Administration agreements – is yours fit for purpose?

TPR's recent blog has emphasised its efforts to work more closely with pension scheme administrators – unsurprisingly so because administrators are at the heart of making sure that a pension scheme is properly run.

It is crucial that trustees ensure the document that governs that relationship – the administration agreement- is robust. The problem for many trustees is that their administration agreement will have been in place for many years and will not have been substantially reviewed, even though there may have been additional services or GDPR-related language added.  Trustees now face greater legal risks than ever before; these may arise for example from increasing cyber threats or an increased governance burden, and the importance of having good scheme administration will become even more pronounced when pensions dashboards finally come online.   Having appropriate administration terms in place, which properly reflect the world in which trustees operate, will help protect them from legal and reputational risks.   

If there was any doubt on the matter, the forthcoming General Code makes absolutely clear that trustees are responsible for scheme administration, even though this is very often outsourced to a third-party supplier.  The Pensions Regulator expects trustees to include administration as a regular item at meetings, to monitor the performance of their administrator and to receive regular reports.  The Code recognises the importance of having adequate contractual terms; this is so that trustees can rely on those terms to drive improvements, to manage any change of supplier, and to hold the administrator to certain standards such as having an adequate business continuity plan.

Trustees, as data controllers, should also be aware of the importance of properly managing their administration arrangements in order to limit their risks under data protection laws.  UK GDPR allows individual data subjects to bring direct claims against controllers where the data subject suffers damage as a result of something done (or not done) by a data processor.  This would apply for example where a trustee engages an administrator who then loses member data with resulting damage.  The controller (i.e. the trustee) will have a defence to the data subject's claim if it can prove that it is "not in any way responsible for the event giving rise to the damage".  If a trustee is to rely on this exemption, it will need to be able to show that it took reasonable steps in appointing, monitoring and managing its processor.  This starts with having the right contractual terms in place.  The UK GDPR sets out in some detail the data processing terms that must be included and administrators should be aware of these so the process of implementing or updating terms should not be a difficult one.

So, for trustees who are negotiating a new administration agreement or considering dusting-off and updating an old one, we recommend that you think about the following:

• Have you got an agreed robust and practical cyber breach reporting and management framework? Have you seen the administrator's business continuity plan?
• Are the data security commitments that the administrator is providing robust and legally enforceable?
• Do the data protection terms accurately reflect current law and guidance?
• Will your administrator be allowed to sub-contract services? In what circumstances will this be allowed, what contractual terms will apply to the sub-contracting, and who will be liable for acts / defaults of sub-contractors?
• Have you included regular reporting obligations, and made clear what should be included in those reports?
• Are service levels clearly defined, and what will happen if there are repeated or continuing breaches of those standards?
• Is the agreement clear on any limitations of liability and who will be liable to meet any costs arising from errors or breach of security commitments?
• Do you have sufficient clarity around exit terms? Most administration agreements provide for an exit plan to be agreed when a party gives notice to terminate, but it is helpful to include some detail around what this might look like and some sort of cap for providing handover services. It is much easier to agree this up front than to try to deal with any issues when a relationship is ending.

Our recommendation to any trustees wondering if their administration agreements are fit for purpose is to take advice.  It is always better to make sure your documents cover different scenarios than to try to manage issues on an ad hoc basis.