Remuneration, cyber risk and beyond: the General Code unpacked

The Pensions Regulator’s (TPR) new General Code is mainly a consolidation of existing requirements, perhaps with more detail on regulatory expectations.

Many schemes already have policies in place addressing most of these requirements, so the first step towards compliance is to cross-check existing policies against the code.

Some existing policies will require very little amendment, but this is an opportunity to refresh policies and trustee practice alongside the regulator’s expectations.

Remuneration

One of the General Code’s new requirements is to have a remuneration policy in place.

This is a statement setting out the basis and means for paying those undertaking activities in relation to the scheme that are paid for by the governing body.

It’s worth noting that this only applies to schemes with more than 100 members and there is no requirement in the final code to publish this policy. The policy should be proportionate, considering the size, scale, nature and complexity of the scheme’s activities.

There is no need to include anything that is paid for by the employer, so if the employer pays for everything then the statement may be very short.

Where the trustees pay for services, the code states that the policy should cover “all persons or corporate bodies including service providers, who effectively run the scheme, those who carry out key functions, or whose activities materially impact the scheme’s risk profile”.

The code doesn’t clarify what “key functions” are, but this is defined in the regulations as the actuarial function, risk management function and “the function which internally evaluates adequacy and effectiveness of the system of governance”.

Schemes will need to consider which entities will be in scope, who effectively runs the scheme and whose activities materially impact its risk profile – to the extent these individuals are paid for by the trustee board.

The terms “basis” and “means” are a little unclear, but the code amplifies this by saying the policy must set out the principles for determining pay and the decision-making process for payment levels and help assess the value of the remunerated services.

A scheme might comment on whether advisers’ fees are benchmarked to market at agreed intervals and whether they provide a fixed fee for particular projects or work on an hourly rate and how this provides value for the trustees and the scheme but there’s no requirement to set out the amounts or rates of pay.

There is a helpful checklist in the code for preparing a remuneration policy. The policy should also include measures taken to mitigate potential conflicts of interest and focus on in-house roles. It should be reviewed at least every three years, although it may be appropriate to do so annually or where there are significant changes.

Other key areas

One key area to consider is cyber risk – most schemes will have a data protection policy in place but not all will have a cyber policy. It’s an opportunity to review both policies and make sure training is up to date, in particular to ensure trustees know what to do if their scheme suffers a cyberattack or data breach.

The code may also help identify other training topics to update trustee knowledge and understanding.

Much of the new code detail is logical and helpful. Trustees have overall responsibility for their schemes, so it is important that they have oversight of the functions they delegate – both to ensure everyone is clear on what has been delegated and to whom, and to ensure those functions are being carried out properly.

There are new expectations for the appointment, management, review and replacement of advisers, to enable trustees to receive a better service in line with their needs and requirements.

Will it help?

The question remains: will the code achieve TPR’s ambition to help ensure better scheme governance?

It’s certainly a useful resource and while the code itself is not legally enforceable, it includes statements of law that must be complied with.

In addition, the courts, the Pensions Ombudsman and TPR will use the code to determine whether trustees have complied with the legal obligations it contains – in particular, the requirement to establish an effective system of governance. All schemes within its scope should therefore engage.

Jessica Kerslake is a member of the Society of Pension Professionals and a partner at Allen and Overy.