Maggie Williams reports on the growing risks schemes face from fraudsters
“Poor pension scheme governance is not a victimless crime.” That was the view of Mark Boyle, chair of the Pensions Regulator, speaking at the PLSA’s Trustee Conference last December.
Boyle may have been talking in broad terms about scheme governance, but the risk of literal financial crime with very genuine victims should be moving further up trustees’ and schemes’ agendas.
Cyber fraud and the need for security processes to protect against it is increasing across the whole of the financial services industry. The Wealth Management Association’s (WMA) 2016 report on risks to its members saw cyber issues increase in relevance from 56% in 2015 to 71% in 2016. It is now perceived as the second-highest risk to wealth management firms.
Risk specialist Kroll’s annual global fraud and risk report shows similar concerns. It found that 89% of financial service firms have experienced fraud in some form over the past year, with theft of physical assets the most commonly reported (39%). The same number (89%) also said they had experienced a cyber incident in the last year, with data deletion, phishing attacks and viruses the most frequent issues.
Pension schemes are not immune from cyber threats. Trustees and their administrators are responsible for the data of scheme members, and that includes ensuring that it remains safe. However, RSM’s recent Pensions Fraud Report found that 60% of trustees said fraud was not a significant threat to their scheme and 25% did not recognise that they were responsible for systems to prevent and detect fraud.
Ian Bell, head of pensions at RSM, said that boards should be taking fraud and risk more seriously. “Generally speaking, there needs to be a much greater recognition of the scale of the fraud problem, and a much greater urgency and will to tackle it,” he said.
“Trustees must also be alert to new and emerging threats and ensure there is a robust fraud risk policy in place with appropriate control measures.”
Payment of benefits to relatives of deceased pensioners was the most common type of fraud according to RSM’s report. Over a third of schemes also reported liberation fraud as a concern – but under current legislation, trustees are unable to block transfer requests, even if they suspect they are fraudulent. The government’s consultation on pension scams, due to close on 13th February, examines whether trustees should be given greater capacity to block pension transfers.
Related legislation, in the form of the General Data Protection Regulations (GDPR), is due to come into force in May 2018, and all schemes will need to be compliant. The new rules include additional requirements for data security and more stringent standards for reporting data breaches. There are also new obligations around working with third parties who may have access to scheme data, which also apply to trustees.
Ensuring that the risks of financial crime – and in particular cyber threats – are recognised and managed is about building a culture of risk awareness as much as having policies in place. But research by consultants Huntswood showed that 18% of wealth and asset managers and 20% of insurance and pension providers felt that their board did not understand the risks associated with financial crime.
The stakes are high for protection of member data. Fraud prevention, data quality and protection, and awareness of cyber risks cannot simply be another tick-box exercise or a ‘you are doing it, aren’t you?’ question to the scheme administrator. Making it a part of everyday scheme best practice is vital if the pensions industry is to minimise high-profile and hugely damaging fraud attacks.