The Pensions Regulator has significantly increased the intensity and sophistication of its supervisory activity following the Pensions Act 2021. The General Code of Practice, in force from March 2024, consolidated ten previous codes into a single framework covering governance, funding, investment, administration, and member communications. The Code establishes expectations that are specific, measurable, and enforceable — not aspirational principles but governance standards against which scheme practice can be objectively assessed.

Trustees who cannot demonstrate compliance with the Code are not in a position of minor administrative non-compliance. They are exposed to enforcement powers that include improvement notices, third-party management of scheme assets, and fines for which the Pensions Act removed the previous cap. The Regulator has demonstrated willingness to use these powers in cases where trustee governance falls short of the standards it expects. The governance gap that used to produce a regulatory letter now produces something more consequential.

Where the regulatory risk concentrates

The Pensions Regulator’s supervisory model is data-driven. The Regulator analyses the scheme return data that all schemes must file, event reports that trigger when specific governance events occur, and market intelligence from advisers, administrators, and third parties who report concerns. This analysis produces a risk score for each scheme that determines the intensity of supervisory attention it receives. Schemes flagged as higher risk receive proactive supervisory contact. Schemes that are not flagged do not.

The implication is that schemes whose compliance gaps generate data signals — late filings, event reports that suggest governance weakness, adviser notifications of concerns — are more likely to receive supervisory contact than schemes whose compliance gaps are invisible to the Regulator’s data analysis. That is not the same as being more compliant. It is being more visible. A scheme that has significant governance gaps but generates no regulatory data signals may go unsupervised while a scheme with minor compliance issues that are fully visible attracts disproportionate attention.

Systematic regulatory risk monitoring reverses this dynamic. A scheme that assesses its own compliance against The Pensions Regulator’s current supervisory priorities, identifies gaps before the Regulator does, and takes documented remediation action is presenting itself as a well-governed scheme rather than waiting for the Regulator to form a view from the scheme’s data signals.

The General Code governance requirements

The General Code requires all schemes above a defined size threshold to establish and maintain an effective system of governance. The system must cover internal controls, risk management, own risk assessment, conflicts of interest, and fit and proper requirements for trustees. Each of these has specific evidencing requirements: not just that governance processes exist, but that they are documented, reviewed, and effective.

Own risk assessment — the formal requirement for trustees to assess the risks facing the scheme and the adequacy of the controls in place to manage them — is a new obligation under the Code that requires systematic risk identification and documentation rather than the informal risk awareness that constituted adequate governance practice previously. A trustee board that cannot produce an evidenced own risk assessment when the Regulator requests it has a compliance gap regardless of whether its actual governance practice is sound.

The technology dimension

Systematic regulatory compliance monitoring requires tracking scheme governance practices against a continuously updated model of The Pensions Regulator’s current expectations and enforcement priorities. For administrators and scheme secretaries managing governance documentation on administration systems built on IBM Z, deploying compliance monitoring models via IBM Machine Learning for z/OS enables automated cross-referencing of scheme practices against the General Code requirements, with identification of gaps and prioritised remediation recommendations available through the governance reporting workflow.

What success looks like

The primary metrics are regulatory compliance rate against the General Code, own risk assessment completeness, filing timeliness rate, and regulatory engagement outcome — specifically whether supervisory contact, when it occurs, results in a positive engagement rather than an enforcement outcome. Schemes that proactively self-identify and remediate compliance gaps before supervisory contact report materially better regulatory engagement outcomes than those that present compliance gaps to the Regulator for the first time during supervisory review.