POL00030452
POL00030452
A REVIEW ON BEHALF OF
THE CHAIRMAN OF POST OFFICE LIMITED
CONCERNING THE STEPS TAKEN IN
RESPONSE TO VARIOUS COMPLAINTS
MADE BY SUB-POSTMASTERS
8 February 2016
INDEX
I. Introduction (paragraph) 1
II. The Scope of this Review 4
III. Post Office Limited, Sub-postmasters and the Horizon System
(A) The POL Business Model 13
(B) The Legal Status of SPMRs 17
(C) The Horizon System 22
(D) Training 37
(E) Support 40
(F) Third Party Business Involvement 46
(G) Accounting Discrepancies 49
(H) Investigation of Discrepancies 54
IV. The Horizon Complaints
(A) Initial Complaints 56
(B) The Second Sight Interim Report 60
(C) The Criminal Cases Review Commission 65
(D) The Mediation Scheme 67
(E) The Substantive Second Sight Reports 76
(F) Parliamentary Debates 84
(G) BBC Panorama Programme 86
(H) Cost to POL 89
V. Criminal Prosecutions 90
(A) Safety of Convictions and Disclosure of Information 92
(B) Sufficiency of Evidence 100
(C) POL as Prosecutor 110
(D) Recommendations 113
VI. The Horizon System 114
(A) Bugs in the Horizon System 117
(B) Thematic Issues 121
(C) Third Party Action 130
(D) Recommendations 149
VII. The Support Provided to SPMRs 150
VIII. Scheme Investigations 161
IX. Summary of Recommendations 175
POL00030452
POL00030452
POL00030452
POL00030452
I Introduction
We have conducted this review on behalf of the Chairman of Post Office
Limited, Tim Parker.
This review arises from complaints made by various sub-postmasters
(“SPMRs”) about their treatment by Post Office Limited (“POL”). Since 2009
POL has faced complaints from SPMRs that cash shortfalls in their branches,
for which they were held responsible by POL were caused by POL’s
computer software, known as Horizon, and POL’s wider operational model.
These matters have been the subject of consideration and investigation by and
on behalf of POL on a number of occasions. The purpose of this review is to
consider whether any further action could now reasonably be taken by POL
to address the matters raised by the SPMRs.
We stress that we have been instructed on behalf of the Chairman to perform
an independent assessment of the work which has been done already to
address the question whether there is any further step/steps that might
reasonably be taken now by POL. We have met with various individuals and
parties who could explain the context and their concerns, but not all of those
matters fell within the scope of this Review. The legal department of POL has
been the source of most of the information provided to us, but we have
determined what information should be provided. No information we have
requested has been withheld from us and we are grateful for the assistance
we have received from both POL and external parties we have spoken to.
POL00030452
POL00030452
Il. The Scope of this Review
The purpose of this review was originally described in the following terms:
“To review the Post Office’s handling of the complaints made by sub-postmasters
regarding the alleged flaws in its Horizon electronic point of sale and branch
accounting systems, and determine whether the processes designed and implemented
by Post Office Limited to understand, investigate and resolve those complaints were
reasonable and appropriate.”
We have been guided by this. But we have concentrated on whether any
further action is reasonable and necessary in respect of these issues. This has
highlighted two principal questions
(1) I What has already been done in the 2010-2015 period?
(2) If there are any gaps in the work done, is there further action that can
reasonably now be taken?
In respect of both these questions, with the agreement of the Chairman, we
have concentrated on four areas: (a) criminal prosecutions; (b) the Horizon
system (i.e. the software); (c) the support provided to SPMRs through training
and helplines; and (d) the investigations into the circumstances of specific
cases where a complaint has been raised. This Review will address both
questions in respect of all four of these areas.
As a part of the second question, we will briefly address what steps POL
should take now to improve the position of SPMRs, and therefore POL, in the
future. However, the more critical focus is on whether anything further can
reasonably be done now in respect of existing cases raised with POL. Where
we have concluded that it can be, we have set out recommendations
accordingly.
10.
11.
12.
POL00030452
POL00030452
We recognise that a great deal of work has been undertaken by POL and
various third parties concerning Horizon and wider related issues since 2010.
It was neither possible nor desirable for us to seek to replicate or duplicate
that work in the time available to us. Nor have we sought to establish the
precise circumstances of any individual SPMR’s case.
We have reviewed a considerable amount of documentation provided to us
by POL at our request. We have also met with POL employees, and external
parties who we considered might be able to assist us in our understanding of
the issues involved and what had already been done. In addition, we received
training ourselves on the operation of a Horizon terminal.
Our meetings were with:
1) Lord Arbuthnot;
(
(2) I Second Sight (lan Henderson and Ron Warmington);
(3) Deloitte (Andrew Whitton and Mark Westbrook);
(4) Fujitsu (Mike Harvey, Pete Newsome and Gareth Jenkins);
(5) I Angela Van Den Bogard, POL Director of Support Services;
(6) Kevin Seller, POL Director of Network Development and
Transformation;
(7) I Kendra Dickinson, POL Senior Contact Centre Manager; and
(8) Shirley Hailstones and Kathryn Alexander, POL Case Investigators.
The Chairman invited Alan Bates, Chairman of the “Justice for Sub-
postmasters Alliance” (“JFSA”) to a meeting with us, but he declined to
attend. We are aware that his reason for the refusal was his loss of trust in
POL and their ability to meet his concerns.
We have not sought to meet with Sir Anthony Hooper, who was Chairman of
the Working Group. The running of the Working Group, and indeed the
POL00030452
POL00030452
decision to bring it to an end, were not matters directly within the scope of
our concern as they are second-order process matters.
(A)
13.
14.
15.
16.
POL00030452
POL00030452
Ill. Post Office Limited, Sub-postmasters and the Horizon System
The POL Business Model
POL is a limited company under the Companies Act 2006. As of 1 April 2012,
POL has been separately owned and managed from Royal Mail. The sole
shareholder of POL is the Secretary of State for Business, Innovation and
Skills but POL acts under the direction of its Chairman and Board of
Directors, rather than Ministerial control. However, because the sole owner of
POL is the Government, it is commonplace and appropriate to describe POL
as expending public funds.
There are approximately 11,500 Post Office branches around the United
Kingdom. They provide a range of mail, telephony, government and financial
products and services to the public. A Post Office branch is often a vital part
of a local community.
Some 350 of those branches are operated directly by POL, known as Crown
branches, in which the staff are employees of POL. These branches have not
been the focus of the complaints or this Review.
The remainder of the branches are run by SPMRs on an agency basis, under
contracts with POL. SPMRs are, accordingly, independent business people.
Many operate additional businesses, and it is common that the Post Office
branch is found within a wider retail business, such as a newsagent or general
store. Every branch has a quantity - varying according to local demand and
branch size - of POL cash and stock (such as stamps) for which the SPMR
must account to POL.
(B)
17.
18.
19.
20.
POL00030452
POL00030452
The Legal Status of SPMRs
It is not necessary for the purposes of this Review to set out a detailed legal
analysis of the position of SPMRs. Although we understand from the wider
documentation that some SPMRs may have believed themselves to be more
akin to an employee, there is no real dispute that SPMRs are agents of POL,
under a contract for services.! We have not seen, and have not asked to see,
the contract between POL and SPMRs, although we have seen quoted clauses
of it in various other documents. We understand that clause 1 of that contract
states in terms that the SPMR is an agent of POL.
At common law an agent is obliged to keep an accurate account of all
transactions entered into within the scope of his agency and has to be ready to
produce that account at any time to his principal. We understand that the
applicable contract contains a clause to the same effect (clause 12.4).
Where an account is produced - such as automatically through an accounting
system - the burden of proof is on the agent to show that the account is
wrong and does not reflect the financial obligations he owes to his principal.
In Camillo Tank Steamship Company Limited v Alexandria Engineering Works
(1921) 38 TLR 134, 143 Viscount Cave noted that:
“The expression “account stated” ... has more than one meaning. It sometimes means
a claim to payment made by one party and admitted by the other to be correct. An
account stated in this sense is no more than an admission of a debt out of court; and
whilst it is no doubt cogent evidence against the admitting party, and throws upon
him the burden of proving that the debt is not due, it may, like any other admission,
be shown to have been made in error.”
The general principle of the agent’s duty to account is contained in Shaw v
Picton (1825) 4 B & C715, 729 per Bayley J:
Indeed, there is a judgment of the Employment Appeal Tribunal holding that SPMRs
are not employees (and not workers for the purposes of various pieces of legislation
either): Inland Revenue Commissioners v Post Office Ltd [2003] ICR 546.
8
21.
(©)
22.
POL00030452
POL00030452
“It is quite clear, that if an agent (employed to receive money, and bound by his duty
to his principal from time to time to communicate to him whether the money is
received or not,) renders an account from time to time which contains a statement
that the money is received, he is bound by that account unless he can shew that that
statement was made unintentionally and by mistake. If he cannot shew that, he is not
at liberty afterwards to say that the money had not been received, and never will be
received, and to claim reimbursement in respect of those sums for which he had
previously given credit.”
The application of these standard agency principles to the SPMR context was
confirmed in Post Office Ltd v Castleton [2007] EWHC 5 (QB); [2007] All ER (D)
125 (Jan) in which POL sued to recover losses shown in the SPMR’s accounts.
Mr Castleton is now one of the cases in the scheme discussed below.
We are not asked to apply those principles to the facts of any particular case
and we do not do so, but we do consider that it is important that the relevant
legal context be clearly set out as it clearly shapes the nature of POL’s own
obligations.
The Horizon System
Horizon is the name given to the computer system provided to POL under
contract by Fujitsu Services Limited (“Fujitsu”), formerly ICL. It is the system
used in all POL Crown branches, sub-Post Offices and outreach branches. We
do not understand the basic history and scope of the Horizon system to be
controversial, and take this summary from various documents including
Second Sight’s Part One Report, legal advice provided by Brian Altman QC,
witness statements provided by Gareth Jenkins of Fujitsu in POL legal
proceedings against SPMRs and other Fujitsu documentation, such as a
presentation on its ‘Core Audit Process’. We stress that in this Review we use
the term Horizon to refer to the computer system used by POL and the
SPMRs only. We do not incorporate within that term a wider definition of all
23.
24,
25.
26.
POL00030452
POL00030452
training, assistance and processes the POL have in place to allow Horizon to
be used; we find that wider definition which has been used by others to be
confusing for our purposes.
Fujitsu was awarded a contract with POL in 1996 to provide the Horizon
system. Horizon was rolled out to all branches between 1999 and 2002.
Branches migrated to an updated system known as Horizon Online (or HNG-
X) over the course of 2010. So far as we understand it, there is no significant
difference between the practical operation of the original Horizon system and
Horizon Online. As the complaints raised have spanned both systems, we
refer to both by the term Horizon.
Under the original Horizon system the data relating to each transaction was
processed and stored by a designated master terminal in each branch before
being transmitted in batches to a central POL data centre. Under Horizon
Online, each branch terminal now communicates directly with the da ta centre
on a transaction by transaction basis. In order to function, Horizon must be
online and each terminal connected to the POL data centre via a secure
communication line with a back-up system, provided by POL, usually
comprising a mobile telephone network.
We note that Horizon is used by over 68,000 users in the 11,500 branches
processing more than six million transactions every working day.
Transactions in Horizon can only be entered by someone with a user ID and
an associated password. Formal approval of a new user can only be carried
out by POL, but new users can be added to the system and allocated a user ID
by an SPMR when POL has given them ‘manager access’. The password is set
by POL or the SPMR and is subsequently managed and changed by the user.
27.
28.
29.
30.
POL00030452
POL00030452
Every record that is written to the transaction log has a unique incrementing
sequence number. This means it is possible to detect if any transaction records
have been lost. While a customer session is in progress, details of the
transactions for that session are normally held in the computer’s memory
until the customer session (often known as the ‘stack’) is settled (ie. payment
is taken). At that point, all details of the transactions, including methods of
payment, are written to the hard disk and replicated. When the stack data is
successfully written the screen is updated, printing the relevant receipt means
the session is completed, to indicate a new customer session can be started.
Each stack, or basket, of a customer session consists of accounting lines. When
a session is settled, the payment process is also added as accounting lines.
When the value of the basket is zero it is sent to the data centre where the
accounting lines are recorded and committed. The effect of this is that either
all of the data, in the form of the accounting lines, is written to the local hard
disk and the data centre or none of it is written. The same approach applies to
back office transactions, such as inputting stock levels or reversing mistaken
transactions.
All data that is written includes a ‘checksum’ value which is checked
whenever the data is read to ensure that it has not been corrupted. Any such
corruptions detected on reading will result in failures being recorded in the
event logs which are held on the local hard disk for a short period, and at the
data centre where they are held for seven years.
Where the data is not written or replicated, further attempts are made at
regular intervals. Once the data reaches the data centre, a further copy is
taken and written to the audit file which is placed into the audit trail where it
is available for retrieval for seven years. Data in the audit trail is digitally
sealed with a secure checksum that is held separately (in the form of a digital
index) to ensure it has not been tampered with or corrupted. Each audit
11
31.
32.
33.
POL00030452
POL00030452
record includes the branch identifier, the counter identifier, the sequence
number (i.e. the sequential transaction identifier), and a counter timestamp.
Any failures to write to a hard disk, after the set number of retries, will result
in the counter failing and needing to be restarted. Such a failure will
accordingly be visible, even if it were not already evident because of, for
example, a loss of power. There is a specific recovery process which must be
followed by the user when the counter is restarted which, we are told,
involves various screen prompts.
Horizon adopts the principle of double-entry bookkeeping. As set out above,
this means that separate accounting lines are also generated for the tender
items (i.e. the methods of payment), resulting in a total value of all of the
accounting lines in a basket adding up to zero. If, when being written, the net
value is not zero then an alert is raised and the basket is discarded.
The way in which the Horizon system is operated was described in accessible
terms in the Castleton judgment at [5]-[7]:
“Each computer terminal included a processor, a touch-sensitive screen, a keyboard, a
barcode scanner and a printer. The laid down practice, in outline, was and is as
follows. The clerk records on the computer all transactions that he makes.
Transactions other than on-line banking are recorded not only on the computer but
also by a document, such as a television licence counterfoil, savings bank deposit or
withdrawal slip or a cheque. Some transactions are known as APS (automated
payment system) transactions. Those are transactions where a customer either uses a
card containing a magnetic strip to pay a bill or pays a bill that is barcoded. There are
corresponding APS slips recording APS transactions. The subpostmaster is
responsible for checking daily the computer records of the transactions of the day
against the documentation. He prints out the computer records of the transactions,
and when satisfied that they tally with the documentation he sends the documentation
in sealed bags or envelopes by the last collection of the day to the relevant centres. He
receives cash, stamps and other cash-type items from time to time in sealed bags and
has to record daily the amount of cash held by reference to the denominations of notes
and coins. The subpostmaster is also responsible for producing a weekly balance...
POL00030452
POL00030452
Every week, after close of business at 5.30 p.m. on Wednesday and before opening at 9
a.m. on Thursday [the stock is checked] as required by Post Office procedures.
It is obvious that the week's accounts of a post office balance if the difference
represented by the receipts minus the payments equals the difference represented by
the value of the stock at the end of the week minus the value of the stock at the end of
the previous week. If those two differences are not equal, there is a discrepancy. If the
former difference is greater than the latter, there is a loss, which is treated as a positive
discrepancy. If the former is less than the latter, there is a gain. That is treated as a
negative discrepancy...”
34, As the judgment explains, the operation of Horizon as an accounting system
is effectively dependent upon the SPMR inputting the correct information into
the system.
35. I One issue which has occurred with some frequency is that an SPMR has
falsely declared onto the Horizon system the cash and/or stock position in
order to conceal a discrepancy. This is likely to constitute the criminal offence
of false accounting. When this has occurred it has rendered it more difficult, if
not impossible, for POL (and possibly the SPMR) after the event, to establish
the last point at which the accounts were correctly declared and locate the
circumstances in which the discrepancy occurred.
36. The Horizon system is the subject of three different industry standard
evaluations: ISAE3402 audits (carried out by Fujitsu and Ernst & Young);
Payment Card Industry Data Security Standards (carried out by Information
Risk Management plc, focussing on cardholder data); and Bureau Veritas
1SO27001 reports (over the Fujitsu networks). We have been provided with,
and looked at, copies of these reports for 2012 as a sample of those available.
(D) Training
37. Although there is good deal of dispute about the level and quality of training
SPMRs received in particular cases, Second Sight’s Part One Report sets out
13
38.
39.
(E)
40.
41.
POL00030452
POL00030452
the levels of training which POL sought to provide at different times, and we
adopt that description here.
In brief, when Horizon was first introduced in 2000-2002, SPMRs were given
classroom training and then 10-11 days of on-site training and support,
followed by one day of support on balancing at the end of a trading period. In
2003-2006 new SPMRs received between five and ten days of classroom
training if they chose it, or five to ten days of on-site training and support,
followed by one day of support on balancing at the end of a trading period. In
2007-2011 new SPMRs received between five to ten days of classroom training
on sales and products and then six days of on-site training and support,
followed by one day of support on balancing at the end of a trading period.
Telephone calls were made at the interval of one and six months, with a one
day site visit after three months.
Training was voluntary and SPMRs who had experience of working in Post
Offices may have chosen not to receive additional training. Further training
could be requested from POL. SPMRs are responsible for the training of their
own staff.
Support
POL provides various methods of support to SPMRs, in relation to Horizon
and the more general operation of the branch. There are two different
telephone helplines which can be called.
The Network Business Support Centre (“NBSC”) is operated by POL
(although prior to 2012 it was effectively operated by Royal Mail) to provide
support for all operational issues arising in branch, including queries on the
operation of Horizon and on balancing issues. It has been in place since 1999.
14
42.
43.
44,
45.
POL00030452
POL00030452
Queries which cannot be resolved by the call-handler, or are not resolved to
the satisfaction of the caller, can be transferred to a second tier of more
experienced call-handlers or to managers. Branch visits may result where a
problem does not appear to be fixed over the telephone.
NBSC call-handlers receive a four week classroom training course which
includes a Horizon test terminal, and then two weeks of supervised call-
handling. Call-handlers will principally answer a query by reference to a
detailed computerised encyclopaedia of explanations known as_ the
Knowledge Base. The Knowledge Base is periodically updated to reflect
changes in products and processes.
The NBSC produces a log of all calls. This records the date, the branch, the
caller, a brief description of the problem, the call-handler and the resolution.
Those logs are available back to 2000, but they are reliant on the notes made
by the call-handlers at the time. In many cases, the resolution notes only that
the caller was given an answer from the Knowledge Base. Calls to the NBSC
were not routinely recorded.
The Horizon Service Desk (“HSD”) was, until 2014, operated by Fujitsu and
deals with technical issues arising out of Horizon which an SPMR has not
resolved through the online information available to them. An engineer will
be sent out where a problem is not resolved. The HSD and NBSC transfer calls
between each other when the SPMR has called the incorrect helpline. HSD call
logs are retained for seven years.
Support is also provided through in-branch field visits by advisors. They visit
branches to provide training, additional training or support when requested
and to carry out audits or other checks. Branches also have managerial
relationships, which may involve on-site visits from time to time.
(F)
46.
47.
48.
POL00030452
POL00030452
Third Party Business Involvement
POL is a point of sale and contact for a variety of products and services
provided by third parties. For example, Government documents such as
DVLA forms can be purchased from Post Offices, and utility bills can be paid
through the Horizon system. Similarly, many customers will pay for
products, or make cash withdrawals, from their bank account at the Post
Office counter.
Important examples of third party involvement are: ATMs, which are (now)
provided through Bank of Ireland and require the SPMR to account for the
cash held in and transacted through the ATM; lottery products, which involve
accounting for the stock of scratchcards and the cash purchases of all lottery
products (and which can require reconciliation where the sales are made
through the SPMR’s separate retail business); and Paystation, which is a
payment device used for certain utility payments and top-ups. All of these
separate products and equipment require manual inputting into the Horizon
system to ensure that the SPMR accounts for the cash and stock passing
through his branch. The third party (such as Bank of Ireland) will receive their
own records directly from the equipment, and discrepancies between those
electronic records and the Horizon records manually inputted by the SPMR
may require adjustment.
It is unnecessary to go into further detail about the range of third party
involvement, but we recognise that the reconciliation exercises can throw up
practical problems for SPMRs, and that the involvement of third parties with
their own separate processes will have a tendency to delay POL’s ability to
resolve any apparent discrepancies between the Horizon accounts and third
party records.
(G)
49,
50.
51.
52.
POL00030452
POL00030452
Accounting Discrepancies
SPMRs are required to balance their accounts at the end of every monthly
trading period. In order to roll over into the next trading period, the account
must balance, i.e. it must not show a positive or a negative discrepancy. Good
SPMR practice will involve the SPMR carrying out a weekly balance to ensure
any discrepancy is promptly identified, and a daily cash declaration on
Horizon to show how much cash is being held in the branch.
Where there is a discrepancy which cannot be corrected by reversing figures
to reflect the true picture (such as to correct an overstatement of stock), the
SPMR may make good that discrepancy. Where the discrepancy is small, and
is likely to be because of minor errors at the counter, this is often the approach
adopted.
Where the sum is larger and the SPMR cannot or does not wish to simply pay
it off, or the SPMR does not understand how it arose, there are two choices.
During the monthly trading periods, the discrepancy can be moved to a local
suspense account while it is investigated by the SPMR with the assistance of
POL. Where there is, or remains, a discrepancy at the end of a trading period
the discrepancy must be settled centrally, ie. placed into a central POL
suspense account, for resolution. We were informed by POL that in order to
settle centrally, an SPMR will be reminded that he is liable for any negative
discrepancy which is not resolved. This reflects the position under the
contract and at common law, as set out above.
A discrepancy may be resolved through the issue of a Transaction Correction
by POL. These may occur in a variety of situations, but will reflect POL
having information that shows that information inputted onto Horizon by a
branch was incorrect. This may be to the benefit or disbenefit of the branch.
For example, Horizon may have been told that more cash was sent back (or
17
53.
(H)
54.
55.
POL00030452
POL00030452
‘remmed out’) to POL in a pouch than the pouch actually contained.
Alternatively, a cheque thought to have been lost may have been discovered.
Sometimes a Transaction Correction will be issued because of information
from a third party, such as a bank, that a transaction was cancelled. A
Transaction Correction issued to a branch must be acknowledged and
accepted by the SPMR before it affects the branch accounting position.
Discrepancies through third party equipment - such as ATMs and
Paystations - are resolved through Transaction Acknowledgements issued via
the third party where there is a difference between the records of the
equipment sent directly to the third party and the figures manually inputted
onto Horizon. Again, a Transaction Acknowledgement issued to a branch
must be acknowledged and accepted by the SPMR before it affects the branch
accounting position.
Investigation of Discrepancies
Where a significant shortfall is discovered at an audit, or is reported to POL,
POL will conduct an investigation into that shortfall and the responsibility of
the SPMR for it. That investigation could lead to a decision as to whether the
contract with the SPMR should be terminated and/or whether criminal
charges should be laid in respect of the SPMR’s conduct. Investigations are
carried out by POL’s own investigations and security department. POL has
shown us figures that indicate that between around 3,000-4,000 audits took
place a year in 2011-2014. Only a small proportion of these were random;
most were either risk-based or on the occasion of a change of SPMR.
In England and Wales, POL conducts private prosecutions of criminal
offences arising out of the misconduct of SPMRs. This is not in exercise of any
special statutory power; it is simply the choice of POL to adopt this course of
action. Thus decisions as to whether charges should be brought and what
18
POL00030452
POL00030452
charges should be brought are made by POL employees (taking account of
appropriate legal advice). Cases in Scotland are prosecuted by the Procurator
Fiscal and in Northern Ireland by the Public Prosecution Service (with the
assistance of POL investigators). We understand the difference between the
approach across the UK reflects the different legal traditions.
(A)
56.
57.
58.
POL00030452
POL00030452
IV. The Horizon Complaints
Initial Complaints
The complaints and allegations made publicly and to POL about the Horizon
system and associated issues commenced in earnest in 2009 with the
establishment of the JFSA. The core of those complaints has always been that
various SPMRs have been the subject of criminal prosecution, civil recovery
and/or contract termination in respect of accounting discrepancies for which
the SPMRs say they were not responsible. Instead, it is said that Horizon is
responsible. A wider element of the allegations is that SPMRs received
insufficient training and support in operating the Horizon system.
During the course of 2010 the JFSA entered into correspondence with
Ministers and Members of Parliament about their concerns. The story
obtained press coverage from the BBC’s ‘Inside Out’ programme and articles
in Private Eye.
From late 2011 to May 2012 James Arbuthnot MP pursued the allegations
made by the JFSA and individual SPMRs with the Minister and POL. In May
2012, at a meeting with James Arbuthnot MP and Oliver Letwin MP, POL
agreed to engage a firm of forensic accountants to review Horizon. During the
course of June and July 2012, following meetings with James Arbuthnot MP,
other MPs and the JFSA, Second Sight Support Services Limited (“Second
Sight”) were instructed by POL to conduct the inquiry. The remit of their
inquiry was to “consider and to advise on whether there are any systemic issues
and/or concerns with the ‘Horizon’ system, including training and support processes,
giving evidence and reasons for the conclusions reached” 2
‘The Second Sight Inquiry - the Detail’, Appendix to the Second Sight Interim
Report.
20
59.
(B)
60.
61.
62.
63.
POL00030452
POL00030452
The deadline for the submission of cases and issues for the consideration of
Second Sight was 28 February 2013. Some 29 cases were submitted through
James Arbuthnot MP and 18 cases through the JFSA. Second Sight issued an
Interim Report on 8 July 2013.
The Second Sight Interim Report
We do not propose to summarise the entirety of the Second Sight Interim
Report. It is sufficient to note some of the core statements that it made. Second
Sight defined the “Horizon system” to include not simply the software, but
also all aspects of using the system, the training and support provided to use
the system and the audit and investigation process into discrepancies shown
by the system (paragraphs 1.4-1.8). Second Sight noted that the limited
number of complaints it received “suggests that the vast majority of SPMRs and
branches are at least reasonably happy with the Horizon system” (paragraph 1.11).
The Interim Report stated that Second Sight had carried out so-called “Spot
Reviews”. These were considerations of particular issues in certain of the
cases referred to them. We have seen a number of those Spot Reviews. Four of
them were appended to the Interim Report. Second Sight stated that
differences between POL and the JFSA had not been resolved, and POL had
accepted only minor errors (paragraphs 5.6-5.7).
Second Sight noted that POL had disclosed to it two defects in the Horizon
software which had impacted branches in 2010 and in 2011-2012, as well as a
further (unspecified) incident (paragraphs 6.4-6.10).
Second Sight criticised POL for a lack of thoroughness in their investigations
of shortfalls, and a focus on asset recovery rather than establishing the
underlying root cause (paragraphs 7.3, 7.6). A list of issues of concern was set
out (paragraph 7.2).
21
64,
(©)
65.
66.
(D)
POL00030452
POL00030452
The Interim Report reached various preliminary conclusions (paragraph 8.2).
Importantly, those included that “We have so far found no evidence of system wide
(systemic) problems with the Horizon software”. They also included conclusions
that unusual combinations of events could give rise to a situation where
timely information is not available to an SPMR; that POL’s attitude to
problems could appear unsympathetic or unhelpful; and that investigations
did not identify root causes.
The Criminal Cases Review Commission
The CCRC is a statutory body with the power to refer criminal cases to the
Court of Appeal where it considers that there is a real possibility a conviction
may be overturned. POL was first contacted by the Criminal Cases Review
Commission (“the CCRC”) in July 2013. Some SPMRs have referred their own.
convictions to the CCRC. This has included some cases in which conviction
followed a guilty plea. None of the convictions was itself the subject of an
appeal. POL is co-operating with any and every request for assistance from
the CCRC.
POL has informed us that at the present time the CCRC is considering 23
cases. 19 of those involve individuals who have made a complaint under the
scheme discussed below. At present it is unknown when the CCRC is likely to
reach decisions on whether any case should be referred back to the Court of
Appeal. POL have informed us that they understand that is unlikely to be
before the summer of 2016.
The Mediation Scheme
22
67.
68.
69.
70.
POL00030452
POL00030452
In an announcement of 26 August 2013, POL established an independent
mediation scheme for SPMRs, overseen by a Working Group (“the Scheme”).
The membership of the Working Group comprised POL, the JFSA and Second
Sight. Sir Anthony Hooper was appointed the Chairman of the Working
Group on 29 October 2013. The Working Group sought applications from
SPMRs who had a complaint about the Horizon system or an associated issue.
Applicants would have their cases investigated by Second Sight, with a view
to mediation of the dispute between the SPMR and POL.
By the time the Scheme closed on 18 November 2013, it had received 150
applications, of which 136 entered the full Scheme (ten were resolved before
entry and four were ineligible). 37 applications were from SPMRs who had
been convicted of a criminal offence.
POL contributed £1,500 (ex-VAT) to each Scheme applicant for the purposes
of obtaining professional advice to articulate the complaint. Each applicant
submitted a case questionnaire review (“CQR”) to POL and Second Sight. In
some cases evidence was supplied. Each case was then the subject of a
detailed investigation by the Post Office Investigations Department which
produced a Post Office Investigation Report (“POIR”) for each case on the
basis of the evidence which could be examined, given the passage of time.
This evidence - depending on the application of the seven year data retention
period - included Horizon transaction records, NBSC call logs, HSD call logs,
training records, audit records and other related correspondence. The POIR
and supporting evidence were provided to Second Sight, who would examine
the material and issue a case review report (“CRR”) setting out the areas of
agreement and disagreement, the conclusions Second Sight could draw and
whether mediation was appropriate.
The Scheme applicant was provided with the POIR and the CRR (having been
given the opportunity to comment on a draft of the CRR). The Working
Group considered the suitability of each case for mediation. Cases which were
23
71.
72.
73.
74.
POL00030452
POL00030452
accepted as suitable, and which POL agreed to mediate, were referred to the
Centre for Effective Dispute Resolution (“ CEDR”) for mediation to take place.
POL met the costs of the mediation, and provided up to £1,250 (ex-VAT) and
expenses to applicants for professional advice in relation to the mediation.
During the course of 2014, real concern grew on the part of POL and the JFSA
about the slow progress which was being made concerning Scheme
investigations. (We have seen POL Board minutes which indicate that this
concern actually started in mid-2013, along with real concerns over the
performance and capabilities of Second Sight.) The JFSA objected to POL’s
approach to mediation. Public criticism of POL, including of its approach to
the Scheme, on the part of MPs (particularly James Arbuthnot MP) grew
during the year. On 9 December 2014, James Arbuthnot MP appeared on the
Today programme and contended that POL was sabotaging the Scheme and
refusing to mediate 90% of cases. (This figure does not appear to us to have
been accurate, but POL has considered itself bound by confidentiality and so
has not published any different figure.)
By early June 2014 POL was having internal discussions through the Board’s
Project Sparrow Sub-Committee about the possibility of closing down the
Working Group and resolving the cases in another way. POL was also
considering the replacement of Second Sight.
On 10 March 2015 POL announced it would mediate all Scheme cases, save
for those which had been the subject of a court ruling (whether or not to
mediate those cases was to be considered case-by-case). This decision
effectively removed the core purpose of the Working Group. POL announced
the closure of the Working Group the same day.
Second Sight were instructed to complete the outstanding CRRs, and did so in
July 2015. This brought to an end their engagement by POL.
24
75.
(E)
76.
77.
78.
79.
80.
POL00030452
POL00030452
The Scheme cases continue to go through the mediation process, although we
note that the JFSA encouraged applicants to withdraw from any mediation
process and a number have done so.
The Substantive Second Sight Reports
During the course of the Scheme, Second Sight issued their substantive report
in two parts. The Part One Report was issued on 25 July 2014. It was in
essence a narrative describing how a Post Office branch worked, the systems
used, and the types of products and issues dealt with by SPMRs on a regular
basis. Part III of this Review covers similar ground, but in considerably less
detail.
A first version of the Part Two Report was issued by Second Sight on 21
August 2014. POL produced a reply document in September. Following the
closure of the Working Group, POL also instructed Second Sight on 10 March
2015 to issue a completed version of their Part Two Report.
The final Part Two Report was issued on 9 April 2015. Where we refer to the
Part Two Report in this Review, we mean the final version of it. POL also
produced a reply to the Part Two Report.
We do not intend to summarise POL’s reply, and it would be
disproportionate to summarise the entirety of the Part Two Report. However,
it is appropriate to highlight some key elements and conclusions of that
Report which are particularly relevant to our work.
Second Sight report that their work was limited by POL’s refusal, with which
they did not agree, to provide three categories of information. Those were: (a)
the complete legal files; (b) the complete email records of POL employees
25
81.
82.
83.
POL00030452
POL00030452
working at Fujitsu’s Bracknell office for 2008; and (c) detailed transactional
records relating to POL’s suspense account (paragraphs 2.1-2.19). As a result
of this failure, Second Sight concluded that POL “did have, and may still have,
the ability to directly alter branch records without the knowledge of the relevant”
SPMR (paragraph 2.12).
The contract between POL and SPMRs was not always provided to SPMRs
and the contractual terms, placing responsibility for losses on SPMRs, is
“unfair” (paragraphs 3.6-3.8, 6.1-6.16).
Horizon was insufficiently error repellent, in that “the majority of branch losses
were caused by ‘errors made at the counter’”, which could have been avoided if
the systems had been improved. Second Sight took the view that POL had
little incentive to do so (paragraphs 3.11-3.14).
The Report addressed 19 thematic issues drawn from the Scheme cases
(paragraph 1.10). (Only the more significant ones are addressed here.)
(1) IThe ATMs introduced a vulnerability to error and fraud, had on two
occasions printed corrupted data and were likely at some point to have
been the subject of malware and/or criminal theft/fraud (paragraphs
7.1-7.38).
(2) Accounting for foreign currency transactions was fundamentally
flawed because Horizon is a single currency system and individual
transactions could not be seen by POL (paragraphs 9.1-9.12).
(3) The sale of lottery scratch cards prior to 2012 had too easily allowed for
errors in stock scanning, coupled with inconsistent NBSC advice and
delays in the issue of Transaction Corrections (paragraphs 10.1-10.15).
26
(4)
6)
(6)
(7)
POL00030452
POL00030452
Training was “probably adequate for people who had reasonable levels of IT
skills, numeracy and accuracy”, but it was not sufficiently clearly
monitored that the training was properly delivered and the ability to
request training did not help those who did not realise what they were
doing wrong (paragraphs 11.1-11.9).
Errors were less attributable to inadequate training than adequate
support from the NBSC, which would have benefitted from sending
written instructions. Second Sight recorded the complaint that SPMRs
would be told that “it will sort itself out” but did not uphold or reject
that complaint. They accepted that the NBSC could not be expected to
determine how discrepancies arose and expectations of that facility
were unreasonable (paragraphs 12.1-12.9).
The periods of delay in issuing Transaction Corrections, often of high
value, posed real difficulties for SPMRs and might cause a temptation
to falsify the accounts in the hope that a subsequent Correction would
resolve the problem (paragraphs 13.9-13.14.)
Second Sight addresses the POL denial that it is possible to amend
branch data remotely, referring to a number of documents disclosed to
it from 2008 and 2010 which refer to correcting live data without the
knowledge of the SPMR, altering balances at the branch, although there
was no detail as to whether such amendments had been made
(paragraphs 14.1-14.19). They also recommended that where Horizon
has reversed a transaction (because a terminal is timed out before
transaction is settled and completed), the records should clearly show
that it was the system which carried out the reversal rather than the
user. There was no dispute that this would not have caused a loss
(paragraphs 15.1-15.7).
27
(8)
(9)
(10)
(11)
(12)
POL00030452
POL00030452
Cash errors at the counter would be hard to detect, particularly
following the removal by POL of paying-in paper slips in 2008
(paragraphs 20.1-20.20).
It was possible for losses to occur in a branch as a result of power and
telecommunications failures, where it has not been possible for the
SPMR to follow the correct recovery procedures, particularly where the
power to a screen does not return and so messages are not displayed to
the user (paragraphs 21.5-21.15).3 It was possible, but unclear, that
hardware equipment failures could have caused losses (paragraphs
23.1-23.4).
Some of the people appointed to an SPMR role “may have been unsuited”
to that role (paragraph 21.25). POL’s selection processes failed to reject
candidates who showed signs of inadequacy at interview and “proved
themselves to be wholly unsuitable” (paragraph 21.26).
In the “specific and limited circumstances” of a person who was
“unsuitable, inexperienced or inadequately trained” who encountered
problems (particularly relating to the recovery process) Horizon was
not “fit for purpose” (paragraph 21.27).
POL is responsible for detecting and acknowledging system or
procedural flaws that have allowed errors to repeatedly occur and not
providing the improvements to reduce or remove those errors
(paragraphs 21.30-21.31).
We confess that we find this difficult to follow. As the recovery process cannot be
commenced without a user being logged onto Horizon, and logging on would
require the screen to be working, it is not easy to understand how Horizon could be
functioning in order to go through the recovery process whilst the screen does not
work for the user to see any messages. However, we accept that the recovery process
may well be complicated (as indeed Fujitsu has told us) and the SPMR faced with a
customer at the counter and power failures may well make mistakes under pressure.
28
POL00030452
POL00030452
(13) POL investigators were focussed on seeking evidence of false
accounting to aid asset recovery rather than identifying the root cause
of losses. In some cases, a charge of theft did not seem to have been
supported by the evidence and was dropped as part of a plea bargain.
Some of those decisions may have been contrary to the prosecutor's
code (paragraphs 25,1-25.24).
(14) In some circumstances Horizon “can be systemically flawed from a user's
perspective and Post Office has not necessarily provided an appropriate level of
support” (paragraph 26.8).
(F) Parliamentary Debates
84. I We are aware of a number of Parliamentary discussions of the impact of the
Horizon system of SPMRs. We have seen and considered the records of the
following occasions:
(1) I House of Commons debate of 9 July 2013;
(2) I Westminster Hall debate of 17 December 2014;
(3) I The hearing before and evidence given to the Business, Innovation
and Skills Select Committee on ‘The Post Office Mediation Scheme
and the Horizon IT System’ on 3 February 2015;
(4) I House of Commons debate of 29 June 2015; and
(5) Prime Minister’s Questions on 1 July 2015.
85. I We do not propose to further summarise or discuss these publicly available
records. It is evident that there has been an on-going and high level of
Parliamentary interest in the issue.
(G) BBC Panorama Programme
29
86.
87.
88.
(A)
89.
POL00030452
POL00030452
On 17 August 2015 the BBC broadcast a Panorama programme ‘Trouble at the
Post Office’. It featured a number of SPMRs (who have been the subject of
criminal convictions, including some who had pleaded guilty to criminal
charges), James Arbuthnot MP, Professor Charles McLachlan (who had.
appeared as an expert witness in defence of Seema Misra when she was
convicted by a jury of theft, having pleaded guilty to false accounting) and a
former Fujitsu employee named Richard Roll.
Mr Roll’s participation was the only genuinely new information we have seen
in the broadcast, but it was of potential significance. He said that he and his
fellow Fujitsu employees saw a “lot of errors, a lot of glitches” on the Horizon
system and that they “went in the backdoor and made changes. Sometimes you
would be putting in several lines of code in at a time. If we hadn't done that then the
counters would have stopped working” .
We have been provided with various correspondence between POL and the
BBC in which POL complains about the reporting of the BBC. We do not
propose to address any of that material.
Cost to POL
POL has informed us that as at the beginning of December 2015, it has spent
some £10 million on this matter. It has incurred over £1.5 million on Second
Sight and some £3.3 million on other professional fees, including legal advice.
The investigations by POL of each of the 150 Scheme cases cost £3.7 million.
More than £500,000 has been spent in POL’s contributions to Scheme
applicants receiving professional advice on their complaints.
30
90.
91.
POL00030452
POL00030452
Vv. Criminal Prosecutions
It is not surprising that it is the prosecution of SPMRs by POL which has been
the most emotive issue we have seen in the course of this Review. 43 of the
Scheme applicants’ cases involved criminal convictions, 37 of them of the
SPMR directly. The vast majority of these were for the offence of false
accounting (contrary to section 17 of the Theft Act 1968). In at least some
cases, SPMRs were also the subject of a charge of theft (contrary to section 7 of
the Theft Act 1968). Both offences require the prosecution to prove
dishonesty, but the offences are directed at different conduct and an SPMR
may be guilty of false accounting without being guilty of theft, in large part
because the false accounting offence is committed even where the SPMR
falsely declares he has more cash than he actually does, even where this
suggested gain is only intended to be a temporary accounting gain in the
hope that the money will turn up (R v Eden (1971) 55 Cr App R 193).
Those subject to criminal convictions, or those on their behalf, have raised
broad areas of concern:
(a) whether their convictions were consequent on flaws in the Horizon
system and/or because of a failure properly to disclose such flaws during the
criminal proceedings, and for such reasons are not safe;
(b) whether POL acted appropriately in cases where it pursued charges both
of false accounting and of theft (or whether POL pursued theft charges in
cases where there was no proper basis in evidence to do so simply to
encourage a guilty plea to the false accounting charge); and
(c) whether it is appropriate for POL to conduct private investigations and
prosecutions (rather than leaving matters to the police and the CPS).
31
(A)
92.
93.
94.
95.
POL00030452
POL00030452
Safety of Convictions and Disclosure of Information
We have not sought to review the safety of any particular individual’s
conviction. As indicated above, the CCRC is considering 23 cases (including
19 Scheme applicants). Consideration of these cases by the CCRC is the
appropriate course. POL is co-operating with the CCRC. That is the
appropriate course of action for POL to take.
It has been suggested to us that POL should write to the CCRC accepting that
the prosecutions should never have been brought and requesting that they be
referred to the Court of Appeal. We do not agree. This is not how we
understand the CCRC to operate; it will form its own view on the merits of
the cases, what happens to them (and each of them involves a conviction by a
criminal court) is not now within the gift of POL. POL cannot simply
withdraw a conviction, whether following a trial or a guilty plea. Moreover,
based on what we have seen, we do not consider there to be any substantive
basis upon which it would be appropriate for POL to act in this way.
It has also been suggested to us that POL seek to support applications for
Royal Pardons. We do not agree that this would be appropriate either.
Pardons are ordinarily granted (in exercise of prerogative powers) only where
the Queen is satisfied that that no criminal offence took place. Thus the
standard for action goes beyond that presently being considered by the
CCRC.
We emphasise that none of the Second Sight reports identify systemic flaws in
the Horizon system likely to have caused the losses incurred at the Scheme
branches. Rather, operator errors at the counter is the usual cause identified
by Second Sight (with the likelihood of those errors being exacerbated by a
32
96.
97.
98.
99.
POL00030452
POL00030452
problems in training and support). We address Horizon in more detail in the
next section, but POL is entitled to note at this point in time that there is no
evidence that the Horizon system - i.e. the computer system - is responsible
for the losses which have resulted in convictions.
So far as it concerns disclosure, POL has undertaken a considerable exercise
reviewing its compliance with its disclosure obligations (past and present). In
2013 it instructed Cartwright King Solicitors to review all criminal
prosecutions POL commenced since 1 January 2010 with a particular focus on
identifying those cases in which disclosure should now be made of the
Second Sight Interim Report and/or the Helen Rose Report (which we
address in the next part of this Review). Cartwright King is the firm which
conducts criminal law work on behalf of POL. The scope and scale of that
review was the subject of oversight and advice from Brian Altman QC, who
delivered interim advice on 2 August 2013 and a general review on 15
October 2013. We have read those opinions and it is clear to us that Mr
Altman QC considered both the process adopted by Cartwright King, and
their actual decisions in a sample of cases, to be reasonable and appropriate.
We have also reviewed a small sample of the reviews conducted by
Cartwright King in Scheme cases M060, M103 and M149. Without being
criminal law experts, it also seemed to us that Cartwright King were
approaching their review logically and in detail, being unafraid to require
disclosure be made where they felt it appropriate, and to recognise where it
was irrelevant in the light of the particular facts of the case.
We are accordingly content that POL has acted reasonably in its handling of
disclosure issues arising in relation to past criminal prosecutions.
We are also content that it would be inappropriate for POL to conduct a wider
review of the safety of any particular conviction when that work is being
33
(B)
100.
101.
102.
POL00030452
POL00030452
independently carried out by the CCRC. POL should continue to co-operate
with and support the CCRC process and address any matters which arise as a
result in due course.
Sufficiency of Evidence
As we understand it, the allegation is that POL has too readily brought a
charge of theft, which is said to be more serious than false accounting, with
aim or effect that the SPMR is pressurised into pleading guilty to false
accounting in the hope that the theft charge is dropped, and because a theft
charge would more readily enable POL to recover its losses. We understand
that there are approximately 18 Scheme cases in which this, or something
similar, occurred. We have also read the full trial transcript in R v Seema Misra
in which a jury convicted the defendant of theft (following a guilty plea to the
charge of false accounting).
Whether POL had sufficient evidence to bring a charge of theft alongside
charges of false accounting is an accusation raised by a number of Scheme
applicants, as well as by Lord Arbuthnot with us. It has also been a matter
raised by Second Sight in their Part Two Report.
We are aware that the suggestion has gained particular traction in Scheme
case M035 (a case in which there was guilty plea to false accounting, in return
for which the theft charge was not pursued ). In this case certain documents in
the prosecution file indicated that initial POL investigators could not find
evidence of theft (although there was clear evidence of false accounting), but
theft was nonetheless charged. We have seen those documents and have
noted the absence of clear documented rationale for charging theft.*
We do not assume, as we suspect some have done, that the absence of a documented
rationale means that no rationale existed or could have existed. Counsel clearly felt
34
103.
104.
105.
106.
POL00030452
POL00030452
We note Brian Altman QC’s advice of 8 March 2015 that it is not a helpful
question to ask whether theft and false accounting are offences of equal
seriousness, both being dishonesty offences with a maximum sentence of
seven years’ imprisonment, because the seriousness is dependent on the
nature of the specific allegation rather than the charge per se.
We entirely accept that the decision to plead guilty is a matter for the
defendant alone. Any concerns they have about the legal advice they received
at the time is a matter only the defendant can pursue and is not the
responsibility of POL. Similarly, it is always open to the defendant to
challenge the sufficiency of the evidence disclosed to him or her and seek to
have that charge dismissed.
POL’s position is that its prosecutorial decisions are always taken in
accordance with the Code for Crown Prosecutors, which requires that there
be sufficient evidence to provide a realistic prospect of conviction, and the
prosecution must be in the public interest. POL has referred us to the
Cartwright King disclosure review exercise, noting that Cartwright King also
expressed views in their advice as to whether POL should oppose any appeal
brought, suggesting that they must therefore have considered the evidence
involved. POL has also explained to us that because of these points, and
because any review would be carried out with the benefit of hindsight, it
would not be an appropriate course of action to review now the prosecution
files to reconsider the sufficiency of evidence issue.
We do not agree. We have reached the view that this issue is one of real
importance to the reputation of POL, and is something which can feasibly and
properly able to settle the theft charge. However, the lack of clear reasons for this
decision does inevitably give rise to cause for doubt.
35
107.
108.
POL00030452
POL00030452
reasonably be addressed now’. It is clear that it is not an exercise which has
been carried out so far, and Cartwright King were not asked to consider the
sufficiency of the evidence when undertaking their disclosure review. We do
not think it is safe to infer that any advice Cartwright King gave on POL’s
position on any appeal must have involved a full evidential review. The
allegation that POL has effectively bullied SPMRs into pleading guilty to
offences by unjustifiably overloading the charge sheet is a stain on the
character of the business. Moreover, it is not impossible that an SPMR would.
have felt pressurised into pleading guilty to false accounting believing it to be
less serious when they might not otherwise have done so; the phenomenon of
false confessions is well known. For the avoidance of doubt, we do not
consider that this issue arises in cases where there has been a conviction
following trial; the concern is only where an SPMR has pleaded guilty, and an
additional charge has been dropped as a result.
Considering this point now will also address one of the areas of concern
expressly raised by Second Sight in their Part Two Report, namely that the
full legal files of cases were not provided to them. We express no criticism of
POL in this regard. Whatever else Second Sight were qualified to express a
view on, they were not well-placed to opine on the appropriateness of
prosecution decisions or the impact of those decisions upon the safety of any
subsequent convictions. But this does not mean that no-one else should
undertake the task.
However, we harbour some doubts about whether the bringing of a charge
without sufficient evidence to provide a realistic prospect of conviction could
be said, under the criminal law, to cast doubt upon the safety of the
conviction of a defendant who has pleaded guilty. We recognise POL’s
We are aware from references in POL’s Board minutes that before 2012, the
prosecutorial decisions relating to SPMRs were in fact being taken by the Royal Mail
part of the business. However, as they were being done in the name of, and on behalf
of, POL we do not consider that a material issue.
36
109.
(C)
110.
111.
POL00030452
POL00030452
position in this respect. Accordingly, we recommend as a first step that advice
be specifically sought - perhaps from Brian Altman QC - as to whether such
circumstances could amount to evidence that the conviction on a guilty plea
was unsafe.
Following that advice, it will be a matter for POL to consider whether it is
reasonable to instruct external lawyers - again, perhaps under the supervision
of Brian Altman QC - to review the prosecution files of the relevant Scheme
cases to establish, on the basis of the facts and law at the relevant time,
whether there was sufficient evidence in accordance with the Code to bring
the charges which were brought. Assuming the legal advice is that the safety
of the existing conviction could be impacted by an unjustified charge, we take
the view that it would be reasonable for POL to take this step and we so
recommend.
POL as Prosecutor
Criticism has been levelled at POL for conducting private prosecutions, in
reliance on its own investigations. It is said (a) that POL does not have the
benefit of the specialist criminal expertise of the police; and (b) that
prosecution decisions lack the independent view that is applied by the CPS.
However, POL is as entitled to bring private prosecutions as any other legal
person (although few major commercial entities do so for internal matters)
and their investigations and prosecution decisions are designed to be carried
out to the equivalent police and CPS standards. Ensuring the police
investigate complicated financial records and transaction logs may also not
always be easy to ensure.
We do not address this issue in detail because nothing can now be done about
the historical exercise of the prosecution function. Any alteration would be for
37
112.
(D)
113.
(1)
(2)
POL00030452
POL00030452
future cases only. We have seen the detailed legal advice provided by Brian
Altman QC, dated 31 October 2013, on this topic and asked POL for a formal
letter explaining how it was responding to the recommendations made by Mr
Altman QC. POL provided us that letter on 18 December 2015, along with a
detailed Prosecution Policy for England and Wales which is to be submitted.
to the Board for approval on 22 January 2016.
In the light of the detailed advice already received by POL, we do not propose
to make any recommendations on these matters. We note that the proposed
new policy does not propose ceasing to do so in England and Wales. That is a
matter for the business and reputational judgment of POL.
Recommendations
We recommend as follows.
Legal advice be sought from counsel as to whether the decision to
charge an SPMR with theft and false accounting could undermine the
safety of any conviction for false accounting where (a) the conviction
was on the basis of a guilty plea, following which and/or in return for
which the theft charge was dropped, and (b) there had not been a
sufficient evidential basis to bring the theft charge.
If such a conviction could be undermined in those circumstances, that
counsel review the prosecution file in such cases to establish whether,
applying the facts and law applicable at the relevant time, there was a
sufficient evidential basis to conclude that a conviction for theft was a
realistic prospect such that the charge was properly brought.
38
114.
115.
116.
POL00030452
POL00030452
VI. The Horizon System
As elsewhere in this Review, when we refer to the Horizon system, we mean
the computer programme and software developed and supplied to POL by
Fujitsu, and which POL requires to be used across all of its branches. This is
this how an ordinary person would interpret a reference to the Horizon
system. It also reflects the roots of the concerns of the SPMRs, although the
reach of those concerns has expanded over time. In essence, the allegation
since 2009 has been that Horizon is a flawed system which causes, through
software errors and possible third party action, branch balances to be altered
to the disadvantage of the SPMR. SPMRs are, it is said, being held responsible
for losses which are incorrectly generated by Horizon such that they do not
reflect real losses to POL. POL has always denied that there is any evidence
that Horizon, as opposed to user error on the part of SPMRs and their staff,
has caused the shortfalls for which the SPMRs are accountable.
We have been provided a great deal of documentation by POL and Fujitsu
relating to the functioning of the Horizon system. We have reviewed all of
that documentation, notwithstanding that it is highly technical. However, we
are not information technology or computer coding experts and we have not
sought to investigate, review or test the functioning or schematics of the
Horizon system ourselves. Instead, we have considered the broad areas in
issue, what has occurred and whether anything might now be done.
We consider that there are three broad areas of concern and we address them
in turn:
(a) Horizon system bugs;
(b) The thematic issues identified by Second Sight; and
39
(A)
117.
118.
POL00030452
POL00030452
(c) Whether branch balances can be affected by third party alterations
without SPMR knowledge.
Bugs in the Horizon System
It seems to us entirely unremarkable that the Horizon system, which is
enormous in terms of the range of matters it deals with and the number of
users it has, will occasionally discover bugs, errors or glitches in the way that
it works. (For ease we will refer to these as bugs.) Some of those bugs may
impact on the financial position of a branch, either positively or negatively.
We do not understand POL or Fujitsu to suggest anything otherwise. The
important point is the ease with which such bugs are noticed and corrected,
with remedial action to any financial position taken where necessary.
We are aware of a number of bugs which have been detected by Fujitsu
through their own work or the reporting of problems to them by SPMRs via
POL. These instances appear to be as follows.
(1) The Calendar Square, Falkirk problem discovered in 2005 (fixed in
2006). We have seen this described in some detail in the evidence and
cross-examination of Mr Jenkins of Fujitsu in the criminal trial of R v
Seema Misra. It involved a failure by Horizon to recognise transfers
between different stock units and was visible as a receipts and
payments mismatch. Due to the antiquity of the issue, Fujitsu could
not confirm to us whether any other branches had been affected by
this problem.
(2) The receipts and payments mismatch problem, discovered in 2010
(see the Interim Report, paragraph 6.5). This impacted 62 branches.
40
(3)
(4)
6)
POL00030452
POL00030452
The local suspense account problem, which occurred in 2011 and 2012
(and fixed in 2013) (see the Interim Report, paragraphs 6.6-6.9). This
impacted 14 branches. Fujitsu explained to us that it reoccurred
because a particular balance reappeared each year in the annual
accounts between 2011-2013 until it was drawn to their attention and
fixed.
The Second Sight Interim Report refers at paragraph 6.10 to another
bug which was disclosed in witness evidence in court proceedings. It
is not clear to us whether that was the Calendar Square incident, or
the unusual non-polling event for 12 days at Winford Post Office
referred to by Mr Jenkins in his statement in R v Grant Allen, to which
we have seen reference.
We have also seen a reference in articles in Computer Weekly in
November 2015 to a further bug which lead to a branch being
recorded as having remmed out cash to an outreach branch four times
instead of once. Having raised this, we have been provided with
Fujitsu’s analysis of this bug to POL dated 10 December 2015 which
explains that the problem arises where a certain succession of actions
concerning cash pouches are entered, and then the system is left to
time out, rather than being logged out on completion. Fujitsu describe
the issue as having occurred 112 times since 2010 but that 108 of those
were corrected at the time either by a transaction reversal by the
SPMR spotting the duplication, or by a Transaction Correction issued
by POL. Four occasions appear not have been corrected at the time.
None of the uncorrected instances relate to Scheme cases.®
Following the completion of the draft of this Review, Fujitsu informed us of a further
bug which, between 29 June 2015 and 13 September 2015, caused all Transaction
Corrections to be accepted (even if the SPMR pressed ‘cancel’). Again, this could
have affected any branch, although Fujitsu has told us that the problem was only
raised by seven branches.
41
119.
120.
(B)
121.
122.
POL00030452
POL00030452
Fujitsu confirmed to us that all of these bugs were generic ones; i.e. they could
have affected any branch. The reasons they affected only certain branches
were accidents of processing, as the particular chain of actions and steps
required for the bug to apply happened to occur only on those occasions in
those branches. (Or, in the November 2015 bug, because the situation could
only arise where there were outreach branches.) We accept, on this basis, that
the general point POL makes that the Horizon system works effectively and
accurately for the overwhelming majority of the time for the overwhelming
majority of its users is accurate.
We have seen nothing to suggest that these specific bugs identified have been
the cause of wider loss to SPMRs in the Scheme cases or otherwise. We see no
basis upon which to recommend any further action in relation to those
identified bugs now.
Thematic Issues
Second Sight’s Part Two Report addresses a number of areas of complaint
raised in Scheme cases which they describe as ‘thematic issues’. We agree
with the analysis of POL and Fujitsu that few, if any, of those issues can
sensibly be said to relate to any error in the operation of the Horizon system.
Second Sight recognise, largely implicitly, that the themes they see are regular
forms of errors at the counter on the part of SPMRs and their staff. It is
notable that nowhere in their Part Two Report do Second Sight revise or
disavow their conclusion in the Interim Report that they have found no
evidence of systemic problems with the Horizon software.
We have reviewed a considerable amount of documentation concerning those
thematic issues, including: the Second Sight Reports; POL’s responses to those
42
123.
124.
125.
POL00030452
POL00030452
reports, including in draft; Spot Review paperwork; witness evidence
provided by Fujitsu in the course of criminal and civil trials which explain
some apparent concerns; and the detailed investigation work done in POIRs
and CRRs for a sample of the Scheme cases. While we recognise that not every
issue raised by SPMRs has been the subject of a categorical answer or
explanation (still less an accepted one), we consider that is inevitable in
circumstances where the events in question happened some time ago and an
understanding of how the problem arose is dependent upon an accurate
explanation on the part of the SPMR.
In those circumstances, and alongside the very detailed investigations carried
out into the specific facts of the 150 Scheme cases (discussed in more detail in
Part VIII below), we do not consider it reasonable to recommend any further
investigative work into the thematic issues specifically identified by Second
Sight.
However, one aspect of the investigations carried out by POL into the Scheme
cases does give rise to a potential area of further work. The investigations
work was carried out by POL field support agents and some security
personnel (who investigate potential criminal cases). Those individuals are
experienced in the working of Horizon and in reading transaction logs, but
they are not computing experts.
As discussed in (A) above, the Horizon system does occasionally suffer from
bugs which have caused losses in some branches. Those bugs have been
generic in the sense that they have the potential to affect any branch,
depending on how it is structured. It is often the case that those bugs are
identified when an SPMR draws the attention of POL and Fujitsu to an odd
situation which she cannot explain and which appears to have caused a
discrepancy. We were told by POL that when carrying out their investigations
into Scheme cases, investigators were looking out for unusual or unexplained
43
126.
127.
POL00030452
POL00030452
patterns of transactions which might have required further technical
examination by Fujitsu to confirm whether there was a wider bug. POL told
us that no instance arose and Fujitsu were not asked to look at the records in
any case. Fujitsu confirmed to us that they did not carry out any analysis of
Scheme case records.
We consider that there is the possibility that an alternative approach to the
transaction analysis would have provided greater certainty that there was no
bug which had affected some of the Scheme branches. We take this view
because POL’s approach was necessarily ‘bottom up’, in the sense that it
started from and focussed on the specific circumstances of the branch, looking
at the transaction logs where necessary to review a particular complaint, be it
general or specific (such as an allegation that Horizon had generated
reversals, or Transaction Corrections came too late and were incorrect). A
different, but complementary, approach would have been to also have a ‘top
down’ analysis of the transaction logs of the Scheme branches undertaken by
Fujitsu or an independent qualified party to search for patterns of unusual
behaviour in individual branches, and across branches, on a purely data-
driven analytical basis which might suggest a wider problem, which could
then be cross-referenced with the branch fact-specific work carried out by
POL (which may have explained some of those instances).
In our meeting with Deloitte, it was confirmed that this type of exercise was
something they would have expected could be carried out across the relevant
dataset (including non-Scheme branches as a control) to look for oddities or
reconciliation errors. We are mindful that external organisations are more
likely to suggest possible sources of work they could carry out, but the
suggestion aligns with our own view of work which is at least potentially
useful to rule out more comprehensively the possibility of a system bug
affecting some Scheme cases.
44
128.
129.
(C)
130.
131.
POL00030452
POL00030452
We recognise that this has the potential to be a costly exercise. Deloitte
suggested to us that it would be likely to take two people approximately four
weeks to set the parameters of the work (which would include ensuring that
they fully understood how transactions were recorded), and a further
unspecified period to carry out the analysis. Fujitsu would obviously be in a
position to carry out such a task more rapidly.
In the light of this, we do not consider it appropriate to recommend that POL
take this step, but rather we suggest that it consider doing so. This is likely to
involve costing the work and then balancing that cost against the possible
benefits in the light of existing, substantial, spend on this matter and the other
recommendations we make.
Third Party Action
SPMRs have alleged that certain transactions appear in their transactions
records which they did not perform. There is, as a result, an allegation -
usually generic rather than specific - that branch records can be remotely
altered by POL and/or Fujitsu to the detriment of the SPMR.
We have seen through the Scheme investigations that in the vast majority of
cases specific transactions of concern have been readily explicable by
common-sense explanations; such as sharing of user identifications, or SPMRs
being on leave, or mistakes as to the timings. Other types of amendment of
branch records - Transaction Acknowledgements relating to third party
information, and Transaction Corrections issued by POL - require the
acceptance of the SPMR before they are adopted into the accounts on
Horizon. (In some of the Scheme cases, the shortfalls included unaccepted
Transaction Corrections.)
45
132.
133.
POL00030452
POL00030452
A slightly different category is that discussed in the report drafted by Helen
Rose on 12 June 2013 in respect of the Lepton branch, which formed part of
Second Sight’s Spot Review 1 consideration. That discusses a Horizon record
that a transaction was reversed, and the assertion of the SPMR that he had not
carried out the reversal. Ms Rose discusses the fact that it only became clear
through detailed discussions with Fujitsu (in the person of Gareth Jenkins)
that the transaction was automatically reversed because of a system failure
before completion, but that this was only clear at level of raw data not
apparent in the transaction logs available to the SPMR and POL. Ms Rose
raised the fact that the data available may appear misleading. In our view, the
Rose report is evidently important and her suggestion for a change in data
recording is eminently sensible. It is not, however, a true example of the
system altering branch records, as it is really Horizon not completing a
transaction due to a system failure of some kind. While this may have caused
confusion on some occasions due to the lack of clarity in identifying that it
was an automatic reversal, we do not consider that it gives rise to any wider
issue which needs further consideration.” Ms Rose’s report was available to
Second Sight who agreed with her that the clarity of the transaction logs
should be improved.
We are aware that the consistent position of POL and Fujitsu has been to the
effect that transaction records, and therefore branch balances, cannot be
remotely altered without SPMR knowledge. For example, in Fujitsu’s
response to a draft of the Part Two Report, dated 15 September 2014,
paragraph 11.2 states “To be clear, any system generated transaction requires a
branch user to acknowledge and accept this transaction and it is this operative's id
that is recorded as the primary id”. As an example of POL’s expression of the
position, we take its Response to the Westminster Hall Debate of 17 December
We note that Fujitsu’s response to a draft of the Part Two Report stresses that a
receipt is printed when an automatic reversal occurs to inform the SPMR, and that
the SPMR in Spot Review 1 had indeed had such a receipt (paragraph 12.2 of the
response).
46
134.
135.
POL00030452
POL00030452
2014, dated January 2015, responding to the concerns raised by MPs during
that debate. At paragraph 47, POL states that “There is no functionality in
Horizon for either a branch, Post Office or Fujitsu (suppliers of the Horizon system)
to edit, manipulate or remove transaction data once it has been recorded in a branch's
accounts.” At paragraph 48, POL discusses Transaction Acknowledgements
and Transaction Corrections, reiterating that both be must be accepted by the
SPMR.
The issue of the ability to remotely alter branch balances derives from the case
considered in Spot Review 5, where an SPMR alleged that he had visited the
Fujitsu Bracknell site in 2008, had been shown around by a member of POL
staff, and had been shown the ability of the team to alter the recorded
holdings of a branch. In their Part Two Report, Second Sight refer to their
having requested email records for all of the POL staff working at Bracknell in
2008 but only having been provided with those for August 2008 (when the
visit took place). Second Sight state these emails would be “ the most compelling
evidence on this point” (paragraph 2.10). Second Sight confirmed to us that it is
only those wider tranche of emails to which they refer in paragraph 2.13 when
they state that it is “regrettable that we have not been provided with the further
evidence we have requested in order to reach a properly researched conclusion”. They
nonetheless concluded at paragraph 2.12 that their “current, evidence based
opinion, is that Fujitsu / Post Office did have, and may still have, the ability to
directly alter branch records without the knowledge of the relevant Subpostmaster” .
We have seen a draft witness statement from Martin Rolfe, who is the POL
employee who carried out the tour in question. He explains, as POL has
always stressed and Fujitsu have confirmed, that POL employees at that time
only had access to a test environment which was not connected to the
Horizon network. He believes that the SPMR must have misunderstood what
he was seeing, because the test screens would have looked like the Horizon
system but were not live or connected to actual branches. Fujitsu have
47
136.
137.
138.
POL00030452
POL00030452
stressed to us that the live network is accessible only to Fujitsu employees in a
secure area on a different floor of the Bracknell building.
This secure area is, we assume, what was being referred to by Mr Roll when
he spoke to the BBC Panorama programme, in which it is said by the reporter
that Mr Roll told him that “financial records were sometimes changed remotely
without the postmaster knowing” and which Mr Roll describes as going “in
through the back door”. Mr Roll, as we understand it, was a Fujitsu employee in
the level of line support which would have had access to the secure area. The
specific comments in the Panorama programme are, however, ambiguous and
unclear as to precisely what is being suggested was done. It is difficult to deal
with or respond to those comments as a result.
Second Sight’s Part Two Report also obtained and quoted from documents
between Fujitsu and POL in 2008 and 2010, which suggested that Fujitsu had
the capability to amend or correct live branch data. We have read the
documents quoted in the Part Two Report at paragraphs 14.8-14.15 and it is
undeniable that those documents clearly suggest that Fujitsu does have the
ability to “manually write an entry value to the local branch account”. POL are
noted by Second Sight to say that the references in those documents to
amendments and corrections are inaccurate, because the system only allows
additions to the records which can be seen by the SPMR.
Unlike Second Sight, we have also read two documents produced for POL by
Deloitte in May and June 2014, entitled ‘Horizon: Desktop Review of
Assurance Sources and Key Control Features’ and an accompanying ‘Board
Briefing’. As we understand it, POL instructed Deloitte to carry out some
review work as to how Horizon functions, the controls in place and the extent
to which it was achieving the objectives of the system. Deloitte’s work was a
desktop review of the operating documentation, including discussions with
Fujitsu and POL. It did not involve access to the system itself or testing
processes.
48
139.
140.
141.
POL00030452
POL00030452
Deloitte’s Board Briefing highlights two aspects of Horizon which are relevant
to this part of the Review and which we found to be more clearly set out than
in any other document we have seen on this subject.
Deloitte note, following a review of the technical documentation, the
ISAE3402 and verbal discussions with POL and Fujitsu, that database access
privileges which “would enable a person to delete a digitally signed basket” do
exist, but are “ restricted to authorised administrators at Fujitsu”. Those privileges
“would enable a person to create or amend a basket and re-sign it with a ‘fake’ key,
detectable if appropriately checked”. Deloitte had not identified specific controls
to prevent a person with the appropriate authorisation carrying out this
exercise in an unauthorised manner. The Briefing goes on to state that
administrators had the ability to “delete data from the Audit Store during the
seven year period, which was a matter...contrary to POL’s understanding...This
could allow suitably authorised staff in Fujitsu to delete a sealed set of baskets and
replace them with properly sealed baskets, although they would have to fake the digital
signatures”. When we spoke to Deloitte, they described this functionality as
resulting, in essence, from the level of security contained in Horizon being a
level down from the maximum.
We have seen a response from Fujitsu concerning this aspect of Deloitte’s
investigation, which is based upon a summary of it provided by POL rather
than the original Board Briefing itself. Fujitsu appear to accept that Deloitte’s
interpretation is technically correct, but emphasise the wide range of security
measures in the software, hardware and environment which reduce the risk
of interference. Fujitsu also, properly, stress that there is no evidence that any
such action has occurred and that likelihood of all the security measures being
overcome is so small that it does not represent a credible line of further
enquiry.
49
142.
143.
POL00030452
POL00030452
The fact that such activity is possible does not, of course, indicate that it has
actually occurred. We find it difficult to see why it would have done so.
Second Sight suggested to us orally that Fujitsu employees could, in theory,
run a fraud in collusion with an SPMR whereby transactions were added to
the branch records generating cash payments out. Even if it may be
theoretically possible, there is no evidence for this and it is inherently
improbable. An alternative may be closer to Mr Roll’s account, which would
be that Fujitsu would use the functionality to correct system bugs without
drawing them to the attention of POL or SPMRs in order to avoid any form of
contractual penalty.8
The second issue expressly noted by Deloitte, but not clearly seen elsewhere
in the documentation we have reviewed, is the existence of a third mechanism
by which errors can be corrected: a Balancing Transaction. This is “an
emergency process, accessible only to restricted individuals in Fujitsu, which can
create transactions directly in Branch ledgers. This process creates an identifiable
transaction in the ledger, verbally asserted by POL staff to be visible to Sub-
postmasters in their branch reporting tool, but does not require positive acceptance or
approval by the Sub-postmaster.” Deloitte explain that they were told that this
In our discussion with Second Sight, we were told that Mr Roll had said (in a
recorded interview with them) that he and his colleagues could, and did, make
alterations which affected the account balances in branches. Moreover, he is reported
as saying that on one night he and his colleagues had had to secretly correct 500,000
glitches in one night which could affect branch balances. Second Sight said that Mr
Roll had told them that under the contract Fujitsu would be fined by POL £10 for
every glitch which was reported to them. We asked Fujitsu for their response to this
allegation, which Fujitsu did not recognise and could not explain. Fujitsu suggested
that it would probably not be possible to correct 500,000 software glitches in one
night and certainly was not true. They could not suggest a plausible alternative
scenario which the allegation might have been confused with. Mr Roll’s allegation is,
of course, second-hand via Second Sight and without any sort of detail or
accompanying evidence. It does not appear in the Part Two Report. It does not seem
to us to be a solid basis upon which we could criticise either POL or Fujitsu. We also
note that the existence of a recording came as something of a surprise to us, as we
had not seen any reference to Second Sight possessing such evidence before. We do
not know the status of that recording or the extent to which POL is entitled to have
access to it as material gathered under Second Sight’s terms of engagement.
50
144.
145.
146.
POL00030452
POL00030452
tool had only been used once since 2008 - in 2010 - and generated a full audit
trail.
Although it is not entirely clear, it is likely that the admitted 2010 instance is
the same, or linked to, the 2010 documents referred to by Second Sight in their
Part Two Report. However, Deloitte have carried out no work to assure
themselves that it has only be used on the one occasion, or as to the position
before 2008. It is not clear to us why 2008 was the cut-off period for
information, as this pre-dates the introduction of Horizon Online.
It seems to us that the Deloitte documents in particular pose real issues for
POL. First, both the existence of the Balancing Transaction capability and the
wider ability of Fujitsu to ‘fake’ digital signatures are contrary to the public
assurances provided by Fujitsu and POL about the functionality of the
Horizon system. Fujitsu’s comment we quote above seems to us to be simply
incorrect, and POL’s Westminster Hall Response is incomplete. To the extent
that POL has sought to contend that branch data cannot be remotely
‘amended’ because a Balancing Transaction does not amend existing
transactions but adds a new one, we do not consider this is a full picture of
Horizon’s functionality. The reality is that a Balancing Transaction is a
remotely introduced addition to branch records, added without the need for
acceptance by the SPMR, which affects the branch’s balance; that is its express
purpose.’ POL has always known about the Balancing Transaction capability,
although the Deloitte reports suggest the digital signature issue is something
contrary to POL’s understanding.
We recognise that the existence of the two matters highlighted by Deloitte are
most likely to be wild goose chases. It is improbable that they have been used.
We note that POL did refer to the existence of the Balancing Transaction in its Reply
to the Part Two Report of April 2015 at paragraph 14.5 (but had not done so in its
earlier Reply of 22 September 2014 to the draft Part Two Report). However, it equates
a Balancing Transaction with a Transaction Acknowledgment, without reflecting the
fact that a Balancing Transaction does not require acceptance in the same way.
51
POL00030452
POL00030452
beyond the identified instance. However, in the light of the consistent
impression given that they do not exist at all, we consider that it is now
incumbent on POL to commission work to confirm the position insofar as
possible. Accordingly we make a recommendation to that effect.
147. Second, the Deloitte reports, or at least the information cont ained within them,
may be disclosable under POL’s on-going duties as a criminal prosecutor. We
suspect that it is likely that such functionality would have been something an
SPMR’s defence team would have considered relevant to their case, even if
the likelihood of remote Fujitsu interference is very limited. We do not know
whether this information has been provided to the CCRC. But given that POL
used a Balancing Transaction in 2010, it cannot say that the functionality was
not known to it, and we have seen no reference to such capabilities in the
witness evidence given by Gareth Jenkins of Fujitsu. These are matters on
which specialist legal advice from external counsel, perhaps Brian Altman
QC, should be sought and we so recommend.
148. However, we also wish to make clear that we do not consider any further
steps need be taken in respect of the Bracknell test area issue raised by Second
Sight. We consider that POL’s explanation of the misunderstanding is
convincing and that a review of all emails from 2008, even if possible, would
be an unreasonable use of resources.!0 We are confirmed in that view by the
fact that in our meeting with them Second Sight accepted that the Bracknell
emails were a ‘red herring’ and that they no longer thought it was an issue
which required pursuing either. As we understand it, Second Sight took that
view because they thought the focus of investigation should be around the
allegations of Mr Roll, which implicitly recognise that it was Fujitsu
employees with the ability to affect branch records rather than POL staff. We
10 Fujitsu have informed us that they do not have a data retention policy for emails, and
that when emails are deleted they are not retrievable. In any event, we do not
consider it necessary to pursue emails from 2008, be they of POL or Fujitsu
employees.
52
(D)
149.
POL00030452
POL00030452
agree, but base our view on the work of Deloitte rather than the ambiguously
reported suggestions of Mr Roll, which neither we nor POL have ever seen
the detail of.
Recommendations
We recommend as follows:
(3)
(4)
(5)
(6)
POL consider instructing a suitably qualified party to carry out an
analysis of the relevant transaction logs for branches within the
Scheme to confirm, insofar as possible, whether any bugs in the
Horizon system are revealed by the dataset which caused
discrepancies in the accounting position of any of those branches.
POL instruct a suitably qualified party to carry out a full review of
the use of Balancing Transactions throughout the lifetime of the
Horizon system, insofar as possible, to independently confirm from
Horizon system records the number and circumstances of their use.
POL instruct a suitably qualified party to carry out a full review of
the controls over and use of the capability of authorised Fujitsu
personnel to create, amend or delete baskets within the sealed audit
store throughout the lifetime of the Horizon system, insofar as
possible.
POL seek specialist legal advice from external counsel as to whether
the Deloitte reports, or the information within them concerning
Balancing Transactions and Fujitsu’s ability to delete and amend
data in the audit store, should be disclosed to defendants of
criminal prosecutions brought by POL. This advice should also
53
POL00030452
POL00030452
address whether disclosure should be made, if it has not been, to
the CCRC.
54
150.
151.
152.
POL00030452
POL00030452
VII. The Support Provided to SPMRs
A consistent theme of the complaints made by SPMRs is that the training they
were provided was insufficient, particularly in relation to the accounting side
of their role, and that the support provided to SPMRs in office through the
NBSC was unhelpful or misleading. We have seen allegations that NBSC call-
handlers advised SPMRs that discrepancies would ‘sort themselves out’ and
we are aware that SPMRs have alleged that NBSC advised them to submit
false accounts.
These issues have been addressed as comprehensively as possible by both
POL and Second Sight through their investigations of all the Scheme cases.
Although training records were not always available, NBSC call logs were
available back to around the year 2000.
We consider it inevitable that the ability of any investigation to definitively
deal with each individual allegation would be hampered by a number of
factors:
(1) Even where training records exist, if an applicant alleges that they
received less training than they should have done it will be very
difficult now to establish the correct position. Individual trainers, even
if still employed, are highly unlikely to remember training sessions
many years ago.
(2) The NBSC call logs do not tend to provide the details of the call-
handler’s answer to any issue. They are often helpful in identifying the
issue for which assistance is sought, but the answer recorded is very
often simply that the SPMR was given an answer from the Knowledge
55
153.
(3)
(4)
(6)
POL00030452
POL00030452
Base, but not which part of the Base or precisely what was said. Calls
were not routinely recorded.
The call logs are filled in by the call-handlers. It is highly unlikely that
even if a call-handler had suggested that an SPMR falsely account, the
advice would have been logged.
As with the training, even if individual call-handlers were still
employed it is highly unlikely that they would be able to remember the
details of any individual call.
SPMRs have generally been unable to recall with any specificity the
dates or precise content of advice they received from the NBSC or HSD.
This is similarly unsurprising.
A number of instances were alleged by SPMRs whereby their
discrepancy doubled (or worse) when they followed the advice of the
NBSC. The advice given by NBSC - who had no access to the branch
systems - was dependent upon the caller correctly identifying the
problem to the call-handler. If the problem was misunderstood, then
the corrective action proposed might in fact exacerbate the problem.
Working out now whether the SPMR identified the correct problem, or
the NBSC gave the incorrect advice is not likely to be possible.
In those circumstances, we consider that the work already done by POL and
Second Sight on the individual cases is generally likely to have addressed
these issues in relation to applicant SPMRs insofar as it is now possible. We
address the detail of that work on Scheme cases in more detail in Part VIII
below.
56
154.
155.
POL00030452
POL00030452
During the course of our interviews with POL staff, one matter arose which
we consider could be now be a strand of reasonable further investigation.
Calls to the NBSC were recorded against the identity of the call-handler, and
we were told that call-handlers were and are the subject of performance
monitoring as we would expect. That performance monitoring would
presumably include references to any complaints about an individual call-
handler’s advice. It is therefore possible that POL could cross-reference
specific complaints that the NBSC provided misleading advice (particularly
advice to falsely account) against the personnel files of possible call-handlers
to establish whether anything in the performance monitoring or complaints
might indicate that it was more likely that a particular call-handler had
provided misleading advice. We accept that it may well be the case that no
further information would come to light. We accept that SPMR complaints
have usually not been specific about dates or call-handlers, but we consider
that a narrow focus on clear complaints (rather than general allegations that
the NBSC was not helpful) would be manageable. We also understand that
POL may not still have access to the relevant personnel files, because they
have been destroyed or because they are in the custody of Royal Mail Group.
It may be the case that no further information is discovered as a result of a
combination of these factors, but we nonetheless consider that it would be
reasonable for POL to conduct this relatively self-contained exercise to
establish whether any further relevant information could be uncovered.
Accordingly, we recommend as follows.
(7) POL cross-reference specific complaints about misleading advice
from NBSC call-handlers with the possible employees who provided
that advice and consider their personnel files, where available, for
evidence as to the likelihood that the complaint may be well-
founded.
57
156.
157.
158.
159.
POL00030452
POL00030452
We note that Second Sight concluded in their Part Two Report that the
training provided by POL was “probably adequate”, at least for SPMRs with
reasonable levels of IT skills, numeracy and accuracy (paragraph 11.1). When
read with the criticisms of the unqualified nature of some of the SPMRs
appointed at paragraph 21.25, we understand this to effectively mean that the
training was adequate for SPMRs who were properly qualified and appointed
to be appointed to run a branch. We also note that Second Sight reiterate this
finding at paragraph 12.5 when they say that the errors at the counter made
by SPMRs are more likely to be the result of inadequate support than
inadequate training. However, Second Sight are unable to reach any
evidenced view as to the allegations about the NBSC and HSD in the light of
the limited evidence now available (paragraph 12.8).
However, we also recognise that Second Sight do suggest that POL’s training
programme required more product-specific training (paragraph 11.1), greater
accounting and balancing training (paragraph 11.2) and that there was an
insufficient degree of quality control to deliver effective training (paragraph
117).
We understand that POL accept that improvements to both its training and
support can and should be made. We endorse that view. We are aware of the
Business Support Programme established in 2013, which has made various
refinements to the training programme for SPMRs, to providing express
balancing support advice from the Branch Support Team and increasing the
tools available to the NBSC in assisting callers, including access to branch
transaction data and the recording of all calls (with a retention period yet to
be determined). All of these changes are extremely positive ones.
We have also seen the ‘Lessons Learnt Log’ produced by Angela Van Den
Bogerd (POL Director of Support Services), dated 11 November 2015, which
sets some 30 pages of proposed changes to POL processes to address issues
58
POL00030452
POL00030452
arising from the Scheme investigations and the views of Second Sight. We do
not go through that document here but, again, we consider this to have been
an extremely constructive and sensible exercise.
160. With the exception of the one recommendation we have made, we consider
that the training and support provided to SPMRs cannot now reasonably be
the subject of further work by POL which looks at past cases. It is the area in
which the greatest amount of work can be done to improve the situation in
future, and it is clear to us that POL has accepted the need to do that work
across all areas of the business and in detail.
59
161.
162.
163.
POL00030452
POL00030452
VIII. Scheme Investigations
Those SPMRs who complained to POL via the Scheme about losses for which
they had been held accountable have had their cases and complaints
investigated by both POL and Second Sight. We recognise that there may be
other SPMRs who feel that POL has not treated them fairly in some respect,
but as any SPMR who wished to do so was entitled to apply to the Scheme
with considerable attendant publicity, we consider that POL is entitled to
treat only those applicants to the Scheme as raising serious or material
complaints about Horizon and POL’s treatment of them.
An applicant to the Scheme would submit a case questionnaire review setting
out their grievance and what they wished to achieve from any mediation,
along with any supporting evidence that they had available. In some cases,
this was considerable. In many, it was minimal or limited. Many applicants
took advantage of the contribution POL made towards the cost of a
professional advisor.
POL would then investigate the details of that complaint and gather as much
documentary evidence as they were able to find, reaching what conclusions
they were able to on each aspect of the complaint. Depending on the age of
the events in question, POL was normally able to retrieve from Fujitsu the
transaction logs for the branch, any NBSC call logs and logs of calls to the
HSD or to Fujitsu. In some cases, POL was able to find training records and
other correspondence. POL also sought the audit records for the branch which
uncovered the shortfall, and the correspondence between POL and the SPMR
during the investigation and termination processes. POL produced a POIR
which addressed the specifics of the grievance by reference to the evidence
collected.
60
164.
165.
166.
167.
POL00030452
POL00030452
The POIRs were produced by two teams of POL investigators, made up of
field support advisors, who carry out the branch training and audit work, and
some security personnel (who would usually carry out internal criminal
investigations). We were told that all investigators were experienced on
Horizon and many were former SPMRs. They were not computer system
experts, and we were told Fujitsu did not conduct their own analytical review
of the relevant transaction logs.
This material was then passed to Second Sight, who reviewed it, might speak
to the SPMR, and produced their own CRR expressing a view as to whether
mediation was suitable, along with findings in relation to the complaints
made by the SPMR. This work took some 18 months to complete, following
the closure of the Scheme in November 2013.
In order to better understand the nature of the complaints made, and the
work done in the POIRs and CRRs, we reviewed a sample of the
documentation for the Scheme cases. There were 150 applicants to the
Scheme. For the purposes of our review, we excluded from our sample any of
the 37 cases in which the applicant had been convicted. This was on the basis
that no investigation or mediation could overturn a criminal conviction. (We
add that in the three criminal Scheme cases we reviewed for the purposes of
Part V of this Review, two of the CQRs - in cases M103 and M149 - sought
outcomes which included POL publicly apologising for its prosecution and
assisting the SPMR in overturning their conviction. In case M060 the SPMR
sought an express agreement from POL that she had not stolen any money.)
This left some 113 non-criminal case. We considered a 10% sample was
appropriate: 11 cases.
We reviewed the so-called thematic issues identified by Second Sight in their
Part Two Report and sought, by virtue of a helpful spreadsheet of all Scheme
cases produced by POL, to sample our cases for review randomly but to
61
168.
169.
POL00030452
POL00030452
ensure coverage of the full range of issues raised by Scheme applicants. We
accordingly selected the following cases for review: M014, M026, M037, M058,
M070, M088, M100, M114, M131, M133, and M148. Our reading focussed on
the CQRs, POIRs and CRRs, but also involved some sampling of the
substantive evidence collected.
We were impressed at the work carried out by POL. In many cases significant
amounts of evidence were able to be collated. Having reviewed the CQRs, it
was clear that very many of the SPMRs (for understandable reasons) were
unable to give much by way of specific instances of concern, or anything
other than vague and generic complaints. Most of the cases involved a
shortfall at audit of between £10,000-20,000, but two cases were over £60,000
and one case involved a staggering shortfall of over £450,000. The cases we
reviewed involved a mix of time periods. Some spanned both the original
Horizon system and Horizon Online, some involved only one or the other.
Most involved losses over approximately a two-three year period, but some
involved much lengthier periods. Two cases involved losses identified in 2004
and 2005 and therefore of considerable antiquity, which posed real and
understandable problems of evidential clarity, along with data retention.
Although the POIRs might have sometimes erred on the side of conclusions
which were overly robust in rejecting the possibility of anything other than
operator error, we generally found that Second Sight broadly accepted the
analysis of the evidence set out in the POIR. Where it did not, it was usually
because Second Sight felt unable to express a concluded view. Often this
appeared justified, but we considered that on a surprising number of
occasions Second Sight felt unable to choose between a bare assertion on the
part of the SPMR and the indications provided in the evidence trail. In none
of the cases we sampled were Second Sight willing to conclude that the
shortfall was due to the Horizon computer system causing those losses,
although they did speculate that the disproportionate appearance of power
62
170.
171.
172.
POL00030452
POL00030452
failures in the CQRs was likely to contribute to some extent. In general,
Second Sight accepted that the most likely cause of shortfalls was operator
error on the part of SPMRs and their staff. This accords with the conclusions
in the Part Two Report.
Both the POIRs and CRRs were often unable to identify a specific cause of
losses. We do not consider this surprising. Most cases involved very little
assistance from the SPMR to highlight potential causes or even time periods.
Where there was assistance, the dates given often proved to be incorrect when
the evidence was examined. Moreover, the integrity of the transaction records
is essentially dependent upon the information inputted at the branch. It is
extremely difficult for any third party - or the SPMR after the passage of time
- to review those records to identify precisely what went wrong, although
likely causes were identifiable in many instances. However, we were
surprised at just how many of the cases involved blatant instances of false
accounting, rendering POL’s task of assisting the SPMR in working out where
problems had arisen very much harder without an accurate reference point
from which to work.
In only one of the Scheme cases we sampled did the Second Sight CRR
suggest further investigative work might have been carried out, in case M014
for technical evidence on communications interference problems. This is good
evidence in our view that POL’s investigation during the course of the
Scheme was detailed and thorough. It leaves very limited available ‘gaps’
which might now be filled by yet further work.
We understand that the material collated in the investigation process has been
provided to the Scheme applicants. That is entirely appropriate. In the light of
POL’s decision to mediate all remaining Scheme cases not involving a court
judgment, all cases can be approached in an evidence-based way at
63
173.
174.
POL00030452
POL00030452
mediation. We assume that POL will continue to approach the mediation
process in a constructive and realistic manner.
There is one issue which potentially relates directly to the Scheme cases but
which has not, so far as we are aware, been the subject of any specific
analysis. That issue was the one raised by Second Sight in their Part Two
Report between paragraphs 2.14-2.19, and relates to the handling by POL of
unmatched credit balances in its own suspense account (or similarly named
account) in respect of third party clients (such as Santander or Bank of
Ireland). The point Second Sight raise is that where there are significant sums
in unmatched balances, it is possible that at least some of that money would.
reflect uncorrected transaction discrepancies in particular branches. We
consider that this is logically possible, and is at the least worthy of express
investigation and clarification. Accordingly, we recommend that:
(8) POL commission forensic accountants to review the unmatched
balances on POL’s general suspense account to explain the
relationship (or lack thereof) with branch discrepancies and the
extent to which those balances can be attributed to and repaid to
specific branches.
The recommendations we have made in Parts VI and VII feed into the
investigation of individual cases. Having reviewed the lengthy and costly
work already done by POL and Second Sight, and with the single exception
set out above, we do not consider that it would be reasonable to recommend
any further additional investigative recommendations be made.
64
175.
POL00030452
POL00030452
IX. Summary of Recommendations
We make the following recommendations to the Chairman.
()
(2)
(3)
(4)
6)
Legal advice be sought from counsel as to whether the decision to
charge an SPMR with theft and false accounting could undermine
the safety of any conviction for false accounting where (a) the
conviction was on the basis of a guilty plea, following which and/or
in return for which the theft charge was dropped, and (b) there had
not been a sufficient evidential basis to bring the theft charge.
If such a conviction could be undermined in those circumstances,
that counsel review the prosecution file in such cases to establish
whether, applying the facts and law applicable at the relevant time,
there was a sufficient evidential basis to conclude that a conviction
for theft was a realistic prospect such that the charge was properly
brought.
POL consider instructing a suitably qualified party to carry out an
analysis of the relevant transaction logs for branches within the
Scheme to confirm, insofar as possible, whether any bugs in the
Horizon system are revealed by the dataset which caused
discrepancies in the accounting position of any of those branches.
POL instruct a suitably qualified party to carry out a full review of
the use of Balancing Transactions throughout the lifetime of the
Horizon system, insofar as possible, to independently confirm from
Horizon system records the number and circumstances of their use.
POL instruct a suitably qualified party to carry out a full review of
the controls over and use of the capability of authorised Fujitsu
personnel to create, amend or delete baskets within the sealed audit
65
(6)
(7)
(8)
POL00030452
POL00030452
store throughout the lifetime of the Horizon system, insofar as
possible.
POL seek specialist legal advice from external counsel as to whether
the Deloitte reports, or the information within them concerning
Balancing Transactions and Fujitsu’s ability to delete and amend
data in the audit store, should be disclosed to defendants of criminal
prosecutions brought by POL. This advice should also address
whether disclosure should be made, if it has not been, to the CCRC.
POL cross-reference specific complaints about misleading advice
from NBSC call-handlers with the possible employees who provided
that advice and consider their personnel files, where available, for
evidence as to the likelihood that the complaint may be well-
founded.
POL commission forensic accountants to review the unmatched
balances on POL’s general suspense account to explain the
relationship (or lack thereof) with branch discrepancies and the
extent to which those balances can be attributed to and repaid to
specific branches.
JONATHAN SWIFT QC
CHRISTOPHER KNIGHT
8 February 2016
11, King’s Bench Walk,
Temple. EC4Y 7EQ.
66
POL00030452
POL00030452
A REVIEW ON BEHALF
OF THE CHAIRMAN OF
POST OFFICE LIMITED
CONCERNING THE
STEPS TAKEN IN
RESPONSE TO VARIOUS
COMPLAINTS MADE BY
SUB-POSTMASTERS
67