August has been a relatively quiet month for pensions but there have still been a handful of developments.
Pensions developments included confirmation that company directors will have to verify their identity as of 18 November 2025, TPR’s thoughts on systemic risk, confirmation from the PPF that it is suspending levy invoicing, PASA guidance on member data protection and a joint update on FCF compensation for pension scam victims. We also provide a few pointers on the new Data (Use and Access) Act 2025 which, as data controllers, trustees will wish to familiarise themselves with.
Legislation, consultations, statutory reviews and enquiries
ECCTA 2023 identity verification requirements go live from 18 November 2025
Companies House has confirmed that the compulsory requirement for company directors and people with significant control of a company (PSCs) to verify their identity under the Economic Crime and Corporate Transparency Act 2023 (the ECCTA) will come into effect as of 18 November 2025. From this date:
- new directors and PSCs will have to verify their identity to incorporate a company or be appointed to an existing company;
- existing directors will have to confirm they have verified their identity when they file their next annual confirmation statement; and
- existing PSCs must verify their identity in accordance with an appointed day depending upon whether they are a PSC only or a PSC and a company director.
The identity verification process for limited partnerships, corporate company directors, corporate members of limited liability partnerships and corporate PSC officers will begin at a later stage.
Verified directors and PSCs receive a Companies House personal code which they will need to provide when registering a new company or submitting a confirmation statement.
Existing company directors and PSCs have been able to voluntarily verify their identity since 8 April 2025.
Acting as a director without being verified following the applicable commencement date will be an offence under the ECCTA.
Companies House updated identity verification guidance can be found here.
Pension implications: The requirement to verify relevant individuals’ identity (and other changes made by the ECCTA such as the requirement for corporate directors to be natural persons) impacts scheme employers and corporate trustees and they will need to ensure that the requirements are complied with. See our ECCTA 2023 hub for further information about the ECCTA.
Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 which received Royal Assent on 19 June 2025 makes widespread changes to data use and access. Amongst the changes introduced are the following.
- New Information Commission: A new Information Commission will replace the existing Information Commissioner’s Office to make it more like other regulators. It is to be given extended powers including in respect of document production and compelling attendance at interviews.
- Recognised legitimate interests: The introduction of new lawful grounds for processing data – recognised legitimate interests that includes safeguarding national security, protecting public security or defence, emergency responses, preventing crime and safeguarding a vulnerable person. It is the latter that will be particularly relevant for pension schemes.
- Data subject access requests (DSAR): Confirmation that the requirement to search for information in response to a DSAR does not need to extend beyond a reasonable and proportionate search. There is also an ability to pause the response time to a request if more information is reasonably required.
- Complaints: There is a new right for data subjects to complain to data controllers if they believe that there has been an infringement of their rights under the UK General Data Protection Regulation or the Data Protection Act 2018. Complaints must be acknowledged within 30 days and an outcome provided without undue delay.
- Special category personal data: Receives additional protection under data protection legislation because it is sensitive (e.g. health data). The Secretary of State has the power to add more types of special category data to the UK GDPR.
- International data transfers: International data transfers will still need to comply with the UK GDPR (through an adequacy regulation, appropriate safeguards or reliance on a statutory derogation for a specific situation). However, a new test is being introduced which will determine whether the standard of protection is “not materially lower” than that provided under the UK GDPR and the Data Protection Act 2018.
The Pensions Regulator (TPR)
TPR blog on why managing systemic risks is central to trusteeship
TPR’s 31 July 2025 Blog explains why managing systemic risk (including climate change and nature loss) is central to trusteeship.
Financially material systemic risks must be understood by trustees and managed as part of scheme governance and investment decision-making. Trustees are expected to challenge advisers and asset managers, and to ensure their schemes are resilient to systemic risks. TPR also ‘encourages’ trustees to use the Taskforce on Nature-related Financial Disclosures (TNFD) for identifying and managing nature-related risks such as deforestation, water scarcity, and biodiversity loss.
TPR has joined the UN Global Compact to provide access to global best practice and tools, enhanced its ESG Trustee Toolkit guidance, put its ESG and climate materials in one area on its website, and will carry on sharing emerging good practice.
A key development on ESG is the Government’s June 2025 consultation on mandatory transition plans for financial institutions, including pension schemes. TPR asks trustees to get involved with the consultation and is setting up an industry working group on the topic.
Key questions TPR expects trustees to ask:
- Are systemic risks being treated as core financial risk
- Is the scheme’s investment strategy sufficiently resilient?
- Are we using the right materials to stay ahead?
Key action points:
- Engage with the transition plan consultation.
- Consider the TNFD framework.
- Review governance structures and advice to ensure ESG risks are effectively managed.
- Use TPR’s Trustee Toolkit to develop ESG capability.
The TNFD launched a discussion paper for financial institutions in August 2025 which considers practical difficulties faced in dealing with nature-related dependencies and impacts at portfolio level. It includes consultation questions and invites feedback until 3 November 2025.
The Pension Protection Fund (PPF)
PPF 2025/26 levy invoicing put on hold pending final decision in the Autumn
On 31 July 2025, the PPF confirmed that it has put the 2025/26 PPF levy invoices on hold following the levy calculation easements that have been included in the Pension Schemes Bill 2025 which will allow the PPF to calculate a zero levy.
The PPF will make a final decision on the levy in Autumn following further parliamentary debate on the Bill (which will allow it to see how the Bill is progressing).
Other updates
PASA 4 August 2025 data guidance on protecting member data
The Pensions Administration Standards Association (PASA) has released guidance on essential steps for trustees and pension providers to protect member data. Key protective steps include:
- implement data access controls, advanced encryption and multi-factor authentication;
- include user training for administrator staff and trustees and refresh annually;
- carry out regular security reviews;
- use secure communication channels;
- have adequate incident response plans;
- trustees should vet and monitor third-party providers; and
- take care with artificial intelligence.
Trustees should liaise with their administrator to confirm that it is adequately protecting member data and consider their own systems. Having adequate internal controls includes having adequate systems for protecting member data and this includes identifying, managing, mitigating and monitoring the associated risks.
Joint announcement confirming that 2,000+ pension scam victims have received £81.5m in FCF compensation
On 19 August 2025, TPR, the PPF, the Fraud Compensation Fund (FCF) and Dalriada Trustees announced that over 2,000 pension scam victims have received a total of £81.5m in compensation from the FCF. Further compensation payments will be made during the remainder of 2025 and in 2026. The FCF is operated by the PPF.
The payments were paid following the High Court’s November 2020 decision in Board of the Pension Protection Fund v Dalriada Trustees Ltd [2020] that members of occupational pension schemes who transferred their benefits to a scam scheme can claim from the FCF under legislation that governs the FCF.
The FCF encourages members to contact the FCF if they believe they may be eligible for FCF compensation.