What's Happening In Pensions - Issue 118

Article Insights

1. Virgin Media legislative remedy

The Government has published amendments to the Pension Schemes Bill to address issues arising from of the Court of Appeal's decision in the Virgin Media case. This decision called into question the validity of past alterations made to salary-related contracted out occupational pension schemes, without the prior actuarial confirmation required being given (see our alert and Q&As for further detail on the decision).

The draft provisions set out a mechanism which would enable affected pension schemes to retrospectively obtain written actuarial confirmation that historical benefit changes met the necessary standards where they meet the conditions to be a “potentially remediable alteration”. Broadly this means that the alteration would have needed an actuarial confirmation when it was made, the trustees treated the amendment as a valid alteration, the trustees have not taken any "positive action" on the basis that they consider the alteration to be void and it is not excluded from the scope of remediation.

The following steps will be treated as a “positive action”:

• notifying members in writing that they consider the alteration was void (due to non-compliance with the relevant statutory requirements) and that they will administer the scheme on this basis; or

• taking any other steps in relation to scheme administration (due to considering the alteration to be void) which alter (or will alter) payments to or in respect of members.

A historical rule amendment will be excluded from the scope of remediation if any question relating to the validity of that amendment (relating to the relevant statutory requirements) has already been determined by a court, or was in issue in legal proceedings commenced on or before 5 June 2025 to which the trustees were (or are) a party, including where those proceedings have been settled.

In a welcome development, the current version of the amendments to the Bill would allow a scheme impacted by Virgin Media  where a scheme has been wound-up (before a date which is two months after the Act is passed), to be treated as having met the requirements for retrospective validation.

The Financial Reporting Council has announced that it will develop technical guidance to support scheme actuaries in confirming historical pension scheme amendments and make it available when the expected legislation comes into force.

In terms of next steps, schemes should monitor both the development of the legislation and the outcome of Verity Trustees v Wood  in which the High Court is considering further questions in this area and other issues around amending scheme rules.

2. PPF confirms zero levy for 2025/26

The PPF has announced that it will not charge a conventional levy for the 2025-2026 levy year. This will save DB schemes and their sponsoring employers collectively £45m.

Earlier this year, the PPF had confirmed that it was still in discussion with the Government about giving the PPF greater flexibility to reduce the levy, given its very large surplus. When setting this year's levy rules, the PPF included a provision enabling it to recalculate the conventional levy to zero if appropriate legislative changes were brought forward, and sufficiently progressed, this year.

The Pension Schemes Bill has since been introduced to Parliament with measures which give the PPF greater flexibility to set the levy. These measures enable the PPF to move to zero levy whilst preserving its ability to reinstate the levy in future if it were ever needed (see WHiP 117).

The PPF Board has decided to exercise its provision to move to zero levy for 2025/26 "recognising the Bill's parliamentary progress and the broad support among policy makers and stakeholders for this change".

3. ECCTA – identity verification

New identity verification (IDV) requirements will apply from 18 November 2025. These will apply to all company directors, limited liability partnership (LLP) members, and 'people with significant control' (PSC) of a UK company or LLP.

This will affect new and current directors of Trustee companies.

The IDV regime was introduced under the Economic Crime and Corporate Transparency Act 2023. 

For company directors:

• From 18 November 2025, any individual who is being appointed as a new director of a UK company (whether the company already exists or is newly incorporated) must have completed IDV before being appointed.

• Where an individual was an existing director of a UK company on 18 November 2025, the director will have until the company next files its annual confirmation statement at Companies House to complete IDV. The confirmation statement dates for a company are shown on its Companies House register page. For companies with confirmation statement due dates that fall shortly after 18 November 2025, this will mean that they may have very little time to ensure that their directors have completed IDV.

For PSCs:

• Every individual who is newly registered as a PSC with Companies House on or after 18 November 2025  must complete IDV and provide a statement confirming their personal IDV code within 14 days of being registered.

• For individuals who are already registered as PSCs on 18 November 2025, the position depends on whether the individual is also a director of the same company, as follows:
  • if the PSC is also a director of the company, the individual must provide an IDV code to Companies House within 14 days of the company's annual confirmation statement; or
  • if the PSC is not also a director of the company, the individual must provide an IDV code to Companies House within 14 days of the first day of their month of birth. For example, if the individual is born on 12 March 1990, the individual would have until 15 March 2026 (i.e. 14 days from 1 March) to provide an IDV code to Companies House.

Directors and PSCs who fail to verify their identities when required will commit a criminal offence. A company which allows a director to continue in their role without having completed IDV will also commit an offence, as will every officer of that company. In each case, the offence may be punished by a potentially unlimited fine. Equivalent offences will apply in relation to LLPs and their members.

Individuals can verify their identity either (a) directly via Companies House or (b) through an authorised corporate service provider (ACSP) which also provides IDV services. Companies House has published guidance on the new requirements.

A Travers Smith briefing explains the requirements in more detail. 

4. HMRC Pension Schemes Newsletter

HMRC's Pension Schemes Newsletter 173has clarified its view of the tax treatment of tax-free lump sums paid back into a registered pension scheme and provided an update on the abolition of the lifetime allowance:

• Returning tax free lump sums: For the second successive year, HMRC has commented on the tax treatment of lump sums (such as pension commencement lump sums (PCLS) or uncrystallised funds pension lump sums (UFPLS)) where individuals seek to return those payments to a registered pension scheme. This follows speculation about the potential changes to pensions tax in the Autumn Budget, such as whether the maximum amount that individuals can claim as a PCLS will be reduced (see our Budget Tracker (Autumn 2025) for more detail).

Certain pension contracts and policies allow for a cooling-off period. This reflects that under FCA rules consumers have a right to cancel certain contracts typically within 30 days of entering the contract, if they change their mind. Where a transaction falls within these rules then the tax consequences can be reversed, but only in the case of actions that are expressly referred to in the FCA rules.

A contract allowing a person to take a PCLS or UFPLS is not listed as a cancellable contract in FCA's Conduct of Business Sourcebook (COBS) 15.2 rules. Therefore, HMRC considers that cancellation rights do not arise with regard to paying these lump sums – even where a cancellation right applies to the entire contract.

HMRC has confirmed that "[o]nce lump sums are paid, the associated tax consequences (including the use of the individual's lump sum allowance and lump sum death benefit allowance) cannot be undone, even if the payment is returned or cancellation rights are exercised."

A registered pension scheme can still offer cancellation rights for the lump sum elements of cancellable contracts. However, HMRC has warned that where registered pension schemes choose to offer such rights "it is essential that they ensure customers understand that, once paid, the tax consequences of these lump sums […] will not be reversed, even if the payment is subsequently returned or cancelled."

The FCA has issued a parallel statementexplaining how their existing rules on cancellation rights operate in these scenarios.

• Abolition of the lifetime allowance. HMRC has provided an update on some further minor technical amendments to the legislation concerning the abolition of the lifetime allowance. HMRC states that these are "designed to clarify certain provisions, correct minor drafting inconsistencies and support smoother implementation". The regulations will be made in early 2026 and, when introduced, will have retrospective effect from 6 April 2024.

5. Capita data breach

The Information Commissioner's Office (ICO) has issued a total fine of £14m to Capita plc and its subsidiary Capita Pension Solutions for failing to ensure the security of personal data in connection with cyber breach in March 2023 that affected a significant number of pension schemes.

The ICO investigation found that Capita's security failures left personal data at significant risk and that Capita lacked the appropriate technical and organisational measures to effectively respond to the cyber-attack.

In particular, the ICO concluded that:

• Capita failed to prevent privilege escalation and unauthorised lateral movement, despite these vulnerabilities being flagged previously on at least three separate occasions.

• Capita failed to respond appropriately to security alerts – it took Capita 58 hours to respond to the high priority security alert which was raised within ten minutes of the breach.

• Capita's penetration testing and risk assessments were inadequate – penetration tests were not carried out after the initial test carried out when the systems were commissioned.

The ICO initially informed Capita of its provisional intention to fine it a combined total of £45m. Capita submitted representations and mitigating factors, including the improvements made after the attack, support offered to affected individuals and engagement with other regulators and the National Cyber Security Centre (NCSC). The ICO and Capita have now agreed to a voluntary settlement. Capita has acknowledged the ICO's decision, admitted liability, and agreed to pay a final penalty of £14 million without appealing.

The ICO has warned that “Maintaining good cybersecurity is fundamental to economic growth and security. With so many cyber attacks in the headlines, our message is clear: every organisation, no matter how large, must take proactive steps to keep people's data secure.”

The ICO has also highlighted key areas where organisations should be taking proactive steps to reduce security risks, such as:

Following NCSC guidance on preventing lateral movement and ensuring that the ‘principle of least privilege' is applied across the organisation:

• Regularly monitoring for suspicious activity and responding to initial warnings and alerts in a timely manner;

• Sharing the findings from penetration testing across the whole organisation so risks can be universally addressed;

• Prioritising investment in key security controls to ensure that they are operating effectively; and

• Checking agreements and responsibilities between data controllers and data processors.

Further details of the breaches, and the ICO's calculation of the fine, are set out in the full penalty notice and press release.

6. Compensation for pensions data breach

The Court of Appeal has held in Farley v Paymaster that pension scheme members can claim compensation for breach of UK data protection legislation, where their annual benefit statements were sent to the wrong addresses.

The ruling overturned part of the 2024 High Court decision, which held that members could only claim compensation where they can show that a third party had opened those wrongly addressed statements.

The key facts of this case are:

• In 2019, Equiniti (the defendant), acting as the administrator for the Sussex Police pension scheme, sent over 750 pension statements containing personal information (including dates of birth and national insurance numbers and information about their benefits) to out-of-date addresses after a database error.

• Over 400 members of the Sussex Police pension scheme brought a collective action, seeking damages for injury to feelings and, in some cases, psychiatric injury, stemming from fears of third-party misuse of their personal data — even where there was no proof anyone actually opened and read the mail.

• Sussex Police reported to the affected officers that "the risk of harm arising from this breach is assessed as low", but gave advice on protective steps, and offered them the opportunity to sign up to a fraud protection service. The incident was reported to the Information Commissioner's Office, which noted that Sussex Police had conducted a risk assessment that concluded that the risk of data subjects suffering significant consequences was "unlikely", that advice on identity theft was to be given to the affected data subjects and concluded that no further action was required.

The High Court struck out the claims of the vast majority of claimants, who had not presented any evidence that their benefit statement had been opened and read by any third party. This was on the grounds that they disclosed no reasonable grounds for bringing the claim. The envelopes had been marked 'Private and confidential' and the judge said that he would not infer that any had been opened and read where there was no evidence of that having happened. Over 100 statements were returned unopened. In only 14 cases was there evidence that the statement had been opened, and these claims were allowed to proceed. (See WHiP Issue 109.)

On appeal from the members, the Court of Appeal found that:

• The actual disclosure to a third party was not an "essential ingredient" of an allegation of processing or infringement. Sending data to the wrong address, even if you don't know if anyone accesses it, is still potentially unlawful "processing" under the GDPR.

• As matters of principle, compensation for emotional responses other than distress can be recoverable and there is no minimum ‘seriousness threshold' for non-material damage under the GDPR or the Data Protection Act 2018. However, there still needs to be proof of non-material damage. The Court emphasised that claimants can recover for fear or anxiety about possible misuse of their data, but only if those fears are "well-founded" (but not if the fear is (for instance) purely hypothetical or speculative). This is to be addressed on a case-by-case basis, and the case was remitted to the High Court.

• Each claim must be assessed individually, not struck out in bulk because of the aggregate cost or numbers. The minimal likely compensation for some claims did not render them abusive; low-value claims may be suitable for the County Court's Small Claims Track.

The decision confirms that there is no seriousness threshold for harm to qualify for compensation in data protection claims. This could make it more difficult for defendants to dispose of low-value claims at an early stage. The decision should not, however, be seen as a gift to claimants: the courts will give short shrift to far-fetched claims of harm that are not "well-founded".

See our new briefing 'No seriousness threshold for data protection claims — but the courts will reject speculative claims' for further detail.

7. Distribution of surplus

The High Court has approved a pension scheme trustee's decisions to vary the scheme's buy-in arrangements and use surplus scheme assets to augment member benefits in KO UK Pension Trustees Ltd v Barker.

The Coca-Cola Company Pension and Assurance Scheme (the "Scheme") closed to new members in 2006. Its liabilities were almost entirely secured by a buy-in policy, under a captive structure under which AXA acted as the 'fronting' insurer. The insured liabilities were reinsured by AXA under a back-to-back arrangement with a 'captive' reinsurer within the Coca-Cola corporate group. The reinsurer, Red Life Reinsurance Ltd ("RLR"), was regulated in Bermuda and required to hold £41m of regulatory capital in respect of its obligations under the reinsurance agreement. In addition to the buy-in policy, the Scheme held surplus assets of around £46m.

On termination of the buy-in policy, a significant termination payment would be payable to the trustee (around £232m). Due to changes in insurer pricing after the buy-in policy was put in place (amongst other variables), this termination payment would have exceeded the cost of purchasing a replacement buy-in policy securing the same liabilities (around £150-160m). The terms of the buy-in policy restricted the circumstances in which the trustee could trigger the termination payment, but the trustee was able to crystallise the termination payment upon the wind-up of the Scheme being triggered.

The trustee's powers were also restricted under the trust deed and rules:

• The trustee had no unilateral power to trigger the wind-up of the Scheme.

• The trustee had a unilateral power to augment benefits from surplus during a Scheme wind-up, but required the consent of the principal employer to amend or augment benefits while the Scheme was ongoing.

Accordingly, the trustee could not access the Scheme surplus without the principal employer giving notice to terminate the Scheme, thereby permitting the trustee to proceed to a wind-up and augment member benefits. However, the principal employer would not give notice to terminate the Scheme unless the termination payments under the captive structure (ultimately payable by RLR) were reduced.

The trustee made a Part 8 claim for the court's blessing of two decisions, which it had reached in principle with the corporate sponsor:

1. Adjustment to buy-in arrangements: The reduction of the termination payment under the buy-in policy so as to match the cost of a cheaper, replacement buy-in policy, covering the same liabilities as the existing policy. In return, the Scheme's principal employer would give notice to terminate the Scheme, thereby allowing the trustee to crystallise and access surplus from which to make augmentations of the pension entitlements during the wind-up of the Scheme.
   
   
2. Augmentation of member benefits: The augmentation of scheme benefits, using the surplus released during the winding up of the Scheme to give all beneficiaries an equal percentage augmentation of around 27% of their present benefits.

The judge stated that the proposal meant that the trustee would be taking a "bird in the hand" in the form of the current Scheme surplus, whilst giving up the "contingent possibility" of a greater surplus in future (e.g. if the principal employer eventually agreed to terminate the Scheme, or if Scheme wind-up was triggered through events outside its control, such as insolvency). In approving the trustee's decisions, the court noted that the proposal "would prevent the scheme from becoming a form of tontine, under which a dwindling cohort of the longest living scheme members may, in future, 'scoop the pool" upon a future termination of the Scheme. The Court also concluded that it was a relevant consideration that the employer group could simply wait matters out in a way that members (who have finite lifespans) could not.

Although the arrangements contemplated by the High Court were fact specific, this ruling is an interesting example of how the different stakeholders in a pension scheme navigated the balance of powers in a way which resulted in an upside for members and positive outcomes for the corporate sponsor.

8. Bridging pensions

The High Court has issued a decision concerning a member's entitlement to a bridging pension, in Spirit (Legacy) Pension Trustee Limited v Alexis. The ruling considered whether references to the "Stage pension age", defined by reference to the Pensions Act 1995, should be interpreted in a way which incorporated later changes to legislation.

The High Court allowed an appeal from the trustee of the Spirit (Legacy) Pension Scheme (the "Scheme"), from a decision by the Pensions Ombudsman. The Ombudsman had upheld the member's complaint that they were entitled to receive a bridging pension until age 66, based on Scheme rules which provided that such pension would cease at "State pension age", defined by reference to paragraph 1 of Part I of Schedule 4 to the Pensions Act 1995. The Ombudsman considered that this definition was "dynamic" in that it encompassed later changes to legislation, and therefore that legislative increases to State pension age were incorporated into the Scheme rules.

The Scheme trustee appealed the Ombudsman's decision, claiming that the reference to legislation was "static" and therefore that the defined term, "State pension age", has the meaning as originally enacted by legislation, rather than as amended after the introduction of the Scheme rules. On this basis, the trustee argued that the bridging pension was only payable to age 65 and that a dynamic interpretation would be tantamount to writing a 'blank cheque'.

The High Court held that the proper construction of the Scheme rule, in the circumstances, was static, and the member's "State pension age" for this purpose was age 65, not 66. In reaching this decision, Mr Justice Richard Smith applied the principle that where a contract or deed incorporates the provisions of a statute or subordinate legislation, there is no presumption either way as to whether the reference is to the law for the time being in force. Whether an interpretation should be static or dynamic is instead "a question of the proper construction of the words of incorporation in the context in which they are used".

The legislative reference in this case has been used "for equalisation of pensionable ages for men and women", rather than for increases in pensionable age. The Court observed the "rarity of parties who have used a convenient statutory shorthand to describe a factual situation intending that situation to vary unpredictably with the vagaries of future legislation". In this case, the Court held that there had been nothing in the statutory context when the Scheme rules were executed to suggest that increases to state pension age more generally were anticipated. The Court observed that the next major reform to increase state pension age was introduced in 2007, and that the increase could easily have been effected through an alternative legislative route.

As with most cases involving construction, this ruling was highly dependent on a particular set of facts, but it underscores the potential challenge of interpreting context-specific references to legislation in scheme rules.

9. Pensions Ombudsman – pre-2021 scheme transfers

The Pensions Ombudsman has issued:

• a press release setting out his position on trustees' obligations when considering a member's request to exercise a pre-2021 statutory transfer right from an occupational pension scheme; and

• a determination concerning a pension scheme member (Mr D) who transferred from the British Steel Pension Scheme (the "Scheme") to a small self-administered pension scheme in 2014.

From 30 November 2021, regulations have applied which restrict individuals' statutory transfer rights in specified circumstances, with the aim of helping trustees to stop scam transfers. (See our briefing 'Pension scams: new statutory transfer right restrictions' for more detail.)

The Ombudsman considered the trustee's duty of care that applied when making the statutory transfer from an occupational pension scheme before the 2021 Regulations were introduced, including in respect of due diligence.

The Ombudsman did not uphold the complaint that the Scheme had failed to carry out sufficient due diligence on the 2014 transfer. The Ombudsman found that when a member was exercising a statutory transfer right in respect of an occupational scheme there was no legislative or regulatory obligation on the trustee of the Scheme to undertake due diligence, beyond that required to meet the legislative criteria for a transfer, either generally or more specifically as set out in the Pensions Regulator's 2013 Action Pack or in the ‘Scorpion Leaflet' aimed at members.

The Ombudsman noted that the trustee had not voluntarily assumed a responsibility to investigate the receiving scheme (for example, as set out in the Action Pack) and had not made any promise or implied representation to the member that it was conducting due diligence which he could argue that he then relied upon to his detriment.

The Ombudsman has described this determination as providing "an important, legal assessment of a trustee's duty of care when considering a statutory transfer request", for the period from February 2013 until the 2021 Regulations came into force.

Although each case turns on its own facts, the Ombudsman has stated that this is likely to inform his approach to similar cases.

10. Contribution notice upheld by Upper Tribunal

The Upper Tribunal has upheld a contribution notice (CN) issued by the Pensions Regulator's Determinations Panel against the director and shareholder of a family business, which was the sponsoring employer of a DB occupational pension scheme inPelgrave v The Pensions Regulator.

The CN was issued in respect of the individual's role in the extraction of value (including the payment of dividends) from the Danapak Flexibles Retirement Benefits Scheme (the "Scheme"), whilst the Scheme was in significant deficit. The Regulator's Determinations Panel found that she had been a party to a series of acts that had caused a material detriment to the Scheme.

The relevant events took place between 2008, when the business was bought for £1, and 2019, when it was sold for the same amount. They therefore happened before changes to the moral hazard regime, introduced by the Pension Schemes Act 2021, took effect. (See our briefing 'Pension Schemes Act 2021: what happens next?' for more detail.)

The target of the CN had claimed that she as not a "party" to the relevant acts for the purposes of section 38(3)(a) of the Pensions Act 2004, as she "played no role in the relevant decisions". The Upper Tribunal held that "party to" should bear its ordinary meaning, being "a person who is concerned in an action or affair; a participant; an accessory” and "there is no articulation of any concept of hierarchy in the legislation".

The Regulator has highlighted in a press release that the case demonstrates that it is prepared to intervene "even when an employer remains in business".

11. TPR report on scheme rescue

The Pensions Regulator has published a regulatory intervention report on its role in the rescue of the Edinburgh Woollen Mill Ltd Retirement Benefits Scheme (the "Scheme"), following the insolvency of its employer sponsor.

The Regulator opened an anti-avoidance investigation following concerns about the circumstances leading up to the sponsoring employer's insolvency, including the payment of material dividends by the employer and the assignment of security from the group's banks to the employer's ultimate parent company. It also engaged with the entity that acquired the employer's business from its administration, Purepay Retail Limited (Purepay), the trustee and the Pension Protection Fund (PPF) to secure a scheme rescue.

The covenant adviser to the scheme's trustee contacted the Regulator in October 2020, expressing concerns about a lack of information regarding the employer's current financial position and the apparent insolvency risk. The administrators were appointed on 5 November 2020, following which the Regulator issued a series of statutory notices requiring certain recent financial information about the employer and group.

After receiving information in response to those notices, the Regulator had concerns about a series of events that took place before employer's insolvency (including intra-group loans and the payment of dividends from the employer) and opened a formal anti-avoidance investigation by mid-2021. At this stage, Purepay, which had acquired the employer's business from administration on 24 December 2020, proposed a scheme rescue and the Regulator entered into negotiations, alongside the trustee and the PPF.

The parties entered into an arrangement under which the Scheme would exit the PPF's assessment period, and Purepay would take over as the scheme's statutory employer through a Scheme Apportionment Arrangement in December 2024. Purepay also contributed £7 million to the Scheme and agreed to a recovery plan and a suite of covenant protections and downside mechanisms both on an ongoing and insolvency basis. The Scheme is now funded well above the PPF funding level and is expected to achieve full funding on a low dependency basis within the next three to four years.

The Regulator emphasised that it is vital sponsoring employers keep pension scheme trustees fully up to date with the employer's financial position and prospects, particularly when the employer is facing financial distress.

12. TPR enforcement strategy

The Pensions Regulator is consulting on a new enforcement strategy, which it describes as introducing "a more focused, agile, and outcomes-driven model", and reorientating its approach "towards risk-based regulation". The consultation closes on 11 November 2025.

The Regulator outlines eight proposed changes to its strategy. It proposes:

• Putting member outcomes first: to shift its focus from monitoring outputs to delivering real-world outcomes, such as preventing harm, securing redress, and building saver confidence.

• Setting clear enforcement priorities: to focus its enforcement efforts on issues that "that pose the greatest risk to members and the pensions system". By setting clear, central priorities and applying them consistently, the Regulator proposes to make better use of its resources and take action where it will have the greatest impact.

• Targeted enforcement: to take a proportionate, risk-based approach that concentrates resources on the most serious harm to members, supporting a broader shift toward a prudential regulatory model and contributing to long-term economic resilience in the pensions system.

• Acting earlier to prevent harm: to consider enforcement earlier to stop problems before they escalate, meaning closer integration between its Enforcement and Market Oversight teams, setting clearer expectations, and engaging in early interventions to prevent harm and stop issues before they grow.

• Working together to solve problems: to deepen collaboration with its external partners and stakeholders.

• Building flexible and skilled teams: to invest in its workforce and deploying staff more flexibly across different types of cases to improve efficiency and ensure the right expertise is available.

• Using data for smarter decisions: to use of data and digital tools to spot trends, guide decisions, and track results.

• Being open about what we do: to optimise the way in which it publishes enforcement outcomes and communicates expectations.

The new enforcement strategy sets out the Regulator's proposed approach to enforcement, including:

• its mission and strategic objectives

• how it prioritises enforcement activity

• the outcomes it aims to achieve

• the Regulator's enforcement toolkit and decision-making framework

• the Regulator's approach to serious economic crime

• how the Regulator will communicate enforcement outcome

The Regulator expects that the adoption of this strategy will mean that it revisits its wider suite of enforcement policies and procedures.

13. TPR report on scheme administration

The Pensions Regulator has published a report of its insights on scheme administration, following industry engagement over the past year with 15 pension administrators across a range of sizes, ownership models, and service types, including third-party administrators (TPAs), and in-house teams in both defined benefit (DB) and defined contribution (DC) markets.

The report recognises pensions administration as "a critical driver of good outcomes for savers" and highlights opportunities to strengthen governance, service delivery, and savers' outcomes.

The Regulator expects administrators and trustees to reflect on the findings in their report and to work together to identify ways to improve administrative practices to better serve savers. The Regulator also urged trustees to periodically review their contract with administrators to ensure it remains suitable and emphasised that improving data must be a priority for all.

The report focused on four key themes:

• Financial sustainability: The Regulator welcomes a shift towards increased investment in technology upgrades, AI, and people, but noted that "more work is required" to meet growing demands and member expectations, and to prepare for the significant upcoming regulatory and legislative changes, including pensions dashboards. The report highlights the challenge of recruiting and retaining staff, the need for administrators to adapt to evolving market demands and for trustees to recognise the strategic value of administration and encourage investment in innovation and resilience.

• Technology and innovation: The Regulator notes the growing investment in AI and digital tools, and the ongoing need to modernise and/ or integrate systems like administration, payroll, and member portals to prevent outdated systems increasing the risk of errors.

The Regulator considers that trustees and administrators should:

• focus on providing a high-quality member-centric experience, with good governance and transparent reporting. This focus needs to be embedded in administration contracts, which should be periodically reviewed to ensure they remain suitable;
• plan the likely impact pensions dashboards will have on administration services and review whether their current administration service, member engagement strategies and member interaction channels are likely to remain effective and be capable of handling the significantly increased demand; and
• focus on maintaining accurate, complete and up-to-date data, noting that data quality also plays a critical role when changing administrator or moving to an insurance provider. Early engagement with administrators is also crucial to ensure smoother transitions. As part of this, trustees should ensure they fully understand and negotiate contract terms with administrators, include data quality clauses where possible, and plan for exit strategies from the outset.

• Risk and change management: The Regulator outlines some strong examples of how firms are managing risk and change effectively, including:
  • using clear governance models – such as the 'three lines of defence' framework, which separates responsibilities into operational management, risk oversight, and independent assurance – to help spot and manage risks early; and
  • taking a proactive approach to managing change and complex regulatory demands, through some firms adopting dedicated change teams, securing additional funding, and working closely with industry bodies and the Regulator.

• Cyber resilience: The Regulator notes that key risks include phishing, weak supplier systems, and outdated infrastructure. The report highlights examples of cyber security practices becoming more robust, such as follow key security steps recommended by the National Cyber Security Centre, strong testing routines and senior-level oversight. However, the Regulator warns of certain gaps shown in Business Continuity Planning with communication protocols and executive oversight sometimes missing or lacking supporting documentation, and inconsistencies in cyber certifications.

14. TPR alert on impersonation fraud

The Regulator has issued an alert aimed at trustees and administrators which highlights a pension fraud technique involving unauthorised access to members' accounts using hacking and impersonation techniques. It urges trustees and administrators to be vigilant and report any suspicions.

The Regulator has identified a common theme in Action Fraud reports referring to attempts to bypass pension scheme defences and exploit security vulnerabilities to gain unauthorised access to members' accounts.

These methods include:

• Hacking members' email accounts: obtaining access to correspondence between the member and the scheme, then contacting the scheme using personal information to impersonate the member, to change details of the beneficiary's bank account to withdraw funds.

• Accessing members' account information: to set up fake pension accounts in the member's name and then move funds from the real account to the fake account. 

• Account access via poorly secured or unsecured account credentials: in these instances, the member and individual committing the act were known to each other.

• Deceased members' pension funds: diverting funds to an alternative bank account without the next of kin's knowledge.

The Regulator recommends that schemes take the following steps:

• Educate members: on the importance of online security and ensuring their pension account details are up to date and signpost members to the City of London Police Identity fraud guidance and the Stop! Think Fraud website.

• Review scheme systems and controls: i.e. the measures in place to prevent identity fraud, including member identity and verification checks, referring to Protecting Identities During High Risk Events guidance from the Pension and Administration Standards Association (PASA).

• Report fraud or cybercrime to Action Fraud: Using the online reporting tool to submit an information report, or a crime report.

15. TPR's annual review of DB funding

The Pensions Regulator has published its annual overview of funding levels and recovery plans in occupational defined benefit (DB) and hybrid pension schemes in the UK.

The report outlines certain changes made to its assumptions and the following key findings:

• 62% of schemes reported a surplus position in schemes with effective valuation dates from 22 September 2022 through to 21 September 2023. This compares with 27% of schemes in tranche 15, when this latest tranche would have been expected to complete their most recent previous triennial valuation. 

• The average (mean) assets to technical liabilities ratio for these schemes was 104% (median: 103%).

• The average (mean) recovery plan length for schemes in deficit was 4.4 years (median: 3.8 years), with a median end date falling in 2027. For comparison, the average (mean) recovery plan length in tranche 15 was 6.3 years (median: 5.3 years).

16. Pensions Dashboards – State Pension connection

The Pensions Dashboard Programme (PDP) has announced that the State Pension has completed connection to the pensions dashboards ecosystem, meaning that users will be able to see their personal, workplace and State Pension information together in one place.

The PDP provides further detail on what State Pension information will be shown on pensions dashboards and where users can continue to access further information via the "Check your State Pension forecast" tool on GOV.UK.

17. Financial services – targeted support

The Financial Conduct Authority (FCA) is consulting on consequential changes to its Handbook with the aim of ensuring that the "targeted support" framework works effectively with existing requirements.

This follows the FCA's earlier consultation on its proposals to allow advisers to provide targeted support to consumers in relation to pensions and retail investments. Firms would be able to make suggestions designed for groups of consumers with common characteristics, to help them make financial decisions (see WHiP 117 for more detail).

The FCA aims to finalise the regulatory framework for targeted support and publish its policy statement in December 2025. The FCA's Pre-Application Support Service (PASS) has opened to firms planning to apply for targeted support permissions, ahead of the gateway opening in March 2026.

The consultation closes on 17 October 2025.

18. Financial services – workplace savings schemes

The FCA has published a statement to provide clarity on the main rules relating to workplace savings schemes and reassurance that such schemes can be successfully set up and implemented to comply with those rules.

The statement addresses the perceived regulatory barriers to 'opt-in' workplace savings schemes (where employees choose to save via payroll). The FCA focuses on:

• risks that employers should avoid (e.g., charges, delays) in order to comply with the National Minimum Wage Regulations 2015;

• how many workplace savings schemes can be structured in a way that does not involve the employer carrying out a regulated activity for which they need FCA authorisation;

• how employers may issue communications to their employees about schemes without making a financial promotion (in breach of section 21 of the Financial Services and Markets Act 2000);

• the relevant requirements for a savings provider to consider when complying with the Banking: Conduct of Business sourcebook (particularly the requirement for employee consent);

• financial crime legislation and guidance that savings provider or employer/payroll provider/employee benefits companies should consider when carrying out KYC checks and Customer Due Diligence;

• what employers should consider when sharing employees' personal information with the savings provider; and

• how savings providers can notify employees about protection from the Financial Services Compensation Scheme.

The statement also refers to the requirement that savings providers must comply with the consumer duty when it applies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.