PASA, PRAG, and Pension Scams...
15th July, 2021
The existence and resulting impact of pension fraud have rightly been (and indeed remain) a hot topic. It is likely not a coincidence that the cost of fraud more generally has risen by over 50% since 2007, thereby coinciding with the 2007 – 2008 financial crisis. Many live in equally precarious positions due to the pandemic and so remain vulnerable to scams.
Dalriada’s team, dedicated to the management of Regulator-appointed pension schemes, witness every day the impact that scams have on the victims who, at worst, are at risk of losing their entire pension savings. This is a devastating outcome. The question for us, whether as trustees or administrators, is: what can and should we be doing to prevent these?
Only weeks ago, the Pensions Research Accountants Group (PRAG) released fraud guidance aimed at pension scheme trustees, closely followed by similar guidance from the Pensions Administration Standards Association (PASA) aimed at pension scheme administrators. Whilst the guidance goes some way to set out the types of questions those of us in the industry should be asking ourselves (including identifying and remedying any weaknesses in our processes), it should not be surprising that of particular interest are the trustee duties in relation to combatting pension scams. These sit alongside the prospective new powers in draft regulations for trustees to stop some transfers from going ahead. Those powers would apply where we reasonably hold suspicions that the receiving scheme is a scam, and may even arise against a backdrop of express pressure from the member themselves, using what would normally be their statutory right to transfer. We see time and time again cases of members who, with the benefit of hindsight, argued vehemently against their own interests.
That is not to detract from the fact that these are people who should be considered genuine victims. Members often transfer their existing pension benefits to scams on the advice of unregulated introducers or advisors. Is every Joe Bloggs necessarily aware of the FCA register? Are there not some who would put their trust in someone who is on one hand very convincing and, on the other, ostensibly very professional?
The reality is that scam victims will have a better and more personal relationship with those trying to defraud them than with their own pension companies. Members will often be prepped to expect some push back from their existing schemes, amid accusations that we are somehow working erroneously and in breach of their statutory right to transfer. We can combat this by not shying away from picking up the phone to members. Indeed, TPR has recently urged the pension industry to pledge to combat pension scams, including by encouraging at least one telephone call with a member when initial analysis has raised concerns.
It is clearly also important that we are able to effectively detect suspicious schemes in the first place. It is helpful if trustees already work closely with their appointed administrators in understanding and continually updating internal due diligence processes, in line with industry standards and developing cases that throw up additional warning signs. The nature of scammers is that they will adapt, and we should too.
Consider also what is publicly available on our websites, and what can be used to steal the identity of trustees. For example, the requirement to put a document on a public website could be met without including a physical signature. Despite having had such a policy already in place, Dalriada recently combatted a live scam in which members received a letter purportedly from (but not from) their scheme trustee.
Consider also the security of members’ own data. Scam victims are often cold-called in the first instance – where did their data come from originally to enable that to happen? Dalriada regularly assesses and seeks to improve its data and cyber security processes to minimise any risks, but we should be alive in particular to the security of members’ data.
Nor should we shy away from reporting any breaches in information or data security, including more generally any suspicious conduct, to the relevant regulatory bodies.