UK Pensions Briefing | The Pensions Regulator’s developing approach to enforcement of administration breaches

Which areas of scheme administration does the Regulator supervise?

The Pensions Regulator has several objectives under statute, including protecting members' benefits, reducing the risk of compensation claims on the Pension Protection Fund and, in relation to the DB scheme funding regime, minimising adverse impact on the sustainable growth of an employer.

Two further blanket areas in which the Regulator has enforcement powers are:

• Maximising compliance with employers' auto-enrolment duties.
• Promoting and improving the good administration of work-based pension schemes.

These last two objectives affect the vast majority of schemes and this briefing takes a look at some recent Tribunal decisions which cast a light on the Regulator's expectations and applicable enforcement policy in these areas.

What action can the Regulator take?

Usually, a warning letter setting out a timeframe for compliance is the Regulator's initial step following a breach. If further action is needed, the Regulator can require the employer to provide relevant information, ultimately inspecting the employer's premises if the information is not forthcoming.

Another option is for the Regulator to issue a compliance notice detailing the default and directing the employer to take (or refrain from taking) certain steps to remedy the contravention. Where the issue is unpaid auto-enrolment contributions, the Regulator may issue a notice directing the employer to pay and interest may be added at a rate of 4.2 per cent plus the increase in the Retail Prices Index.

For administrative breaches, the Regulator may issue an improvement notice which requires a specific individual or company to take a particular action within a certain time.

If a breach is not remedied, the Regulator may order two levels of penalties:

• A fixed penalty where an employer fails to comply with a compliance or improvement notice. This may provide for a flat-rate penalty of £400.
• An escalating penalty notice will then be applied for more serious or persistent breaches. Escalating penalties vary according to employer size, ranging from £50 a day for employers with one to four workers to £10,000 a day for those with 500 or more workers.

Auto-enrolment duties

Most employers are aware of their legal duty to automatically enrol eligible workers in a pension scheme and pay mandatory minimum contributions. The Regulator, rather than the employment tribunal, has responsibility for ensuring that employers comply with their auto-enrolment obligations. It believes that most employers wish to comply and, where legal breaches are minor, the Regulator will consider whether they are deliberate or not before acting.

• Examples of Regulatory action on auto-enrolment breaches
• Examples of Regulatory action on other administration breaches
• The Regulator's enforcement policies

Examples of Regulatory action on auto-enrolment breaches

Regulator's "disproportionate and oppressive" escalating penalty notice revoked by Tribunal

On June 17, 2024, the First-tier Tribunal allowed an employer's appeal against an escalating penalty notice of £14,000 in Gianni's Glasgow Ltd v Pensions Regulator. Unpaid contributions had arisen when the employer changed accountants. He had been unaware of the issue until the Regulator sent an email to his personal email address 39 days after the penalty started to accrue. Previous correspondence had not been forwarded from the employer's former accountant.

The employer acted promptly to remedy the unpaid contributions as soon as he became aware of the issue. The Regulator initially rejected the employer's first request for a review of the notice since it was out of time. A second review request was accepted, but the Regulator confirmed the escalating penalty notice.

The Tribunal decided that at the time of the review, the Regulator should have considered the employer's representations and then decided whether to confirm, vary or revoke the notice. The Regulator should have taken into account the remedial action the employer had taken.

A proper consideration of the circumstances of the breach, including the lack of intent, the failure of the Regulator to use other available means of communication, and the absence of harm to employees meant that the impact of the escalating penalty notice was "wholly disproportionate and oppressive". The Tribunal was also concerned that the penalty was disproportionate since it was of the same magnitude as the employer's annual contributions to employees' pensions. The Tribunal revoked the notice concluding that it was not fair, proportionate, or reasonable.

Sufficient time must be given to implement employer's reasonable resolution for unpaid contributions

Again in 2024, the Tribunal in Cambridge Rare Books Ltd v Pensions Regulator allowed a reference by an employer against an escalating penalty for failure to comply with an unpaid contributions notice.

The escalating penalty notice was issued on November 27, 2023, with a compliance deadline of December 24, 2023, to comply, after which the penalty would accrue at a daily rate of £500. The employer asked the Regulator to review the penalty on December 21, 2023, arguing that its director had been very unwell during the relevant period. To remedy the unpaid contributions, the employer offered to pay one month's unpaid contributions each month going forward.

The Regulator completed its review on January 2, 2024, and decided to allow the employer to comply with the notice by February 4, 2024. The unpaid contributions were not paid by this date and the escalating penalty started to accrue. The employer remitted the matter to the Tribunal arguing that the Regulator had given it insufficient time to resolve the unpaid contributions.

The Tribunal allowed the employer's reference on the basis that the Regulator had been unreasonable and disproportionate to vary the date of compliance only to February 4, 2024. The Tribunal's view was that the purpose of an escalating penalty was partly to provide an incentive for the employer to comply. The employer had already acknowledged its default and had resolved to pay off a certain amount each month, and it was not reasonable or proportionate for the Regulator to set a date for compliance that did not allow time for that action to be taken.

The Tribunal varied the notice to extend the compliance date to August 9, 2024. This allowed the employer a period of four months in which to comply, the same period over which the unpaid contributions arose.

Dismissal of employers' appeals where fixed penalty notices sent to correct addresses

In three cases based on similar facts in 2022, the Tribunal dismissed employers' appeals against fixed penalties issued for failure to submit to the Regulator declarations and re-declarations of compliance with auto-enrolment duties.

In all three cases, each of the employers claimed that they had not received correspondence from the Regulator reminding them of their compliance duties, although this had been sent to the employers' registered offices. The penalty notices (which the employers had received) were also sent to the same addresses.

The Tribunal concluded that there was no reasonable excuse for non-compliance. Although the compliance notices had been served during the pandemic, the Tribunal held that neither the pandemic nor successive lockdowns provided a reasonable excuse for failure to comply since they were served at a time when businesses were trading and had been sent to the employer's registered address in each case.

Employer's financial difficulties did not justify missing auto-enrolment contributions

In 2022, the Tribunal dismissed an employer's reference against an escalating penalty notice for failing to comply with an unpaid contributions notice relating to the period from December 2020 to April 2021.

The employer argued that their hospitality business had been closed due to lockdown until July 19, 2021, and all staff were furloughed. In addition, it did not have sufficient income to meet its bills. From August 1, 2020, employers were required to pay pension contributions for furloughed employees and the employer's unpaid contributions fell during this period. The employer said that it had taken a pragmatic approach to arrears, paying first those that would damage the business or result in redundancies.

The Tribunal determined this was no reasonable excuse for failing to comply. Whilst acknowledging that the pandemic had caused considerable disruption to business, the Tribunal held that employers' auto-enrolment duties continued throughout this period. Financial difficulties did not allow employers to stop or delay making pension contributions to prioritise other areas of the business, even during difficult times. Pension contributions were not an optional duty that could be ignored during times of financial difficulty.

Examples of Regulatory action on other administration breaches

Trustee's appeal dismissed against imposition of a penalty notice for failure to prepare chair's statement.

There is a legal requirement for trustees of DC schemes to prepare an annual governance statement, signed by the chair of trustees, within seven months of the end of each scheme year. This is referred to as the "chair's statement". In Caldwell (Trustee of the Smith & Wallace & Co 1988 Pension Plan) v Pensions Regulator [2024] the Tribunal dismissed an appeal by a trustee of a DC scheme against the imposition of a Regulator's penalty notice for failing to prepare a chair's statement.

The Regulator submitted that it had no option but to issue a penalty notice in relation to a failure since the use of the word "must" in the relevant legislation allowed no discretion, no matter how compelling the circumstances.

The Tribunal did not accept that the "mere use of mandatory language … excludes from consideration any explanation offered for the breach, however compelling". It considered that Parliament's intention was that a penalty should ordinarily follow a breach, but that the Regulator would be precluded from penalising trustees where "wholly exceptional circumstances fully explained and excused their non-compliance and imposition of a penalty would be manifestly unjust".

However, the Tribunal accepted that in this case the trustee had failed to present valid mitigating circumstances and therefore the Regulator was obliged to impose the penalty notice. There was also no basis on which the Regulator could properly have revoked the penalty notice under appeal.

Comment

The Tribunal had "considerable sympathy" for the trustee as it seemed the Regulator had no explanation for "what appear[d] to be a deliberate policy" not to draw the chair's statement requirements to trustees' attention. The judge found this "puzzling", given the lengths to which the Regulator has gone to draw attention to other duties, such as those relating to auto-enrolment.

This decision is interesting as there have been a large number of penalty notices issued for failure to prepare a chair's statement. The Regulator's latest compliance and enforcement bulletin shows that a total of 965 "mandatory penalty notices" have been issued in the period to December 2023.

The Regulator's current stance on schemes' cyber security

On December 11, 2023, the Regulator revised its April 2018 guidanceon cyber security principles for pension schemes. The revised guidance sets out practical steps schemes can take to meet the Regulator's expectations on cyber security, which are included in the Regulator's draft General Code of Practice which is not yet in force.

The revised guidance includes a new section asking schemes, advisers and providers to report "significant" cyber incidents to the Regulator on a voluntary basis. Significant cyber incidents are those likely to result in a significant loss of member data, major disruption to member services, or a negative impact on other pension schemes or service providers. Significant cyber incidents should be reported as soon as reasonably practicable: schemes do not need to conduct a full incident investigation before reporting.

The Regulator emphasises that this reporting requirement does not replace existing legal requirements to report cyber incidents to the Information Commissioner's Office, or to report breaches of pensions law likely to be of material significance to the Regulator. In certain circumstances, schemes may also be required to report significant cyber incidents to the National Cyber Security Centre.

The Regulator's enforcement policies

The above cases show that where an employer can show mitigating circumstances and a willingness to comply with their administrative duties, they may succeed in having a Regulator's penalty notice revoked. The Tribunal has given short shrift though to employers who are simply intent on following a path of non-compliance. Their penalties will be upheld and enforced.

Following a 2022 consultation, the Regulator published its consolidated enforcement policyand updated prosecution policy, together with its consultation response.

The new enforcement policy consolidates three previous compliance and enforcement policies for defined benefit, money purchase and public service pension schemes. The new policy also sets out how the Regulator intends to exercise new powers introduced by the Pension Schemes Act 2021, and has been updated to include the Regulator's new criminal powers introduced under that Act.

Alongside the revised policies, the Regulator has published an enforcement strategyproviding an overview of its enforcement approach in all areas of its work except auto-enrolment which is publishedseparately.

The Regulator states that, while the new strategy and policies are not a fundamental change in its approach, they give a clearer understanding of the enforcement journey and factors it will take into account throughout the life of a case.

It acknowledges that its enforcement work is constantly evolving more cases are taken on and new powers are tested. It intends to be transparent in the outcome of cases through its publications and will revisit the strategy and policies any changes in approach are needed.