Three years on from pension freedoms, pension scheme trustees are becoming more alert to fraud risks but are still too complacent when it comes to prevention, particularly in relation to ‘old school’ frauds rather than cybercrime, according to research from RSM.
The firm’s annual survey of trustees representing 124 pension schemes found that over half (52%) recognised that fraud presented a significant threat to their scheme, up from 41% last year. The findings indicated 16% had experienced a fraud in the past two years.
Fraud has shot up the agenda with 85% of schemes now including fraud on their risk registers, up from just over a third last year. Almost two thirds of trustees (64%) reported that they had received fraud risk training within the last year, up from just one in five (22%) last year. Despite this improvement, 18% of trustees still did not recognise that they were responsible for the systems of fraud detection and prevention.
RSM says that although trustees are becoming more aware of fraud risks, this is not necessarily being translated into action. One third (33%) of pension schemes have not tested their anti-fraud control in the last 12 months, despite the Pensions Regulator expecting schemes to test internal controls at least annually.
The findings also highlight a marked gap between perceived areas of vulnerability and experience on the ground. Most respondents thought cybercrime and IT breaches pose the greatest threat of fraud to their scheme. However, perennial risks, such as pensioner existence fraud – whereby fraudsters continue to draw the benefits of deceased members – and pensions liberation scams are still the most commonly detected frauds.
Of those that had experienced fraud in the past year, 39% said this was down to pensioner existence fraud, but only 32% had asked scheme administrators to amend or enhance pensioner checks. In addition, 35% had experienced fraud due to transfer or liberation scams, yet 64% had not reviewed or enhanced their transfer processes and policy.
Although 89% of respondents stated that cybercrime presents a significant threat to the industry, less than half (48%) had received formal cyber risk training in the last year, with many schemes failing to review security measures to prevent and mitigate any such attacks.
These security measures include claimant identity testing undertaken by the scheme administrator. This was reviewed by only 21% of respondents while only 20% had a 24-hour cyber incident response plan in place.
RSM’s survey also suggests that many schemes are struggling to get ready for the new General Data Protection Regulation (GDPR) which comes into force in May, with 13% saying they have yet to take any action to prepare. Key problem areas include reviewing all contracts with data processors, complying with individuals’ rights to personal data deletion and dealing with tightening of consent requirements.
Ian Bell, head of pensions at audit, tax and consulting firm RSM, said: ‘While our survey shows an increasing awareness of the fraud risks facing pensions schemes, it also points to a persistent level of complacency among some trustees.
‘What’s particularly interesting is the mismatch between perceived fraud risk and actual fraudulent activity. Schemes must do much more to uncover “old school” frauds such as relatives continuing to claim payments after a member’s death or tackling suspicious pensions transfer requests, while at the same time staying alert to new and evolving threats such as cybercrime.
‘The fact is that pensions schemes hold a goldmine of personal and financial data so trustees must ensure that they are taking their data protection obligations seriously, particularly with the imminent GDPR rules. Failure to comply might lead to reputational as well as financial risk for those who fall foul.’
Report by Pat Sweet