POL00023458
POL00023458
Confidential and subject to litigation privilege
ALAN BATES & OTHERS v POST OFFICE LIMITED
Agenda and talking points for meeting with Fujitsu on 28 February 2017
PROPOSED AGENDA
1. Overview of the Group Litigation and CCRC review
2. Key questions about Horizon
3. State of Play
4. Way forward.
5. AOB.
MEETING OBJECTIVE
1. To make FJ understand that this is not a Q&A exercise nor an audit but an ongoing and evolving
inquiry process.
2. Tosecure Fujitsu's commitment to supporting all necessary investigations into Horizon whether
in connection with the Group Litigation or the CCRC.
POL00023458
POL00023458
1. OVERVIEW OF THE GROUP LITIGATION AND CCRC REVIEW
Objective
e To give FJ an overview of the Group Litigation
e To ensure that FJ understands that it is exposed to material brand risk
e To subtly message that FJ might be on the hook legally (either directly to the Claimants or by
POL passing on liability)
Briefing
4.41 Group Litigation
1.1.4 198 current and former postmasters have brought a claim against Post Office. The
Claimants have made of a number of allegations that the Horizon system is defective
and the processes associated with it are inadequate.
1.1.2 AGLO has been ordered. Next step is for the parties to formally plead out their cases
before the next Court hearing, likely to be in late October 2017.
1.1.3 Next key step: Post Office's defence needs to be ready by mid-May 2017
(a) NOTE FOR POL: Actual deadline is July but TRQC not available so need to push
for earlier FJ engagement.
1.1.4 Post Office current stance is to fully defend the claims. If this a fully contested piece of
litigation it will take years to conclude (not before end 2018 at the earliest).
1.2 Relevant issues for Fd
1.2.1 The general thrust of the Claimants’ position is that Horizon is at risk of suffering from
defects that could cause false losses to show in branch accounts. They then allege
that either (i) Post Office covered this up or (ii) Post Office negligently ignored this risk
when (a) investigating branch losses, (b) demanding repayment of losses or (c)
terminating postmasters because of losses.
1.2.2 The other key allegation is that Post Office / Fujitsu has the ability to add / delete /
change transactions recorded by branches without the consent / knowledge of a
postmaster and that this may have been the cause of discrepancies in some of the
Claimants’ branch accounts. It has been formulated in several different ways by the
Claimants:-
(i) I Post Office / Fujitsu have the ability to log on remotely to a Horizon terminal
in a branch so to conduct transactions.
(ii) Post Office / Fujitsu have the ability to conduct transactions (either remotely
or locally) under another user 's ID.
(iii) Post Office / FJ can manually re-write data.
1.2.3 There is also an allegation made in the current draft pleading that Post Office
conspired with FJ to defraud postmasters. The precise nature of the allegation is
4A_35166173_2 2
POL00023458
POL00023458
unclear and as yet there has been no indication of any intention to join FJ directly to
the proceedings.
1.2.4 The challenge is that the exact nature of the allegations is still evolving; with the
Claimants avoiding being pinned down despite Post Office's best efforts.
1.3 CCRC Review
1.3.1 CCRC is empowered to review criminal cases for miscarriages of justice. They have
the power to refer cases to the Court of Appeal but cannot overturn convictions
themselves.
1.3.2 CCRC has very broad powers to demand disclosure of documents (including privileged
material). POL has provided over 100,000 documents to the CCRC so far and the
review has been going on for more than 18 months. No end date is currently set.
1.3.3 The relationship with the CCRC is good. They appear a sensible pragmatic body.
They are however very diligent in their work and ask probing questions.
1.3.4 Current focus on their enquiries is into whether Horizon works. The CCRC is
considering instructing its own expert to review Horizon. The exact scope of this work
has not yet been determined.
4A_35166173_2 3
POL00023458
POL00023458
2. KEY QUESTIONS ABOUT HORIZON
Objective
e To make FJ understand the current focus of POL's enquiries.
e To gently note that Fu's historic advice was wrong and that this has led POL into difficulties.
Briefing
2.1 Explain Deloitte's role
2.1.1 Deloitte were engaged to provide an arm's length review of particular Horizon issues.
2.1.2 Deloitte are currently focussed on finding an answer to the "remote access" question
described above. This has revealed two areas of concern — see below.
2.2 Concern 1: Remote Access and Super Users
2.2.1 During the Mediation Scheme, the "remote access" question was raised. When FJ
was asked about it, Post Office was told that there was no capability to edit or delete
transaction data (only new transactions could be added eg. balancing transactions).
2.2.2 During Deloitte's initial review they revealed to Post Office that there are super users at
FJ who have database administrator access and they can effectively edit and delete
transaction data.
2.2.3 By that time, Post Office had already made statements to the effect that transaction
data could not be edited or deleted and it appears that those statements may now be
incorrect. This is a highly contentious point and one on which the media focus.
2.2.4 There is some concern around how this was previously overlooked by FJ but the focus
now is on understanding how Super Users could have changed transaction data.
2.2.5 In particular, Deloitte has found that a limited number of authorised Fujitsu personnel
(Super-Users) have sufficient privileges to theoretically edit and/or delete transactions
in the Branch Database and although Horizon is designed in such a way that “Super-
user activity” should leave behind a footprint showing that changes had been made to
transaction data, it is thought that certain Super-Users may have sufficient access
rights to cover their tracks so that no log / footprint of the changes would be left behind
(i.e. a lack of segregation of duties).
2.3 Concern 2: Gaps and errors in Horizon data
2.3.1 A key control in Horizon is that all transactions are logged with a sequential Journal
Sequence Number and that all baskets should "net to nil".
2.3.2 Deloitte reviewed transactional data relating to the Claimants' branches (extracted from
the audit store by Fujitsu) and identified:-
(a) 212,372 (1.6%) gaps in the audit log/JSN sequencing from a total of 13,666,238
transactions; and
4A_35166173_2 4
POL00023458
POL00023458
(i) 48 (0.0015%) session IDs from a total of 3,124,140 that were out of balance.
2.3.3 Neither of the above should be possible if the controls identified by FJ were operating
effectively.
24 POL needs firm answers to these issues
2.4.1 POL has had clear advice from Leading Counsel that it must investigate these issues
and provide clear, unequivocal responses to the allegations made. It is not sufficient
for POL to state that there is no evidence to suggest that there has never been an
attempt to use the Super-User facility to affect branch accounts outside of any proper
and agreed process. POL needs to find out whether or not Super-Users can cover
their tracks and, if they can, POL needs to provide a full description of ways in which a
Super-User could amend a branch's accounts in a way that would not leave behind a
footprint of their activity is required.
2.4.2 POL has made a number of statements in the past to the effect that branch accounts
cannot be amended by Super-Users, based on assurances provided by Fujitsu, which
have now been shown to be false. We must get accurate answers this time.
2.4.3 The specific questions that POL and Fujitsu need to answer are set out in the Remote
Access paper that [has been/will be] provided.
4A_35166173_2 5
POL00023458
POL00023458
3. STATE OF PLAY
Objective
e Get FJ to recognise that their support so far has been adequate but needs to be more in depth
and quicker.
« Point out there is some concern that FJ are giving stock answers rather than truly answering the
questions with a fresh pair of eyes.
e Lodge with FJ that the deadline for answers is the end of April.
3.1 Remote access and Super Users
3.4.1 Thank you for the work that you have done to date in response to Deloitte's questions.
Generally the support has been good.
3.1.2 The concern is that FJ’ input is not timely. Deloitte often have to wait weeks to get
meetings and information. In a litigation situation, this cannot happen — must be
quicker.
3.1.3 Deloitte have further work to do but are currently paused pending outcome of this
meeting and a decision on whether there are some answers that FJ could do directly.
3.2 Work in relation to data anomalies
3.2.1 FJ appear to be giving stock answers rather than truly answering the questions with a
fresh pair of eyes. This has led to the wrong answers being given and Deloitte having
to go back over old ground.
3.2.2 This is worrying in light of previous incorrect answers back during the Mediation
Scheme.
3.2.3 Post Office relies on FJ's expertise and wants to get back to having confidence in the
answers that are being given.
3.3 Examples
3.3.1 Regarding the missing JSNs in the transaction logs:
(a) On 17 November 2016 Torstein advised that Transaction IDs do not need to be
continuous, but Session IDs should be continuous as they contain the last few
digits of JSNs. Deloitte therefore agreed to check whether there are any gaps in
the Session IDs.
(b) Deloitte re-ran their analysis on that basis but still found gaps. Deloitte provided
Torstein with five example cases (including raw data highlighted to show where
the issues were) and asked whether this is something he'd expect or whether
they were missing anything (such as branches with multiple stock units).
(c) Torstein looked at one example and said that there were haps because JSNs are
used for more than just basket identifiers and so the gaps in the Session Ids are
explained by instances where the JSN has been used against something other
4A_35166173_2 6
4A_35166173_2
POL00023458
POL00023458
than a basket to record a block of data in the audit trail. He said that in the
example he had looked at, the ‘missing’ JSN was used to record assembling a
pouch in the branch. He also stated that the extract produced for this ARQ
confirmed that there were no gaps or duplicates in the JSN sequence on the
summary page (checking this is part of the standard extract process, but the data
that had been extracted into the spreadsheets that Deloitte had been using was
tailored to provide specific pertinent data).
(d) In order to get assurance on this Deloitte selected a sample of 25 Session IDs
with gaps and asked Deloitte to re-do the ARQs to include the additional
transactions for that month (i.e. the session IDs that don't hit the basket) to verify
the completeness of JSNs.
(e) It was agreed that the ARQ requests would be submitted by POL as per the
normal procedure. However, when the ARQ files were provided they were ina
different format (e.g. fewer columns and different column headings) to the first set
that Deloitte had been using. Deloitte asked some questions and Torstein
provided a response on 1 February 2017 which contained an assurance that "the
data in the new queries has been extracted from the same source with all the
checking of digital signatures and other safeguards that we have explained in the
past."
(f) Deloitte recommended that they observe Fujitsu re-running these ARQs. That
suggestion has not been put to Fujitsu.
Regarding the transactions that do not "net to nil"
(a) Torstein redid the first two ARQs from Deloitte's sample of 25 and got them to
balance to zero on 17 November 2016. The explanation given was that the size
of the ARQs extended to two sheets in Excel and Deloitte had missed the
Session IDs on the second sheet.
(i) Deloitte re-performed the analysis but found that 48 of the session ID's still
did not balance (originally it was 59). Deloitte noted that they had been
advised by POL case handlers to perform the exercise in the "SC" (Serve
Customer) mode and queried whether this was correct.
(ii) Torstein responded on 15 December 2016 and explained that after
reviewing the raw data from the ARQ files from a number of relevant cases,
some data was not being extracted into the spreadsheet. Torstein said that
there was a common cause for the failure to extract in the cases that he had
reviewed but asked Deloitte to confirm that the discrepancies they had found
were all: (1) negative; and (2) relatively small.
(iii) Deloitte confirmed that when the analysis was carried out in "SC" mode the
discrepancies they had found were all: (1) negative; and (2) relatively small,
but the discrepancies were bigger if the full population was used. Deloitte
therefore asked Torstein whether the balancing of Session IDs should be
done in "SC" mode only or the full population for a second time. In
response, Torstein said: " / think I saw one instance where it looked as
though the basket would balance if you included a non ‘SC’ item in it. I think
I would go for the full population as being valid for balancing the session.".
(iv) Following some discussion as to whether the analysis should be carried out
over the full population, Torstein stated that from his perspective the
exercise using SC has identified a small number of instances where the data
from the audit trail has not been extracted by the extract tool. Torstein said
that he was in the process of finalising a report that would explain the glitch
and that he was comfortable that for all the cases identified to date we can
POL00023458
POL00023458
see detail in the audit trail which shows what items were sold in the branch
for each session in mode SC (Serve Customer).
(v) Torstein provided his report on 22 December 2016. It attributed the issue to
a Mails application that had been integrated into legacy Horizon which had
not been written by Fujitsu. However, Deloitte pointed out that the
explanation only applied to 8 of the 15 samples they had provided and
suggested a way forward to deal with the balance on 12 January 2017. No
further progress has been made.
4A_35166173_2 8
POL00023458
POL00023458
4, WAY FORWARD
Objective
e To get FJ to commit to producing their paper by mid-March
e To get FJ to acknowledge that they will need to support Post Office in the long term.
Briefing
44 Fujitsu's comprehensive paper
4.44 Thank you for offering to provide a comprehensive paper that sets out the measures
and protections that are in place to ensure that the risk of a Super-User altering
transaction data so as to cause a discrepancy in a postmaster’s branch accounts, and
cover their tracks, is theoretical only.
4.1.2 We [have provided/will be providing] you with a paper which sets out Deloitte's findings
to date and the specific questions that your report needs to address to enable us to
respond to the Claimants’ allegations.
4.13 We have instructed Deloitte to suspend work in relation to Super-User activity pending
your paper. Is that the correct approach?
42 Deloitte are still working on:-
4.24 The transaction data anomalies as described earlier and a small issue around the
controls around non-Counter transactions (e.g. Paystation).
Note for POL: Deloitte are also looking at suspense accounts but that does not involve
Fujitsu.
4.2.2 Need FJ co-operation with Deloitte in relation to these issues to the extent that it is
requested. Needs to be timely and well-considered.
4.23 Can FJ commit to this?
43 Timescales
4.3.1 Given deadline for Post Office defence, POL need Fu's input asap. Final deadline by
when we need rock solid answers is end of April.
4.3.2 Ideally need FJ paper by mid-March so that POL has time to consider.
44 Future support
4.4.4 The Group Litigation is an ongoing matter and, for the reasons we have covered, POL
will require further input from Fujitsu as requested. The Group Litigation is not akin to
an audit and while the paper that you have offered to prepare will undoubtedly assist
us, it is unlikely to be a panacea.
4.4.2 The Claimants may seek to refine and / or augment those allegations as the Group
Litigation progresses, which may lead to Post Office having to answer further
questions
4A_35166173_2 9
4.4.3
4.4.4
45 CCRC
4.5.1
4A_35166173_2
Will FJ support this?
[Rod - do you want to raise costs?]
To be picked up in due course once the scope of the enquiry is clearer.
POL00023458
POL00023458