POL00338297
Post Office Ltd Security Performance Pack
Period 4 — 2010/11
Contents
Security Crime Risk Summary
P2/P4/PP2 Robbery & Burglary against Branch Network
P3 Robbery against Cash In Transit
P2/3 Network & Supply Chain Injuries
P4 Crown Office False Alarms
ATM Crime / Inflation of ATM cash figures
Casework - Losses by Type
Asset Recovery Against Fraud
ONCH Inflation of Cash in Tills
Crown Office Cash Losses
Cheques / Open Items
Royal Mail Revenue Theft using Postage Labels
Spoilt Postage Labels
Lottery Scratchcards
Savings Stamps
Commercial Security - Financial Services
Commercial Security - Financial Services
Commercial Security - Financial Services
Commercial Security - Government Services, Mails & Telephony
Commercial Security - Government Services, Mails & Telephony
Information Security - Mails & Retail (Includes PCI DSS)
Information Security - Government Services
Information Security - Financial Services
Information Security - Programmes & Infrastructure and Telephony
Grapevine
Risk Indicator Key
Positive Trend
No Change To Last Month
Negative Trend
SECURITY RISK SUMMARY
[Risk matrix: IMPACT (4 Major, £250k to £1million; 5 Extreme, £1Million) against likelihood (3 Even chance; 4 Likely; 5 Very likely). Key: Positive Trend, Negative Trend, No change to last month]
Physical Crime Primary Cash Loss Risks
P1-A2 Supply Chain Cash Centre/Depot Robbery (Industry remains on high alert)
P2-A1/A3 Network Robbery (over target in period, under target year to date = full year forecast increase from £829k to £940k vs £1.052m target)
P3-A2/A3 Cash In Transit Robbery (forecast decreased from £7204 to
P4-A1/A4/A5 Network Burglary (forecast increased to £497 (over target) from £451k)
PP1-A1/A3 Network TIGER hostage (mainly NI risk, status due to intelligence)
PP2-A1/A3 Northern Ireland Robbery (threat continues into new year)
PP3-A2/A3 Supply Chain Depot/Cash Centre TIGER hostage (high impact)
Fraud Risks
F1-A8 ONCH inflation of Cash in Tills (offices over target re over hong
F2-A9 Crown Office Losses including fraud (YTD £643k > target of £490k)
F3-A13/A14 False accounting of stock (Inc Savings Stamps, Scratchcards & Swindon issues)
F4-A11/12 RM Revenue Theft, Rejected and Spoilt Postage Labels (non cash impacts)
Commercial Security Cash Loss Risks
C1-A18 Telephony bad debt inc fraud (£1.7m write off to P2, full year Budget £3.3m plus £2m provision, compared to £4.5m last year)
Security Cash Loss Risks (Combined Physical & Fraud)
S1-A5 ATM Crime (Rob, Burg & Fraud)
Information Security Risks - Non Cash Impacts
IS1-A20-A23 Governance
IS2-A20-A23 3rd Party Management
IS3-A20-A23 Solution Design
IS4-A20-A23 Client Management
(Crime Risk: Chris Thorpe - GRO)
A1. Post Office Branch Network Robbery & Burglary Losses
Crime Risk — P2/4 & PP2
Crime Risk Indicator
[Chart: cash value of losses by period, actual against target]
Commentary
The full year forecast is £1463k against a target of £1540k, which is £77k or 5% below target.
Current period combined losses are 111% or £92k over target, £175k against £83k target.
Year to date combined cumulative losses are 10% or £45k under target, £419k against £464k target.
Year on year comparison of current period shows 51% or £59k increase, £175k against £116k previous year.
Year on year comparison of cumulative losses shows a 29% or £169k decrease, £419k against £588k previous year.
Incident numbers for the period are 3% higher than the previous year's (32 v 31), with cumulative numbers being 38% lower (85 v 137).
Burglary losses for the period were 46% or £22.5k over target (£72k v £49k) and 120% or £39k higher than the previous year (£33k).
Robbery losses for the period were 190% or £64k over target (£98k v £34k) and 19% or £16k higher than the previous year (£82k).
BRAL Industry trends show Met, GMP & W Yorkshire (Robbery) and Met & W Midlands (Burglary) police force areas are suffering from the highest volumes of
Mitigating actions, update and status
+ Task Force Vehicles continue to provide health checks and reassurance visits in the North West & W. Yorks, although their main focus remains covering cash deliveries.
+ Sussex Police are still continuing their rounds on Adopt a Post Office, raising the profile of partnership working.
+ The Security Team are currently engaging with the Met Police in relation to an increase in gun enabled crime within the area.
POL Security definitions of Robbery & Burglary differ from the UK criminal legal definition for analysis/statistical reasons. Robbery is defined as including a threat or actual violence; this includes aborted and apprehended attempts where assailants were prepared to rob. Burglary is defined as including any attempt on a premise containing a Post Office (includes broken locks, alarms, lines cut etc).
(Physical Crime: Dave Pardoe)
A2. Supply Chain Robbery Losses
[Please note new Supply Chain Target]
Crime Risk — P3
Crime Risk Indicator
[Chart: Supply Chain robbery losses by period, actual against target]
Commentary
+ The full year forecast is £633k against a target of £30k which is £333k or 111% above target. [This reflects Supply Chains Target]
+ Year to date cumulative losses are 142% or £206k over target, £351k against £145k target. [This reflects Supply Chains Target]
+ Year on year comparison of current period shows 140% or £45k increase, £77k against £32k previous year.
+ Year on year comparison of cumulative losses shows a 77% or £152k increase, £351k against £19k previous year.
+ Incident numbers for the period are 80% higher year on year (9 v 5), with cumulative numbers 14% lower (24 v 28).
+ Ytd 66% of Supply Chain losses occurred within the London area depots covering the Metropolitan area, accounting for 46% of the volume of crime.
+ Ytd 8% of Supply Chain losses occurred from the Manchester depot, accounting for 17% of PO Supply Chain volume of crime.
+ Based on industry data the Metropolitan police force had 28% of industry losses with 49% of the volume of crime (Jan to Jun).
+ For Jan to June, GMP had 17% of industry losses and 11% of the volume of crime and Merseyside had 2% of the losses and 2% of the volume.
+ First indications for industry incident numbers for July are down on June (68 June v 52 July), with the Met, West Yorks and West Mids showing the
Mitigating actions, update and status
+ Post Office funded Task Force vehicles have been deployed within the Metropolitan, West Yorkshire, GMP, West Mids & Merseyside police areas.
+ Police operations (“Vanguard” in the Met force area; “Vanguard” in Manchester, “Guardian” in Merseyside & armed response in W. Mids) were deployed in per
+ Police visited Dartford & Midway depots to increase awareness and engagement.
+ West Yorkshire Police continued to support CVT services in the Leeds area.
POL Security definitions of Robbery & Burglary differ from the UK criminal legal definition for analysis/statistical reasons. Robbery is defined as including a threat or actual violence; this includes aborted and apprehended attempts where assailants were prepared to rob. Burglary is defined as including any attempt on a premise containing a Post Office (includes broken locks, alarms, lines cut etc).
(Physical Crime: Dave Pardoe)
A3. Supply Chain and Network - Firearms & Injury
Crime Risk — P2/3
[Charts: Network injuries ytd; Supply Chain injuries ytd; Network Firearms ytd; Supply Chain Firearms ytd]
Commentary
Supply Chain
+ of § Supply Chain incidents for the period were carried out with firearms present or intimated, bringing the cumulative total to 11 of 24 with firearms present, compared to 0 incidents for the period and 6 of 28 cumulative for the previous yr to date [2009/10]
+ 5S injuries were reported for Supply Chain incidents during the period, bringing the cumulative total to 6 ( crew) minor injury, compared to 3 injuries for
the period and 11 (10 crew & 1 public — all minor) cumulative for the year to date [2009/10]
Network
+ 8 of 13 Network incidents for the period were reported where firearms were present or intimated, bringing the cumulative total to 20 of 40 with firearms,
compared to 5 of 9 for the period and 22 of 50 cumulative for the previous yr to date [2009/10]
+ 4 injuries (3 minor & 1 major & 2 other minor) were reported for Network incidents during the period, yr to date total of 10 (7 agents & 3 other), compared
with 3 (minor, 1 agency & 2 other) for the period and 8 cumulative for the year to date (6 agents & 2 other) [2009/10]
Mitigating actions, update and status
+ The Security Team are currently engaging with the Met Police in relation to an increase in gun enabled crime within the area
+ Annual review of risk for Supply Chain to determine business policy on the use of body armour.
Security Team Performance
(Physical Crime: Dave Pardoe)
A4. Crown Office False Alarms
Crime Risk - P4
Crime Risk Indicator
[Charts: Network Alarm Ratio of False Activations vs Alarms; Crown Office False Alarms, by month]
Commentary
+ The Crown Network branches have experienced a total of 2538 False Alarms yr to date from 375 branches, with 839 occurring during period 2.
+ Estimated Cost of Group 4 Keyholder Callouts to false alarms yr to date is £33.3k, with £11.3k costs in period 2.
june: are carers eo hash Branches that will require the system to be upgraded at a cost of c£10k per system to regain police response; a business case has been submitted for this.
+ Opportunity identified to reduce policed FA numbers - numbers had been high due to a system reporting error where some FAs were counted as double. This has now been rectified, overall numbers reduced and new targets set based on corrected historical data.
+ The number of Policed False Alarms during period 3 was 17, cumulative yr to date 44, compared to 41n the same period last yr and a cumulative total of 90 yr to date last yr. This is currently 22 ahead of target, resulting in a forecast yr end figure of 176.
+ The target to reduce Policed False Alarms is 20% this year to 265; the yr end outturn was 331 (2009-10).
+ The Industry Policed False Alarm ratio is 1:0.21; at period 3 (yr to date and annualised) the Crown Office ratio is 1:0.47 [approx 2 times higher].
Mitigating Actions
+ Equipment team contacting branches post key holder call out to discuss each issue.
+ Industry comparison data highlighting that CO performance is poor in comparison.
+ Phone calls made to branches post policed alarm to establish reason and aid branch learning - list of do's and don'ts emailed to branch.
+ Phone calls made to branches with the highest number of non-policed false alarms [top 10] - to reduce call out costs and educate the branches on the issues.
+ Crown focus article issued as a reminder to ensure alarms are set when leaving the branch, reduction in call out costs.
Assets: Kevin Patnel!: COE
A5. Automated Teller Machine (ATM) Crime
Crime Risk - S1
Crime Risk Indicator
[Charts: POL BOI ATM Cumulative Crime Numbers by period; POL BOI ATM Cumulative Losses by period (series: Fraud, Burg, Rob)]
Commentary
+ 2 ATM related incidents occurred in period 4 (1 att robb - M18 & 1 burg - CH2), compared to 2 for period 4 last year [09-10].
+ Total crime losses yr to date amount to £150.6K from 10 ATM related incidents, compared to £144.7k from 5 incidents last yr.
  10-11: 2 burglaries - £124.4k, 3 attempted burglaries, 2 attempted robbery, 3 Fraud - £26.1k
  09-10: 2 burglaries - £79.7k, 2 attempted burglaries, 1 Fraud - £65k
+ BBA Industry trends show Avon & Somerset, W Yorkshire & Cheshire are suffering from the highest level of ATM crime.
Mitigating actions, update and status
+ Arrangements have been made to deploy temporary fogging kits to branches in the Chester postcode area.
+ Security, Network Support & the ATM Service Team are reviewing branches that regularly declare in excess of their maximum ATM cash limits.
(Physical Crime: Dave Pardoe)
(Fraud: Iain Murphy)
A6. Casework - losses by type
[Chart: Cases Raised by Value (£k) YTD 2010-11, by period]
Commentary
+ Casework losses year to date amount to £578k in 71 cases, an average loss of £8k [compared to £804k in 67 cases for 2009/10, same period, with an average loss of £12k].
+ Audit deficiencies year to date amount to £35k, 61.4% of all casework raised (value) [compared to £652k, 85% of all cases raised for 2009/10 (value), same period].
+ An average audit loss of £14.2k per case in 25 cases raised year to date [compared to an average of £15.9k per case in 41 for 2009/10, same period].
Highest Loss cases raised in period 4 - 2010/11
POLTD/1011/0059 | 49/07/2010 | Cash Loss | £58,000.00 | £58,000.00
POLTD/1011/006% | 26/07/2010 | Cash Loss | £36,191.51 | £36,191.51
(Crime Risk: Mark Dinsdale)
A7. Asset Recovery Against Fraud
Crime Risk Indicator
[Charts: Cumulative figures from cases closed YTD - 2010-11; Losses/Recoveries from cases closed by period 2010-11 (series: Losses, Security Recoveries)]
Commentary
+ From 53 cases closed, year to date £571.9k has been recovered against identified losses in those cases of £599.8k [compared to £819k against £800k last yr].
+ The year to date figure for recoveries is 95.4% [compared to 102.4% last yr for the same period].
Mitigating actions, update and status
Dave Posnett joined the FIU as a Financial Investigator on July 5th and has started his FI training programme. Dave has also commenced working on his own financial investigation cases and now has access to the NPIA computerised support system.
Successes - POLTD/0910/0063: Confiscation hearing, order made for the repayment of £18.7k plus interest of £1.9k within 6 months. Will be 100% recovery, restrained assets in place to fulfil the Court order.
POLTD0910/0014: In order to avoid going into confiscation, the defendant requested a variation to the Restraint Order. The Order was accordingly varied by the FIU and as a result the full amount of the loss of £74.8k was recovered without recourse to a confiscation hearing.
A8. Cash In Tills Over Night Cash Holdings (ONCH)
Crime Risk
[Charts: Cash In Tills Value Over target; Number of offices over target by £25K or more (bands: £0-25K, Over £25K to £50K, Over £50K to £100K, Over £100K)]
Commentary
+ At Period 4 there were 5350 offices over target, down from 6013 in Period 3.
+ The number of offices £25K or more over target was 208, down from 379 in Period 3.
+ Overall value at over target offices is £40.9m, down from £48.1m in Period 3.
+ Overall Retail Cash In Tills holdings were over target by -£5.57m, down from +£3.88 in Period 3.
Mitigating actions, update and status
+ Security and CRM Team Bristol met to agree and discuss proposed program activity following Horizon Online migration, sometime in October 2010.
+ Horizon Online - migrations and associated cash verifications remain suspended until problems are rectified. Stakeholders have been identified and agreed in respect of proposed weekly fraud conference calls once full migration is rolled out. The Sharepoint site that captures all migrating branches and relevant data has now been communicated to all stakeholders.
+ Security are aiming to implement monthly BAU intervention activities at branches where ONCH concerns are evident. In conjunction with Cash Management, a number of data streams are being evaluated to ascertain the most appropriate data for targeting purposes.
Gnencee GRO I
A9. Crown Office Loss Initiative
Crime Risk — F2
Crime Risk Indicator
[Chart: cumulative Crown Office losses by period against cumulative Security Target and Crown Budget]
Commentary
+ The budget for Crown Office losses in 2010/2011 is £1.61m, equating to £134k per Period. The Security Team objective aims to support this and also aspire to a 10% reduction against last year's losses, representing a target of £1.47m of losses at year end. This equates to £122.5k of losses per Period.
+ Data used for this programme reflects the actual net losses and gains posted to the accounts by Crown Offices. It does not factor in adjustments for known Transaction Corrections or incorrect/omitted postings, both of which should result in compensating errors when and where identified.
+ The losses in Finance Period 4 totalled £138.7k. Cumulative losses stand at £643k year to date, against a year to date target of £490k. Losses in Period 4 were slightly in breach of both Crown budget and Security target and are cumulatively 23.8% in breach of ytd target.
—TrecTretority (£20k) are te tor KOWTTETOTS OCTmIS-Keys Where TC's wit be postett during pErtod—
Mitigating actions, update and status
Regional Support Advisors continue to target the worst 80 performing branches each month. A pro-forma is completed by Branch Managers, to
demonstrate Losses & Gains policy adherence, along with compliance to Security, Cash Declaration and Transaction Correction procedures.
A matrix of Security activities associated with Crown loss reduction has been submitted to the Head Of Crown Efficiency. A meeting held with the
Crown Team has identified next steps around developing root cause analysis, a review of the Security toolkit and comms to support intervention
activity in September/October.
Root cause analysis of losses by Security is now complete. This has identified the ratio of losses v Transaction Corrections and the most prevalent
Transaction Corrections in terms of volumes and values across the Crown estate and per branch.
A10. Cheques/Open Items
Crime Risk — F.
Crime Risk Indicator
16th of Month | Jan-10 | Feb-10 | Apr-10 | May-10 | Jun-10 | Jul-10
Open items (- 4 days) | 5221 | 3,925 | 3716 | 3,385 | 2.914 | 2,907
 | Jan-10 | Feb-10 | Apr-10 | May-10 | Jun-10 | Jul-10
Balance (- 4 days) | £1,197,803 | £1,097,486 | £865,642 | £2,460,928 | £912,011 | £1,018,682 | £261,741
 | Jan-10 | Feb-10 | Mar-10 | Apr-10 | May-10 | Jun-10 | Jul-10
Number of offices | 1,704 | 1,448 | 1,186 | 1,317 | 4,213 | 41,108 | 4,000
[Charts: open items and Debt to Post Office (- 4 days), by date]
Commentary
+ The net balance deficit to Post Office Limited (allowing 4 days for receipt) in cheque discrepancies was £281k at 15th July with 5 offices (down from 11 last month) showing a debt of £25k or more this month.
+ No items over 4 months are currently unresolved.
+ The average value of each open item has fallen from £350 last month to £97 this month.
+ The average balance of open items per office has also fallen from £919 last month to £282 this month.
+ There were 26 offices with 10 or more open items (up from 16 last month), but only 2 offices with more than 20 open items.
Mitigating Actions, update and status
+ P&BA are continuing to contact offices on a daily basis to target those showing cheques at site balances and to resolve open item issues.
+ The security team have been working with P&BA to develop a monthly cheque risk scoring for all offices to feed into the branch profile, which is currently being
(Fraud: Kim Abbotts)
A11. Rejected Postage Labels
Crime Risk — F:
Crime Risk Indicator
Period | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12
Predicted fraud level 2010/11 | £25,010 | 20.010 | 510,705
Cumulative predicted fraud 2010/2011 | £25,619 | £45,638 | £65,434
Cumulative forecast fraud 2010/2011 | £37,785 | £68,013 | £98,241 | £136,026 | £166,254 | £196,482 | £234,267 | £264,495 | £294,723 | £332,508 | £362,736 | £392,964
Number of offices above tolerance | 109 | 444 | 91
[Chart: Number of offices above tolerance, by period]
Commentary
+ Period 3 figures have now been revised to remove offices reporting printer problems and offices migrating to HOL.
+ These offices have only been removed if they have not previously appeared above tolerance in April and May 2010.
+ The data for July is currently being analysed using the same method to ensure that the predicted fraud figures are adjusted accordingly.
Mitigating Actions, update and status
+ As offices are migrating it has become clear that the value of rejected labels is increasing. Investigation into June's figures showed that out of 95 offices included in the predicted fraud figure, 91 had migrated and had not shown as above tolerance in the previous 2 months prior to migration.
+ The current labels being used are causing problems with the printers, with 3331 calls reporting faults received in July 2010, compared to 1497 in July 2009. A new label has been developed and is due out for testing imminently.
(Fraud: Kim Abbotts)
A12. Spoilt Postage Labels
Crime Risk — F:
Crime Risk Indicator
Period | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12
Predicted fraud level 2010/11 | £27,502 | £27,478 | £23,010
Cumulative predicted fraud 2010/2011 | £27,502 | £54,980 | £77,990
Cumulative fraud forecast 2010/2011 | £38,683 | £69,629 | £100,574 | £139,258 | £170,204 | £201,150 | £239,833 | £270,779 | £301,725 | £340,408 | £371,354 | £402,300
Number of offices above tolerance | 135 | 158 | 133
[Chart: Number of offices above tolerance, by period]
Commentary
+ Period 3 figures have now been revised to remove offices reporting printer problems and offices migrating to HOL.
+ These offices have only been removed if they have not previously appeared above tolerance in April and May 2010.
+ The data for July is currently being analysed using the same method to ensure that the predicted fraud figures are adjusted accordingly.
Mitigating Actions, update and status
+ As offices are migrating it has become clear that there can be teething problems with spoilt postage. Investigation into June's figures showed that out of 32 offices included in the predicted fraud figure, 10 had migrated and had not shown as above tolerance in the previous 2 months prior to migration.
+ The current labels being used are causing problems with the printers, with 3331 calls reporting faults received in July 2010, compared to 1497 in July 2009. A new label has been developed and is due out for testing imminently.
(Fraud: Kim Abbotts)
A13. Lottery Scratchcards
Crime Risk — F3
Crime Risk Indicator
[Charts and data table by period: Network value of scratchcard holdings; Network average holdings per branch; Targeted branches - number holding >£2K; Targeted branches - value holding >£2K; Targeted branches - average holdings]
Commentary
+ Across the Network: There are 3432 branches holding £3.5m of scratchcards, with an average value of £1k per branch.
+ Targeted Branches holding >£2k: There are 192 branches holding £529k of scratchcards, with an average value of £2.7k per branch.
+ Key measurement: Branches in breach of £2k target increased in P4. The 192 branches represent 1 Crown, 37 Multiples and 154
Mitigating actions, update and status
+ The Feasibility report concerning the PING project has been circulated. Subject to HNGX delays and phased removal of scratchcard games, the estimated completion of full PING migration will be February 2011. This will facilitate better monitoring/controls in respect of scratchcard movements.
+ 11 interventions have been requested by Security year to date, based on the level of scratchcard holdings and trends. These have identified £46k of losses, of which £35k relates directly to scratchcard concerns. BAU Interventions have now been postponed until HNGX migrations are complete.
+ Security have been supplied with dispenser data for all branches and are currently working on overlaying this data so that more accurate
(Fraud: Lester Chine)
A14. Savings Stamps
Crime Risk — F3
Crime Risk Indicator
[Chart and tables: Savings Stamps discrepancies for Multiple branches (Period 1, Period 2) and by period (Period 12, Period 1, Period 2, Period 3): number of offices and value of discrepancies for claim no pouch, over claim, under claim and total discrepancies, with total checks]
Mitigating actions, update and status
+ Robust processes are now in place at Swindon to perform a 100% check on all returned unsold POSS.
+ Credence report finalised to track deposits onto new automated budget card.
+ 15 overclaims totalling £10.4k and 8 underclaims totalling £4.2k discovered to date in returned POSS checked at Swindon.
+ Just over £2.5 million in unsold POSS left out in the network.
+ Process allowing P&BA to pick up the discrepancies posted by Swindon has been checked and appears to be robust.
(Fraud: Kim Abbotts)
A.15 Commercial Security
Financial Services
Issue : Phase 1: Transcash G20's are manual deposit slips that are mainly used for bill payments or making cash deposits into Business accounts & for making donations to a Freepay account. The fraudsters are using G20's as deposits and providing a cheque as a means of payment. They clear the funds before the cheques are bounced.
Phase 2: There are also pre printed G20 slips that are issued by businesses; payment may only be paid by cheque if the words "cheque acceptable" are printed on the form. The fraudsters are producing their own pre printed paying in slips and although the account number entered onto the form does not exist, they have somehow managed to place an account number into the code line details on the bottom of the paying slip.
This fraud started in April and the total known level of fraud was £1,008,000.
Action : Phase 1: We have already stopped the G20 Transcash fraud and we have measures in place to stop this kind of fraud occurring again.
Phase 2: There is still a problem around the pre printed format. Although this fraud is temporarily contained we cannot guarantee that it will stop permanently. Therefore, the Security team are having a number of meetings with various stakeholders including the fraud team at A&L to find a long term solution and also to establish the links between the two fraud teams. Security and product teams met A&L to explore the long term solutions that would be acceptable to both parties.
After implementing fraud measures at both A&L and POL systems, the level of POL liability is £147k. No further fraudulent activity to report since 14/06/10.
Lessons Learned conference call has been arranged by Security for 6th of August to have a SWOT analysis on this recent event and agree on the future communications and activities to better manage an event similar to this one in future.
Security will be meeting the Horizon Online team to find and implement a system driven security measure to stop this kind of fraud going forward.
(Commercial Security: Serpil Fischer)
A.16 Commercial Security
Products
Financial Services
Issue : The Post Office PIN Entry Device (PED) currently in use is no longer seen as compliant by the payments industry. The industry target set for replacing pre Visa PED Standard devices is July 2010. As a result the Post Office PED estate is out of step with the industry in terms of standards compliance.
Action : Security is now working with the PIN PEDs Replacement Project Pre-ITT Board to capture security requirements for the ITT.
Issue : The current contract for the provision of the Post Office (PO) TMC card programme comes to an end in May 2011, when all aspects of the card service will end. As a strategic product in the PO travel money portfolio, this Travel Money Card Next Generation Project is to identify a replacement to the existing card programme.
Action : Security is working with the product and the project team on the Security Risk Review and also on the required security and fraud prevention measures.
Issue : In order to bring the group EBusiness solutions and requirements together the RMG has made an agreement with CAP Gemini, who is expert in fraud management.
Action : Security is working with RMG and Experian to define the required security and real time fraud prevention measures on group products through a number of fraud management workshops run by Cap Gemini.
(Commercial Security: Serpil Fischer)
A.17 Commercial Security
Financial Services
Issue: Fraudsters are currently targeting our offices in an attempt to cash high value A&L, Clydesdale Bank and Bank
of Ireland personal cheques. Branches have been receiving telephone calls from someone claiming to be from one of
our partner banks requesting that the branch carries out an emergency cheque encashment. The fraudster then
provides the branch with account and cheque details along with a telephone number. The fraudster then ask for a call
back to verify that the request is genuine. The calls are not genuine as we have no emergency cheque encashment
arrangements with any of our partner banks
Action: Security and product teams issued an MBS and an Operational Focus article to re-iterate the problem to the
network.
Grapevine SMS messages are also sent to the affected geographical areas.
Security is working with A&L, BOI, Clydesdale, SOCA, Grapevine and POL product teams to measure the actual
problem and find a solution to stop this fraud occurring
Security is liaising with the Horizon Online team to find a system driven measure to stop permanently this kind of fraud
happening in future.
Issue : Chip & Pin drastically cut cardholder present fraud in the UK, however, fraud has migrated to cards which are
not issued with chip and pin. This is because the technology behind those cards is simple and allow cards to be easily
cloned and used without the owner's knowledge. POL Bureau products have been targeted by this type of fraud and
YTD (Year to Date) fraud losses are £125k.
Action : Security and RBS fraud Management have decided to issue an MBS advising Code 10, for authorisation, for
‘Swipe and Signature Cards to stop fraud, RBS states this process is currently successful with no genuine customers
being stranded so far.
(Commercial Security: Serpil Fischer)
A18. Commercial Security — risks and issues
Current Status
Government Services, Mails & Telephony
Issue: The risk of internal fraud by clerks or Subpostmasters targeting vulnerable customers, affecting Post Office Ltd and
POCa branding.
Action: In order to proactively identify this before the customer complains, analysis of duplicate transactions has been
produced to input to the Network Branch Profile (for audit activity) and testing of suspicious profiles for piloting branch
interventions, with the Network. JP Morgan are developing the key filter identified and exploring others to identify potential
fraud in real time at source. Recent activity has highlighted the non-conformance of branches to the rules pertaining to holding
of POCa cards and/or PINs for customers, with some fraud arising from this; how to contain this is being raised with the
Network Teams.
Issue: The risk of fraud (particularly internal) negatively affects the DVLA relationship and contract.
Action: Ongoing fraud liaison meetings are held with the DVLA to discuss their current concerns. Analysis, specific
branch intervention and the wider ‘Top Tips’ communications programme have shown a large reduction in manual transactions in
the post-intervention monitoring. Current concerns are the volume of ‘able to disable’, change of taxation class transactions that
could be an opportunity to misappropriate tax revenue due to the DVLA, and analysis and data sharing is being developed to
inform a programme
Issue: Non-compliant offices in the network.
Action: Compliance checks as part of HNGX roll out continued through July with 5621 completed (source: Sharepoint) of which
5370 were compliant and 251 non-compliant. The Equipment Team are monitoring the non-compliant numbers and sending them to
the Compliance Team for process adherence. Installations of equipment at existing non-compliant branches began in January
with 67 installations completed; 37 non-compliant branches remain and are being managed similarly to the above.
Issue: Telephony bad debt out turned at £4.5m last year and at P2 this year £1.7m was written off. The full year budget for
write off is £3.3m with an additional £2m provision.
(Commercial Security: Joanne Hancock)
A19. Commercial Security — risks and issues
Government Services, Mails & Telephony
Issue: The business analysts team require fraud assurance around contract bid for new front line service for IPS. Also as the
roll out progresses some installations are being queried as to the effect on Physical Security.
Action: The bid process is underway and the Security Team will continue to provide advice through the delivery process.
Liaison with the project team is to be undertaken to establish a way forward with providing assurance that installations do not
affect Physical Security.
Issue: The business is developing SMoTS (simple money transmission service) to provide the service for the replacement of
DWP cashcheques. Part of the contract tender process requires Fraud Assurance and policies to be provided. Security have
also been asked to assess the viability of using Paystation as a supplement to out of hours encashments.
Action: Whilst DWP assess the tender bid during the coming months Security will support the project with necessary expertise
and guidance.
Issue: New mails drop off service for volume transaction customers who pay a premium to avoid queuing in Post Office
Branches.
Action: The product is moving towards trial with some issues addressed and security is working with the project manager to
address other outstanding issues.
Issue: Procurement of a new supplier for POL Retail is underway with a revised specification from current services.
Action: Security met with procurement to understand the new business model and tender. Security are involved in security
requirements for the overall procurement process as necessary. The new business model addresses some key areas of
security and loss control.
GRO
(Commercial Security: Joanne Hancock)
A20. Information Security
Mails & Retail
Support is being provided for a number of projects in support of the provision of Mails and Retail Services.
Risk: Failure to manage the ongoing security of the service could result in breaches to the system, lack of clarity on
the overall security posture and failure of legal and regulatory requirements.
Issue: The change to the service and contractual position with the migration to HNG-X provides opportunities to
enhance the management of Information Security for the service, but also a risk that some existing good practice may
be lost. Engagement with Service Delivery is not yet fully completed and some work needs to be done on the
Service Schedules to ensure ISec requirements are on board and being monitored.
Action: Work with Fujitsu on their ISO27001 certification has resulted in the completion of a successful audit and
significant improvements in the management and understanding of risk. Further work with Fujitsu and Service
Delivery on reporting and monitoring is underway to improve and enhance the management of Fujitsu as a provider
of the security services.
Risk: The auditors may not be satisfied that the evidence presented to them is sufficient to demonstrate adherence
with the standard.
Issue: The audit is not yet complete and there remains the possibility that the auditor may find some areas where
controls are not fully met. Gaps may exist in the existing service schedules with Fujitsu such that additional
commercial discussions may be required to ensure the requirements are met.
Action: An analysis of the gaps between the existing service and that required to satisfy the PCI requirements has
been conducted and only one specific area does not appear to be fully covered. A PCI specific penetration test is
due to be conducted to meet the auditor's requirements and the provision of compensating controls and evidence of
(Information Security: Sue Lowther)
A21. Information Security
Government Services
Resource is being provided in support of existing and new initiatives for Government Services where progress,
generally, has been good.
Risk: Failure to maintain the necessary accreditation and assurance level through periods of system and product
change.
Issue: Ongoing requirements from clients for accreditation of changes to the system components results in the need
for repeated re-accreditation activities which are time and resource intensive. Ongoing management of these client
expectations requires frequent engagement and resource especially as that which was dedicated to the project is
now no longer available.
Action: The latest accreditation document set has been submitted and is expected to be “passed”. The security
review boards are scheduled with clients and are being used as a forum for the exploration of any outstanding issues
and provision of client assurance.
Risk: Key components may not meet the necessary security requirements.
Issue: A risk has been raised around the lack of control in counter operating procedures which has been flagged on
numerous previous occasions, meeting resistance from product owners due to the implications for transaction times.
A component of the HNG-X infrastructure is planned to be used as part of the fulfilment process and assurance of
the suitability for this purpose needs to be obtained.
Action: The risks surrounding the operational controls continue to be monitored and assessed against the other
system controls and opportunities. A penetration test of the HNG-X component is being undertaken as is a further
review of the design documentation.
(Information Security: Sue Lowther)
A22. Information Security
Financial Services
Engagement in the change of existing products and development of new ones continues to improve and recent
activities have enhanced the progress through the “Gating” process.
Risk: Changes to banking systems in support of non-relevant PCI requirements may result in failures of interfaces.
Issue: Those interfaces which may be changed are being reconfigured, although there remain legacy interfaces
where any change would result in the failure of communication.
Action: The changes to the interfaces have been assessed for the legacy systems and the changes are being
addressed by the client.
Risk: Governance from BOI may not be appropriate to address regulatory and commercial concerns.
Issue: There is a lack of clarity around responsibility in BOI/POFTS for information security. The Bank structure is
not as clear as in POL and this continues to result in issues with gathering the right group for a forum.
Action: Escalation through the appropriate forums and via the collaboration work with Service Delivery continues.
(Information Security: Sue Lowther)
A23. Information Security
Telephony
Direct involvement in this area is currently directed towards the Homephone/broadband product, although many other
areas impact here as well.
Risk: Our suppliers outsource and offshore to third parties without the necessary assurance that security
requirements can be maintained.
Issue: Offshoring and outsourcing activity is continuing with pressure being brought to bear by BT without the
necessary support and involvement of their own security people.
Action: Collaboration with the product owner, legal and BT security is resulting in improvements to the visibility of
controls being deployed and under the control of the contract.
Programmes & Infrastructure
Programmes to look at the use of administrator accounts, vulnerabilities on the infrastructure and training and
awareness are currently underway. Engagement with POL project to replace Lotus Notes.
Risk: RMG fail to provide essential information security improvements with a corresponding impact on POL's ability to
do business accordingly.
Issue: Some RMG projects continue to reach quite advanced stages without involvement from POL, despite the
business being affected.
Action: Current issues mainly affect the web re-platform and here engagement with RMG security is being pursued
through regular update meetings.
(Information Security: Sue Lowther)
Grapevine
[Chart: Grapevine Incidents / Police Intel Reports / SMS Blasts, by Period. Series: Police Intel Reports, Total SMS, Incidents.]
Commentary
• There were 528 suspicious activities reported into Grapevine during period 4, bringing the cumulative total to 1667 year to date.
• There were 380 SMS blasts sent to 54,565 recipients during period 4, bringing the cumulative totals to 1246 SMS blasts and 188,298 recipients.
• 47 Police intelligence reports (5x5x5's) were sent to the Police during period 4, bringing the cumulative total to 180 year to date.
• The Grapevine database now contains 15861 entries.
Mitigating Actions, Update and progress
Period 4 saw 506 additional Grapevine registrations, bringing the total to 4998 registered branches (7236 total members including Crowns and Supply
Ges Th Macronss i operons fe lagely duo w occa unple resieetons and sign oclvty by the Freud Ackioo
Period 4 saw 168 calls from RoMEC for out of hours issues, a further increase on the previous month.
The Taskforce operative with a crew from London Central made observations of a sus vehicle following a text blast, which were forwarded to Vanguard
who were grateful for the intel.
Following text alerts, staff at various branches including Saltford BS31, Oldland Common BS30 & Aspatria CA7 received bogus phone calls from a
male under the name of ‘Colin’ & ‘Todd’ requesting emergency cash for a customer. When the customers arrived, the spmr used delay tactics whilst
contact was made with the police on two occasions. Arrests were made at two locations.
(Crime Risk: Mark Dinsdale)