Financial & Credit

With record numbers of people saving for retirement, it is more important than ever that people understand their pensions and prepare for financial security in later life.  It is widely understood that many people lack confidence when making decisions about their finances and it can be difficult to understand and keep track of multiple pensions. The introduction of Pensions dashboards, allowing individual savers to see all their pensions in one place is expected to revolutionise the way people interact with their pensions in a similar way to how open banking is helping savers through the provision of a holistic view of banking products held.   This will place the onus on pension schemes who will need to ensure they are able to support the implementation of dashboards through the maintenance of accurate and complete data. The timing by which schemes will be expected to provide pension information data is dependent on several factors, the primary one being the number of relevant members with staging dates commencing from April 2023. However, as at Summer 2022, research by The Pensions Regulator (PSR) has shown that only 37 percent of Defined Benefit (DB) and Defined Contribution (DC) schemes have discussed dashboards at their schemes trustee board meetings.

Following the closure of the consultation on the draft Pensions Dashboards Regulations in March 2022 and subsequent guidance issued in June 2022, dashboard service providers and trustees or managers of relevant occupational pension schemes are looking to address the range of challenges that need to be overcome in order to make the Pensions Dashboard a reality. 

• Data Quality: For the Pensions Dashboards to work as intended, the data held by schemes needs to be ‘Dashboard Compliant’ and held digitally. 51 percent of DC and 33 percent of DB schemes still hold some member data non-electronically. Guidance as to the data standards for Pensions Dashboards was released in late 2020.
• Data Security: The approved dashboard providers will collectively have access to millions of member records via the dashboard ecosystem and any IT system / software with access to large amounts of personal data is a prime target for cyber criminals. Not only does this require the dashboard providers themselves to have robust and effective cyber security controls, the cyber security arrangements at individual schemes will also need to be enhanced to ensure they are able to detect and prevent cyber threats resulting from increased connectivity via the ecosystem.
• Dashboard Information: The success of the dashboards will be heavily reliant on the accuracy and completeness of the data it produces with dashboards required to provide three categories of data:
  • Administrative data – scheme specific information;
  • Signpost data – links to important information about the scheme; and
  • Value data – details of how much pension has been built up and how much they may have when they retire.
• Member Engagement: Ensuring users understand the scope and limitations of the information provided will be essential in assisting users to make informed financial decisions. For example, it is expected that at least initially, dashboards will have difficulty in articulating the true value of a certain pensions due to the nature of how these benefits are calculated. A significant increase in member communication is expected as members query the results of the pensions matching and it is therefore important that schemes have appropriate resources and procedures in place to handle the expected increased volume whilst ensuing day to day operations are not adversely impacted.

The landscape of pension saving has seen seismic changes over the past decade. The continuing shift from Defined Benefit to Defined Contribution accrual, the rise of Master Trusts, and success of automatic enrolment have each created new pressures on those governing pension schemes. The number of pension savers has increased massively, as have the standards expected of those running the schemes. Trustees and scheme managers need to have the right people, skills, structures and processes in place to facilitate scheme operations, enable effective and timely decisions, and to manage risks appropriately.

In March 2021, The Pensions Regulator (TPR) published its Draft Single Code of Practice which not only looked to amalgamate 10 of the existing codes of practice into a single code, but it also enabled the Regulator to respond to the requirements of the ‘Occupational Pension Scheme (Governance) (Amendment) Regulations 2018’ which is the legal instrument introduced in the UK to reflect the requirements of the second European Pensions Directive (IORP II).

Whilst the new code is predominantly a consolidation and restructuring of the existing codes it looks to replace, it does introduce new expectations of governing bodies (the new term for referring to the trustees or managers of occupational pension schemes, managers of personal pension schemes, scheme managers and pension boards of public service schemes that TPR regulates). These include:

• Effective System of Governance: As one of TPR’s primary objectives is to improve the governance of pensions schemes in the UK, within the new code the regulator has provided links to the relevant sections which set out expectations and which describe the minimum requirements for an effective system of governance (ESoG).
• Internal Controls: Are defined as the policies, processes and procedures carried out in running a scheme. They are also the checks and balances that ensure those processes are operating correctly. Whilst the code does not look to provide details on how specific controls should operate there are several modules within the new code which focus on risk management and the specific controls which should be in place within schemes. Although the code recognises that most governing bodies are not directly involved in every aspect of the day-to-day operation of their scheme and instead delegate operational tasks to an internal administration team or outsource to professional service providers, it states that regardless of delegation, the governing body retains accountability for those functions.
• Own Risk Assessment: For any scheme with over 100 members, the governance regulations introduce the requirement of an Own Risk Assessment (ORA) which recognises the Regulators belief that the risks faced by pension schemes are wide ranging and not solely related to investments. It is intended that the ORA will build on the principles of an ESoG within the code and will become a formalised process for the regular review and assessment of the management of risks.
• Cyber Security: Whilst the Regulator has already addressed cyber security risks in specific guidance, it is acknowledged that cyber security processes are still rare and therefore the code has been used as a mechanism to reinforce previous guidance and place direct expectations on schemes.
• Environmental, Social and Governance (ESG): The stewardship of a scheme’s investments is another new addition within the code which introduces two specific modules: 1) Stewardship that focuses on the governance responsibilities that come with financial investments, and 2) Climate change and the risks and opportunities it presents.

Internal Audit needs to support the scheme in both the short-term to ensure that they are well placed to meet the requirements of the Single Code of Practice in line with the expected timescales but also over the longer-term to support the build out and maturity of the ORA process.

1) Short term readiness assessments: Internal Audit’s primary focus in advance of the effective date for the Single Code of Practice (expected to be H2 2023) should be to assess the firm’s readiness to meet the requirements set out by the Regulators. This may include a gap analysis against the Code of Practice, any supporting guidance and should consider the documentation and evidence the regulator expects to be in place by this date, for example as follows:

• Review how the scheme has interpreted the Code of Practice and taken actions in response to this.
• Assess the adequacy of the scheme’s code implementation project and programme governance.
• Review the roles and responsibilities which relate to key aspects of the code, including the governing bodies’ understanding of its own responsibilities and where their sign-off is required. 
• Challenge Management’s identification of internal controls and associated rationale. 
• Where services are outsourced, assess the ability of the governing body to oversee the effectiveness of internal controls in operation at the third party provider.

2) Longer term ongoing effective system of governance: The role of Internal Audit should move to more holistic, thematic based format, providing risk-based assurance over internal controls which will then feed in to the schemes’ ORA process and annual review and attestation requirements.

Regulated firms are required to submit a range of returns on a regular basis which allow regulators to monitor the financial performance and position of regulated entities, including a number of more operational aspects of their performance and to perform benchmarking to inform the focus of their regulatory activities. Regulatory reporting continues to be the subject of many s166 skilled person reviews and ’Dear CEO’ letters issued by both the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), the most recent of which was issued by the PRA in September 2021. The accuracy, completeness and timely submission of regulatory returns continues to be a key focus, including the governance framework around the process.

• The FCA established a new Investment Firms Prudential Regime (IFPR) for UK investment firms which became effective 1 January 2022 and included changes to several areas including consolidation, own funds and Fixed Overheads Requirement (FOR). In addition, the FCA has also released a new Remuneration Policy Statement (RPS) template for firms in scope of the IFPR which may be used to record how their remuneration policies and practices comply with the new Remuneration Code. 
• As of 1 January 2022, the PRA’s Capital Requirements Regulation 2 (CRR2) came into effect for CRR regulated institutions, the key changes of which related to the requirement for firms to report their Net Stable Funding Ratio (NSFR), new market risk requirements and changes to counterparty credit risk.
• The PRA continues to develop proposals to implement all the remaining elements of Basel III (Basel 3.1) which is the final package of banking prudential reforms for CRR firms developed in response to the 2008/09 financial crisis. Basel 3.1 will result in significant changes to the way firms calculate Risk Weighted Assets under the Standardised Approach, and for firms who currently report under the Internal Ratings Based (IRB) Approach, they will be expected to apply a standardised output floor (OF). The OF will become a binding capital constraint for some UK Banks and introduce a new layer of complexity in capital planning and strategic decision-making for all. Banks should prepare now for the introduction of the OF, even while its design is still being debated by policymakers. Banks should be analysing the implications of the OF for internal capital allocation (understanding what we call “floor capacity”). Many Banks will also need to invest in the data and calculation infrastructure necessary to determine accurate revised standardised risk weights, which will be the basis for calculating the OF. The PRA intends to publish a Consultation Paper on Basel 3.1 implementation in the fourth quarter of 2022, and their current intention is to consult on a proposal that these changes will become effective on 1 January 2025.

Firms must have effective and comprehensive strategies, processes and systems to assess their financial resources and internal capital adequacy to identify and mitigate the nature and level of risk to which they are or might be exposed. This includes assessing the risk of non-compliance with the overall financial adequacy rule and the risk that the firm might not be able to meet in future the obligations in EU Capital Requirements Regulations (CRR). When assessing financial resources firms must (as part of the Pillar 2 rule) conduct periodical stress tests and scenario analyses that are appropriate to the nature, scale and complexity of the business and the major sources of risk that they are exposed to. Firms must identify the range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile and consider the exposure to those circumstances and maintain adequate (financial and non-financial) resources to minimise the risk of harm.

The new Investment Firms Prudential Regime (IFPR) was introduced for the Financial Conduct Authority (FCA) authorised Markets in Financial Instruments Directive (MIFID) from 1 January 2022. MiFID II includes Collective Portfolio Management Investment Firms (CPMIs) and regulated and unregulated holding companies of groups that contain either MiFID investment firms or CPMIs.

One of the key focus areas of FCA’s 2022 business plan is to deliver assertive action on reducing harm to investors and the market participants in the event of firm failure. When compared to the Internal Capital Adequacy Assessment Process (ICAAP), the IFPR includes a more explicit obligation on firms to identify potential sources of harm, demonstrate effective arrangements and adequate financial resources to mitigate this risk wherever it may arise. This extends to direct consideration of the potential for harm to consumers and market participants as well as the firm.

Further, the IFPR introduces the “K-factor” – a capital calculation based on the activities that an FCA investment firm undertakes. The applicability will differ depending upon the size and scale of the firm.

The IFRS 17 standards for accounting of insurance contracts continue to be a key focus area for insurers, with standards taking effect from 1 January 2023. Many insurers are at varying readiness-levels to ‘go live’ and for most, it is proving to be one of the most complex transformations due to the number of IT systems involved across actuarial, accounting, data and analytics systems. Most insurers are also planning to continue work on their IFRS 17 programmes after the “go live” date to compensate and implement enhancements required to confidently deliver compliance with the standards. Given the breadth and various milestones involved in such programmes, Internal Audit functions are reassessing their assurance approaches and timelines to ensure impactful assurance takes place to support implementation and post go-live.

In an ideal position at the final stages of delivering IFRS 17, many insurers should be able to produce and report on their balance sheet with IFRS 17 inputs. Delivering this will allow sufficient time for Insurers to perform revisions against accounting and actuarial assumptions, review the financial statements in consolidation with group-level entities, perform cosmetic-related IT enhancements, and consideration of key processes and controls for business-level adoption.

Whilst there have been no new requirements introduced since March 2021, where it was announced that IFRS 17 will defer to take effect until 1 January 2023, there continues to be a number of challenges in recognition of the scale and IT complexities involved that Insurers are facing as follows:

1. Competing resource requirements in the market: Insurers are competing to secure the services of subject matter experts to backfill resourcing requirements, primarily due to a shortage of IT Specialists (e.g. Software Engineers and IT Developers) available to support on IT testing activities and post go-live. This has stalled some momentum on programme milestones and Insurers are now making up for lost time.
2. Interim solutions to address unresolved IT dependencies: Insurers have been facing various degrees of IT challenges in order to implement the IFRS 17 solution into their existing IT infrastructures (e.g. IT legacy issues and data quality). There has been many sprints to build, develop, test and resolve issues over the course of the implementation phase, and IT have rarely fallen short of problems to address. However, where consistent delays have been experienced in relation to IT matters, this undoubtedly has put pressure on the programme’s overall progress, resulting in contingency planning and alternate workaround solutions at a higher cost to help prevent the risk of non-compliance with IFRS 17.
3. Revised disclosure plans: Insurers that are not able to meet the 1 January 2023 timeline have revisited their plans to meet revised disclosure timelines. The extension of time (e.g. even if it is a delay by one quarter) has led to a significant increase in investment and funding requirements to cover operating and capital expenditure in order to comply with IFRS 17.

As the need to address Environmental, Social and Governance (ESG) issues continues to evolve at increasing speed, it is essential that organisations have a comprehensive understanding of the ESG risks most material to their operations. Understanding and reporting on the issues important to consumers, investors and the wider society demonstrates commitment to contributing to a more positive, fair and sustainable environment. Whilst most organisations have begun their ESG journey with a focus on Climate Change, wider ESG issues such as Diversity and Inclusion (D&I), labour practices and human rights compliance are climbing up the agenda in Board rooms across the industry. However, the challenge remains of how to assess these risks and what exactly to disclose. Internal Audit can play a critical role by providing necessary challenge of ESG risk assessment design and methodology, as well as testing the design of the ESG disclosure framework, thus helping to improve investor and stakeholder transparency. ESG will be a key industry topic for many years to come and early engagement and commitment across an organisation will help shape the frameworks put in place to address the evolving and complex issues.

• Taskforce on Nature-related Disclosures (TNFD): The Taskforce on Nature-related Financial Disclosures (TNFD) was established in 2021 in response to the growing appreciation of the need to factor nature into financial and business decisions. The TNFD aim is to compliment the growth of the Task Force on Climate-related Financial Disclosures (TCFD) and this year, the TNFD has expanded its beta framework for nature risk management and disclosure, including the Taskforce’s approach and specific sector guidance. Ongoing market feedback will support the further design and development of the TNFD recommendations due in September 2023. ​
• UK Climate Stress Test: The Bank of England published in May 2022, the results of the Biennial Exploratory Scenario (BES) exercise on financial risks from climate change. Scenario analysis is a critical element of the ESG risk management framework and should be of interest to all banks, not just those that participated in the exercise. The results show that whilst the projected climate-related losses do not appear to threaten the solvency of banks, the size of losses may be underestimated. Furthermore, banks still have work to do with securing a better understanding of customers’ and counterparties’ climate transition plans (‘climate KYC’).​
• Taskforce on Climate-related Disclosures (TCFD): As of 6th April 2022, TCFD based reporting will be mandated for more than 1,300 of the largest UK-registered companies and financial institutions. These include many of the UK’s largest traded companies, banks and insurers, with large private companies also caught by the new rules. Companies will be required to go through a formal process of identifying and then disclosing details of material risks and opportunities arising from climate change under differing future climate scenario. ​
• International Sustainability Standards Board (ISSB): The ISSB released its exposure drafts on 31 March 2022 with comments to be received by 29 July 2022. The draft standards set out the requirements for disclosures over climate and general ESG reporting. It is expected to be adopted under UK law by 2024 or 2025. The exposure drafts set out the need for  sustainability reporting to be connected to and complement the financial statements. ​
• Greenwashing: As concerns over misleading environmental information continues to rise, the FCA has stated there is a “clear rationale” for stricter regulation for ESG data and ratings providers, to help ensure they are accounting for the full impacts of the businesses they assess.​
• Green-bleaching: As disclosure requirements continue to multiply, a new concept called ‘Green-bleaching’ is emerging. This term refers to instances where organisations invest in sustainable activities but refrain from making claims about this, to avoid the data reporting requirements and the scrutiny arising from disclosure obligations.​
• Conference of the Parties (COP) 27: While COP26 saw many new commitments promised, COP27, scheduled for November 2022, will aim to assess the progress in reaching these goals. COP27 president commented that the event will focus on implementation of pledges made through identification and application of practical policies and practices, including climate finance and mitigation strategies.​

The proposals in the Department for Business, Energy and Industrial Strategy’s (BEIS) Consultation Paper, ‘Restoring Trust in Audit and Corporate Governance’, represent the biggest shake-up of the UK’s corporate governance and audit framework in years. Whilst there are elements in the proposal that will be implemented through changes to the Corporate Governance Code rather than by legislation following the government’s Draft Audit Reform Bill and response in May 2022, the definition of Public Interest Entities (PIEs) has been expanded capturing a larger number of companies. Also the scale of the reforms is such that firms will need to establish change management programmes to comply with the proposed changes. The proposed requirement to strengthen internal controls by requiring Directors to attest to the effectiveness of their company’s internal controls will be delivered through the Corporate Governance Code and will therefore only apply to premium listed firms. Internal Audit has a role to play in providing assurance to the Board in respect of their organisation’s governance, risk and controls as well as programme assurance in respect of their firm’s compliance projects.

The proposals, as set out in the BEIS Consultation Paper and captured in the Draft Audit Reform Bill, Government’s Response paper and the Financial Reporting Council’s (FRC) subject position paper in July 2022, include numerous changes. These changes include the establishment of the Audit, Reporting and Governance Authority (ARGA) to enforce PIE Directors’ duties relating to corporate reporting and audit, and new measures to open the audit market. The following additional aspects are important for Internal Audit functions to be aware of to effectively support their organisations with initial and ongoing compliance in respect of the proposed reforms.

• Definition of PIE: Although to a lesser extent than set out in the Consultation Paper, the definition of PIE will be widened beyond premium listed companies to include large private companies, AIM listed companies and LLPs with 750 or more employees and at least a £750m annual turnover.
• Strong Internal Company Controls: Directors will be required to provide an explicit statement about the effectiveness of their company’s internal controls and the basis for that assessment. This aspect of the proposals will be delivered through the Corporate Governance Code which makes it optional on a “comply or explain” basis and not by legislation. Also, the provisions will only apply to premium listed firms.
• The Resilience Statement: All PIEs will be required by law to publish an annual Resilience Statement which sets out the company’s approach to managing risk and matters that they consider a material challenge to resilience over the short, medium and long term, together with an explanation as to how they have arrived at this judgement.
• The Audit and Assurance Policy (AAP): PIEs will be required to publish an AAP which sets out their approach to assuring the quality of the information reported to shareholders beyond that contained in the financial statements. This should cover a three-year period and include, inter alia (i) how companies have taken account of shareholders’ views in the development of their AAP; (ii) how companies intend to seek independent external assurance over any part of the Resilience Statement or over reporting on their internal control frameworks; and (iii) a description of the internal auditing and assurance process.
• Malus and Clawback: There will be new transparency requirements within the Corporate Governance Code about the malus and clawback arrangements that companies have in place.
• Directors’ Obligations in Relation to Fraud: Boards would be expected to report on actions they have taken to prevent and detect fraud.