POL00021559
POST OFFICE LIMITED BOARD MEETING
Strictly Confidential
MINUTES OF A MEETING OF THE BOARD OF DIRECTORS OF POST OFFICE LIMITED HELD ON TUESDAY 27
NOVEMBER 2018 AT 20 FINSBURY STREET, LONDON EC2Y 9AQ AT 11.45 AM
Present: Tim Parker Chairman (TP)
Paula Vennells Group Chief Executive (PV)
Ken McCall Senior Independent Director (KM)
Tom Cooper Non-Executive Director (TC)
Tim Franklin Non-Executive Director (TF)
Shirine Khoury-Haq Non-Executive Director (SK)
Carla Stent Non-Executive Director (CS)
Alisdair Cameron Group Chief Financial and Operating Officer (AC)
In Attendance: Jane MacLeod Company Secretary (JM)
Veronica Branton Head of Secretariat (VB)
Debbie Smith Chief Executive - Retail (DS) (items 8 & 9)
Lisa Watkins Head of Automation (LW) (item 8)
Tom Moran Network Development Director (TM) (item 8)
Andrew Goddard MD - Payzone (AG) (items 8 & 9)
Mark Siviter MD - Mails and Retail (MS) (item 8)
Martin Kearsley Banking Director (MK) (item 8)
Rob Houghton CIO (RH) (items 9 & 10)
Liz Robson CIO — Retail (LR) (item 9)
Bryan Littlefair Security Consultant (BL) (item 10)
Owen Woodley CEO - FS&T (OW) (items 11-13)
Emma Springham Chief Marketing Officer (ES) (item 11)
Chrysanthy Pispinis Director - PO Money (CP) (item 12)
William Norton Fenchurch (WN) (item 12)
Martin Edwards MD - Digital Identity (ME) (item 13)
Apologies: None
ACTION
1. WELCOME AND CONFLICTS OF INTEREST
A quorum being present, the Chairman opened the meeting.
The Directors declared that they had no conflicts of interest in the matters to be
considered at the meeting in accordance with the requirements of section 177 of the
Companies Act 2006 and the Company’s Articles of Association.
2. MINUTES OF PREVIOUS BOARD AND COMMITTEE MEETINGS INCLUDING STATUS
REPORT
The minutes of the meeting of the Board held on 30th October 2018 were APPROVED and
AUTHORISED for signature by the Chairman.
3. CEO REPORT
Irrelevant
Post Office Limited is registered in England and Wales. Registered No. 2154540
Registered Office Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ PostOffice.co.uk
Post Office and the Post Office logo are registered trade marks of Post Office Limited
The Board NOTED the CEO’s report.
4. FINANCIAL PERFORMANCE REPORT
Al Cameron introduced the report and highlighted a number of issues, including:
• cash in circulation
before Christmas represented good progress. It meant that we were borrowing less in
the second half of the year to do the same amount of business. We were now able to
see the amount of excess cash in branches week by week. Discussions had taken place
with the Bank of England to help manage our cash further and a Working Group on this
would start in January 2019. The Board asked for the team to be commended on their
work.
A number of points were raised, including:
• the increase in temporary branch closures and the need to monitor this figure in order
to maintain the network. An update on maintaining the network was requested in two
parts a) what was happening in the network; and b) the new work on franchising
models. These will come back with the Retail Strategy in March.
• an update on the number of “trapped” branches and what was happening with these
was requested
• FRES and the contribution YTD. It was noted that the contribution YTD was up 27% but
that this was because there had been a different accrual method during the year
versus the prior year. AC and TC would discuss this issue. (Action: AC/TC)
The Board NOTED the Financial Performance Report.
5. CASH MANAGEMENT AND FUNDING
AC introduced the report noting that we were not planning to borrow more money than
flexibility we needed over the holiday period and until the end of the back office
transformation programme. Additional borrowing would need to be approved by the
CFOO and cash would be brought back in quickly at the end of the period.
The Board APPROVED the derogation to draw the Government Loan up to £850 million,
subject to the approval of the CFOO, for the period from 28 November 2018 to 24
February 2019.
In respect of the £50 million short-term credit facility with the Secretary of State for
Business, Energy and Industrial Supply (“BEIS”), the Board:
• APPROVED the arrangement of a £50 million short-term credit facility with BEIS (the
“Facility Agreement”)
• DELEGATED AUTHORITY to the Chief Financial Operating Officer and other individuals
named in the resolutions to carry out all tasks necessary in order to arrange such
Facility Agreement
• AUTHORISED the arrangement and execution of the Facility Agreement and any other
documents to be entered into in connection with the Facility Agreement.
The Board APPROVED the wording of the resolution as set out at appendix 1.
Irrelevant
Irrelevant
7. POSTMASTER LITIGATION — Strictly Confidential and subject To Legal Privilege (do not
forward)
7.1 Jane MacLeod reported on the first phase of the common issues trial dealing with the
construct of the contract. The witness statements had been filed and both sides had been
cross examined on their witness statements.
Our QC had sought to ascertain the six lead claimants’ understanding of their
responsibilities as PMs on appointment and whether they had received a contract.
The claimants’ QC had focussed on the terms they argued could be implied into the
contract and on what PO had or had not done since the contract had been issued.
A significant volume of evidence had been tabled. Much of this evidence was not relevant
to the construct of the contract but as previously reported we had not been successful in
our application to have inadmissible evidence struck out. Strictly, the only admissible
evidence was that which was known by both parties at the time the contract came into
force.
Each side would have two days in the final week of hearing to present their closing
arguments. Should either side appeal the judgment, it could take between 6 and 10
months to hear the appeal. JM noted that she expected the Horizon trial to go ahead even
if the common issues trial went to appeal; however an appeal could impact on the
timelines for the breach trial which had already moved from May 2019 to October 2019.
JM anticipated the common issues trial judgement could be issued before Christmas or in
early January 2019 but did not know at this stage whether we would receive a draft in
advance of the formal judgement being issued. Urgent consideration would need to be
given as to whether there were grounds for appeal. JM noted that an adverse finding
would have ramifications for a much wider group than just claimants.
It was noted that the court expected the parties to attempt mediation as part of the trial
process and the Judge had originally flagged that he expected us to enter mediation
following receipt of the Common Issues judgment. As a result the legal team were
considering who we might wish to have appointed as mediator. There would be some “red
lines” for us in any mediation process and we proposed to discuss these with the Board
Sub-committee in January 2019.
1 For example, stickers on vans stating that no money or goods were left inside the vehicle had been shown to reduce the
incidents of theft.
Press coverage had been relatively limited to date. We anticipated the judge criticising
some PO behaviour in his judgement and receiving some adverse publicity as a result of
this.
We were preparing for the Horizon trial which would start on 11 March 2019 and Post
Office would be represented by Antony de Garr Robinson QC. Witness statements had
been filed by the claimants, and both experts’ reports were due to be filed in Court shortly.
It was suggested that we should discuss the circumstances in which we might consider
appealing the judgement on the common issues trial with the lawyers at BEIS. (Action: JM)
The Board thanked Jane MacLeod for her work on the case.
Irrelevant
Irrelevant
2 It was noted that exclusivity applied to both parties but generally worked in RM’s favour.
3 Circa 10 years in addition to the 2-3 years to run of the current contract.
We would need to consider the construction of the contract in future because of the
timelines for governance processes in the banks; for example, we already knew that
Barclays would have to terminate the contract in the short term because they required
Board approval to renew the contract, and would not be able to achieve this in time. The
complex structure of the banks also meant that there was no single point of contact for us
to discuss the Banking Framework; this meant that multiple conversations took place and
we did not yet have the banks’ considered positions on Banking Framework 2.
The banks had requested an extension of the period in which they could decide whether or
not to participate in Banking Framework 2. They wished to extend the decision period
until the end of May 2019 and we were minded to offer an extension until the end of
March 2019. We had devised a process that would preserve our termination right as well
as the banks. The extension risk for us was that the banks would start to act in concert.
The proposed extension and the risks surrounding this were discussed. It was noted that
the banks would be focussing on their end of year results and plans for the next financial
year over the next quarter. The Board APPROVED an extension of the period in which the
banks could decide whether or not to participate in Banking Framework 2 until the end of
March 2019.
9. COMPLIANCE WITH PCI-DSS
Rob Houghton and Liz Robson joined the meeting.
Post Office had to date been unable to obtain a Payment Card Industry (PCI) ‘Record of
Compliance’ (‘RoC’). Without a RoC, Post Office was technically in breach of contractual
arrangements with banking and payment partners. This could be material in the event of a
data breach. Nevertheless, the issue was caused by a failure to prove compliance within a
number of our outsourcers, rather than a failure to meet security standards. Our branch
security was robust and we could evidence this.
PCI Standards continued to increase and we had previously satisfied our PCI auditors.
However HNGA which was supplied and managed by Computacenter and multiple
systems managed by Fujitsu, were now in scope and there was significant remediation
work required by both Computacenter and Fujitsu. We expected that Fujitsu would be
able to demonstrate compliance in due course; however, the challenge lay with
Computacenter who were seeking to argue that PCI compliance was not a contractual
obligation.
We had concluded that the most effective way to obtain a RoC was to move as much of
the estate out of scope of PCI as possible. This could be achieved by having point-to-point
Encryption and Network Segmentation as this removed all of Computacenter’s data
centres and much of the Horizon Network from the scope, allowing us to securely
manage a smaller estate with robust controls. As point-to-point encryption was rolled
out to branches our risk would begin to reduce but we would not be fully compliant until
it was in place in all branches.
We had received enquiries from payment services customers and banks about the current
status of Post Office’s RoC. We were informing those concerned that we had a secure
private network and providing details of the controls in place but confirming that we were
not currently PCI compliant. We were having twice weekly conversations with Barclays.
The joint Compliance committee established under the Banking Framework had been
briefed the previous week and a conversation would take place with HSBC the following
week. PO relationship managers were having conversations with bill payment clients.
9.2 A number of points were raised, including:
• that we should take care to refer to the customer position when reporting on
compliance and IT security issues.
• whether we were prioritising the rollout to branches so that those which had a high
level of transactions received point-to-point encryption first?
• whether the estimated costs of obtaining PCI compliance through point-to-point
encryption had been broken down and challenged? It was reported that the original
cost estimate had been around £10m and had been reported to the ARC. These figures
had subsequently been reviewed, tested and challenged and as a result, the cost
estimate had now reduced to £8.631m. A number of options had been considered and
various risks had needed to be balanced. It was AGREED that it would be helpful to
see the bridge between the original figures considered at the ARC, the figures included
in the Board paper and the breakdown of these figures. (Action: RH/LR)
9.3 The Board APPROVED:
• the approach to compliance with PCI-DSS set out in the paper and the business case to
move to an encrypted design and update the existing pin pad estate
• the funding request of £8.631 million of which £1.855 million was for 2018/19
• delegation of authority to the CEO - Retail to oversee operational deployment and
approve drawdown of £6.77 million in 2019/20.
While full delegation was approved, the Board asked that relevant issues be flagged to
them as we worked to achieve PCI compliance.
10. SECURITY STRATEGY
10.1 Bryan Littlefair and Rob Houghton introduced the report.
PO’s digital footprint was expanding rapidly and PO needed to make sure that it had an
appropriate security strategy in place to reflect the services it now offered. Hacking attacks
were prevalent across the industry, with a number of recent high profile breaches. Some
of these breaches could have been prevented and the susceptibility of the organisation
was often more significant than the sophistication of the attack as hacking services could
be procured on-line at modest cost, so the barrier to entry was low. There was also a new
strain of “super” malware which encrypted all company data, aiming to cause maximum
disruption. The introduction of GDPR laws had increased fine levels for firms which failed
to comply with data protection requirements.
It was reported that the branch network was secure but that a “red team review” had
been undertaken recently using a team of external ethical hackers to attack the PO’s
systems via a phishing attempt. Although the ultimate goal had not been accessed, the
exercise demonstrated that much more needed to be done to develop a security culture
within Post Office. We had also tested the strength of employees’ passwords and had
re-enforced the key IT security issues with colleagues.
10.2 A number of points were raised, including that:
• the paper had assumed knowledge of technical IT issues and had not spelt out
acronyms. Papers should be adapted to their audience
• the paper was not sufficiently clear or granular. We needed to be clear which actions
remained open from the previous IT security audit. We needed to be sure that the
assurances provided to the ARC on information security were robust. We needed to be
clear about our risks, that we were mitigating these quickly enough, were getting
accurate and regular reporting and third party testing
• we needed IT security systems in place that could detect attacks on or infiltration of
our systems. We could not guarantee that an individual would not open the wrong
email but should be able to detect attacks
• we needed to be confident about third parties’ management of our customers’ data,
especially where this included personal data, as was the case with Digidentity.
10.3 After discussion, the Board concluded that the paper should be withdrawn because there
were elements that appeared to be inaccurate. The Board AGREED that:
• another third party review should be commissioned and the reviewer would be
charged with identifying gaps and producing a strategy to close those gaps
• Shirine Khoury-Haq would discuss the wider issues and review requirements with
the IT team
• the output from the review and its recommendations should set out our priorities,
our short term and long term actions, determine our risk appetite and consider the
costs associated with closing gaps identified. A paper should then be produced for
the Board.
(Action: RH/SK-H)
11.
Irrelevant
Irrelevant
12.
13.
14. ITEMS FOR NOTING
14.1 Sealings
The Board RESOLVED that the affixing of the Common Seal of the Company to the
documents set out against items numbered 1711 to 1728 inclusive in the seal
register was confirmed.
14.2 Future Meeting Dates
The future meeting dates were NOTED. It was AGREED that meeting dates would also be
emailed to non PO email addresses. (Action: VB)
14.3 Forward Agenda
The forward agenda was NOTED.
15.
The Code applies to listed companies.
Tim Parker reported that the Board evaluation questionnaire would be issued on 28
November 2018 for completion in mid-December. A discussion on the Chairman’s
performance would be led by Ken McCall, Senior Independent Director, after the January
2019 Board Meeting. The timetable would be circulated to Board Members. (Action: VB)
The meeting closed at 4.00 pm.
24: 0l« 201d
Chairman Date
Appendix 1
Form of Resolution — item 5. Cash Management and Funding
For the purposes of the form of resolution, below, the following definitions apply:
a) “Transaction” - a committed short-term credit facility arrangement for up to £50 million between Post Office
Limited (the “Company”) and the Secretary of State for Business, Energy and Industrial Strategy (the “Facility
Agreement”),
b) “Transaction Documents”
• the Facility Agreement and any additional documentation required to be entered into in connection with
the Transaction; and
• such other documents necessary to bring the Transaction into effect.
Form of Resolution
IT WAS RESOLVED that:
1. it would be most likely to promote the success of the Company for the benefit of its members as a whole to
enter into the proposed Transaction;
2. the performance by the Company of its obligations under each of the Transaction Documents, and the related
terms and transactions contemplated by the Transaction Documents, be and is hereby approved and the
Company shall execute and, in the case of any document to be entered into as a deed deliver, the Transaction
Documents, subject to the necessary consent of the Special Shareholder being in place as required under the
Company’s Articles of Association;
3. the Chief Executive Officer (“CEO”) or the Chief Financial and Operating Officer (“CFOO”), or the Head of
Treasury (acting individually) be and is hereby authorised, for and on behalf of the Company, to agree the
terms of the Transaction Documents as they shall deem appropriate; the CEO, CFOO, Company Secretary or
any authorised signatory of the Company be and is hereby authorised to sign, seal, execute and deliver all
Transaction Documents in accordance with the Company’s normal execution processes as previously
approved by the Board;
4. the CEO or CFOO (acting individually) be and is hereby authorised to do all acts and things so as to carry into
effect the purposes of the resolutions passed at this meeting and/or to enter into any such other documents
and to give any communication or take any other action required (including signing and/or despatching all
documents and notices, including, any notice or request to draw down under the Facility Agreement, to be
signed and/or despatched) on behalf of the Company in connection with the Transaction and to agree such
amendments, variations or modifications to the Transaction Documents or such notices, communications or
other documents as such person may in his or her absolute discretion think fit.