POL00032162
Post Office Ltd — Strictly Confidential
RISK AND COMPLIANCE COMMITTEE
29 September 2005 — Meeting Ref: 05
Members:
Sir Mike Hodgkinson (Chair)
Peter Corbett
In Attendance
Rod Ismay
Alwen Lyons
Secretary
Apologies
Ian Anderson
Alan Cook
Keith Woollard
SUMMARY ACTION POINTS
ITEM | ACTION | LEAD
0501 | Further correspondence required with DWP regarding dis-satisfaction at product anti-fraud features and liability, and follow on to the paper on cash cheques referred to in 0407. | RI
0502 | Submit the Terms of Reference and the note on ‘Audit Recommendations and Oversight’ to the Post Office Ltd Board for approval | RI
0503 | Branch segmentation to identify underlying high risk branches and a plan of how they could all be audited in a 3 year period | MD
0504 | Update Compliance Matrix for Branch Audit compliance coverage | KW
0505 | Update Compliance Matrix with lead owners for each row and column, aligned to the Post Office Ltd organisation chart | KW
0506 | Update Compliance Matrix to make ‘Training’ more explicit, and with core lead role through the Sales line in the Chief Operating Officer's Directorate. | KW
0507 | Update the Vital Few Controls matrix to ensure Sales have ultimate responsibility for product training, and to overlay ownership by Business Function | RI
0508 | Perform product reviews in addition to key control reviews. | RL
0509 | Confirmation of adherence to ethical guidelines re the sale of PPI insurance | KW
0510 | Confirmation that PPI would not be sold to self employed applicants as they would be unable to be covered by it | KW
0511 | Bureau counterfeits — ensure that Crusader House make Sales Account Managers aware of the relevant branches | RI
0512 | Invite Head of Cash to present on risks and controls around Cash In Transit | RI
0513 | Conclude on TUPE risks raised in former discussions about branch cover | RI
1. MINUTES FROM LAST MEETING
Meeting Ref 04 - minutes approved.
2. STATUS OF ACTIONS FROM THE PREVIOUS MEETING
ITEM
ACTION AND UPDATE
LEAD
0401
Suspensions — what is the indicative cost of a suspension in
terms of cover pay and overheads?
The cost of maintaining a branch varies dependent on the type
of branch, the number of staff employed, the rent charged by
the suspended Subpostmaster and how important it is that we
maintain the service. The scenarios vary from
- Cost largely unchanged — new agent paid in same way or
  on past trends
- Agent paid at a premium to secure services, to
- Worst case of no long term solution, and POL underwriting
  the redundancy costs of the sub postmaster's staff
The economic cost is that all options may be cheaper than gaps
in the network.
The Service Team currently considers that there is a
satisfactory response for suspensions, but is exploring
opportunities with firms who may be able to provide pools of
trained resource.
RI
Closed to business as usual
0402
Revisit Sevenoaks following new Branch Manager and Sales
Account Manager.
Audited in June. The new BM has implemented the supervisory
controls required.
MD
Closed
0403
Increase scope of Branch Control forum reports to top 20
instead of top 10.
Done, and similar ranked approach being extended to other
areas.
RI
Closed
0404
Turners Hill — ensure property assets are investigated for
recovery.
Subpostmaster lives in rented accommodation and appears to
have little in assets. Property is investigated as a matter of
course in all cases.
RI
Closed
0405
Confirm what security features are incorporated within the PO
saving stamps, and whether high value postage stamps could
be used.
Losses to date have mainly arisen from encashment of stolen
stamps. PO Saving Stamps are similar to postage stamps in
security features (fluorescent ink which responds to UV, colour
shifting ink which makes photocopying difficult, and elliptical
perforations which are difficult to counterfeit).
Use of high value postage stamps would create branding issues
for Post Office Ltd and for Royal Mail, and would add
complexity to billing and commission arrangements, and
understanding what the stamp has been sold for.
In July, POL ceased encashment of saving stamps for
‘negotiable instruments’ (primarily bureau de change).
Subsequent counterfeit levels have been small.
RI
Closed
0406
Install UV scanners at 3 DMB's to ascertain the benefits for
installing at all DMB's
All DMBs already have UV lights (being part of the 1700 ‘on
demand’ and Euro/Dollar branches where UV has been
deployed). However, usage by staff has been mixed. February
and March 2005 averaged £32,000 of $100 bills compared to
the same months in 2003 (pre UV lights) where the average
was £7,500.
However, the higher rate also reflects the centralised bureau
checking and policy of not recycling high value currency notes
in branches. There have been past examples of customers
alleging they received counterfeits from branches.
There have been various anti fraud initiatives with branches
(including workaid and guidance on identifying forged notes)
An approach on Sterling, which is supported by the NFSP, is
planned to be adopted for bureau whereby branches would be
liable for counterfeits.
RUPC
Closed
0407
Confirm that we have written to DWP to highlight cash cheques
concerns
Banking have confirmed writing to DWP and that our concerns
have also been minuted at meetings before and after this
Compliance Committee action.
A paper and recommendations were submitted to the Chief
Operating Officer and Banking & Financial Services Director in
July. Following that paper, a trial of UV lights has been planned
for selected post offices before Christmas. A proposal for
negotiating with DWP through A&L is being drafted with a view
to speedier return of cheques from A&L and limiting liability.
Work also continues with Security to identify hotspot areas for
focussed fraud warnings.
RI
Closed
0408
Bureau — why are high value bills ($100 etc) being returned to
Hemel when we have note scanners in the branches?
Consequence of poor compliance noted at 0406 above. The
losses and reputational risk are less this way (given branch
compliance levels).
RI
Closed
0409
Destructions and returns - could some DMBs be used to recycle
stock from closed offices instead of returning for destruction
centrally?
Our past experience of inter-office transfers led to cessation of
such practices. For cost/benefit reasons it is still not considered
an option. More accounting irregularities arose on inter office
transfers than on central returns.
RI
Closed
0410
Corporate Risk Chart - How did we get some of the monetary
value — revisit using inherent risk/residual risk?
Values are best estimates from product and process owners.
Inherent and residual risk is reported by the owner. For
simplicity, the chart circulated at the last Committee reflected
residual risk only. Values will be reviewed by the Head of Risk
and the Finance Director, and submitted to EC colleagues for
approval.
RI
Closed to business as usual
0411
ID theft risk - provide further detail on
comparison of branch versus call centre
Branch risks include use of data to impersonate customers and
to create ID's, obtaining PINs and sale of customer information.
However, there has been little incidence to date. Call centre
data is inherently more attractive to fraudsters due to the
economy of scale of mass data theft.
The recently reinstated Post Office Ltd Information Security
Forum will consider completeness and deployment of policy in
this area, amongst others and invite feedback from Banking &
Financial Services. Its next meeting will be in November.
Closed to business as usual
0412
Bank account ‘theft & flight’ — what sort of accounts are
involved and how is the money being stolen?
This applies to accounts where we take on-line cash deposits,
e.g. a fraudulent branch could make a fictitious deposit of £10k
at 11.00am, initiate a CHAPS payment to another bank account
at 11.01am and continue to divert the funds to their personal
account. To put the risk in context,
(a) We have had no such cases since on-line deposits started;
(b) Partner banks have controls to question funds transfer,
although there is no proof that they would spot these
incidents
(c) Maximum personal banking deposit is £20k and client
agreement is being reached to revise the remaining areas
of business deposit limits
(d) The Banking Fraud Team analyse large deposits at 0800hrs,
1200hrs and 1600hrs each working day and would instigate
immediate enquiries if suspicious large deposits arise.
RI
Closed to business as usual
3. MATTERS DISCUSSED AT THE MEETING AND NEW ACTIONS REQUESTED
The issues discussed included the following items (which are expanded on as shown):
3.1 Actions from previous meetings
3.2 Committee terms of reference and communication
3.3 Branch Audit 2005/2006 revised plan
3.4 Compliance functions
3.5 Banking and Financial Services compliance
3.6 Vital few controls — assurance plan
3.7 Update on major incidents
3.8 AOB
Actions from previous meetings
All actions brought forward were agreed as closed. Regarding action 0401 (agent
suspensions) there are now higher rates of actual suspension following irregularities
identified at audit and the Service Team considers that there are adequate
contingency arrangements to provide branch continuity.
Action 0501
Further correspondence required with DWP regarding dis-satisfaction at product
anti-fraud features and liability.
3.5.2 Committee terms of reference and communication
Proposed terms of reference were circulated and agreed.
Action 0502
Submit the Terms of Reference and the note on ‘Audit Recommendations and
Oversight’ to the Post Office Ltd Board for approval.
3.5.3 Branch Audit 2005/2006 revised plan
Revised audit plan was discussed. The reduction in the number of risk audits planned
for 2005/06 compared to the paper reviewed in April is due to headcount reductions
in the Branch Audit team. Revised plan endorsed by committee. But further
information requested for consideration at future meetings — possibility of
segmenting the network into low, medium and high risk was discussed and the scope
to ensure all high-risk areas are covered within 3 years. It was noted that this may
conflict with a pure risk based approach to auditing, but the committee agreed it
would be helpful to review such an analysis.
Action 0503
Branch segmentation to identify underlying high-risk branches and a plan of how
they could all be audited in a 3 year period.
3.5.4 Compliance functions
A draft compliance matrix, part of a Banking & Financial Services paper, was
presented to the committee.
Action 0504
Update Compliance Matrix for Branch Audit compliance coverage.
Action 0505
Update Compliance Matrix with lead owners for each row and column, aligned to the
Post Office Ltd organisation chart.
Action 0506
Update Compliance Matrix to make ‘Training’ more explicit, and with core lead role
through the Sales line in the Chief Operating Officer's Directorate.
3.5.5 Banking and Financial Services compliance
Quarterly performance was discussed and the favourable trend in compliance noted,
but also the worst performance being the lack of evidence of branch training records.
It was noted that Sales are adopting a tactical approach to anyone visiting a branch
to ensure all Sales Account Managers are aware of training records and ask to see
evidence of them. The next lowest indicator relates to knowledge of complaint
handling.
3.5.6 Vital few controls — assurance plan
The paper proposing key control areas for Post Office Ltd was noted. It was agreed
that an alternative assurance approach may be based on end-to-end Product review
and this is to be considered in addition to VFCs.
Action 0507
Update the Vital Few Controls matrix to ensure Sales have ultimate responsibility for
product training, and to overlay ownership by Business Function.
Action 0508
Perform product reviews in addition to key control reviews.
3.5.7 Update on major incidents
Post Office Ltd has a principle of undertaking criminal prosecutions for all cases
where it is in the public interest, but noting that likelihood of recovery and
circumstances of the defendants and the victims may be relevant to that decision.
The historic inconsistency between Police support in providing Financial
Investigators can be due to differences in approach between local Police forces. Post
Office Ltd now has its own Financial Investigator.
4. ANY OTHER BUSINESS
The committee considered relevant topics for future meetings.
1 Internal Audit and Risk Management (IARM) reviews within POL
2 Examine level of losses and where they come from
3 Risk and control around Cash In Transit trunking routes
4 Major risks reported to IARM
5 Hostage risk
An update on the IMPACT program was given. IMPACT is moving ahead to timetable
and targets are being met. As expected some issues have arisen, but remedial action
is being taken. Branch Trading is being rolled out in 4 tranches. DMBs are in the first
tranche. The 3 key issues to date were noted as:
1 Data migration — it was known that there were issues with the data in the old
system and these are being cleaned up
2 There are issues in the detailed flow of management information including
sales data. There are workarounds, which will give short interruptions to
Service teams but not to customers. The main issues relate to the loading of
sales targets and the definition of data in the warehouses
3 Increased calls are expected from agents to NBSC, but so far the calls have
been more about why they have not received the system yet as opposed to
technical issues.
Action 0509
Confirmation of adherence to ethical guidelines re the sale of PPI insurance.
Action 0510
Confirmation that PPI would not be sold to self employed applicants, as they would
be unable to be covered by it.
Action 0511
Bureau counterfeits — ensure that Crusader House make Sales Account Managers
aware of the relevant branches.
Action 0512
Invite Head of Cash to present on risks and controls around Cash In Transit
Action 0513
Conclude on TUPE risks raised in former discussions about branch cover.
5. DATE OF NEXT MEETING
8th November 9:30-11:30 in 80 Old Street.
Future Agenda Items
CIT trunking routes and Audit coverage at Cash Centre/CIT audits
Attendees to include
Keith Rann