Lots of great work has gone into building and developing the eagerly awaited Pensions Dashboard Programme (PDP). So many people in the industry are viewing this as a potential game changer in terms of people finally engaging with their pension and starting to take retirement planning seriously.
However, as we get closer to the roll-out of the PDP, security and, in particular, how individuals provide proof of identity, is a hurdle that must be successfully overcome. Wouldn’t it be a shame if the Dashboard were to be shunned by people who were resistant to using it through fears over information security? Or, if providers and trustees had concerns over sharing their data due to the way in which it was proposed that it be accessed?
GPG45 is the preferred method
Government has already stated that, to have a sufficient level of trust in the service, it expects a standard level of identity assurance for all users (individuals and their delegates) that satisfies Good Practice Guide 45 (GPG45), ‘Identity Proofing and Verification of an Individual’, the UK Government’s identity standard now maintained by the Government Digital Service. In a market engagement exercise, 90% of respondents confirmed they could provide identity assurance in line with GPG45, and 71% agreed that the GPG45 medium level of confidence for identity proofing was the correct approach for the PDP.
The Pensions Administration Standards Association (PASA) has made its views on this quite clear. While it concurs with Government on the need for an appropriate identity standard, it argues strongly against the idea of a central digital identity, which it fears will create a “…single point of failure, a single point of attack, limited capacity and a commercial monopoly that will not enable the open market required to sustain the pensions dashboard ecosystem into the future”. PASA’s alternative is the use of reusable identities, verified once by a Pension Dashboard Provider and then relied upon across the ecosystem, which it believes would ease the identity verification workload for the user and the ecosystem as a whole.
PASA is working on the assumption that Providers will register the consent and authorisation (C&A) of members on the C&A server, which will be under the strict governance and responsibility of the Money & Pensions Service (MaPS). This would then ease the transition of C&A when a user switches their Provider.
Medium not deemed enough
PASA also has quite clear views on the level of verification required. It agrees that a medium level of confidence is workable and in line with what people go through when using the “check your state pension” facility, and also what many of us went through in the early stages of the pandemic when we were having to prove our identity online more often. However, PASA is clear that medium should only apply when the Dashboard is providing information. As the Dashboard moves to the next level, and users are able to transact and move funds, a higher level of confidence will be required, and indeed expected by users. Proving that an identity exists is not the same as proving that the person in front of the screen owns it, so it is important that verification checks confirm the identity belongs to the person claiming it. Security should therefore follow GPG45’s guidance and use dynamic knowledge-based questions, generated from the individual’s own records at the time of the check, rather than fixed questions whose answers can be guessed or found in public or previously breached data.
It is very clear, says PASA, that the approach to identity standards should begin with existing standards and regulation. Why reinvent the wheel? Nothing new is required beyond whatever is genuinely specific to the Dashboard, and even that should be kept to a minimum. PASA states that companies already involved with, or looking to join, the PDP will already have these identity checks and standards in place. The PDP should not be creating another cross-industry approach where one already exists that fits the bill.
Let’s avoid another scam opportunity
This matter will also be of particular interest to pension scheme trustees. As data controllers, they will want to know who takes responsibility where a data breach occurs as a direct result of a dashboard data exchange in which the identity has already passed the central security check. A medium level of confidence reduces, but does not eliminate, the risk that a claimed identity is false; the checks are not a guarantee. So, if secondary dashboard legislation compels data controllers to provide data to Dashboard Providers, but a controller does not consider GPG45 medium level of confidence safe enough and refuses, where does this lead us? Which regulation will prevail - compulsion or GDPR/DPA 2018?
Estimates suggest that two thirds of people now hold multiple pensions, so they should benefit from accessing the Dashboard. It is, therefore, key that the identity checks that are taken forward are suitably robust and provide trustees and providers with the appropriate degree of comfort. This applies both to the initial identity proofing and to the subsequent authorisation that members are required to undergo on each use.
Biometric tools will undoubtedly help as they become more prevalent and people get familiar with using them. In the meantime, however, it is incumbent on all of us in the pensions industry to set the bar sufficiently high, building dashboards that are safe for consumers and that give consumers, trustees and providers well-founded confidence in their security. We must, at all costs, avoid building an industry tool for scammers. That’s the last thing we need…