Pension (Information and Communication Technology Requirements for Administrators) Directive 2025

GOVERNMENT NOTICE NO. 59 PENSION ACT (NO. 6 OF 2023) PENSION (INFORMATION AND COMMUNICATION TECHNOLOGY REQUIREMENTS FOR ADMINISTRATORS) DIRECTIVE, 2025 ARRANGEMENT OF PARAGRAPHS PARAGRAPH PART I__PRELIMINARY

1. Citation
2. Interpretation
3. Application
4. Objectives PART II__MINIMUM PENSION ADMINISTRATION SYSTEM REQUIREMENTS
5. Pension administration systems
6. Capability of a pension administration system to make calculations
7. Capability of a pension administration system to produce reports
8. Other capabilities of a pension administration system
9. Security capabilities of a pension administration system
10. Interface and compatibility functions
11. Maintenance and support PART III__SUBMISSION OF INFORMATION
12. Submission of information
13. Administrators to update information in the pension administration system PART IV__INFORMATION AND COMMUNICATION TECHNOLOGY RISK MANAGEMENT
14. Information and communication technology governance and risk management
15. Outsourcing information and communication technology services
16. Acquisition, development and implementation of information and communication technology systems
17. Business continuity management PART V__GENERAL PROVISIONS
18. Data archiving
19. Replacement of pension administration management systems 4th July, 2025 365

PARAGRAPH PART VI__ENFORCEMENT 20. Monetary penalties PART VII__TRANSITIONAL ARRANGEMENTS AND SCHEDULES 21. Compliance with this Directive SCHEDULES IN EXERCISE of the powers conferred by section 68 (1) of the Pension Act, 2023, I, DR. MACDONALD MAFUTA MWALE, Registrar of Financial Institutions, hereby issue the following Directive__ PART I__PRELIMINARY

1. This Directive may be cited as the Pension (Information and Communication Technology Requirements for Pension Administration Systems) Directive, 2025.
2. In this Directive, unless the context otherwise requires__ “administrator” includes a self-administered pension fund.
3. This Directive shall apply to a self administered pension fund, a pension services company and an administrator.
4. The objectives of this Directive are to__ (a) prescribe minimum requirements for a pension administration system; (b) promote good information risk management by an administrator; (c) specify minimum member and employer information to be maintained by an administrator; and (d) mandate an administrator to submit information relating to a member, to the Registrar. PART II__MINIMUM SYSTEM REQUIREMENTS 5.__An administrator shall have a pension administration system that is in line with the specifications outlined in this Directive and the guidelines issued by the Registrar, from time to time.
5. A pension administration system shall have the capability to calculate__ (a) any form of payment of benefits as defined in the Act; (b) aggregation of returns on fund investment across individual accounts; (c) penalty interest on delayed pension contributions; 366 4th July, 2025 Citation Interpretation Application Objectives Pension administra￾tion systems Capability of a pension administra￾tion system to make calculations

(d) penalty interest on delayed benefit payment to a member or beneficiary; (e) severance due entitlement; (f) actuarial ratios, factors and rates; (g) regulatory ratios; (h) deferred vested benefits; (i) projected benefits on retirement, which shall include several scenarios; and (j) any form of financial calculations as may be prescribed by the Registrar. 7.(1) A pension administration system shall have the capability to produce reports relating to (a) member information which shall include__ (i) pension contributions showing employee contributions, employer contributions and any investment income thereon; (ii) voluntary contributions and any investment income thereon; (iii) transfers; (iv) severance due entitlement and any investment income thereon; (v) withdrawals from the account of a member; (vi) any charges, fees or deductions made against the account and appropriate allocation to the employer or member portion; and (vii) the account balance at any point in time; and (b) information about a pension fund, which shall include__ (i) membership details; (ii) up to date trail of month to month contributions; (iii) up to date trail of month to month investment income; and (iv) benefit payment history. (2) The pension administration system shall have the flexibility to produce a wide range of easily customizable report templates with automated procedures. (3) The pension administration system shall have the capability to tailor reports to suit regulatory needs including statutory returns. (4) The pension administration system shall be able to produce__ (a) membership movement reports; (b) financial reports; (c) membership certificates; (d) pension benefit payment letters; and (e) statement of pension benefits. 4th July, 2025 367 Capability of a pension administra￾tion system to produce reports

(5) The pension administration system shall have the capacity to produce reports dating back to the date of entry of a member. 8.(1) A pension administration system shall, at a minimum, be able to (a) create and maintain pension member accounts, including member take on values, transfers or past service values; (b) allow set up of a range of fund types based on fund rules; (c) handle different categories of members within a fund; (d) handle programmed withdrawal functionalities, where applicable; and (e) scan, display and process documents as required. (2) The pension administration system shall be scalable to handle increase in membership, increase in number of transactions and new administrative requirements. 9.(1) A pension administration system shall have adequate controls to protect against (a) unauthorized access, processing or usage of data; (b) unlawful access, processing or usage of data; (c) unintentional or intentional data loss; and (d) other security threats. (2) The controls in subparagraph (1) shall include__ (a) maintenance of system users and user groups; (b) definition of user roles and permissions, including password requirements; (c) audit trail; and (d) segregation of duties, including__ (i) granting minimum, sufficient access or privileges; (ii) employing role-based access controls; and (iii) enabling session lock after inactivity. 10. A pension administration system shall be able to interface with other systems to__ (a) minimize the dependency of manual intervention; (b) minimize paper-based information flow; and (c) upload and validate imported data generated by external systems, including data provided by the Registrar. 11.(1) A pension administration system shall have adequate maintenance and support, which shall include (a) a signed service level agreement defining service levels in terms of response time according to priority; and 368 4th July, 2025 Other capabilities of a pension administra￾tion system Security capabilities of a pension administra￾tion system Interface and compatibility functions Maintenance and support

(b) a system administrator with sufficient capacity. (2) A turnaround response time for support shall be forty-eight hours. PART III__SUBMISSION OF INFORMATION 12. An administrator shall submit, in the form as prescribed in the Schedule, the following information__ (a) details of a member as and when a new member joins a fund or an existing member updates personal details; (b) details of a beneficiary as and when a new member joins a fund or an existing member updates beneficiary details; (c) employer and employee contributions on a monthly basis; (d) investment income on a monthly basis; (e) benefit payments on a monthly basis; (f) transfers in or out on a monthly basis; (g) severance due entitlement on a monthly basis; and (h) details of a trustee as and when a trustee is appointed or exits. 13. An administrator shall update information of a member in the pension administration system, within fourteen days of receipt. PART IV__INFORMATION AND COMMUNICATION TECHNOLOGY RISK MANAGEMENT 14. An administrator shall have__ (a) adequate internal information and communication technology governance framework including an information and communication technology strategy and policy that includes cybersecurity, with clear roles and responsibilities for__ (i) information security risk management; (ii) cyber security management; and (iii) business continuity management; (b) an internal control framework, including information and communication technology audit and regular independent reviews; and (c) adequate technical skills to support information and communication technology operational needs and risk management processes on an ongoing basis. 15. An administrator shall__ (a) have a policy governing the outsourcing of information and communication technology services; (b) have terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties set out in clear written and signed off agreements; and 4th July, 2025 369 Submission of information Administra￾tors to update information in the pension management information system Information and communica￾tion technology governance and risk management Outsourcing information and communica￾tion technology services

(c) require a service provider, from whom a service has been outsourced, to grant the Registrar and all parties nominated by the administrator access to its systems, operations, documentation and facilities for purposes of carrying out any review or assessment for regulatory, audit or compliance purposes. 16. An administrator shall__ (a) implement a process that defines roles, responsibilities and accountabilities to govern the acquisition, development and maintenance of information and communication technology systems; and (b) put in place measures to mitigate the risk of unintentional alteration or intentional manipulation of the information and communication technology systems during development and implementation of information and communication technology projects. 17.(1) An administrator shall establish a business continuity management program. (2) The business continuity management program in subparagraph (1) shall include a (a) business continuity plan; and (b) disaster recovery plan. PART V__GENERAL PROVISIONS 18. An administrator shall ensure that member records are readily accessible for a period of not less than seven years after a member exits a fund. 19.(1) An administrator shall notify the Registrar of the replacement of a pension administration system. (2) Where an administrator has acquired a new pension administration system, the Registrar may conduct an assessment of the pension administration system. PART VI__ENFORCEMENT 20.(1) Where the Registrar determines that an administrator has breached this Directive, the Registrar may impose the following__ (a) for an administrator, a monetary penalty of up to K50,000,000; and (b) for a natural person who is a member of the board of directors or senior management of the administrator, a monetary penalty of up to K10,000,000. (2) The monetary penalty in subparagraph (1) shall be paid through an electronic bank transfer in favor of the Reserve Bank of Malawi, within ten working days after being notified of the violation. 370 4th July, 2025 Acquisition, development and implementati on of information and communica￾tion technology systems Business continuity management Data archiving Replacement of pension management systems Monetary penalties

PART VII__TRANSITIONAL ARRANGEMENTS 21. An administrator shall comply with this Directive within a period of twelve months from the date of publication in the Gazette. SCHEDULE (para. 12) Member Details Table 1 1 Internal member ID given by pension administrator 2 First name 3 Other names or initials 4 Last name 5 Maiden name or former last name 6 Civil status at time of data delivery 7 Civil status at time of entry into fund 8 Malawian national ID 9 Nationality 10 Gender 11 Date of birth 12 Place of birth (district), only Malawians 13 Place of birth (village), only Malawians 14 Home district 15 Home village 16 Residential district 17 Residential village 18 Postal address 19 Mobile number 20 TPIN Beneficiary Details Table 2 1 First name 2 Other names or initials 3 Last name 4 Maiden name or former last name 5 Malawian national ID 6 Nationality 7 Gender 8 Date of birth 9 Place of birth (district), only Malawians 10 Place of birth (village), only Malawians 11 Residential district 4th July, 2025 371 Compliance with this Directive

Beneficiary Details Table 2 12 Residential village 13 Home district 14 Home village 13 Postal address 14 Mobile number 15 Email address Investment Table 3 Income 1 Year and month of amortization 2 Amount of investment income on member contribution 3 Amount of investment income on employer contribution 4 Amount of investment income on additional voluntary contribution 5 Amount of investment income on severance due entitlement Contribution Table 4 1 Date of payment / announcement 2 Year and month paid for 3 Amount of member contribution 4 Amount of employer contribution 5 Amount of additional voluntary contribution 6 Percentage of voluntary contribution 7 Salary of the month the contribution was paid for Benefit payment Table 5 1 Date of receipt of complete application from member to access pension benefit 2 Effective date of the benefit payment 3 Date of payment of pension benefit 4 Condition for accessing the pension benefit 5 Total pension benefit paid Transfers in and out Table 6 1 Date of receipt of complete application from member/trustee to make a transfer Transfers in and out Table 6 2 Effective date of the transfer 3 Date of payment of the transfer 4 Mode of transfer (transfer in or transfer out) 5 Total transfer amount 372 4th July, 2025

Severance due entitlement Table 7 1 Date of joining Company 2 Date of transfer of severance due entitlement 3 Severance due entitlement Trustee Table 8 1 First name 2 Other names or initials 3 Last name 4 Malawian national ID 5 Gender 6 Date of birth 7 Postal address (district) 8 Postal address (village) 9 Postal address 10 Mobile number 11 Email address 12 Telephone number Employer Table 9 1 Internal employer ID given by pension administrator 2 Name of employer 3 Corporate form 4 Company postal address (district) 5 Company postal address (village) 6 Company postal address 7 TPIN 8 Business registration number 9 Name of focal point 10 Email address of focal point 12 Telephone number of focal point Made this 7th day of February 2025. DR. M. M. MWALE (REF. NO. FIN/PFSPD/01/06) Registrar of Financial Institutions 4th July, 2025 373