Pension Funds Insider


FinTech - What are the risks for pension funds?


In this article from PASA, Girish Menezes details the risks of pension administration and the key factors to consider when choosing a reliable administration partner.

There is a growing concern around ‘administration risks’ and trustees are beginning to embed these within their Integrated Risk Management Dashboards. A key issue surrounding administration is IT Security and Cyber Risk. The question from many trustees is whether some of the technology innovation appearing within the world of pensions is increasing or decreasing the security of their data, finances and members. Is the technology leading-edge or bleeding-edge? How can they trust the Pensions Dashboard, Robo-advice platforms and all-online Master Trust offerings?

Pension administration is a high risk business. We hold the personal and financial details of individuals, including national insurance numbers, postal addresses and bank account details. We manage billions of pounds worth of assets, moving millions of pounds of assets and cash, often on behalf of a single member. It is critical that our systems, processes and people are built for security.

Any reputable pension administrator has invested heavily in IT security. Their systems and processes are built for cyber resilience. Often the weakest link is not the IT infrastructure itself. It is an individual employee clicking on a questionable link, or an administrator who accepts easily forgeable birth certificates as proof of identity. As an outsourced provider, it is the administrator’s role to safeguard trustee assets. However, it is ultimately the trustee’s role to conduct appropriate due diligence to ensure that they have selected a reliable administration partner.

There are a number of key factors that can help the trustees make this decision, including:

· Does the administrator have ISO 9001 certification? This is a base-level certification of measurable process definition.

· Is your administrator AAF 01/06 audited, and were any exceptions identified? The AAF 01/06 audits pension-administration-specific processes and ensures an independent third-party review of their controls.

· Has the administrator completed their Cyber Essentials certification? This is a Government-approved certification specifically targeting cyber security issues.

· How often does the administrator conduct independent penetration testing on their systems? You would expect this to be at least annually.

· Have their employees completed comprehensive Data Security and IT Security training on joining and annually thereafter?

· Are there segregated duties separating IT infrastructure, Systems and Operations? This reduces the scope for collusion among the various internal parties responsible for technology security.

· Are there rigorous ID verification checks in place prior to any financial transaction? Administrators can now cross-check member identities against the DVLA database, voter registers, credit card records and more, all in real time. This is far more stringent than merely requesting birth and marriage certificates, which can be purchased online or created using graphics software.

· Does the administrator conduct full Disaster Recovery tests at least annually, to ensure that they can cope if the worst were ever to happen?

· Finally, are there clear Treasury controls and segregation of duties to ensure that there is a thorough vetting of all financial transactions on behalf of the trustees?

Trustees should also review their own position, for example by considering:

· Do they have sufficient capability to understand and review the risks? Or do they need further training and independent support?

· Is appropriate, independent and informed advice available?

· Is the technology used by the trustees secure?

· Do the trustees have a clear data and IT security policy in place?

· Are there clear roles and responsibilities, a chain of command and a process in place in case of a crisis?

· Are data and instructions securely transmitted between the trustees, administrator and other advisors?

· Does the trustee risk register cover administrator risks, especially IT security, data security and cyber?

· Are these risks reviewed regularly, and at least annually?

Technology innovation can give members incredible access to and control of their pensions, if managed within a controlled environment. A useful benchmark is your bank account, where you can log into a mobile application and view an account balance, check recent transactions, transfer money to a babysitter, review credit card transactions and grimace at the balance on your mortgage. However, it is critical that data and IT security are baked into the design process, with the appropriate checks and balances.

For the trustees, having key administration risks listed in their risk framework is wise. Reviewing these annually against the administrator’s performance is important, and an independent review of the various controls is even more valuable. In the end, it is not FinTech that will put your pension scheme at risk. It is a pension administrator who has taken process controls lightly and a trustee who has not made the appropriate reviews.

Girish Menezes, Board Director of the Pensions Administration Standards Association, Member of the Pensions Management Institute’s Advisory Council, Head of Administration at Premier Pensions.