Guidance

Pension schemes newsletter 88 - June 2017

Published 30 June 2017

1. Contacting Pension Schemes Services

In Pension Schemes Newsletter 86 it was explained that the Pension Schemes Services postal address has changed. This is to remind you that if you need to write to us, you should write to:

Pension Schemes Services
HM Revenue and Customs
BX9 1GH
United Kingdom

2. Relief at source for Scottish Income Tax

a. Residency tax status look up service for pension scheme administrators

As explained in the Pension Schemes Scottish rate of Income Tax Newsletter, HM Revenue and Customs (HMRC) has been working to develop a residency tax status look up service for pension scheme administrators that’ll be available via an application programming interface (API) or through GOV.UK.

We said we’d let you know when the API technical information on the look up service is available. The draft technical information is now available. However, feedback from customers shows that publishing it without access to a test site can be confusing. So we’ve developed an external test environment that has all the technical information you’ll need to be able to develop and test APIs for the residency tax status look-up service.

We would like to offer you the opportunity to have early access to the test environment and the draft API technical information so that you can conduct some user testing and give us feedback on the test environment and products. This will help us to develop and improve the service before we finalise and publish the technical information in autumn.

At this stage we can only provide access to scheme administrators who provide us with their email address. If you would like access to the external test environment and instructions, please email: pensions.businessdelivery@hmrc.gsi.gov.uk and put ‘Relief at source - access to test service’ in the subject line of your email.

We’ll provide more information for pension scheme administrators on using the look up service via GOV.UK in due course.

b. Amendments to APSS105 and APSS106

Following the introduction of Scottish Income Tax, we are amending forms APSS105 and APSS106 to include information about contributions made by members who pay Scottish Income Tax and the tax relief you are reclaiming on these contributions.

We’ll replace the existing forms in April 2018, but so that you can prepare to use the new forms we’ll publish these in draft. We hope to do this in the summer in a future pension schemes newsletter.

c. Secure Data Exchange Service enrolment

As explained in Pension Schemes Newsletter 87, in January 2018 we’ll tell you the residency tax status of your individual scheme members for the first time using Secure Data Exchange Service (SDES) so that you can apply the correct rate of relief at source to your scheme members in 2018 to 2019. From 2018 onwards we’ll tell you this information in January each year through SDES.

If you’re a pension scheme administrator who doesn’t currently use secure electronic transfer (also known as SET) to submit your annual return of individual information, you must now send us the information we need to enrol you onto SDES.

So that we can enrol you onto SDES you must send us the information in Appendix 1 by email to: pensions.businessdelivery@hmrc.gsi.gov.uk. Please put ‘Relief at source - SDES enrolment details’ in the subject line of your email.

To give us enough time to coordinate your enrolment with our SDES project team, please email us with this information by 31 July 2017.

Our SDES project team will then use this to enrol you for SDES from autumn 2017 and this means you’ll be able to receive the notification of residency tax status of your individual members that we’ll send you using SDES in January 2018.

Once we’ve received and processed your enrolment details we’ll send you a letter containing your unique reference number and known fact to the registered office address provided on your enrolment form. This will enable you to complete enrolment.

You can find more specific information about using SDES in Appendix 2 of this newsletter.

d. Rate applying for the whole year

We’ve received a number of queries about circumstances where members change residency status ‘in year’.

We can confirm that pension scheme administrators must apply a tax rate, rest of UK (rUK) or Scottish rate, for the whole tax year regardless of whether they later find out the member’s status has changed.

If a new member joins your scheme and you’re unable to look up their status before you apply tax relief at source to their first contribution, you must default their status to rUK and maintain this rate for the whole tax year.

If a member’s circumstances change ‘in year’, we’ll collect or repay any shortfall or excess directly to the member through our taxpayer end of year tax reconciliation.

3. Annual return of individual information

In January 2017 HMRC issued notices requiring pension schemes operating relief at source to submit their annual return of individual information (also known as the RPSCOM100(Z)) for tax year 2016 to 2017 to HMRC by 5 July 2017.

If you fail to submit this information by 5 July 2017 any subsequent interim repayments will be held pending receipt of the outstanding information.

If you submit your annual return of individual information but your return fails processing, we’ll still deem this to be outstanding and will stop any subsequent interim repayments pending successful re-submission.

If your submission fails for a third time we’ll stop all future interim repayments to your scheme until a further re-submission is received and is deemed successful.

If you’re a pension scheme administrator operating a relief at source pension scheme but have yet to receive a notice requiring you to submit this information for 2016 to 2017, please email: pensions.businessdelivery@hmrc.gsi.gov.uk and put ‘Relief at source’ in the subject line of your email.

You can find more information about the annual return of individual information and the member information that we need in guide relief at source annual information returns.

4. Pension scheme transfers

a. Requests for confirmation of a receiving scheme’s registration status

In guide Pension administrators: member transfers it’s explained that transferring schemes often ask HMRC to confirm the registration status of the receiving scheme as part of the checks they undertake before making a transfer. We’ve seen an increase in the number of duplicate requests from transferring scheme administrators who initially email this request to us but then follow this up by sending the same request by post.

This is to remind you that if you’re contacting us about the registration status of a receiving scheme, please only send this once either by post or email and don’t send a duplicate request.

b. HMRC’s response to requests for confirmation of a receiving scheme’s registration status

In guide Pensions administrators: member transfers we explain the 2 responses that we give to requests from transferring scheme administrators for confirmation of a receiving scheme’s registration status.

In cases where we’ve issued response 2 we’ve recently received a number of queries questioning the response because a scheme administrator holds evidence that the receiving scheme is registered with HMRC. This is a reminder that the text of the letter issued as response 2 states:

‘HMRC only provide confirmation of registration status when both of the following apply:

  • the receiving scheme is registered with HMRC and is not subject to a deregistration notice, and
  • the information held by HMRC does not indicate a significant risk of the scheme being set up or being used to allow pension liberation

At this time one or both of these conditions does not apply. HMRC is therefore unable to provide the confirmation you have requested.’

You should note that if we issue response 2 this doesn’t necessarily mean that the receiving scheme is not a registered pension scheme and there are other circumstances that mean we can’t confirm the registration status of the receiving scheme.

As you know, HMRC don’t approve transfer requests. The decision whether to agree to a pension transfer lies with the transferring scheme administrator. If you’re a transferring scheme administrator, you should carry out further checks to satisfy yourself whether or not a transfer should be made.

5. APSS262 reporting transfers to qualifying recognised overseas pension schemes

As explained in Pension Schemes Newsletter 86, HMRC has updated the forms relating to overseas pension schemes following the recent changes to the information requirements for pension scheme administrators and overseas scheme managers.

We’re continuing to receive old APSS262 forms from pension scheme administrators reporting overseas transfers. We’ll reject any old APSS262 forms reporting transfers made from 9 March 2017 because they don’t contain the additional information that you’re now required to provide.

We would also remind all pension scheme administrators that if you fail to provide the information required under the new pension tax rules within the relevant timescales, you may be liable to penalties. This includes circumstances where we’ve had to reject a form for any reason and have sent you a request to resubmit.

You can find the latest versions of all our forms online (including the updated APSS262 form) on pension scheme forms.

6. Lifetime allowance

a. Queries from pension scheme members about lifetime allowance

HMRC has seen an increase in the number of phone calls from scheme members who don’t have lifetime allowance protection, asking about their lifetime allowance certificates or lifetime allowance protection notification number. These calls seem to be because scheme members are completing forms from their schemes that refer to lifetime allowance, protection certificates and lifetime allowance protection notification numbers.

As you know, not all individuals need to apply for lifetime allowance protection, and so not all members have a lifetime allowance certificate or protection notification number. Please can you let your members know that they can find more information about the lifetime allowance and information about protecting their pension savings in guide Tax on your private pension contributions.

Your members can also check if they hold lifetime allowance protection through their personal tax account.

b. Lifetime allowance look-up service for pension scheme administrators

In Pension Schemes Newsletter 86 it was explained that we’re continuing to develop the lifetime allowance pension scheme administrator look-up service.

Thank you to everyone who has provided feedback to us as part of our user research on the lifetime allowance pension scheme administrator look-up service. We’re continuing to work on this service so that it’ll be available online in early summer and we’ll continue to keep you updated on our progress.

c. Lifetime allowance additional member functionality

In Pension Schemes Newsletter 86 we also told you about work to include an additional member function for the lifetime allowance online service so that members can tell us online if they have lost their lifetime allowance protection.

Our work on this continues and we’ll provide a further update on our progress in future pension schemes newsletters. In the meantime, pension scheme members should continue to contact HMRC in writing to tell us if they have lost their protection until the new function goes live later in the year.

7. Appendix 1 - SDES enrolment information and contact details for the support team

I wish to enrol onto SDES. Please find the required details below:

*denotes mandatory information

Organisation name*

Organisation registered address* (as per the information registered under Companies House)

Primary contact details:

Name*
Role*
Main contact number*
Additional contact number
Email address*

Primary Security/IT Contact (if different to above)

Name
Role
Main contact number
Additional contact number
Email address

Secondary Contact

Name
Role
Main contact number
Additional contact number
Email address

Secondary Security/IT Contact (if different to above)

Name
Role
Main contact number
Additional contact number
Email address

8. Appendix 2 - HMRC Secure Data Exchange Services technical specification

What is Secure Data Exchange Services

Secure Data Exchange Services, also referred to as SDES, is provided by HMRC to enable the secure transfer of data, to and from external organisations over the internet.

Designed to be lightweight and user friendly, SDES is also a free service - only requiring users to obtain Government Gateway credentials and enrol on the service.

Organisations can use SDES in one of 2 ways, using SDES via:

  • a browser, requiring minimal technical knowledge and no additional development by the user - this is the default option following enrolment
  • an automated connection - for those that integrate data transfers with their internal systems

SDES also provides email notifications that inform users of a variety of situations, including receipt confirmation and when new files are available to download. Users on an automated connection can also benefit from direct notifications to local systems.

Enrolling for SDES

Prior to enrolment

SDES is limited to transferring specific types of data, and isn’t for general use. Therefore, before attempting to register for SDES, users must make sure they have been directed to use this service. This may have been by direct communication with HMRC, or in other supporting documentation. If you’re in any doubt, please contact the HMRC department responsible for the data you’re attempting to transfer.

Once you’ve confirmed that SDES is the correct way to transfer your data, the following steps describe the process to enrol for the service:

  1. Contact the SDES Support Team - the support team will capture the information set out in Appendix 1 of this newsletter regarding your organisation.
  2. The support team will then validate that the data you intend to send is appropriate for SDES. Upon completion, correspondence will be sent via post to your company registered address, containing your unique reference number and known fact to enable completion of enrolment.
  3. Obtain Government Gateway credentials - all users of SDES must have individual Government Gateway credentials. The first user on behalf of an organisation must go to GOV.UK (link to be confirmed) and create their credentials (additional users can be added later). Existing credentials may be used; however, it’s recommended that users create specific credentials for business rather than using any credentials utilised for personal affairs.
  4. Enrol for the SDES Service - navigate to the SDES service (link to be confirmed) and select ‘Start’. If you’re not already logged into Government Gateway at this time, you’ll be directed to do so. Once logged in, the service will then direct you to an enrolment page where you can enter your unique reference number and known fact, received via post to complete security checks for enrolment.
  5. Enter email address - the final step will direct you to provide an email address. All email notifications will be issued to this email address, therefore it’s important that an address is entered that is monitored. It’s recommended that this is to a central mailbox or a distribution list, as the email notifications may contain important messages, such as failure to pass antivirus checks or new files available for download. Once this has been provided, enrolment is complete.

Post registration

Following registration, users may transfer data with HMRC in one of the following ways:

  • browser - this is the option enabled by default
  • automated - this option enables automated transfer via File Transfer Protocol Secure (FTPS), and must be configured with the SDES technical support teams before use

Using SDES via a browser

The browser option for SDES is designed to be a clear and user friendly process that only requires the capability to browse the internet to use. Customers will be presented with clear web pages that provide direction and help to either upload or download files, as well as update preferences or seek further information.

Using SDES via the browser is enabled as default, and is the recommended option for users with minimal volumes to transfer, or technical constraints.

Prerequisites

The following prerequisites are needed:

  • Government Gateway credentials (see enrolling for SDES)
  • completion of SDES enrolment
  • device with access to the internet
  • browser with Javascript enabled
  • appropriate internet connection to upload/download files (size varying on type of transfer)

Logging in

Customers can access the SDES webpage (link to be confirmed). If they’re not logged in, they’ll be prompted to do so. Users who don’t have Government Gateway credentials, or who are not enrolled on SDES, will not be permitted access to the service.

SDES dashboard

This will be the page that users are presented with when logging in, or completing any other activity within the SDES service. This page contains:

  • a link to upload files
  • recent documents from HMRC to download
  • a link to all documents from HMRC to download
  • a link to update email preferences

Upload documents

Selecting to upload documents will direct users to an upload page, where files can be selected for upload by manually selecting or using a ‘drag and drop’ method.

After selecting files, users will submit for error checking, which will determine if users have submitted any files which aren’t accepted by the service. Where unacceptable files are detected, they’ll be rejected and the user informed. After correcting any necessary files, the system will upload the files whilst displaying a status. Once all files are uploaded the user will be informed.

SDES also performs additional security checks after completing the upload. However due to the time it takes to carry out these checks, users will be informed via email notification of any errors.

Download documents

Selecting to download documents will immediately start the download of the selected files. Depending on the file size and the user’s internet connection, it may take a significant period of time to complete the download.

Please note that the browser window must remain open during download. Shutting the browser or the connected device will immediately cancel the download.

Email preferences

Users will be able to access this page to update the email address provided for notifications when they first enrolled. Users will receive email notifications for the following:

  • file received
  • file delivered
  • failed upload
  • failed antivirus
  • new file available for download
  • download file deletion warning (multiple)

Other information

SDES supports the following internet browsers:

  • Internet Explorer - version 9 and above
  • Chrome - latest version at release
  • Firefox - latest version at release
  • Safari - latest version at release
  • Opera - latest version at release

Use of SDES via browsers is secured by Hyper Text Transfer Protocol Secure (HTTPS).

Browsers must have Javascript enabled in order to use SDES.

Using SDES via an automated connection

The automated connection for SDES isn’t enabled as default and must be requested by users by contacting the SDES support team. Technical guidance will then be provided to enable this option, which provides the following capabilities:

  • automated upload and download of files via FTPS
  • receipt of system notifications via GOVTALK messaging service (this is in addition to the default email notifications)

This method is recommended for users with high transfer volumes. Please note that this option, whilst using an established file transfer protocol, will require technical configuration, as well as possible development.

Prerequisites

The following prerequisites are needed:

  • Government Gateway credentials (these will be utilised by FTPS software)
  • completion of SDES enrolment
  • software that is capable of transferring files via FTPS utilising Transport Layer Security (TLS) 1.2 protocol
  • network with access to internet
  • static IP address range for whitelisting
  • appropriate internet connection to upload/download files (size varying on type of transfer)

Initial setup

Customers will need to either source or develop software capable of transferring files via FTPS, which must also be able to use TLS 1.2 encryption protocols; this is mandatory for automated transfers with SDES. It’s recommended that users look to source the software, as there are many established products which satisfy these criteria for minimal cost.

After installation of the software, users’ technical teams will need to configure their local network to allow the following:

  • file transfer via FTPS
  • connection via a static IP address range

The IP address is effectively the address which identifies your connection on the internet. Normally this is assigned dynamically and may change whenever a new connection is made. By setting up a static IP address range which doesn’t change, this can then be used by the SDES service as an additional layer of security for identification purposes.

SDES technical support teams will then provide the URL link to be entered into your file transfer software, along with Government Gateway credentials which have been enrolled onto SDES. Please note that as these credentials will be used for a system connection, it’s recommended that these are securely stored by the appropriate area in your organisation.

Optional: customers on an automated connection may also select to enable system notifications via GOVTALK. This allows the SDES system to provide a message directly to your local systems for the same scenarios where an email is generated.

The benefit of this functionality is that it allows your local systems to react automatically to certain messages. For example, when the message for ‘New file available for download’ is received, your system could automatically attempt to download the file without the need for manual intervention.

Messages are sent via a specific protocol (to be confirmed), which will need to be set up by the customer’s technical team, and a URL link provided to which SDES can send messages. A user will then need to log into SDES via their browser and access their email preferences page, which will now have a new option for system notifications after the automated connection has been enabled. The user will need to enter the URL link for their messaging service and save it. Following this, system notifications will automatically be sent.

Trigger event

The users’ system will be programmed to initiate the file transfer process upon a specific action, referred to as a ‘trigger event’. This may be manual intervention by a user, or the system automatically reacting to programmed scenarios, such as receiving an automated message from SDES.

Local software connects to SDES

The customer’s file transfer software will initiate a connection to the SDES server, using the URL link provided, and submitting Government Gateway credentials for authentication. The connection security protocol must be TLS 1.2.

SDES authentication

SDES automatically carries out the following authentication checks. It validates that the:

  • connection is from a whitelisted IP address range
  • Government Gateway credentials
  • credentials are authorised (enrolled) to use SDES

Failure of any of the above checks will automatically terminate the connection.

When successfully authenticated, the user’s software will have access to 2 folders:

  • upload - SDES will only permit files to be uploaded to this folder; previously uploaded files that are still to be processed may also be present, but it won’t be possible to modify or access them
  • download - SDES will only permit files to be downloaded from this folder; any files available for the user to download from HMRC will be presented here

File upload

The customer’s file transfer software may select to upload one or more files to their upload folder on SDES. SDES will then process the file, with the appropriate confirmation or rejection emails (and optionally system notifications if activated) being issued.

File download

The customer’s file transfer software may select to download one or more files from their download folder on SDES.

Connection closed

Following completion of any uploads and/or downloads, the customer’s file transfer software must terminate the connection to SDES for security purposes. SDES will automatically terminate an inactive connection after a specified period of time.
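
The automated session described above (connect over TLS 1.2, authenticate, upload, download, close), sketched with Python's standard ftplib. This is an added example, not HMRC code: the host name, port, explicit FTPS mode, folder paths and environment variable names are assumptions, and the real URL is supplied by the SDES technical support team.

```python
import os
import ssl
import sys
from ftplib import FTP_TLS, error_perm
from pathlib import PurePosixPath

# Assumptions, not values from the newsletter: the real URL comes from the
# SDES technical support team, and the folder paths may differ.
SDES_HOST = "sdes-ftps.example.invalid"
SDES_PORT = 21                      # explicit FTPS (AUTH TLS) assumed
UPLOAD_DIR = "upload"
DOWNLOAD_DIR = "download"
FORBIDDEN_SUFFIXES = {".exe"}       # SDES rejects executables immediately


def tls12_context():
    """Verify the server certificate and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def rejected_before_upload(paths):
    """Return the paths SDES would reject on file type alone."""
    return [p for p in paths
            if PurePosixPath(p.lower()).suffix in FORBIDDEN_SUFFIXES]


def list_downloads(ftps):
    """Base names of the files waiting in the download folder."""
    try:
        entries = ftps.nlst(DOWNLOAD_DIR)
    except error_perm as exc:                 # some servers answer 550 when empty
        if str(exc).startswith("550"):
            return []
        raise
    # Keep only the base name so a server-supplied path cannot leave local_dir.
    names = (PurePosixPath(e).name for e in entries)
    return [n for n in names if n not in ("", ".", "..")]


def transfer(user, password, uploads=(), local_dir="."):
    """One session: connect, authenticate, upload, download, close."""
    bad = rejected_before_upload(uploads)
    if bad:
        raise ValueError(f"forbidden file types, not uploading: {bad}")
    ftps = FTP_TLS(context=tls12_context(), timeout=60)
    ftps.connect(SDES_HOST, SDES_PORT)
    try:
        ftps.auth()                 # TLS on the control channel before credentials
        ftps.login(user, password)
        ftps.prot_p()               # TLS on the data channel as well
        for path in uploads:
            with open(path, "rb") as fh:
                ftps.storbinary(f"STOR {UPLOAD_DIR}/{os.path.basename(path)}", fh)
        fetched = []
        for name in list_downloads(ftps):
            with open(os.path.join(local_dir, name), "wb") as out:
                ftps.retrbinary(f"RETR {DOWNLOAD_DIR}/{name}", out.write)
            fetched.append(name)
        ftps.quit()                 # close the session ourselves, not by timeout
        return fetched
    finally:
        ftps.close()                # harmless after quit(); cleans up on error


if __name__ == "__main__":
    # Credentials come from the environment (variable names are assumptions),
    # never from the script or a shared configuration file.
    done = transfer(os.environ["SDES_USER"], os.environ["SDES_PASSWORD"],
                    uploads=sys.argv[1:])
    print("downloaded:", done)
```

Because the context sets a minimum version and keeps certificate and host name verification on, a server offering only an older protocol or an untrusted certificate fails at `auth()`, before any credentials are sent.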

General information

The following information applies to both the browser and automated interfaces for SDES.

How long is the SDES registration process

The initial contact and credential creation steps of the process can be completed within an hour. However, as the customer’s unique reference number and known facts are issued via post, the total registration process takes approximately one week, which may be extended during busy periods.

We recommend that customers wishing to use the automated process allow an additional week for technical configuration.

What is the largest file size that I can transfer

SDES can accept any file formats excluding:

  • executable files (.exe) - these files are forbidden and will be immediately rejected
  • encrypted files

Please note that SDES is only the transfer mechanism. Users should make sure their files meet the acceptable format(s) and structure(s) for the intended recipient.

How long does SDES hold files for

SDES retains files for 144 hours/6 days (starting from when the file is made available to the user for download). After this time period has elapsed, the file is securely purged for security purposes, and is unrecoverable. The submitter and/or recipients must not rely on SDES for file recovery.

How does HMRC make sure SDES is secure?

All connections to SDES are made using industry standard encryption:

  • HTTPS for browser transfers
  • TLS for automated transfers

Files are always encrypted during transit or at rest. In addition, there is no direct access to any files within SDES, meaning that even HMRC technical support teams can’t access files. There are also additional approvals within HMRC to ensure data protection.

Does SDES record any auditing information

For security purposes, SDES records all interactions, file movements and system activities. This includes users who log in to the service, any actions taken via browser or automated connections, and activities such as virus checks. This enables SDES to have full traceability for security purposes, and also quickly identify and resolve any issues.

What’s the availability of SDES

The SDES service will be available 24 hours a day, 7 days a week, excluding any scheduled maintenance. The support team for SDES is available Monday to Friday, between the hours of 8am to 5pm, excluding bank holidays.

Does SDES provide the ability to test file uploads/downloads

Yes, SDES has a test capability where a document referred to as a ‘proving file’ can either be sent by a user, or issued to the user from HMRC.

This is a specifically named file that doesn’t interfere with back-end HMRC systems, but allows upload and download capabilities to be verified.

Please inform the SDES support team if you would like to run the proving file test.

Disclaimer and further questions

Disclaimer

The information presented in this document is correct at the time of publication. Due to the ongoing nature of the iterative delivery approach, however, it may be subject to change where feedback during the process recommends design changes or other improvements are identified. Notification of any such changes will take place as soon as possible.

Questions

If you’ve any questions or concerns, please email the Product Manager for SDES, Matthew Walker, at matthew.walker@digital.hmrc.gov.uk.