detail on scoring and prioritisation for
improvement areas.
Data as at Nov
2018
7a. Address tracing 7,496
7b. Member benefits - Transfer in details 1
1,913
7c. Member benefits - Tranches of Original deferred benefit
1,461
7d. Members Details – Salary 2,861
7e. CARE Data 2,064
7f. Contracted Out - NI Contributions / Earnings History
1,054
7g. Contracted Out - Pre 88 GMP 663
7h. Contracted Out - Post 88 GMP 1,132
19
Appendix 2
Summary of Common Data Results November 2018
79.0% of member records do not have a single common data failure.
Data Area Pass rate
Cases with errors
Focus areas
NI number 95.5% 2,144 Amber
Name 100.0% 0 Green
Sex & DOB 100.0% 2 Green
Date Commenced and NRD 100.0% 1 Green
Status 100.0% 0 Green
Status & Invalid Data View 99.8% 121 Amber
Address 84.4% 7,496 Red
Status & Valid Data View 99.3% 352 Amber
Summary of Scheme Specific Data Results November 2018
79.9% of member records do not have a single scheme-specific data failure.
Data Area Pass rate
Cases with errors
Focus areas
Member Benefits 86.4%
Divorce details 100.0% 0 Green
Transfer in details 1 28.5% 1,913 Red
Transfer in details 2 84.6% 411 Amber
AVC details 99.7% 4 Amber
Total Original Deferred Benefit 96.5% 245 Amber
Tranches of Original deferred benefit 79.0% 1,461 Red
Total Gross Pension 99.8% 13 Amber
Tranches of Pension 91.9% 469 Amber
Total Gross Dependant Pension 99.4% 6 Amber
Tranches of Dependant Pension 86.4% 129 Amber
Member Details 96.9%
Date of Leaving 99.9% 18 Amber
Date joined scheme 100.0% 1 Green
Employer details 100.0% 1 Green
Salary 87.6% 2,861 Red
Contributions 92.0% 1,997 Amber
Leavers 99.8% 30 Amber
Service 99.8% 56 Amber
CARE Benefits 85.0%
CARE Data 85.0% 2,064 Red
CARE Revaluation 100% 0 Green
HMRC 97.1%
BCE 2 100.0% 1 Green
BCE 5 100.0% 2 Green
BCE 6 96.2% 122 Amber
BCE7 37.5% 5 Amber
BCE8 100.0% 0 Green
LTA Charge Paid 99.9% 4 Amber
AA Charge 93.3% 624 Amber
Contracted Out 91.0%
Date Contracted Out 97.2% 682 Amber
NI Contributions / Earnings History 82.8% 1,054 Red
Pre 88 GMP 80.2% 663 Red
Post 88 GMP 78.9% 1,132 Red
Note
Focus area of Red if % less than 90% and over 500 cases impacted.
20
Appendix 3
Status 2 Project details and progress
Backlog Status 2 Number at project outset
2439
Progress
Progress date
Cases Sent to JLT
Cases to be processed
Case sent for internal query
Case queried passed to client
Cases Processed
(Waiting to be checked)
Cases checked & Completed
07/06/2019 1352 768 n/a n/a 557 27
06/07/2019 1826 292 133 614 307 480
12/07/2019 1940 143 215 606 212 764
19/07/2019 2028 58 119 666 246 939
02/08/2019 2124 20 42 686 122 1254
09/08/2019 2124 1 50 692 35 1346
21
Appendix 4
GMP Project and progress update
GMP Rec Population
26,263
Executive Summary
1 Data Gathering commenced. We have 9 resource lined up to complete the gathering as far as possible within the timeframe we have left with HMRC, so will concentrate our efforts on the completion of the Membership data gathering that will have the most impact on the overall Fund liability.
2 Initial Query logs have been uploaded
3 HMRC turnaround times are currently 4 months.
Tasks Completed
1 All initial Phase 1 analysis completed
2 Bulk analysis has been completed
4 Data gathering continues and moves cases from one category to another although doesn’t affect totals
2 All current client referral files have been returned
3 We are continuing to data gather, and are now closer to matching or querying with you remaining records
4 HMRC have returned many responses and we are currently working through them
5 Decisions made at the workshop will close off a number of cases going forward
Date Matched Not on NISPI Not on Admin NISPI Type 5&7's Multiple Service GMP Queries
20/09/2018 12,422 4,286 567 262 2,679
05/10/2018 14,517 4,286 567 3 2,679
31/10/2018 13,438 4,286 567 3 2,679 1,089
23/11/2018 16,646 4,286 567 3 2,679 1,089
10/12/2018 16,646 4,286 567 3 2,679 1,089
20/12/2018 16,646 4,286 567 3 2,679 975
10/01/2019 16,646 4,286 567 3 3,070 975
24/01/2019 16,646 4,286 1,141 3 3,070 975
08/02/2019 16,646 4,286 1,141 3 3,070 969
22/02/2019 16,888 4,286 1,141 4 3,070 969
08/03/2019 16,888 4,286 948 4 3,070 969
22/03/2019 16,888 4,286 949 4 2,162 969
05/04/2019 16,969 4,268 848 0 2,162 868
18/04/2019 17,818 3,485 848 0 2,179 828
03/05/2019 17,865 3,485 827 0 2,231 828
17/05/2019 19,664 1,919 500 37 449 842
31/05/2019 20,602 1,024 260 3 238 858
14/06/2019 21,001 1,013 260 3 235 932
28/06/2019 21,845 293 262 3 240 939
31/07/2019 22,310 278 58 3 4 956
Summary position 31/07/2019
Total Population 26,263. To resolve 1,299.
True Membership issues - NOA, NON, Multiple, NISPI Type 5/7 – 343 – 1.31% outstanding
True GMP Discrepancies – 956 - 3.64% outstanding
22
Reporting Breaches Policy Item 9
Committee Local Pension Board
Officer Reporting Sian Kunert, Finance
Papers with report Draft Revised Reporting of Breaches Policy
SUMMARY
This covering report supports the revision of the Hillingdon Pension Fund policy for reporting breaches of the law which was last approved by Pensions Committee in September 2015.
RECOMMENDATIONS:
That the Pensions Board 1) review and note the changes to report2) suggest any areas of further revision.
SUPPORTING INFORMATION
As part of the work undertaken to set up the Local Pensions Board 2015, an initial review of the Pension Regulator's Code of Practice was undertaken, which identified several areas where a review of policies and procedures is required. The most urgent issue was that the Fund did not have a policy to report breaches of the law. With the assistance of AON Hewitt, a draft procedure was developed, approved and published in September 2015. The policy clearly sets out the process and the responsibilities for reporting breaches of the law. The responsible officer for the London Borough of Hillingdon Fund is the Head of Pensions Treasury and Statutory Accounts.
The policy is still compliant and up to date with regards the legislation, minor tweaks have been made throughout to amend the departmental restructure from when this report what approved.
The draft revised policy attached to this report and will go to Pensions Committee for approval in October.
23
London Borough of Hillingdon Pension Fund
Procedure for Reporting Breaches of the Law
Introduction
This document sets out the procedures to be followed by certain persons involved with the London Borough of Hillingdon Pension Fund, the Local Government Pension Scheme managed and administered by the London Borough of Hillingdon, in relation to reporting breaches of the law to the Pensions Regulator.
The London Borough of Hillingdon, as Administering Authority, has delegated responsibility for the implementation of these procedures to the Deputy Director Strategic FinanceHead of Pensions, Treasury and Statutory Accounts.
Breaches can occur in relation to a wide variety of the tasks normally associated with the
administrative function of a scheme such as keeping records, internal controls, calculating
benefits and making investment or investment-related decisions.
This Procedure document applies, in the main, to:
all members of the Pensions Committee and the Local Pension Board all officers involved in the management of the Pension Fund including members of the
London Borough of Hillingdon Pensions, Treasury and Statutory Accounts Strategic Finance Service and the Corporate Director of Finance
any professional advisers and third party suppliers including auditors, actuaries, independent advisers, third party administrators, legal advisers and fund managers
officers of employers participating in the London Borough of Hillingdon Pension Fund who are responsible for pension matters.
The next section clarifies the full extent of the legal requirements and to whom they apply.
Requirements
Pensions Act 2004
Section 70 of the Pensions Act 2004 (the Act) imposes a requirement on the following persons:
a trustee or manager of an occupational or personal pension scheme a member of the pension board of a public service pension scheme a person who is otherwise involved in the administration of an occupational or personal
pension scheme the employer in relation to an occupational pension scheme a professional adviser in relation to such a scheme a person who is otherwise involved in advising the trustees or managers of an occupational
or personal pension scheme in relation to the scheme, to report a matter to The Pensions Regulator as soon as is reasonably practicable where that person has reasonable cause to believe that:
(a) a legal duty relating to the administration of the scheme has not been or is not being complied with, and
(b) the failure to comply is likely to be of material significance to The Pensions Regulator.
Formatted: Font: (Default) Arial, Not Bold
24
The Act states that a person can be subject to a civil penalty if he or she fails to comply with this requirement without a reasonable excuse.
The duty to report breaches under the Act overrides any other duties the individuals listed
above may have. However the duty to report does not override ‘legal privilege’. This means
that, generally, communications between a professional legal adviser and their client, or a
person representing their client, in connection with legal advice being given to the client, do
not have to be disclosed.
The Pension Regulator's Code of Practice
Practical guidance in relation to this legal requirement is provided in The Pension Regulator’s
Code of Practice including in the following areas:
implementing adequate procedures judging whether a breach must be reported submitting a report to The Pensions Regulator whistleblowing protection and confidentiality.
Application to the London Borough of Hillingdon Pension Fund
The London Borough of Hillingdon has developed this procedure which reflects the guidance
contained in The Pension Regulator’s Code of Practice in relation to the London Borough of
Hillingdon Pension Fund and this document sets out how the Council will strive to achieve
best practice through use of a formal reporting breaches procedure.
Training on reporting breaches and related statutory duties, and the use of this procedure is
provided to Pensions Committee members, Pension Board members and key officers involved
with the management of the London Borough of Hillingdon Pension Fund on a regular basis.
Further training can be provided on request to the Head of Pensions, Treasury and Statutory
AccountsDeputy Director Strategic Finance.
London Borough of Hillingdon Pension Fund Reporting Breaches Procedure
The following procedure details how individuals responsible for reporting and whistleblowing
can identify, assess and report (or record if not reported) a breach of law relating to the London
Borough of Hillingdon Pension Fund.
It aims to ensure individuals responsible are able to meet their legal obligations and avoid
placing any reliance on others to report. The procedure will also assist in providing an early
warning of possible malpractice and reduce risk.
1. Clarification of the law
Individuals may need to refer to regulations and guidance when considering whether or not to
report a possible breach. Some of the key provisions are shown below:
Section 70(1) and 70(2) of the Pensions Act 2004: www.legislation.gov.uk/ukpga/2004/35/contents
Employment Rights Act 1996: www.legislation.gov.uk/ukpga/1996/18/contents
Occupational and Personal Pension Schemes (Disclosure of Information) Regulations 2013 (Disclosure Regulations): www.legislation.gov.uk/uksi/2013/2734/contents/made
The Pensions Regulator’s Code of Practice: http://www.thepensionsregulator.gov.uk/codes/code-governance-administration-public-service-
pension-schemes.aspx In particular, individuals should refer to the section on ‘Reporting breaches of the law’, and for information about reporting late payments of employee or employer contributions, the section of the Code on ‘Maintaining contributions’.
Further guidance and assistance can be provided by the Head of Pensions, Treasury and Statutory AccountsDeputy Director Strategic Finance, as long as requesting this assistance will not result in alerting those responsible for any serious offence (where the breach is in relation to such an offence).
2. Clarification when a breach is suspected
Individuals need to have reasonable cause to believe that a breach has occurred, not just a
suspicion. Where a breach is suspected the individual should carry out further checks to
confirm the breach has occurred.
Where the individual does not know the facts or events, it will usually be appropriate to check with the Head of Pensions, Treasury and Statutory Accounts Deputy Director Strategic Finance at the London Borough of Hillingdon, a member of the Pensions Committee or Pension Board or others who are able to explain what has happened. However there are some instances where it would not be appropriate to make further checks, for example, if the individual has become aware of theft, suspected fraud or another serious offence and they are also aware that by making further checks there is a risk of either alerting those involved or hampering the actions of the police or a regulatory authority. In these cases The Pensions Regulator should be contacted without delay.
3. Determining whether the breach is likely to be of material significance
To decide whether a breach is likely to be of material significance an individual should consider
the following, both separately and collectively:
cause of the breach (what made it happen)
effect of the breach (the consequence(s) of the breach)
reaction to the breach
wider implications of the breach.
Individuals may also request the most recent breaches report from the Head of Pensions,
Treasury and Statutory AccountsDeputy Director Strategic Finance, as there may be details
on other breaches which may provide a useful precedent on the appropriate action to take.
Further details on the above four considerations are provided in Appendix A to this procedure.
The individual should use the traffic light framework described in Appendix B to help assess
the material significance of each breach and to formally support and document their decision.
A decision tree is provided below to show the process for deciding whether or not a breach
has taken place and whether it is materially significant and therefore needs to be reported.
4. Referral to a level of seniority for a decision to be made on whether to report
The London Borough of Hillingdon has designated an officer (the Head of Pensions, Treasury
and Statutory AccountsDeputy Director Strategic Finance) to ensure this procedure is
appropriately followed. They are considered to have appropriate experience to help
investigate whether there is reasonable cause to believe a breach has occurred, to check the
law and facts of the case, to maintain records of all breaches and to assist in any reporting to
The Pensions Regulator, where appropriate.
If breaches relate to late or incorrect payment of contributions or pension benefits, information
the matter should be highlighted to the Head of Pensions, Treasury and Statutory Accounts
Deputy Director Strategic Finance at the earliest opportunity to ensure the matter is resolved
as a matter of urgency.
Individuals must bear in mind, however, that the involvement of the Head of Pensions, Treasury and Statutory AccountsDeputy Director Strategic Finance is to help clarify the potential reporter's thought process and to ensure this procedure is followed. The potential reporter remains responsible for the final decision as to whether a matter should be reported to The Pensions Regulator.
The matter should not be referred to the Head of Pensions, Treasury and Statutory Accounts Deputy Director Strategic Finance if doing so would alert any person responsible for a possible serious offence to the investigation (as highlighted in section 2). If that is the case, the individual should report the matter to The Pensions Regulator setting out the reasons for reporting, including any uncertainty – a telephone call to the Regulator before the submission may be appropriate, particularly in the case of a more serious breach.
27
5. Dealing with complex cases
The Head of Pensions, Treasury and Statutory Accounts Deputy Director Strategic Finance
may be able to provide guidance on particularly complex cases. Guidance may also be
obtained by reference to previous cases, information on which will be retained by the London
Borough of Hillingdon, or via discussions with those responsible for maintaining the records.
Information may also be available from national resources such as the Scheme Advisory
Board or the LGPC Secretariat (part of the LG Group - http://www.lgpsregs.org/).
If timescales allow, legal advice or other professional advice can be sought and the case can
be discussed at the next Committee or Board meeting.
6. Timescales for reporting
The Pensions Act and The Pension Regulator's Code require that, if an individual decides to report a breach, the report must be made in writing as soon as reasonably practicable. Individuals should not wait for others to report and nor is it necessary for a reporter to gather all the evidence which The Pensions Regulator may require before taking action. A delay in reporting may exacerbate or increase the risk of the breach. The time taken to reach the judgements on “reasonable cause to believe” and on “material significance” should be consistent with the speed implied by ‘as soon as reasonably practicable’. In particular, the time taken should reflect the seriousness of the suspected breach.
7. Early identification of very serious breaches
In cases of immediate risk to the scheme, for instance, where there is any indication of
dishonesty, The Pensions Regulator does not expect reporters to seek an explanation or to
assess the effectiveness of proposed remedies. They should only make such immediate
checks as are necessary.
The more serious the potential breach and its consequences, the more urgently reporters
should make these necessary checks. In cases of potential dishonesty the reporter should
avoid, where possible, checks which might alert those implicated. In serious cases, reporters
should use the quickest means possible to alert The Pensions Regulator to the breach.
8. Recording all breaches even if they are not reported
The record of past breaches may be relevant in deciding whether to report a breach (for
example it may reveal a systemic issue). The London Borough of Hillingdon will maintain a
record of all breaches identified by individuals and reporters should therefore provide copies
of reports submitted to The Pensions Regulator to the Head of Pensions, Treasury and
Statutory AccountsDeputy Director Strategic Finance. Records of unreported breaches
should also be provided to the Head of Pensions, Treasury and Statutory AccountsDeputy
Director Strategic Finance as soon as reasonably practicable and certainly no later than within
20 working days of the decision made not to report. These will be recorded alongside all
reported breaches. The record of all breaches (reported or otherwise) will be included in the
quarterly Monitoring Report at each Pensions Committee meeting, and this will also be shared
with the Pension Board.
Reporting a breach
Reports must be submitted in writing via The Pensions Regulator’s online system at
www.tpr.gov.uk/exchange, or by post, email or fax, and should be marked urgent if appropriate.
If necessary a written report can be preceded by a telephone call.
Commented [S1]: This has not been done to date. Need to confirm the timing of information from SCC to feed in. What level of detail to report? See section below Should the full log be confidential
Appendix A – Determining whether a breach is likely to be of material significance
To decide whether a breach is likely to be of material significance individuals should consider
the following elements, both separately and collectively:
cause of the breach (what made it happen)
effect of the breach (the consequence(s) of the breach)
reaction to the breach
wider implications of the breach
The cause of the breach
Examples of causes which are likely to be of concern to The Pensions Regulator are provided
below:
Acting, or failing to act, in deliberate contravention of the law.
Dishonesty.
Incomplete or inaccurate advice.
Poor administration, i.e. failure to implement adequate administration procedures.
Poor governance.
Slow or inappropriate decision-making practices.
When deciding whether a cause is likely to be of material significance individuals should also
consider:
whether the breach has been caused by an isolated incident such as a power outage, fire, flood or a genuine one-off mistake
whether there have been any other breaches (reported to The Pensions Regulator or not) which when taken together may become materially significant
The effect of the breach
Examples of the possible effects (with possible causes) of breaches which are considered
likely to be of material significance to The Pensions Regulator in the context of the LGPS are
given below:
Committee/Board members not having enough knowledge and understanding, resulting in pension boards not fulfilling their roles, the scheme not being properly governed and administered and/or scheme managers breaching other legal requirements
Conflicts of interest of Committee or Board members, resulting in them being prejudiced in the way in which they carry out their role and/or the ineffective governance and administration of the scheme and/or scheme managers breaching legal requirements
Poor internal controls, leading to schemes not being run in accordance with their scheme regulations and other legal requirements, risks not being properly identified and managed and/or the right money not being paid to or by the scheme at the right time
Inaccurate or incomplete information about benefits and scheme information provided to members, resulting in members not being able to effectively plan or make decisions about their retirement
Poor member records held, resulting in member benefits being calculated incorrectly and/or not being paid to the right person at the right time
Misappropriation of assets, resulting in scheme assets not being safeguarded
31
Other breaches which result in the scheme being poorly governed, managed or administered
The reaction to the breach
A breach is likely to be of concern and material significance to The Pensions Regulator where
a breach has been identified and those involved:
do not take prompt and effective action to remedy the breach and identify and tackle its cause in order to minimise risk of recurrence
are not pursuing corrective action to a proper conclusion, or
fail to notify affected scheme members where it would have been appropriate to do so.
The wider implications of the breach
Reporters should also consider the wider implications when deciding whether a breach must
be reported. The breach is likely to be of material significance to The Pensions Regulator
where the fact that a breach has occurred makes it more likely that further breaches will occur
within the Fund or, if due to maladministration by a third party, further breaches will occur in
other pension schemes.
32
Appendix B - Traffic light framework for deciding whether or not to report
The London Borough of Hillingdon recommends those responsible for reporting to use the
traffic light framework when deciding whether to report to The Pensions Regulator. This is
illustrated below:
All breaches should be recorded even if the decision is not to report.
When using the traffic light framework individuals should consider the content of the red,
amber and green sections for each of the cause, effect, reaction and wider implications of
the breach, before you consider the four together. Some useful examples of this is
framework is provided by The Pensions Regulator at the following link
*New breaches since the previous meeting should be highlighted
34
tPR Checklist – Conflicts of Interest and Publishing Item 10
Committee Local Pension Board
Officer Reporting Sian Kunert, Finance
Papers with report Summary Dashboard of compliance tPR checklist toolkit details
SUMMARY This report is to show compliance in relation to items E – Risk and Internal Controls and H –Providing Information to Members and Others of the tPR checklist regarding governance of the Fund. RECOMMENDATIONS: That the Pension Board note the update SUPPORTING INFORMATION At the Local Pensions Board in April 2016 and October 2017 the Board discussed and reviewed the Pensions Regulator. The checklist was carried out to measure how the fund was performing on its governance and management of the scheme in relation to the Pensions Regulator requirements to identify any gaps for improvement. At the initial review in April 2016 the fund met the majority of the requirements but there were a number of non-complaint and partially complaint issues where progress was being made. There were significant improvements in October 2017. As part of a rolling review to update completion and compliance a review has been carried out on the sections E – Risk and Internal Controls and H –Providing Information to Members and Others. In the October 2017 review of all areas in the checklist the fund saw improved compliance on 29 items, with 17 partially compliant items outstanding and no non-compliant items remaining. Within sections C and D there were 3 areas of partial compliance and one that was not yet relevant. Officers have updated the comments and compliance on these two sections as part of this paper. In the review there was improved compliance on E8 and H1, with no change on H13. H11 which was not relevant previously relating to electronic communication has been reported s fully compliant in this review Attached to this report is the movement on these two areas across the 3 review periods. Along with the detail supporting the reasons for the compliance achievement for sections E&H.
35
To support the governance of the Fund, a full independent review of the TPR checklist has been scheduled for results to be feedback to Pension’s Board in February 2020.
36
Summary of movement in compliance for sections E&H
The scheme manager must establish and operate internal controls which adequately ensure the scheme is administered and managed in accordance with the scheme rules and the requirements of the law.
38
E4 Does the Administering Authority
review the effectiveness of the
risk management and internal
control systems of the Fund?
The Risk register uses a red amber green approach, so red risks are prioritised.
However there are some risks which remain under regular review i.e. investment
risks, funding risks, employer risks, which are looked at by the PC with the help of
external advisors.
Also the format and process involved with the risk register helps to identify
additional risks or update the status of risks.
Old risks which are no longer red will remain on the register but as green so they
are not forgotten if there is still a small risk, however one off time specific risks are
removed when no longer relevant.
Covering report includes movements in risks and this is also shown on the register.
Risks are formally reviewed on a quarterly basis, but identification is on an ongoing
basis as a matter of management of the Fund
Ongoing
(quarterly)
13/08/2019 Fully completed Fully compliant
E5 Does the Administering Authority
regularly review the risk register?
Yes. This is carried out quarterly at each PC meeting (though risks can be added at
any time if identified sooner).
Ongoing
(quarterly)
13/08/2019 Fully completed Fully compliant
E6 Is there a standing item on the
Pension Board agenda to review
scheme risks?
There is a standing item on Pension Committee agaendas and following any PC
meeting the risk register/report will be included in the PB meeting as part of PC
papers for governance review. (PB meetings follow soon after PC meetings)
Ongoing
(quarterly)
13/08/2019 Fully completed Fully compliant
E7 Does the Administering Authority
have adequate systems,
arrangements and procedures
(internal controls) in place for the
administration and management
of the Fund and are they
documented ?
Examples of administration related internal controls currently in place (see notes for
accounting controls) - not all are documented which is an action for the process of
appointing the new administration providers:
- Access to building restricted
- If any council member works at home via secure council link
- Team have access to admin system via a dedicated pc connected to the public
Wifi, which connects to the Surrey County Council systems via a Secure VPN from
SCC
- Disaster recovery / business continuity systems in place including working from
Surrey CC.
- Altair is tested at a national level
- Use of Altair workflow/task management for certain standard tasks
- All calculations are supposed to be checked by a senior member of staff when
payments made checked by team leader and senior officer
- SLA reporting weekly
- Use NFI
- Annual benefit statements process and statements require members check their
details.
- Password security on system so restricted access for personnel.
- Member comms scanned on internal systems and kept next to each member
records
- Overseas certificate checks
- BACS for all beneficary payments
- Detailed reports to reconcil oll payments
- BACS bank account held at zero unless files received to clear, only Hillingdon
treasury team can make payments from the current account.
- Breaches reporting procedure
- Data systems backed up each day - to different locations Surrey (hosted - retained
off site)
- Triennial valuation identifies data issues and "fixed" at time.
Ongoing 13/08/2019 Fully completed Fully compliant Accounting related controls in place:
- Pension Fund bank account reconciliations vs paperwork notfications
of payments made, carried out by Pension Fund Accountant on monthly
basis - includes all investment transactions and expenses as well as
benefit payments.
- Cash management process carried out Daily with senior officer sign off
- 2 Pension Fund authorised signatories required for transactions over
£1m
- Audit reports also obtained from Custodian
- Systems password protected and limited access to custodian website
(Accountant only)
- Purchase orders set up for invoicing
- Invoices recorded and checked vs agreements/POs and expectations
39
E8 Do these procedures apply
equally to outsourced services,
are internal controls reflected in
contracts with third party
providers and is there adequate
reporting in relation to those
controls?
Currently there is no formal arrangement with Prudential (AVC provider)s, there is
limited communications with them though any issues are discussed with them at the
time.
This has been incorporated into the contract with Surrey for administration of the
fund. The Fund require reporting in line with SLAs and external audit will get
assurances from them.
Northern Trust provide annual internal controls reports as part of year end process.
Contract and
review dates
13/08/2019 Fully completed Fully compliant Investigate assurances available from Prudential.
40
H - Providing information to members and others
Legal requirements
No. TPR RequirementLondon Borough of Hillingdon
Approach / Evidence
Frequency of
Review
Last Review
Date
Check
completed Compliant Notes
H1 Has an annual benefit statement
been provided to all active
members within the required
timescales?
ABS produced for all members in 2018.
On track for 2019 also.
Annual 13/08/2019 Fully completed Fully compliant
H2 Do these meet the legal
requirements in relation to
format?
All of the required figures and
descriptions are included in the
statements. It is noted that the quality of
the statements produced by Surrey CC
is of a high standard. ABS for active is
produced and held on mypension portal
and Deferred posted fr the final year in
Annual 13/08/2019 Fully completed Fully compliant
H3 Has a benefit statement been
provided to all active, deferred
and pension credit members who
have requested one within the
required timescales?
All statements were produced in 2018 on
time and posted to either those who
requseted and defferred members with
addresss to all deferred members
Pension credit members are sent
statements at the same time.
Annual 13/08/2019 Fully completed Fully compliant
H4 Does this meet the legal
requirements in relation to
format?
All of the required figures and
descriptions are included in the
statements (we have not seen a pension
credit member statement but assume
they are the same as deferred
statements and so are compliant).
Annual 13/08/2019 Fully completed Fully compliant
H5 Has an annual benefit statement
been provided to all members
with AVCs within the required
timescales?
Prudential send statements in April or
May each year.
Currently they do not provide Hillingdon
with a listing of who has been sent a
statement in order to confirm that all
relevant members have received one.
This could be an action to check (this
may be being done as part of accounts
reconciliation)
Annual 13/08/2019 Fully completed Fully compliant Consider obtaining list of
members to check all relevant
members are being sent a
statement as an additional check.
The law requires schemes to disclose information about benefits and scheme administration to scheme members and others. This includes requirements relating to benefit statements and certain other information which must be provided
under the requirements of the 2013 Act, HM Treasury directions and the Occupational and Personal Pension Schemes (Disclosure of Information) Regulations 2013 (‘the Disclosure Regulations 2013’). In addition to these duties, there are
41
H6 Do these meet the legal
requirements in relation to
format?
Example statement not provided by
Prudential to date (but we have
assumed format and contents are the
same as we have seen for other Funds
with Prudential as AVC provider as all
have been the same). This has been
checked against the requirements and is
compliant.
Annual 13/08/2019 Fully completed Fully compliant It is not clear whether there is the
option for lifestyling in the
Prudential funds offered and if so,
there should be checks to ensure
the required communications
relating to lifestyling are also
provided to members. Suggest
that the situation regarding
lifestyling is checked with H7 Is basic scheme information
provided to all new and
prospective members within the
required timescales?
New member packs are sent out by HR
with the members Contract of
Employment, this is also the proceduer
followed by all Scheme Employers.
Regular
monitoring
13/08/2019 Fully completed Employers - Fully
compliant
Check details contained within
Governance Policy agreed with
all employers
H8 Does this meet the legal
requirements in relation to
format?
The details are all provided on either the
brief guide, the full guide (on the
website) and in the letter sent to the
member with the statutory notice.
There are a few areas where the
information in the guide could be more
explicit (see actions).
Ongoing 13/08/2019 Fully completed Fully compliant The regulations require that a
Annual 13/08/2019 Fully completed Partially compliant Tracing services will be provided
in conjunction with third parties
and Surrey CC during 2019/2020
44
Pension Fund Cyber Security and Data Mapping Item 11
Committee Local Pensions Board
Reporting Officers Tunde Adekoya, Finance
Papers with this report Data Mapping diagrams
REASON FOR ITEM To provide the Pensions Board with an overview of the data flow and Cyber relationship existing between the Pension Fund and various organisations, and the possible cyber threats the fund may be vulnerable to. RECOMMENDATIONS That Pensions board note this report and discuss SUPPORTING INFORMATION Cyber security deals with protecting anything connected across the network. This includes:
Hardware like desktops, laptops, servers and mobiles
Software like communication and work applications
Data in transit and at rest.
The most important thing is understanding that everyone is at risk of cyber-attack. Business is increasingly being carried out over network connected devices, and each one presents a tempting target. The motive is usually profit, though activism can also play a role. The rewards of cyber-crime are so great that threats have dramatically increased. Cyber criminals have become highly professional, often drawing on the resources of organised crime or ingenious hackers.
No organisation or entity is too big or small for cyber attacks. Cyber criminals don't generally target individuals or businesses - they target vulnerabilities. A business of two is as prone to attack as a large corporation if a vulnerability is detected. A key point is that cyber-attacks are automated. They constantly probe for weaknesses all around the clock and they absolutely will not stop.
What are the common threats?
Network intrusion
45
This is any unauthorised activity on a computer network from an outside source. Intrusions not only consume bandwidth, they're also designed to do harm like stealing data.
Phishing
Phishing uses false pretences to steal information like passwords and credit card details. A phishing attack poses as a legitimate email, SMS, Instant Message or website from an organisation you know.
Ransomware
Ransomware will either lock your computer to prevent access, or threaten to make sensitive files public. Hackers promise to unlock your system when a ransom is paid.
Rootkit
A rootkit is a program that allows hackers to hide other malware like spyware and viruses on your computer.
Spyware
Spyware tracks what you're doing. It collects information like passwords, web browsing and email addresses and uses it for malicious purposes.
Trojans
Named after the Trojan horse of antiquity, Trojans are malicious programs in disguise. They don't replicate but they do create a backdoor that gives hackers control of your computer.
Virus
A virus is malicious software that replicates itself when activated so it can spread to other computers and files. The aim varies - deleting data, stealing passwords, making documents unusable, spamming contacts and more.
Zero-day exploit
This is a vulnerability that has not been discovered by software or security vendors. The vulnerability can be exploited until it is detected and patched, when it stops being zero-day.
DATA MAPPING As a result of the training on Cyber Security at Pension Board in February 2019 it was agreed the first steps in assessing cyber resilience would be mapping data flow for the pension fund. Data flow maps have been provided for the administration and investment functions as supporting documents to this report. Key data threats to the Pension fund could relate to the protection and controls relating to
payments in and out of the fund, for beneficiary transactions
fund manager transactions and scheme assets
Member records / personal data breaches or loss
46
Transfer of data between data processors
System failure as a result of a cyber attack
Reputational impact through lack of trust as a public body Board discussed that the Pension Fund was part of the Council and as such should feature in Council policy for cyber protection. Board agreed it should gain assurance that they could place reliance on the Council having effective policy in place. In addition as the majority of beneficiaries data is held within the SCC systems and not on the Hillingdon network the Board should gain assurance that SCC can show they can defend their systems appropriately. Hillingdon ICT controls Members of Pensions Board have requested for a member of the Hillindon ICT team to attend and present/explain the control environment in pace to protect the fund around Cyber security on the Hillingdon network. In addition what incident response plan is in place and does this consider the pension fund. At the time of writing this report, officers have not been able to agree attendance with ICT, however the Acting Interim Head of ICT is happy for this to happen and a meeting will soon be set up with the service manager to agree how and when this can be provided to best meet the Board needs. Officers will continue working with ICT to arrange attendance. Beneficiaries data records are held on the Surrey County Council systems. Hillingdon staff can access this, however there is no direct connection from the Hillingdon corporate network to the data. Access to the system is via a dedicated pc connected to the public Wifi, which connects to the Surrey County Council systems via a Secure VPN. There is however member data held on the Hillingdon systems, as well as all asset data and activity and all financials. To manage the Councils risk to Cyber security there are a number of controls in place which include
an ICT Acceptable Usage Policy which is part of the induction programme for all new starters
robust password security in place to access networks and software
ICT health checks performed on a regular basis
Security testing and ensure ICT security protection systems and anti-virus measures are in place to protect and up-to-date to meet new threats
Email monitoring
External audit of Public Sector Network (PSN) compliance has been completed
Guidance on pension scams are included on the Pension Fund website to support members of the scheme.
47
SCC controls As part of the controls testing, officers asked SCC for various information in relation to their cyber security in line with the Pensions Regulator guidance.
Internal controls in place at SCC include
protection at the perimeter and on endpoints, including – WAF, Internet firewall, email security appliance, web filter and proxy, advanced endpoint protection engine. These are all within support contracts and kept up to date automatically.
regular scans for security vulnerabilities within the infrastructure and target fixes based on vulnerability severity and exploitability
collect logs from all security appliances, to give the security team the insight to quickly detect and respond to internal and external attacks, simplifying threat management and minimizing risk.
Accreditation to demonstrate cyber readiness
Accredited to ISO27001:2013 for our Primary Data Centre
PSN compliant (to June 2019) – copy of certificate received
Application was submitted for Cyber Essentials Plus accreditation Oct 2018, this failed in January 2019, due to out of date applications on laptops, however is being remedied with an update automation and SCC booked a new audit and accreditation attempt in May 2019.
There is a response plan in place to deal with any incidents and to safely resume operations, however is not documented in one place. There are a number of documents and systems that provide for this. In addition SCC confirmed controls, processes and response plans are tested and reviewed.
EMPLOYEES -Early Payment of deferred pension requests -Notification of Deaths -General Pension queries
EXTERNAL PAYROLL\EMPLOYERS -Starter\Leaver\Changes forms -Pensions\Opt Out\other admin forms -Monthly Returns\payments -Year End Returns -Employment\Pension queries -Outsourcing\TUPE data
L B HILLINGDON -Year-end payroll report\return -Hillingdon Starters\Leavers\Changes -Pensions\Opt Out\other admin forms -Monthly Returns -Employment\Pension queries -Death Grants Payment Authorisation -TUPE data to draft AA -Signed\sealed AA
HYMANS (Actuaries) -Accounting reports -Valuation -TUPE data
HML Health Unit -Ill Health -Applications -Medical Information
This report is to enable the Pension Board to review meeting dates and forward plans. The Board will be asked for suggestions for items to be discussed at future meetings.
OPTIONS FOR THE BOARD
Make suggestions for future working practices and/or reviews and priorities.
INFORMATION
1. Pension Board was set up from 1 January 2015, with the first meeting in July 2016.At its meeting 2 November 2017, Council agreed to structural changes of the Boardto improve the overall effectiveness of the Board.
2. Dates for future Pension Committee meetings are outlined below to considertiming of future meetings
Meetings Specific topics
30 October 2019 Presentation and overview from LCIV
Pension Fund Annual Report 2018/19
Valuation update and Funding StrategyStatement
Investment update and manager review
Revised Administration Strategy
Administration Report
Risk Register
ESG and Voting Engagement
29 January 2020 Training - Pension Fund Governanceincluding SAB
Investment update and manager review
Administration Report
51
Annual report from Pensions Board to Pensions Committee
Risk Register
Responsible Investment Policy
25 March 2020 Training - Public sector procurement, specifically procurement within the LPS
Investment Strategy Statement update
Valuation report and results and Funding Strategy Statement
Investment update and manager review
Administration Report
Risk Register
ESG and Voting Engagement
TBC July 2020 Training TBC
Audit of Accounts and Annual Report
Investment update and manager review
Administration Report
Communication Policy Revised
Risk Register
3. Planned dates for future meetings and potential topics to review
Meetings Specific topics
10 September 2019 Training – Discretionary Powers
Administration Strategy Review
tPR Checklist review & focus E – managing risk and internal control and H – Providing information to members and others
Update on Cyber Security controls in place and data mapping to identify risk areas
Data Improvement Plan
Review of reporting breaches policy
Review of Pension Committee Reports
27 November 2019 Training – Taxation in Pensions and Myners principes
Draft annual report from Board to Pensions Committee
