The Code in its final form is not greatly changed from the version proposed in March 2021. One notable difference is in the expected frequency of trustees’ ‘own-risk assessments’, which has been aligned with legislation and become less onerous.

Code contents

The General Code contains modules that will replace ten subject-specific Codes:

• 1: Reporting Breaches of the Law
• 4: Early Leavers
• 5: Reporting of Late Payment of Contributions to Occupational Pension Schemes
• 6: Reporting of Late Payment of Contributions to Personal Pension Schemes
• 7: Trustee Knowledge and Understanding (TKU)
• 8: Member-nominated Trustees/Member-nominated Directors—Putting Arrangements in Place
• 9: Internal Controls
• 11: Dispute Resolution—Reasonable Periods
• 13: Governance and Administration of the Occupational Trust-based Schemes Providing Money Purchase Benefits
• 14: Governance and Administration of Public Service Pension Schemes

The Code applies to the ‘governing bodies’ of occupational, personal and public-sector pension schemes, setting out their responsibilities in the areas covered by the soon-to-be superseded Codes listed above, as well as some newer ones such as cyber controls and climate-risk governance. The final version of the Code has been revised to address concerns raised by commentators who pointed out the various entities—scheme managers, advisory boards, pensions boards, pensions committees—that could be considered to have governance roles in the public sector pensions sphere.

Effective systems of governance

The most eagerly awaited sections of the General Code are likely to be those laying down the Regulator’s expectations for an ‘effective system of governance’ (ESOG) in private-sector occupational schemes.¹ Brought in via EU Directive 2016/2341 (better known as ‘IORP II’), the ESOG obligations extend the previous requirement for trustees to establish and operate adequate ‘internal controls’. (Public-sector schemes must also have internal controls, but under a separate UK legal provision). The elements of the ESOG must be proportionate to the characteristics of the scheme.

Own-risk assessments

Trustees of occupational pension schemes with 100 or more members will also be required to carry out periodical ‘own-risk assessments’ (ORAs) of the effectiveness of their governance systems. Failure to do so may be taken as evidence of poor governance. A scheme’s first ORA must (generally) be done and documented within 12 months of the end of the first scheme year to begin after the Code’s issuance (so, for example, a scheme with a 31 March year-end will be expected to complete its first ORA exercise by 31 March 2026). However, the Regulator says that it's not necessary that all aspects of the ORA are undertaken at the same time, and that it could be a collation or index of existing risk assessments. Nevertheless, the ORA should be documented in writing and signed off by the trustee chairperson. Subsequent ORAs must be undertaken at least every three years (the Regulator says that assessment of individual elements covered by the ORA should be undertaken when there are material changes).

Key functions

Private-sector occupational schemes with 100 or more members are also expected to have the capacity to undertake certain ‘key functions’. Those responsible for the risk-management function are expected to keep the scheme’s key risks, and the interdependencies between them, under review; to also consider the position from the perspective of the scheme’s beneficiaries; and to report their findings to the governing body ‘in a timely manner’. Schemes should have written policies on their risk management function, and review them at least triennially.

The IORP II Directive also requires that schemes have an internal audit function, tasked with evaluating adequacy and effectiveness of the system of governance. The UK’s implementing legislation also refers to this key function, without using the phrase ‘internal audit’. The Code discusses the role of internal auditor, but doesn't label it as a key function. It says that it could be undertaken by someone responsible for internal audit within the sponsoring employer’s organisation, provided they have the requisite knowledge of pensions matters, and that any actual or potential conflicts are properly considered.

Cyber controls

A scheme’s internal controls should include measures to manage cyber risks (the legal obligations are somewhat different for public-sector schemes, but the Regulator says that the adoption of cyber-risk measures is good practice in any case). It's expected that, amongst other things, governing bodies have knowledge and understanding of risks, establish clear roles and responsibilities, assess their vulnerabilities and those of their service providers, ensure that critical systems are regularly backed up, and have suitable policies and a cyber incident response plan.

Remuneration policies

Private-sector occupational schemes with 100 or more members will need a written remuneration policy, covering everyone (service providers included) who carries out scheme activities, where paid by the trustees. This is a change from the draft Code, which suggested that sponsor-renumerated roles should also be included; the Regulator has also removed an expectation that the policy should be disclosed to members.

What comes next?

The Code cannot come into effect until it has laid before Parliament for 40 days without either House passing a resolution against it. The Department for Work and Pensions must then make an order (statutory instrument) specifying the effective date. The in-force date is currently expected to be 27 March 2024.

Trustees who paused governance reviews pending the Code's completion can now resurrect those projects, and begin preparation for their first ORA.

¹ The UK’s ESOG legislation does not apply to authorized (DC) master trusts or collective money purchase schemes.

This communication has been compiled by Hymans Robertson LLP, and is based upon their understanding of legislation and events as at the date of publication. It is designed to be a general information summary and may be subject to change. It is not a definitive analysis of the subject covered or specific to the circumstances of any particular employer, pension scheme or individual. The information contained is not intended to constitute advice, and should not be considered a substitute for specific advice in relation to individual circumstances. Where the subject of this document involves legal issues you may wish to take legal advice. Hymans Robertson LLP accepts no liability for errors or omissions or reliance on any statement or opinion.