CONFIDENTIAL
Version History
POL00027928
POL00027928
SCHEDULE A5
POST OFFICE RESPONSIBILITIES
Version No. Date Comments
1.0 31/08/06 Agreed version as at date of signature of CCN
1200
1.1 26/09/06 Minor corrections by PO
1.2 11/10/06 Further corrections from FS
1.3 19/01/07 Further minor corrections
1.4 22/01/07 Further corrections
2.0 24/01/07 Baseline copy of 1.4
2.1 05/05/09 Applying changes as per CCN1224a
6.0 06/07/09 Moving all schedules to V6.0 as agreed with
Fujitsu
6.1 31/03/10 Applying changes as per CCN1276a
6.2 01/04/10 Applying changes as per CCN1270
7.0 24/05/10 Moving schedule to version 7.0
8.0 21/02/12 Applying changes as per CCN1304b,
CCN1310b and CCN1294d
9.0 13/01/14 Applying changes as per CCN1349,
CCN1307a, CCN1329a and CCN1346
10.0 10/09/15 CCD reference update, applying changes as
per CCN1346 and moving all Schedules to
v10.0 in accordance with CCN1506
11.0 31/03/16 Applying changes as per CCN 1423c, CCN
1427, CCN 1504a and moving all Schedules
to v11.0 in accordance with CCN1604
12.0 03/07/17 Applying changes as per CCN1614a,
CCN1618a and moving all Schedules to v12.0
13.0 Updating as per CCN1613a, CCN1616b,
CCN1647 and moving all Schedules to v13.0
Schedule AS Version 13.0
Page 1 of 23
CONFIDENTIAL
SCHEDULE A5
POST OFFICE RESPONSIBILITIES
12 INTRODUCTION
14 This Schedule AS:
241A
2.2
bP sets out in Annex A, certain Post Office Responsibilities that Post Office shall
perform to enable Fujitsu Services to perform the HNG-X Services;
1.1.2 sets out in Annex B, certain Post Office Responsibilities which Post Office
shall perform to enable Fujitsu Services to perform the BCSF Service and
shall take effect at Trigger Point T5 (Data Centre Ready for HNG-X);
1.1.3 identifies in Annex C, the Banking Responsibilities; and
1.1.4 Identifies in Annex D, the Banking Obligations.
1.1.5 identifies in paragraph 4, the Azure Responsibilities”.
Subject to paragraph 2.3, Post Office shall perform all Post Office Responsibilities
whether or not set out or referred to in this Schedule.
POST OFFICE RESPONSIBILITIES RELATED TO THE BANKING FUNCTION AND
DEBIT CARD
In respect of Horizon, the provisions of (i) the appendix to the CCD entitled “Debit Card
MoP Functional Description” (EF/SER/001) and (ii) Annex C and Annex D to this
Schedule, set out the Banking Responsibilities, Banking Obligations, Debit Card
Responsibilities and Debit Card Obligations or identify where they are located in this
Agreement.
In respect of HNG-x, the provisions of Annex B to this Schedule, set out the Banking
Responsibilities, Banking Obligations, Debit Card Responsibilities and Debit Card
Obligations or identify where they are located in this Agreement
The omission from the provisions referred to in paragraph 2.1A and 2.1B of an obligation
or responsibility of Post Office connected with the Banking Functions or Debit Card
shall, for the purposes of paragraphs 2.3 to 2.8:
Schedule A5 Version 13.0
Page 2 of 23
POL00027928
POL00027928
CONFIDENTIAL
23)
24
2.5
2.6
27
2.2.1 if the obligation is stated as something for which Post Office "shall be
responsible", result in that obligation being classed as a “Banking
Responsibility" or “Debit Card Responsibility’ (as applicable);
2.2.2 if the obligation is stated to be something which Post Office "shall do", result
in that obligation being classed as a “Banking Obligation" or “Debit Card
Obligation” (as applicable);
2.2.3 if the obligation is to make payment to Fujitsu Services, result in that
obligation being classed as a "Banking Obligation” or “Debit Card Obligation”
(as applicable); and
2.2.4 in all other cases shall be, as the context so requires, a Banking Obligation
or Banking Responsibility or Debit Card Obligation or Debit Card
Responsibility.
Any failure by Post Office to carry out a Banking Responsibility or a Debit Card
Responsibility shall not be a Default under this Agreement.
As soon as reasonably practicable prior to Trigger Point T5 (Data Centre ready for
HNG-X) the Parties shall review the Banking Obligations, Banking Responsibilities,
Debit Card Obligations and Debit Card Responsibilities set out in Annex B to this
Schedule in order to agree under the Change Control Procedure any amendments,
additions or deletions to those Post Office Responsibilities reasonably required in
relation to the detailed design of the Business Capabilities and Support Facilities and
provision of the HNG-X Services, once that design is available.
Fujitsu Services shall not be liable to Post Office:
2.5.1 in respect of any breach of its obligations in relation to the Banking Functions
(including its obligations to achieve any Service Level which measures
Fujitsu Services’ performance in relation to the Banking Functions) (the
“Dependent Obligations") or any delay in performing the Dependent
Obligations to the extent that such breach or delay was caused by the failure
by Post Office to carry out a Banking Obligation or a Banking Responsibility
(whether or not a Default) (a "Dependency Failure"); or
2.5.2 for any failure to perform or delay in performing its obligations in relation to
Debit Card where Fujitsu Services proves that such failure or delay was
directly caused by the failure of Post Office to perform a Debit Card
Responsibility or a Debit Card Obligation (whether or not a Default).
Fujitsu Services shall notify Post Office in writing as soon as reasonably practicable
after Fujitsu Services becomes aware of any Dependency Failure or becomes aware of
any matters or circumstances which would with the effluxion of time result in a
Dependency Failure.
In the event of a Dependency Failure, Fujitsu Services shall be entitled to recover from
Post Office such reasonably incurred, increased costs and expenses (if any) which it
Schedule A5 Version 13.0
Page 3 of 23
POL00027928
POL00027928
CONFIDENTIAL
POL00027928
POL00027928
incurs in performing the Dependent Obligation in question to the extent that such
increased costs and expenses were the result of the Dependency Failure. Fujitsu
Services shall provide a statement of such increased costs and expenses incurred for
approval by Post Office, such approval not to be unreasonably withheld.
28 Fujitsu Services shall use all reasonable endeavours to mitigate the amounts (if any)
payable under paragraph 2.7.
3. ASSOCIATED DOCUMENTS
3.1 The following CCDs are associated with this Schedule AS:
Document Reference
Document Title
1. EF/SER/001 (Withdrawn)
REQ/GEN/REP/1091
Debit Card MoP _— Functional
Description (Withdrawn)
Note — this only applies to Horizon
Mapping Schedule B3.2 to the HNG-
X Solution
2: CS/PRD/058
Fujitsu Services / Post Office Ltd
Interface Agreement for Operational
Business Change - Reference Data
3. PA/PER/033
Horizon Capacity Management and
Business Volumes
4. SVM/SEC/POL/0003
RMGA Information Security Policy
5. NB/IFS/025
EMV Banking and Retail NBX -
CAPO Application Interface
Specification
6. NB/IFS/024
EMV Banking and Retail NBX —
LINK Application Interface
Specification
7. DES/NET/TIS/0006
CAPO to HNG-X Technical Interface
Specification
8. DES/NET/TIS/0008
VOCALINK - HNG-X Technical
Interface Specification
9. DES/NET/TIS/1839
Santander — HNG-X_ Technical
Interface Specification
10. NB/IFS/029 (Withdrawn)
NBX - A&L Technical Interface
Specification (Withdrawn)
Schedule A5 Version 13.0
Page 4 of 23
POL00027928
POL00027928
CONFIDENTIAL
DES/NET/TIS/1839
Santander HNG-X Technical
Interface
11. Withdrawn in CCN1616b
12. Withdrawn
13. Withdrawn in CCN1616b
14, ET/IFS/001 Application Interface Specification:
Horizon to e-pay
15. DES/NET/TIS/0009. "e-pay — HNG-X Technical Interface
Specification
16. BP/SPE/046 APOP Definition
17. CS/SPE/011 Network Banking End to End
Reconciliation Reporting
18. SVM/SDM/STD/0001 Post Office Ltd Operational Business
Change —-_ Branch, Interface
Agreement
19. BP/SPE/035 NBS Definition
Note — this only applies to Horizon
20. CS/SER/016 (Withdrawn) Service Description for the Security
Management Service (Withdrawn)
Note - this only applies to Horizon
SVM/SDM/SD/0017 Security Management Service:
Service Description
21. CS/SER/010 Transaction Benchmark Service:
Service Description
Note — this only applies to Horizon
22. NB/SPE/003 Network Banking: Counter Dialogue -
Activity & Screen Flows.
Note — this only applies to Horizon
23. NB/PRP/004 EMV Banking: User Interface Design
Proposal.
Note — this only applies to Horizon
Schedule A5 Version 13.0
Page 5 of 23
CONFIDENTIAL
POL00027928
POL00027928
24.
SD/STD/001 (Withdrawn)
Horizon Office Platform Service Style
Guide (Withdrawn)
Note - this only applies to Horizon
DES/APP/STD/0001 HNGX-UI Style Guide
25. SVM/SDM/SD/0015 Reconciliation Service: Service
Description
26 AP/IFS/063 Horizon APOP Authorisation Service
Application Interface Specification
27 DES/NET/TIS/0005 HNG-X RGM Technical Interface
Specification
3.2 The following CRDs are associated with this Schedule AS:
Document Reference
Document Title
NO CRDs APPLICABLE
4. POST OFFICE RESPONSIBILITIES RELATED TO THE USE OF MICROSOFT
AZURE SERVICES FOR THE HOSTING OF THE SERVICES
44 Post Office shall accept and agree to the terms of the Customer Agreement and
undertakes to comply with such terms at all times during which Fujitsu Services uses
the Microsoft Azure Services in providing Services to Post Office.
42 Fujitsu Services shall notify Post Office of any changes to the Customer Agreement
made by Microsoft from time to time. Post Office's continuing use of the Microsoft
Azure Services shall constitute acceptance of any such changes to the Customer
Agreement.
Post Office shall ensure that it continues to comply with the Customer
Agreement and any updates and changes made to it by Microsoft from time to time.
43 Post Office shall:
4.3.4
4.3.2
43.3
nominate a named individual whose name, phone number and email
address shall be manually recorded as having read and accepted the
Customer Agreement on behalf of the Post Office.
inform Fujitsu Services promptly of any material breach by Post Office of
the Customer Agreement.
authorise Fujitsu Services to place orders for Microsoft Azure Services on
behalf of the Post Office, if required.
Schedule A5 Version 13.0
Page 6 of 23
CONFIDENTIAL
1.6
1.7
ANNEX A
POST OFFICE RESPONSIBILITIES IN RELATION TO THE HNG-X SERVICES
Post Office shall provide and maintain Reference Data in accordance with Post Office
business requirements and as specified in the CCD entitled “Fujitsu Services / Post
Office Ltd Interface Agreement for Operational Business Change - Reference Data”
(CS/PRD/058).
Save as expressly provided otherwise in this Agreement, any CCN or Work Order, Post
Office shall be responsible for:
1.2.1 the provision of all training for its employees, agents, contractors and sub-
contractors; and
1.2.2 the production of all training material required,
in connection with any new and/or modified Services and Applications introduced under
the Change Control Procedure and/or the Work Ordering Procedure.
Post Office shall ensure that all ETU Transactions carried out at Counter Positions are
correctly processed by e-pay according to the AIS entitled “Application Interface
Specification: Horizon to e-pay” (ET/IFS/001) and that daily reconciliation files are
produced and processed according to that AIS.
In relation to the POLSAP Services, Post Office shall be responsible for having
appropriate and sufficiently trained staff available for the provision of Replacement
Services to the POLSAP applications support (whether such staff reside within Post
Office or within the Next Supplier of Replacement Services) to investigate and progress
operational and application issues relating to the POLSAP applications support 24 hours
a day.
In relation to BNR, Post Office shall be responsible for bearing the risk for the wireless
hardware once installed until it is returned to Fujitsu Services in the same condition that
it was in when installed, subject to fair wear and tear.
In relation to the CCD “Horizon Capacity Management and Business Volumes”
(PA/PER/033), section 2.6 Post Office will:
1.6.1 provide information on forecast changes to business volumes; and
1.6.2 endeavour to provide timely information on all likely and possible changes
to business volumes,
within current or new Post Office Services.
In relation to the CCD _ entitled “RMGA_ Information Security Policy”
(SVM/SEC/POL/0003), Post Office shall be responsible for:
Schedule A5 Annex A Version 12.0
Page 7 of 23
POL00027928
POL00027928
CONFIDENTIAL
1.8
1.10
1.7.1 assessment and regular review of compliance; and
1.7.2 incident reporting (joint responsibility dependent on area of responsibility).
From 1st April 2015, in relation to Fujitsu continuing to deliver Services which previously
had dependencies on the Engineering Service and to facilitate Fujitsu's delivery of those
Services, Post Office will be responsible for:
1.8.1 for planning the timings of Counter Gold Build releases and requesting
them, using the Change Control Procedure;
1.8.2 the Next Supplier accepting and resolving Incidents raised in respect of
Branch Hardware requiring repair or replacement, identified through pro-active
monitoring; and
1.8.3 the Next Supplier accepting and fulfilling requests to perform investigation,
repair or replacement activities on Branch Hardware (e.g. quiet line test or
branch router reset) to support the resolution of Incidents.
From 1st April 2015, Post Office will be responsible for maintaining the Initial Branch
Infrastructure (as defined in paragraph 2.1.1 of Schedule B3.4 - Branch Infrastructure)
to the specification described in CCD entitled “Counter Hardware Design Specification”
(BP/DES/003) in all Branches and any other Post Office authorised locations.
Post Office will be responsible for ensuring that communications related Incidents
and/or problems in respect of Branches where Replacement Services to the VSAT BB
communications method of the Branch Network Service are being provided by the Next
Supplier, are routed to the Next Supplier and not to Fujitsu Services.
Itis agreed that title of previously installed BT VSAT BB dishes, mounts, cabling, indoor-
units and Cisco VPN router hardware in the Branches (“VSAT Equipment’) shall transfer
from Fujitsu Services to Post Office on the day of migration of the VSAT BB networking
element for that Branch in accordance with the details set out in the Asset Transfer
Agreement in Attachment 2. For the avoidance of doubt, Post Office shall pay a Transfer
Payment of £1 in accordance with paragraph 7.1.2 of Schedule E for the VSAT
Equipment on signature of CCN1614, receipt of which is hereby acknowledged by
Fujitsu Services. Post Office will be responsible, on transfer of such title, for the removal
and compliant disposal of all VSAT Equipment removed from Branches as part of such
Branches’ migration from the VSAT BB communications method to Branches to the
Replacement, which will be supplied by the Next Supplier. The Parties agree that the
approach being adopted for the transfer of ownership and responsibility for removal and
disposal of VSAT Equipment is particular only to the VSAT Equipment listed in the said
Asset Transfer Agreement and does not create any contractual, commercial or
operational precedent for any other equipment removal and disposal activities which
may be required in future at any other Branches.
For Branches where the VSAT BB communications method to Branches are
beingreplaced by Replacement Services, Post Office will ensure the timely procurement
of the Replacement Services.
Schedule A5 Annex A Version 12.0
Page 8 of 23
POL00027928
POL00027928
CONFIDENTIAL
1.13 Post office will ensure that the following test environments based at the Fujitsu Services
Bracknell location;
1.Solution Verification & Integration (SV&I Rig)
2. Live System Test (LST Rig)
will be modified to contain representative Branch VSAT BB communications infrastructure
(providing Replacement Services to the VSAT BB communications method to Branches
previously provided by Fujitsu Services) by the Next Supplier. In the event that there are failure(s)
as a consequence of such communications infrastructure provided by the Next Supplier or of any
Services during the remaining period when Fujitsu Services is providing these test environments,
Fujitsu Services will raise new Incident(s) with the Post Office service desk for the attention of the
Next Supplier supplying Replacement Services to the VSAT BB communications method to
Branches to ensure the support of the Fujitsu Services test environments, including but not limited
to enabling the replacement of failed part(s) by Post Office and/or the Next Supplier or reinstating
services to the test environments by Post Office and/or the Next Supplier. It is agreed that this
support will be provided by Post Office at no cost to Fujitsu Services. Fujitsu Services will exercise
reasonable care and skill in accordance with its own established internal procedures when
housing and/or using the equipment to perform the Services.
1.14 Post Office acknowledges that the HNG-X Test Infrastructure will operate until at least
34st March 2022.
Schedule A5 Annex A Version 12.0
Page 9 of 23
POL00027928
POL00027928
CONFIDENTIAL
ANNEX B
POST OFFICE RESPONSIBILITIES IN RELATION TO THE BCSF SERVICES
1. BANKING BUSINESS CAPABILITY
The following Post Office responsibilities relate to the Banking Business Capability:
1.1 Post Office shall ensure the security, safe keeping and proper management (as defined
in ISO 11568 parts 1 to 3) of all keys shared between the Data Centre and CAPO and
Santander on the CAPO and Santander sides of the interfaces. [B.ObI.]
1.2 Post Office shall be responsible for ensuring that the links from CAPO and LINK to the
Data Centres and information transmitted from CAPO and LINK to Fujitsu Services
across those links shall be in accordance with the CCDs entitled “EMV Banking and
Retail NBX- CAPO Application Interface Specification” (NB/IFS/025) and “EMV Banking
and Retail NBX — LINK Application Interface Specification" (NB/IFS/024) and "CAPO to
HNG-X Technical Interface Specification” (DES/NET/TIS/0006) and “VOCALINK —
HNG-X Technical Interface Specification” (DES/NET/TIS/0008). [B.Res.]
1.3 Post Office shall be responsible for ensuring that the information transmitted from
Santander to Fujitsu Services across the Santander Circuit shall be in accordance with
the CCD's entitled "NBX - A&L Application Interface Specification" (NB/IFS/026) and
“Santander — HNG-X Technical Interface Specification" (DES/NET/TIS/1839). [B.Res.]
2. BUREAU SERVICE BUSINESS CAPABILITY
The following Post Office responsibilities relate to the Bureau Service Business Capability:
2.1 Post Office shall be responsible for installing and ensuring that to the extent required by
law all Rate Boards comply and are maintained in compliance with all relevant
legislation (current and future), including all relevant Governmental Regulations and,
from the date of UK implementation, EU Directives and EU Regulations. Without
prejudice to the generality of the foregoing, Post Office shall ensure that the Rate Boards
comply with the Electromagnetic Compatibility ("EMC") Regulations 1992, which
implement Council Directive 89/336/EEC (as amended by Directive 91/26/EEC,
Directive 92/31/EEC and Directive 93/86/EEC).
2.2 Post Office shall:
2.2.1 ensure that all Rate Boards are compatible with Counter Equipment using
models as specified in the CCD entitled “Counter Hardware Design
Specification” (BP/DES/003);
2.2.2 be responsible for the provision of all cabling necessary to connect the Rate
Boards to Counter Equipment and shall ensure that such cabling is in
accordance with the CCD entitled “Rate Board Cables” (AS/REP/013);
Schedule A5 Annex B Version 12.0
Page 10 of 23
POL00027928
POL00027928
CONFIDENTIAL
3.
2.2.3 once each Rate Board has been connected to Counter Equipment, carry out
all maintenance of that Rate Board and of the associated cabling,. This
responsibility extends to all cabling used in making the connection to a
Counter Position; and
2.2.4 provide mains electrical power to each Rate Board (or where more than one
in a Branch, the Rate Boards in that Branch together) from power circuits
that are separate from the power circuit dedicated to the Counter Position.
ELECTRONIC TOP-UP BUSINESS CAPABILITY
The following Post Office responsibilities relate to the Electronic Top-up Business Capability:
3.1
44
4.2
4.3
44
Post Office shall be responsible for ensuring that the link from e-pay to the Data Centres
and information transmitted from e-pay to Fujitsu Services across that link shall be in
accordance with the CCDs entitled "Application Interface Specification: Horizon to e-
pay” (ET/IFS/001) and “e-pay -— HNG-X Technical Interface Specification”
(DES/NET/TIS/0009).
APOP BUSINESS CAPABILITY
The following Post Office Ltd Responsibilities are included in the CCD entitled “APOP
Definition” (BP/SPE/046),such Post Office Ltd Responsibilities relate to the APOP
Business Capability.
Post Office Ltd shall specify that the Post Office Data Gateway generates an APOP
verification file as defined in the CCD entitled “Horizon APOP Authorisation Service
Application Interface Specification” (AP/IFS/063) if required for an APOP Service
APS transactions shall conform to the specification defined in the CCD entitled “AP-
ADC Reference Manual” (DES/GEN/MAN/0002)
User access to the APOP administration service shall be from within the Post Office Ltd
domain and no Post Office Ltd clients will have direct access to data held on the APOP
database.
l.e. Post Office Ltd will not grant access from outside the Post Office Ltd domain
APOP Service Authorisation Service
4.5
4.6
The APOP authorisation service definition for an APOP Service shall conform to the
specification defined in the CCD entitled “APOP Reference Manual” (AP/MAN/003).
Post Office Ltd shall conform to the security rules for the creation of administrators and
users of the APOP administration service and the use of the APOP administration
service by administrators and users as defined in the APOP Administration Service User
Interface Design Proposal.
Schedule A5 Annex B Version 12.0
Page 11 of 23
POL00027928
POL00027928
CONFIDENTIAL
47
The APOP Service Definition shall be constructed using the parameters defined in the
CCD entitled “APOP Reference Manual”(AP/MAN/003).
48 Post Office Ltd shall define the service definition for an APOP Service which conforms
to the CCD entitled “APOP Reference Manual”(AP/MAN/003) and deliver the service
definition to Fujitsu Services.
49 Post Office Ltd shall define the format of the reports derived from data extracted from
the APOP database and delivered to Post Office Ltd by the APOP reporting service.
4.10 Post Office Ltd/Prism shall build and maintain the APOP administration service server
and workstations which shall include schema files to support the rendering of the extract
files produced by the APOP reporting service.
4.11 Not Used
4.12 Transactions to be processed by the APOP batch service shall conform to the CCD
entitled “Horizon APOP Authorisation Service Application Interface Specification”
(AP/IFS/063).”
4.13 On-line branch transactions initiated at a Post Office Horizon counter position shall
conform to the specification defined in the CCD entitled “APOP Authorisation Service-
On-line Application Interface Specification “(AP/IFS/064).
New APOP Services
4.14 For each new APOP Service:
e Post Office Ltd will produce a specification of the APOP Service business
requirements and business process definition as defined in the APOP User
Guide.
« Post Office Ltd will produce the AP-ADC counter transactions.
e Post Office Ltd will produce the service definition for the APOP Service.
4.15 For each new APOP Service, Post Office Ltd shall, subject to the Work Ordering
Procedure, require Fujitsu Services to produce:
« Voucher receipt templates;
« Customer and Branch receipt templates;
e Counter and Branch weekly reports.
4.16 For each Counter and Branch weekly report, Post Office Ltd shall define the:
Schedule A5 Annex B Version 12.0
Page 12 of 23
POL00027928
POL00027928
CONFIDENTIAL
4.17
e List of products;
e Report title;
e Cut-off requirements
For each new APOP Service with an external authorisation service, Post Office Ltd shall,
subject to the Work Ordering Procedure, require Fujitsu Services to produce:
e An APOP web service, web services agent and (optionally) a web server
platform:
« An interface between the Horizon domain and the external authorisation service
Changes to APOP Services
4.18
Post Office Ltd shall, subject to the Work Ordering Procedure, require Fujitsu Services to
produce changes to Fujitsu Services supplied components of an APOP Service.
DEBIT CARD
The following Post Office Responsibilities are Debit Card Responsibilities:
Debit Card Responsibilities
5.1
5.2
5.3
5.4
5.5
Post Office shall be responsible for providing, through Post Office Reference Data, DC
Token definitions to cover the DC Token ranges supported by Fujitsu Services.
Post Office shall be responsible for following procedures for Debit Card Transaction
settlement and exception reporting in accordance with the CCD entitled “Network
Banking End to End Reconciliation Reporting” (to be renamed End to End Reconciliation
Reporting) (CS/SPE/011) to the extent Post Office is required to do so.
Post Office shall be responsible for generating and transmitting (as reasonably required
by the Fujitsu Services) test Reference Data for testing purposes.
Post Office shall be responsible for ensuring that Fujitsu Services has at all times a
sufficient number of MIDs and TIDs to enable Fujitsu Services to allocate such MIDs
and TIDs to the Branches and Counter Positions respectively.
Post Office shall be responsible for supplying an agreed batch of MIDs to Fujitsu
Services in accordance with the OLA “DC Operational Level Agreement” to ensure that
one MID is available for each new Branch, whenever the supplies of unallocated MIDs
held by Fujitsu Services fall below a threshold limit agreed between Post Office and
Fujitsu Services
Schedule A5 Annex B Version 12.0
Page 13 of 23
POL00027928
POL00027928
CONFIDENTIAL
5.6
5.7
5.8
5.9
Post Office shall be responsible for supplying an agreed batch of TIDs to Fujitsu
Services through the Change Control Procedure whenever the supplies of unallocated
TIDs held by Fujitsu Services fall below a threshold limit agreed between Post Office
and Fujitsu Services.
Post Office shall be responsible for following the reconciliation and incident
management procedures for the investigation, reporting and resolution of business
incidents related to the use of Debit Card (supported by the Payment Management
Business Capability) as set out in the applicable provisions of paragraph 2.8 of the CCD
entitled "Reconciliation Service: Service Description” (SVM/SDM/SD/0015)
Post Office shall be responsible for providing MIDs and TIDs in accordance with the
processes for business change described in the CCD entitled “Post Office Ltd
Operational Business Change — Branch, Interface Agreement” (SVM/SDM/STD/0001).
Post Office shall be responsible for procuring the provision of an EMIS to supply a data
feed to the Reconciliation Support Facility from the Merchant Acquirer in accordance
with the document entitled “Technical Specification for the Electronic Management
Information Service” (SU/SPE/024).
The following Post Office Responsibilities are Debit Card Obligations:
Debit Card Obligations
5.10
5.11
5.12
5.13
Post Office shall be responsible for verifying and validating all Debit Card related Post
Office Reference Data for use in connection with the DC MoP, save to the extent that
Fujitsu Services is obliged to do so (for the purposes of the use of such Post Office
Reference Data within the Infrastructure) in accordance with the CCD entitled “ Fujitsu
Services / Post Office Ltd Interface Agreement for Operational Business Change —
Reference Data” (CS/PRD/058). For the avoidance of doubt, the Change Control
Procedure shall be used if Post Office requires any Debit Card related Reference Data
validation or testing outside the scope of the CCD entitled “Fujitsu Services / Post Office
Ltd Interface Agreement for Operational Business Change - Reference Data”
(CS/PRD/058).
Post Office shall procure a service designed to ensure that the EMIS file shall be
available for collection from the Merchant Acquirer by 15:00 hours daily between
Monday and Friday excluding English Bank Holidays. Where the EMIS file is not
available by that time, Fujitsu Services shall follow the procedures set out in the relevant
OLA.
Post Office shall follow the procedure set out in the OLA entitled “DC Operational Level
Agreement” for reporting potential/actual breaches of security within either the Merchant
Acquirer or Infrastructure.
Post Office shall ensure the security, safe keeping and proper management of all
passwords/passphrases used to generate keys shared between the Data Centre and
Schedule A5 Annex B Version 12.0
Page 14 of 23
POL00027928
POL00027928
POL00027928
POL00027928
CONFIDENTIAL
the Merchant Acquirer on the Merchant Acquirer side of the interface between the Data
Centre and the Merchant Acquirer.
6. GENERIC WEB SERVICE SUPPORT FACILITY
The following Post Office Responsibilities are Generic Web Service Responsibilities:
6.1 For each Generic Web Service Post Office shall be responsible for:
6.1.1 the Post Office tasks as defined in the ‘Web Service Client Connection
Process’ (REQ/GEN/PRO/1 386) for the:
(a) the Generic Web Service qualification stage;
(b) the Generic Web Service specification stage;
(c) the Generic Web Service build and test stage;
(d) the Generic Web Service introduction stage;
6.1.2 the provision of the baselined WSDL for the Client web service;
6.1.3 the Client specific elements of the Technical Interface Specification between
the Generic Web Service and the Post Office Client;
6.1.4 the design, development and testing of the APS transactions conforming to
the specification defined in the CCD entitled “AP-ADC Reference Manual”
(DES/GEN/MAN/002);
6.1.5 the security assessment of the APS service and the associated Generic Web
Service for the Post Office Client.
7. PAF SUPPORT FACILITY
Tel Post Office shall be responsible for supplying to Fujitsu Services the monthly Royal Mail
PAF address data on a CD in ‘Royal Mail Compressed Standard™' format described in
the ‘Royal Mail PAF Programmers’ Guide’ Edition 7 Version 4.0 (REQ/APP/AIS/1526)
7.2 Post Office shall be responsible for supplying to Fujitsu Services the monthly Royal Mail
PAF address data on a CD in accordance with the CCD ‘Fujitsu Services/Post Office
Ltd Interface Agreement for Operational Business Change — Reference Data
(CS/PRD/058);
7.3 Post Office shall be responsible for supplying PAF additional address data to Fujitsu
Services conforming to the application interface specification ‘Post Office Limited to PAF
Application Interface Specification’ (REQ/APP/AIS/1503);
Schedule A5 Annex B Version 12.0
Page 15 of 23
CONFIDENTIAL
7.4
75
8.
Post Office shall be responsibly for managing and securely destroying the Royal Mail
PAF data CDs after 12 months.
Post Office shall be responsible for the integrity and accuracy of data provided in
accordance with sections 9.2 and 9.3 and any rectifications required as a result of
erroneous or corrupt data supplied shall be made at Post Office's sole expense.
POST OFFICE DATA GATEWAY
The following Post Office Responsibilities are Post Office Data Gateway Responsibilities. For
each Post Office Data Gateway Data File transfer:
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
9.1
10.
Post Office shall be responsible for supplying to Fujitsu Services approved Application
Interface Specifications (AIS) for Data File transformations to be performed by the Post
Office Data Gateway Support Facility using the approved pro-forma;
Post Office shall be responsible for supplying to Post Office Clients the specification of
the data in Data Files to be transferred from the Post Office Data Gateway to the Client;
Post Office shall be responsible for producing, as Post Office requires, Data File delivery
reports from Post Office Data Gateway data supplied to Post Office Ltd by Fujitsu
Services;
Post Office shall be responsible for producing Post Office to Post Office Client
Operational Level Agreements for each Post Office Client sending Data Files to, or
receiving Data File from, the Post Office Data Gateway Support Facility;
Post Office shall be responsible for ensuring that Fujitsu Services is permitted to
process the data received by the Post Office Data Gateway Support Facility on behalf
of the data owner;
Post Office shall be responsible for ensuring that the Data Files transferred between the
Post Office Client and the Post Office Data Gateway Support Facility shall be in
accordance with the relevant Post Office Data Gateway to Post Office Client Application
Interface Specification;
Post Office shall be responsible for ensuring that the link between the Post Office Client
and the Post Office Data Gateway Support Facility will be in accordance with the ‘Post
Office Data Gateway to Post Office Clients Technical Interface Specification’
(DES/NET/TIS/1499).
Post Office shall be responsible for supplying the information and ensuring that the
content within the PODG Client Connection pack is correct.
Post Office shall be responsible for the ownership and content within the Post Office
Data Gateway (PODG) Route spreadsheets.
CLIENT FILE DELIVERY
Post Office shall be responsible for supplying to Fujitsu Services approved Application
Interface Specifications for Data Files from Post Office Clients (to HNG-X) Clients to be
processed by the Client File Delivery Support Facility.
POST OFFICE DATA GATEWAY CLIENT CONNECTION
Schedule A5 Annex B Version 12.0
Page 16 of 23
POL00027928
POL00027928
CONFIDENTIAL
The following Post Office Responsibilities are PODG Client Connection Service Responsibilities.
10.1
10.2
10.3
10.4
10.5
Post Office shall be responsible for supplying to Fujitsu Services a completed OBC19
form for each request with details of the changes required.
Post Office shall be responsible for ensuring that Fujitsu Services is permitted to
process the data received by Fujitsu Services under the PODG Client Connection
Service on behalf of the data owner.
Post Office shall be responsible for obtaining security credentials directly from Post
Office Clients and to provide Fujitsu Services with the security credentials required to
fulfil a PODG Client Connection Service request as defined in “Post Office Data
Gateway (PODG) Secure Transfer Procedure” (SVM/SEC/PRO/1784).
Post Office shall be responsible for obtaining all necessary consents, authorisations and
notifications from relevant Data Controllers, to enable personal data to be processed by
Fujitsu Services as part of PODG Client Connection Service, in compliance with the
latest Data Protection Act. Post Office Ltd shall indemnify Fujitsu Services in respect of
any losses suffered by Fujitsu Services in connection with the performing the PODG
Client Connection Service as a result of any Post Office Ltd failure to have obtained
appropriate data protection related consents, authorisations and notifications...
Post Office shall be responsible for managing the service provided to the Client by the
Post Office Data Gateway Service
Schedule A5 Annex B Version 12.0
Page 17 of 23
POL00027928
POL00027928
CONFIDENTIAL
ANNEX C
BANKING RESPONSIBILITIES
HORIZON BANKING RESPONSIBILITIES
The following table identifies the Banking Responsibilities set out elsewhere in this
Agreement that shall apply from the Amendment Date until Trigger Point T6 (Counter
Application Rollout Complete). For the purposes of such identification only, the table
replicates the wording of those Banking Responsibilities and gives their location in this
Agreement.
Where the location of any Banking Responsibility set out below is a CCD, when that
CCD is updated in accordance with the provisions of Attachments 1 and 4 of CCN1200
or otherwise, any amendments, additions or deletions to that Banking Responsibility or
its location in that CCD shall be deemed to have been made also in the table below.
In the event of any conflict or inconsistency between the wording of the Banking
Responsibilities set out below and that used in this Agreement where that Banking
Responsibility is located, the wording used where the Banking Responsibility is located
shall prevail.
Schedule A5 Annex C Version 12.0
Page 18 of 23
POL00027928
POL00027928
CONFIDENTIAL
POL00027928
POL00027928
Number Post Office Responsibility Location in Agreement or
CCD as at date of signature
of CCN1200
1 The Contractor shall update the TIS required for those NBS Definition (BP/SPE/035)
interfaces for approval by POCL, such approval not to be I v1.0,
unreasonably withheld.
Section 3.3
2 The Contractor and POCL shall agree from time to time NBS Definition (BP/SPE/035)
the procedures which each party shall follow and the v1.0,
responsibilities of each party in respect of the
transmission of POCL Reference Data which shall be Section 3.5
documented in Working Documents.
3 Post Office Ltd shall be responsible for verifying all NBS I Fujitsu Services / Post Office
related Post Office Reference Data for use in End to End I Ltd Interface Agreement for
Banking, save to the extent that Fujitsu Services is obliged I Operational Business Change
to do so (for the purposes of the use of such Post Office I - Reference Data
Reference Data within the Post Office Service
Infrastructure). (CS/PRD/058) v11.0,
Section 2.6.1.2
4 The counter dialogue for the NBS shall be as NBS Definition (BP/SPE/035)
documented in the CCD entitled "Network Banking: v1.0,
Counter Dialogue - Activity & Screen Flows"
(NB/SPE/003) and "EMV Banking: User Interface Design I Section 4.1
Proposal" (NB/PRP/004) and by the applicable date
specified in the NB Project Plan the Contractor shall
propose and POCL shall agree (such agreement not to
be unreasonably withheld) any enhancements required to
the CCD entitled “HNGX-U/ Style Guide”
(DES/APP/STD/001) (formerly “Horizon Office Platform
Service Style Guide” (SD/STD/001)) for the NBS.
5 POCL shall be responsible for the integration of tte NBS__I NBS Definition (BP/SPE/035)
and the NB System into End to End Banking.
v1.0,
Section 5.2.1
Schedule A5 Annex C Version 12.0
Page 19 of 23
CONFIDENTIAL
POL00027928
POL00027928
POCL shall be responsible for ensuring that Bank's
systems supports receipt of CO Confirmations sent to
them, and are able to generate C4 Confirmations to the
DRSH, as applicable.
NBS Definition (BP/SPE/035)
v1.0
Section 5.3.6
7 Following transmission of the NB Request for such NBS Definition (BP/SPE/035)
Banking Transaction, POCL shall ensure that the amount I v1.0
which is permitted to be withdrawn shall be included in
the NB Authorisation. Section 5.9.2
8 The provision of information required via the Banks for NBS Definition (BP/SPE/035)
printing on a NB Receipt is the responsibility of POCL. v1.0
Section 5.12.4.3
9 It shall be POCL's responsibility to ensure that Users of Schedule B4.3 and NBS
the NBS, log-on with separate log-on “IDs” and do not Definition (BP/SPE/035) v1.0,
perform Banking Transactions under a different log-on ID I paragraph 5.2.5
in order that the User responsible for each Banking
Transaction may be identified from audit trail data.
10 POCL shall submit: Security Management Service:
(a) Banking Transaction Record Queries to the
Horizon System Help Desk which will pass the Record
Query to the Contractor's customer service management
support unit; and
(b) Audit Record Queries and Old Format Queries to
the Contractor's customer service security prosecution
support section.
Service Description
(SVM/SDM/SD/0017)
(Formerly “Service Description
for the Security Management
Service” (CS/SER/016) v2.0
Section 3.10.7
Schedule A5 Annex C Version 12.0
Page 20 of 23
CONFIDENTIAL
POL00027928
POL00027928
POCL shall be responsible for ensuring that the link from
the information transmitted from Santander to Fujitsu
Services across the link to the Data Centres and
information transmitted to the Contractor across that link
shall be in accordance with the CCDs entitled “Santander
HNG-X Technical Interface Specification”
(DES/NET/TIS/1839) and “EMV Banking and Retail NBX
—-A&L Application Interface Specification" (NB/IFS/026).
Post Office shall be responsible for ensuring that the links
from CAPO and LiNK to the Data Centres and
information transmitted from Card Account and LiNK to
Fujitsu Services across that link shall be in accordance
with the CCD’s entitled “EMV Banking and Retail NBX -
CAPO Application Interface Specification” (NB/IFS/025)
and “EMV Banking and Retail NBX - LiNK Application
Interface Specification" (NB/IFS/024) and “CAPO- HNG-X
Technical Interface Specification” (DES/NET/TIS/0006)
and “VOCALINK — HNG-X Technical Interface
Specification” (DES/NET/TIS/0008).
NBS Definition (BP/SPE/035)
v1.0,
Section 8.1.4.9
12 Such periods shall be scheduled by agreement with Post I Schedule B4.4
Office in accordance with current practices used in
respect of the Applications (other than the NBS) and the
Infrastructure Services, such agreement not to be
unreasonably withheld.
2 HNG-X BANKING RESPONSIBILITIES
21 The Banking Responsibilities that will apply from Trigger Point T5 (Data Centre ready
for HNG-X) are designated "[B.Res.]" in Annex B to this Schedule A5.
2.2 Where the same or a substantially similar Banking Responsibility is applicable during
the Roll Out Phase under both paragraphs 1.1 and 2.1 of this Annex C (but not
applicable in respect of the NBS and the Banking Business Capabilitiy separately), Post
Office need only perform that Banking Responsibility once on each occasion that it is
due to be performed.
Schedule A5 Annex C Version 12.0
Page 21 of 23
POL00027928
POL00027928
CONFIDENTIAL
ANNEX D
BANKING OBLIGATIONS
1. HORIZON BANKING OBLIGATIONS
1.1 The following table identifies the Banking Obligations set out elsewhere in this
Agreement that shall apply from the Amendment Date until Trigger Point T6 (Counter
Application Rollout Complete). For the purposes of such identification only, the table
replicates the wording of those Banking Obligations and gives their location in this
Agreement.
1.2 Where the location of any Banking Obligation set out below is a CCD, when that CCD
is updated in accordance with the provisions of Attachments 1 and 4 of CCN1200, or
otherwise any amendments, additions or deletions to that Banking Obligation or its
location in that CCD shall be deemed to have been made also in the table below.
1.3 In the event of any conflict or inconsistency between the wording of the Banking
Obligations set out below and that used in this Agreement where that Banking
Obligation is located, the wording used where the Banking Responsibility is located shall
prevail.
Number I Post Office Responsibility Location in Agreement or
CCD as at date of signature
of CCN1200
1 Post Office complying with (and ensuring that any third Schedule B4.3 and Schedule
party Post Office uses for siting or storage of such B3.3
equipment complies with) the following:
- provision of a suitable physical operating environment
for Fujitsu Services’ equipment used for or in connection
with the communications link including the following:
° ensuring the physical security of all equipment
which is located on Post Office and/or any such
third party's premises to protect against
unauthorised access; and
. provision of environmental conditions as
reasonably required by Fujitsu Services.
- permitting Fujitsu Services to gain access (at reasonable
times and on reasonable notice) to all locations where
such equipment is held or is to be installed, in order to
enable Fujitsu Services to effect or procure the
Schedule A5 Annex D Version 12.0
Page 22 of 23
CONFIDENTIAL
POL00027928
POL00027928
Number
Post Office Responsibility
Location in Agreement or
CCD as at date of signature
of CCN1200
installation, maintenance, repair, renewal and support of
such equipment.
2 Post Office shall report to Fujitsu Services any actual or Security Management Service:
potential threats or breaches that may have a material Service Description
effect on the NBS itself or End to End Banking in SVM/SDM/SD/0017
accordance with agreed procedures.
(formerly “Service Description
for the Security Management
Service” (CS/SER/016))
Section 3.7
3 Post Office shall ensure the security, safe keeping and NBS Definition (BP/SPE/035)
proper management (as defined in ISO 11568 parts 1 to v1.0,
3) of all keys shared between the Data Centre and on the
CAPO and Santander side of the interface between the Section 8.1.4.8
Data Centre and CAPO and Santander.
4 The Post Office and Fujitsu Services shall agree (such Management Information
agreement not to be unreasonably withheld) a method of Service: Service Description
rectification, including a timetable, (a “Rectification Plan”) (SVM/SDM/SD/0016)
for each Benchmark Time Discrepancy (which plan may
involve the agreement of an adjustment to the Target (formerly “Transaction
Times) (as in SVM/SDM/SD/0016) (formerly section Benchmark Service: Service
1.5.7.1 of CS/SER/010). Description” (CS/SER/010))
Section 3.1.10.1
2. HNG-X BANKING OBLIGATIONS
21 The Banking Obligations that shall apply from Trigger Point T5 (Data Centre ready for
HNG-X) are designated "[B.ObI.]" in Annex B to this Schedule.
2.2 Where the same or a substantially similar Banking Obligation is applicable during the
Roll Out Phase under both paragraphs 1.1 and 2.1 of this Annex D (but not applicable
in respect of the NBS and the Banking Business Capability separately), Post Office need
only perform that Banking Obligation once on each occasion that it is due to be
performed.
Schedule A5 Annex D Version 12.0
Page 23 of 23