In the inaugural issue of our new Taylor Wessing Pensions Bulletin we give a snapshot of monthly pensions developments below.

Please get in touch with your usual Taylor Wessing pensions contact if you would like to discuss anything you have seen in the Bulletin.

Increasing focus on ESG obligations

As part of its campaign aimed at ensuring trustees are meeting their ESG duties, the Pensions Regulator (TPR) has said that it is putting extra emphasis on compliance with ESG governance and climate reporting duties this year. This includes checking and monitoring in-scope schemes:

• Statements of Investment Principles (SIP), to confirm that they include details of the trustees' policies covering how the scheme invests, including how financially material ESG and climate factors are taken account of, and that this has been published
• publication of an implementation statement explaining how the trustees have complied with their scheme's SIP, and
• inclusion of a web address for the SIP and the implementation statement in scheme returns. TPR has said some schemes have failed to provide a correct address and has flagged the possible penalties for failing to comply with the publication requirements.

TPR has also published its review of the first wave of disclosures by certain (larger) schemes that are required to publish data relating to the climate change reporting requirements to which their scheme is subject. TPR's report both identifies good practice and highlights areas where it expects to see improvements – trustees should take account of these points for improvement when preparing future reports.

Single (now General) Code coming soon

The single Code (which is to consolidate ten of TPR's existing codes and include some changes resulting from recent regulations) has been renamed the "General Code" and will be finalised "in the spring". By way of reminder, some new key aspects include:

• the requirement for trustees to have an "effective system of governance" proportionate to the size, nature, scale and complexity of their scheme, and
• for schemes with 100 or more members, a requirement to carry out an "own risk assessment", which essentially means assessing how their own policies and procedures address risks faced by the scheme.

Much of the ground it covers will be familiar to trustees, but to be sure of complying trustees may wish to seek advice on any gaps. The new General Code will apply immediately once implemented so preparation will be key, and trustees should be looking to understand if there are any issues that they could address now before the General Code comes into effect.

First Collective Defined Contribution (CDC) scheme authorised

The first CDC scheme, the Royal Mail Collective Pension Plan, has been authorised by TPR. Under current legislation only single employers or employers in the same group of companies can set up CDC schemes. However, the DWP has just finished consulting on extending this to multiemployer schemes whose participating employers are not associated (e.g. master trust schemes), which offer benefits for both members' accumulation and decumulation phases and arrangements that provide decumulation options only (in both cases, where the arrangement is trust based). A reminder of what CDC is can be found here.

Cyber security

It has recently been reported that large outsourcing provider Capita has been subject to a cyber attack on its systems. 2023 has been a busy year for cyber criminals, with PayPal, T-Mobile and JD Sports amongst the other companies suffering data breaches. Even with the best defences, there is a risk to every organisation that a threat actor may be able to access systems and bring business to a halt or at least cause reputational damage, data and financial loss and delays.

The Pensions Regulator requires, in its Cyber Security Principles, trustees to take steps to build their cyber resilience including their ability to recover when an incident takes place. Steps that trustees can take include:

• creating and "stress testing" an incident response plan so they can have confidence that in a breach scenario they have the tools and processes to deal with the incident and continue to run the scheme,
• taking training on cyber risks and vulnerabilities, and
• taking steps to assess the controls that third party providers have in place to deal with cyber incidents.

For further information on cyber threats, and how we can help our clients get "breach ready", see Cyber security 2023: key threats and challenges.

New TPR Guidance on LDI

After the financial crisis that unfolded following the mini budget last September, and which particularly involved schemes which adopt a Liability Driven Investment (LDI) strategy, there has been mounting scrutiny on how the situation was handled and what measures can be put in place going forwards to prevent it from arising again. In particular the Financial Policy Committee of the Bank of England has recommended (amongst other things) that TPR should:

• have a remit to take into account financial stability considerations, and
• take action as soon as possible to mitigate financial stability risks by specifying minimum levels of resilience for LDI funds and LDI mandates in which schemes invest.

TPR has now issued Guidance setting out practical steps trustees can take to manage risks when using leveraged LDI. The Guidance focuses on four strands: investment strategy, collateral resilience, governance and monitoring. The aim is to ensure that schemes have robust and effective processes in place to ensure they withstand market shocks. One aspect that trustees can easily engage with is making sure that they have processes in place that will allow them to work quickly and effectively with their key advisers in the event of a crisis.

Delay to scheme funding code

TPR has confirmed in its recently published corporate plan (2023/24) that its scheme funding code will be finalised in April 2024 as opposed to later this year as anticipated. The final version of the scheme funding regulations (upon which TPR's code is to be based) are also awaited. See our briefing note for a reminder of key aspects of the draft regulations.

Dashboards developments

The deadline for the first wave of schemes to connect to the pensions dashboard was to be 31 August of this year, but the DWP has instead announced a delay. This is to allow the technical infrastructure to be ready for schemes to connect. While the DWP has said that more time is needed, they have not said how long the delay will be, leaving it to the Chair of the Pensions Delivery Programme to revisit timescales. Our advice to trustees: don't stop preparing! There is nothing to indicate that this has been kicked very far into the long grass, and it is better to be ready than to be caught on the hop.