POL00167707
POL00167707
A REVIEW ON BEHALF OF
THE CHAIRMAN OF POST OFFICE LIMITED
CONCERNING THE STEPS TAKEN IN
RESPONSE TO VARIOUS COMPLAINTS
MADE BY SUB-POSTMASTERS
8 February 2016
INDEX
I. Introduction (paragraph) 1
II. The Scope of this Review 4
III. Post Office Limited, Sub-postmasters and the Horizon System
(A) The POL Business Model 13
(B) The Legal Status of SPMRs 17
(C) The Horizon System 22
(D) Training 37
(E) Support 40
(F) Third Party Business Involvement 46
(G) Accounting Discrepancies 49
(H) Investigation of Discrepancies 54
IV. The Horizon Complaints
(A) Initial Complaints 56
(B) The Second Sight Interim Report 60
(C) The Criminal Cases Review Commission 65
(D) The Mediation Scheme 67
(E) The Substantive Second Sight Reports 76
(F) Parliamentary Debates 84
(G) BBC Panorama Programme 86
(H) Cost to POL 89
V. Criminal Prosecutions 90
(A) Safety of Convictions and Disclosure of Information 92
(B) Sufficiency of Evidence 100
(C) POL as Prosecutor 110
(D) Recommendations 113
VI. The Horizon System 114
(A) Bugs in the Horizon System 117
(B) Thematic Issues 121
(C) Third Party Action 130
(D) Recommendations 149
VII. The Support Provided to SPMRs 150
VIII. Scheme Investigations 161
IX. Summary of Recommendations 175
POL00167707
POL00167707
POL00167707
POL00167707
L Introduction
We have conducted this review on behalf of the Chairman of Post Office
Limited, Tim Parker.
This review arises from complaints made by various sub-postmasters
(“SPMRs’) about their treatment by Post Office Limited (“POL”). Since 2009
POL has faced complaints from SPMRs that cash shortfalls in their branches,
for which they were held responsible by POL were caused by POL’s computer
software, known as Horizon, and POL’s wider operational model. These
matters have been the subject of consideration and investigation by and on
behalf of POL on a number of occasions. The purpose of this review is to
consider whether any further action could now reasonably be taken by POL to
address the matters raised by the SPMRs.
We stress that we have been instructed on behalf of the Chairman to perform
an independent assessment of the work which has been done already to
address the question whether there is any further step/steps that might
reasonably be taken now by POL. We have met with various individuals and
parties who could explain the context and their concerns, but not all of those
matters fell within the scope of this Review. The legal department of POL has
been the source of most of the information provided to us, but we have
determined what information should be provided. No information we have
requested has been withheld from us and we are grateful for the assistance we
have received from both POL and external parties we have spoken to.
POL00167707
POL00167707
Il. The Scope of this Review
The purpose of this review was originally described in the following terms:
“To review the Post Office's handling of the complaints made by sub-postmasters
regarding the alleged flaws in its Horizon electronic point of sale and branch accounting
systems, and determine whether the processes designed and implemented by Post Office
Limited to understand, investigate and resolve those complaints were reasonable and
appropriate.”
We have been guided by this. But we have concentrated on whether any further
action is reasonable and necessary in respect of these issues. This has
highlighted two principal questions
(1) I What has already been done in the 2010-2015 period?
(2) If there are any gaps in the work done, is there further action that can
reasonably now be taken?
In respect of both these questions, with the agreement of the Chairman, we
have concentrated on four areas: (a) criminal prosecutions; (b) the Horizon
system (i.e. the software); (c) the support provided to SPMRs through training
and helplines; and (d) the investigations into the circumstances of specific cases
where a complaint has been raised. This Review will address both questions in
respect of all four of these areas.
Asa part of the second question, we will briefly address what steps POL should
take now to improve the position of SPMRs, and therefore POL, in the future.
However, the more critical focus is on whether anything further can reasonably
be done now in respect of existing cases raised with POL. Where we have
concluded that it can be, we have set out recommendations accordingly.
10.
11.
12.
POL00167707
POL00167707
We recognise that a great deal of work has been undertaken by POL and
various third parties concerning Horizon and wider related issues since 2010.
It was neither possible nor desirable for us to seek to replicate or duplicate that
work in the time available to us. Nor have we sought to establish the precise
circumstances of any individual SPMR’s case.
We have reviewed a considerable amount of documentation provided to us by
POL at our request. We have also met with POL employees, and external
parties who we considered might be able to assist us in our understanding of
the issues involved and what had already been done. In addition, we received
training ourselves on the operation of a Horizon terminal.
Our meetings were with:
(1) — Lord Arbuthnot;
(2) Second Sight (lan Henderson and Ron Warmington);
(3) Deloitte (Andrew Whitton and Mark Westbrook);
(4) Fujitsu (Mike Harvey, Pete Newsome and Gareth Jenkins);
(5) Angela Van Den Bogard, POL Director of Support Services;
(6) Kevin Seller, POL Director of Network Development and
Transformation;
(7) Kendra Dickinson, POL Senior Contact Centre Manager; and
(8) Shirley Hailstones and Kathryn Alexander, POL Case Investigators.
The Chairman invited Alan Bates, Chairman of the “Justice for Sub-postmasters
Alliance” (“JFSA”) to a meeting with us, but he declined to attend. We are
aware that his reason for the refusal was his loss of trust in POL and their ability
to meet his concerns.
We have not sought to meet with Sir Anthony Hooper, who was Chairman of
the Working Group. The running of the Working Group, and indeed the
POL00167707
POL00167707
decision to bring it to an end, were not matters directly within the scope of our
concern as they are second-order process matters.
(A)
13.
14.
15.
16.
POL00167707
POL00167707
Ill. Post Office Limited, Sub-postmasters and the Horizon System
The POL Business Model
POL is a limited company under the Companies Act 2006. As of 1 April 2012,
POL has been separately owned and managed from Royal Mail. The sole
shareholder of POL is the Secretary of State for Business, Innovation and Skills
but POL acts under the direction of its Chairman and Board of Directors, rather
than Ministerial control. However, because the sole owner of POL is the
Government, it is commonplace and appropriate to describe POL as expending
public funds.
There are approximately 11,500 Post Office branches around the United
Kingdom. They provide a range of mail, telephony, government and financial
products and services to the public. A Post Office branch is often a vital part of
a local community.
Some 350 of those branches are operated directly by POL, known as Crown
branches, in which the staff are employees of POL. These branches have not
been the focus of the complaints or this Review.
The remainder of the branches are run by SPMRs on an agency basis, under
contracts with POL. SPMRs are, accordingly, independent business people.
Many operate additional businesses, and it is common that the Post Office
branch is found within a wider retail business, such as a newsagent or general
store. Every branch has a quantity - varying according to local demand and
branch size - of POL cash and stock (such as stamps) for which the SPMR must
account to POL.
(B)
17.
18.
19.
POL00167707
POL00167707
The Legal Status of SPMRs
It is not necessary for the purposes of this Review to set out a detailed legal
analysis of the position of SPMRs. Although we understand from the wider
documentation that some SPMRs may have believed themselves to be more
akin to an employee, there is no real dispute that SPMRs are agents of POL,
under a contract for services.! We have not seen, and have not asked to see, the
contract between POL and SPMRs, although we have seen quoted clauses of it
in various other documents. We understand that clause 1 of that contract states
in terms that the SPMR is an agent of POL.
At common law an agent is obliged to keep an accurate account of all
transactions entered into within the scope of his agency and has to be ready to
produce that account at any time to his principal. We understand that the
applicable contract contains a clause to the same effect (clause 12.4).
Where an account is produced - such as automatically through an accounting
system - the burden of proof is on the agent to show that the account is wrong
and does not reflect the financial obligations he owes to his principal. In Camillo
Tank Steamship Company Limited v Alexandria Engineering Works (1921) 38 TLR
134, 143 Viscount Cave noted that:
“The expression “account stated” ... has more than one meaning. It sometimes means
a claim to payment made by one party and admitted by the other to be correct. An
account stated in this sense is no more than an admission of a debt out of court; and
whilst it is no doubt cogent evidence against the admitting party, and throws upon him
the burden of proving that the debt is not due, it may, like any other admission, be
shown to have been made in error.”
Indeed, there is a judgment of the Employment Appeal Tribunal holding that SPMRs
are not employees (and not workers for the purposes of various pieces of legislation
either): Inland Revenue Commissioners v Post Office Ltd [2003] ICR 546.
8
POL00167707
POL00167707
20. The general principle of the agent’s duty to account is contained in Shaw v
Picton (1825) 4 B & C715, 729 per Bayley J:
“It is quite clear, that if an agent (employed to receive money, and bound by his duty
to his principal from time to time to communicate to him whether the money is received
or not,) renders an account from time to time which contains a statement that the
money is received, he is bound by that account unless he can shew that that statement
was made unintentionally and by mistake. If he cannot shew that, he is not at liberty
afterwards to say that the money had not been received, and never will be received, and
to claim reimbursement in respect of those sums for which he had previously given
credit.”
The application of these standard agency principles to the SPMR context was
confirmed in Post Office Ltd v Castleton [2007] EWHC 5 (QB); [2007] All ER (D)
125 (Jan) in which POL sued to recover losses shown in the SPMR’s accounts.
Mr Castleton is now one of the cases in the scheme discussed below.
21. We are not asked to apply those principles to the facts of any particular case
and we do not do so, but we do consider that it is important that the relevant
legal context be clearly set out as it clearly shapes the nature of POL’s own
obligations.
(Cc) The Horizon System
22. Horizon is the name given to the computer system provided to POL under
contract by Fujitsu Services Limited (“Fujitsu”), formerly ICL. It is the system
used in all POL Crown branches, sub-Post Offices and outreach branches. We
do not understand the basic history and scope of the Horizon system to be
controversial, and take this summary from various documents including
Second Sight’s Part One Report, legal advice provided by Brian Altman QC,
witness statements provided by Gareth Jenkins of Fujitsu in POL legal
proceedings against SPMRs and other Fujitsu documentation, such as a
presentation on its ‘Core Audit Process’. We stress that in this Review we use
23.
24.
25.
26.
POL00167707
POL00167707
the term Horizon to refer to the computer system used by POL and the SPMRs
only. We do not incorporate within that term a wider definition of all training,
assistance and processes the POL have in place to allow Horizon to be used; we
find that wider definition which has been used by others to be confusing for
our purposes.
Fujitsu was awarded a contract with POL in 1996 to provide the Horizon
system. Horizon was rolled out to all branches between 1999 and 2002.
Branches migrated to an updated system known as Horizon Online (or HNG-
X) over the course of 2010. So far as we understand it, there is no significant
difference between the practical operation of the original Horizon system and
Horizon Online. As the complaints raised have spanned both systems, we refer
to both by the term Horizon.
Under the original Horizon system the data relating to each transaction was
processed and stored by a designated master terminal in each branch before
being transmitted in batches to a central POL data centre. Under Horizon
Online, each branch terminal now communicates directly with the data centre
on a transaction by transaction basis. In order to function, Horizon must be
online and each terminal connected to the POL data centre via a secure
communication line with a back-up system, provided by POL, usually
comprising a mobile telephone network.
We note that Horizon is used by over 68,000 users in the 11,500 branches
processing more than six million transactions every working day.
Transactions in Horizon can only be entered by someone with a user ID and an
associated password. Formal approval of a new user can only be carried out by
POL, but new users can be added to the system and allocated a user ID by an
SPMR when POL has given them ‘manager access’. The password is set by POL
or the SPMR and is subsequently managed and changed by the user.
10
27.
28.
29.
30.
POL00167707
POL00167707
Every record that is written to the transaction log has a unique incrementing
sequence number. This means it is possible to detect if any transaction records
have been lost. While a customer session is in progress, details of the
transactions for that session are normally held in the computer’s memory until
the customer session (often known as the ‘stack’) is settled (i.e. payment is
taken). At that point, all details of the transactions, including methods of
payment, are written to the hard disk and replicated. When the stack data is
successfully written the screen is updated, printing the relevant receipt means
the session is completed, to indicate a new customer session can be started.
Each stack, or basket, of a customer session consists of accounting lines. When
a session is settled, the payment process is also added as accounting lines.
When the value of the basket is zero it is sent to the data centre where the
accounting lines are recorded and committed. The effect of this is that either all
of the data, in the form of the accounting lines, is written to the local hard disk
and the data centre or none of it is written. The same approach applies to back
office transactions, such as inputting stock levels or reversing mistaken
transactions.
All data that is written includes a ‘checksum’ value which is checked whenever
the data is read to ensure that it has not been corrupted. Any such corruptions
detected on reading will result in failures being recorded in the event logs
which are held on the local hard disk for a short period, and at the data centre
where they are held for seven years.
Where the data is not written or replicated, further attempts are made at regular
intervals. Once the data reaches the data centre, a further copy is taken and
written to the audit file which is placed into the audit trail where it is available
for retrieval for seven years. Data in the audit trail is digitally sealed with a
secure checksum that is held separately (in the form of a digital index) to ensure
11
31.
32.
33.
POL00167707
POL00167707
it has not been tampered with or corrupted. Each audit record includes the
branch identifier, the counter identifier, the sequence number (i.e. the
sequential transaction identifier), and a counter timestamp.
Any failures to write to a hard disk, after the set number of retries, will result
in the counter failing and needing to be restarted. Such a failure will
accordingly be visible, even if it were not already evident because of, for
example, a loss of power. There is a specific recovery process which must be
followed by the user when the counter is restarted which, we are told, involves
various screen prompts.
Horizon adopts the principle of double-entry bookkeeping. As set out above,
this means that separate accounting lines are also generated for the tender items
(ie. the methods of payment), resulting in a total value of all of the accounting
lines in a basket adding up to zero. If, when being written, the net value is not
zero then an alert is raised and the basket is discarded.
The way in which the Horizon system is operated was described in accessible
terms in the Castleton judgment at [5]-[7]:
“Each computer terminal included a processor, a touch-sensitive screen, a keyboard, a
barcode scanner and a printer. The laid down practice, in outline, was and is as follows.
The clerk records on the computer all transactions that he makes. Transactions other
than on-line banking are recorded not only on the computer but also by a document,
such as a television licence counterfoil, savings bank deposit or withdrawal slip or a
cheque. Some transactions are known as APS (automated payment system)
transactions. Those are transactions where a customer either uses a card containing a
magnetic strip to pay a bill or pays a bill that is barcoded. There are corresponding APS
slips recording APS transactions. The subpostmaster is responsible for checking daily
the computer records of the transactions of the day against the documentation. He
prints out the computer records of the transactions, and when satisfied that they tally
with the documentation he sends the documentation in sealed bags or envelopes by the
last collection of the day to the relevant centres. He receives cash, stamps and other
cash-type items from time to time in sealed bags and has to record daily the amount of
cash held by reference to the denominations of notes and coins. The subpostmaster is
also responsible for producing a weekly balance...
34.
35.
36.
(D)
37.
POL00167707
POL00167707
Every week, after close of business at 5.30 p.m. on Wednesday and before opening at 9
a.m. on Thursday [the stock is checked] as required by Post Office procedures.
It is obvious that the week's accounts of a post office balance if the difference represented
by the receipts minus the payments equals the difference represented by the value of the
stock at the end of the week minus the value of the stock at the end of the previous week.
If those two differences are not equal, there is a discrepancy. If the former difference is
greater than the latter, there is a loss, which is treated as a positive discrepancy. If the
former is less than the latter, there is a gain. That is treated as a negative
discrepancy...”
As the judgment explains, the operation of Horizon as an accounting system is
effectively dependent upon the SPMR inputting the correct information into
the system.
One issue which has occurred with some frequency is that an SPMR has falsely
declared onto the Horizon system the cash and/or stock position in order to
conceal a discrepancy. This is likely to constitute the criminal offence of false
accounting. When this has occurred it has rendered it more difficult, if not
impossible, for POL (and possibly the SPMR) after the event, to establish the
last point at which the accounts were correctly declared and locate the
circumstances in which the discrepancy occurred.
The Horizon system is the subject of three different industry standard
evaluations: ISAE3402 audits (carried out by Fujitsu and Ernst & Young);
Payment Card Industry Data Security Standards (carried out by Information
Risk Management plc, focussing on cardholder data); and Bureau Veritas
1SO27001 reports (over the Fujitsu networks). We have been provided with,
and looked at, copies of these reports for 2012 as a sample of those available.
Training
Although there is good deal of dispute about the level and quality of training
SPMRs received in particular cases, Second Sight’s Part One Report sets out the
13
38.
39.
(E)
40.
41.
POL00167707
POL00167707
levels of training which POL sought to provide at different times, and we adopt
that description here.
In brief, when Horizon was first introduced in 2000-2002, SPMRs were given
classroom training and then 10-11 days of on-site training and support,
followed by one day of support on balancing at the end of a trading period. In
2003-2006 new SPMRs received between five and ten days of classroom
training if they chose it, or five to ten days of on-site training and support,
followed by one day of support on balancing at the end of a trading period. In
2007-2011 new SPMRs received between five to ten days of classroom training
on sales and products and then six days of on-site training and support,
followed by one day of support on balancing at the end of a trading period.
Telephone calls were made at the interval of one and six months, with a one
day site visit after three months.
Training was voluntary and SPMRs who had experience of working in Post
Offices may have chosen not to receive additional training. Further training
could be requested from POL. SPMRs are responsible for the training of their
own staff.
Support
POL provides various methods of support to SPMRs, in relation to Horizon and
the more general operation of the branch. There are two different telephone
helplines which can be called.
The Network Business Support Centre (“ NBSC’”) is operated by POL (although
prior to 2012 it was effectively operated by Royal Mail) to provide support for
all operational issues arising in branch, including queries on the operation of
Horizon and on balancing issues. It has been in place since 1999. Queries which
14
42.
43.
44,
45.
POL00167707
POL00167707
cannot be resolved by the call-handler, or are not resolved to the satisfaction of
the caller, can be transferred to a second tier of more experienced call-handlers
or to managers. Branch visits may result where a problem does not appear to
be fixed over the telephone.
NBSC call-handlers receive a four week classroom training course which
includes a Horizon test terminal, and then two weeks of supervised call-
handling. Call-handlers will principally answer a query by reference to a
detailed computerised encyclopaedia of explanations known as the Knowledge
Base. The Knowledge Base is periodically updated to reflect changes in
products and processes.
The NBSC produces a log of all calls. This records the date, the branch, the
caller, a brief description of the problem, the call-handler and the resolution.
Those logs are available back to 2000, but they are reliant on the notes made by
the call-handlers at the time. In many cases, the resolution notes only that the
caller was given an answer from the Knowledge Base. Calls to the NBSC were
not routinely recorded.
The Horizon Service Desk (“HSD”) was, until 2014, operated by Fujitsu and
deals with technical issues arising out of Horizon which an SPMR has not
resolved through the online information available to them. An engineer will be
sent out where a problem is not resolved. The HSD and NBSC transfer calls
between each other when the SPMR has called the incorrect helpline. HSD call
logs are retained for seven years.
Support is also provided through in-branch field visits by advisors. They visit
branches to provide training, additional training or support when requested
and to carry out audits or other checks. Branches also have managerial
relationships, which may involve on-site visits from time to time.
(F)
46.
47.
48.
(G)
POL00167707
POL00167707
Third Party Business Involvement
POL is a point of sale and contact for a variety of products and services
provided by third parties. For example, Government documents such as DVLA
forms can be purchased from Post Offices, and utility bills can be paid through
the Horizon system. Similarly, many customers will pay for products, or make
cash withdrawals, from their bank account at the Post Office counter.
Important examples of third party involvement are: ATMs, which are (now)
provided through Bank of Ireland and require the SPMR to account for the cash
held in and transacted through the ATM; lottery products, which involve
accounting for the stock of scratchcards and the cash purchases of all lottery
products (and which can require reconciliation where the sales are made
through the SPMR’s separate retail business); and Paystation, which is a
payment device used for certain utility payments and top-ups. All of these
separate products and equipment require manual inputting into the Horizon
system to ensure that the SPMR accounts for the cash and stock passing
through his branch. The third party (such as Bank of Ireland) will receive their
own records directly from the equipment, and discrepancies between those
electronic records and the Horizon records manually inputted by the SPMR
may require adjustment.
It is unnecessary to go into further detail about the range of third party
involvement, but we recognise that the reconciliation exercises can throw up
practical problems for SPMRs, and that the involvement of third parties with
their own separate processes will have a tendency to delay POL’s ability to
resolve any apparent discrepancies between the Horizon accounts and third
party records.
Accounting Discrepancies
49.
50.
51.
52.
POL00167707
POL00167707
SPMRs are required to balance their accounts at the end of every monthly
trading period. In order to roll over into the next trading period, the account
must balance, i.e. it must not show a positive or a negative discrepancy. Good
SPMR practice will involve the SPMR carrying out a weekly balance to ensure
any discrepancy is promptly identified, and a daily cash declaration on
Horizon to show how much cash is being held in the branch.
Where there is a discrepancy which cannot be corrected by reversing figures to
reflect the true picture (such as to correct an overstatement of stock), the SPMR
may make good that discrepancy. Where the discrepancy is small, and is likely
to be because of minor errors at the counter, this is often the approach adopted.
Where the sum is larger and the SPMR cannot or does not wish to simply pay
it off, or the SPMR does not understand how it arose, there are two choices.
During the monthly trading periods, the discrepancy can be moved to a local
suspense account while it is investigated by the SPMR with the assistance of
POL. Where there is, or remains, a discrepancy at the end of a trading period
the discrepancy must be settled centrally, i.e. placed into a central POL
suspense account, for resolution. We were informed by POL that in order to
settle centrally, an SPMR will be reminded that he is liable for any negative
discrepancy which is not resolved. This reflects the position under the contract
and at common law, as set out above.
A discrepancy may be resolved through the issue of a Transaction Correction
by POL. These may occur in a variety of situations, but will reflect POL having
information that shows that information inputted onto Horizon by a branch
was incorrect. This may be to the benefit or disbenefit of the branch. For
example, Horizon may have been told that more cash was sent back (or
‘remmed out’) to POL in a pouch than the pouch actually contained.
Alternatively, a cheque thought to have been lost may have been discovered.
17
53.
(A)
54,
55.
POL00167707
POL00167707
Sometimes a Transaction Correction will be issued because of information from
a third party, such as a bank, that a transaction was cancelled. A Transaction
Correction issued to a branch must be acknowledged and accepted by the
SPMR before it affects the branch accounting position.
Discrepancies through third party equipment - such as ATMs and Paystations
- are resolved through Transaction Acknowledgements issued via the third
party where there is a difference between the records of the equipment sent
directly to the third party and the figures manually inputted onto Horizon.
Again, a Transaction Acknowledgement issued to a branch must be
acknowledged and accepted by the SPMR before it affects the branch
accounting position.
Investigation of Discrepancies
Where a significant shortfall is discovered at an audit, or is reported to POL,
POL will conduct an investigation into that shortfall and the responsibility of
the SPMR for it. That investigation could lead to a decision as to whether the
contract with the SPMR should be terminated and/or whether criminal charges
should be laid in respect of the SPMR’s conduct. Investigations are carried out
by POL’s own investigations and security department. POL has shown us
figures that indicate that between around 3,000-4,000 audits took place a year
in 2011-2014. Only a small proportion of these were random; most were either
risk-based or on the occasion of a change of SPMR.
In England and Wales, POL conducts private prosecutions of criminal offences
arising out of the misconduct of SPMRs. This is not in exercise of any special
statutory power; it is simply the choice of POL to adopt this course of action.
Thus decisions as to whether charges should be brought and what charges
should be brought are made by POL employees (taking account of appropriate
legal advice). Cases in Scotland are prosecuted by the Procurator Fiscal and in
18
POL00167707
POL00167707
Northern Ireland by the Public Prosecution Service (with the assistance of POL
investigators). We understand the difference between the approach across the
UK reflects the different legal traditions.
(A)
56.
57.
58.
59.
POL00167707
POL00167707
IV. The Horizon Complaints
Initial Complaints
The complaints and allegations made publicly and to POL about the Horizon
system and associated issues commenced in earnest in 2009 with the
establishment of the JFSA. The core of those complaints has always been that
various SPMRs have been the subject of criminal prosecution, civil recovery
and/or contract termination in respect of accounting discrepancies for which
the SPMRs say they were not responsible. Instead, it is said that Horizon is
responsible. A wider element of the allegations is that SPMRs received
insufficient training and support in operating the Horizon system.
During the course of 2010 the JFSA entered into correspondence with Ministers
and Members of Parliament about their concerns. The story obtained press
coverage from the BBC's ‘Inside Out’ programme and articles in Private Eye.
From late 2011 to May 2012 James Arbuthnot MP pursued the allegations made
by the JFSA and individual SPMRs with the Minister and POL. In May 2012, at
a meeting with James Arbuthnot MP and Oliver Letwin MP, POL agreed to
engage a firm of forensic accountants to review Horizon. During the course of
June and July 2012, following meetings with James Arbuthnot MP, other MPs
and the JFSA, Second Sight Support Services Limited (“Second Sight”) were
instructed by POL to conduct the inquiry. The remit of their inquiry was to
“consider and to advise on whether there are any systemic issues and/or concerns with
the ‘Horizon’ system, including training and support processes, giving evidence and
reasons for the conclusions reached” 2
The deadline for the submission of cases and issues for the consideration of
Second Sight was 28 February 2013. Some 29 cases were submitted through
‘The Second Sight Inquiry - the Detail’, Appendix to the Second Sight Interim Report.
20
(B)
60.
61.
62.
63.
POL00167707
POL00167707
James Arbuthnot MP and 18 cases through the JFSA. Second Sight issued an
Interim Report on 8 July 2013.
The Second Sight Interim Report
We do not propose to summarise the entirety of the Second Sight Interim
Report. It is sufficient to note some of the core statements that it made. Second
Sight defined the “Horizon system” to include not simply the software, but also
all aspects of using the system, the training and support provided to use the
system and the audit and investigation process into discrepancies shown by
the system (paragraphs 1.4-1.8). Second Sight noted that the limited number of
complaints it received “suggests that the vast majority of SPMRs and branches are
at least reasonably happy with the Horizon system” (paragraph 1.11).
The Interim Report stated that Second Sight had carried out so-called “Spot
Reviews”. These were considerations of particular issues in certain of the cases
referred to them. We have seen a number of those Spot Reviews. Four of them
were appended to the Interim Report. Second Sight stated that differences
between POL and the JFSA had not been resolved, and POL had accepted only
minor errors (paragraphs 5.6-5.7).
Second Sight noted that POL had disclosed to it two defects in the Horizon
software which had impacted branches in 2010 and in 2011-2012, as well as a
further (unspecified) incident (paragraphs 6.4-6.10).
Second Sight criticised POL for a lack of thoroughness in their investigations of
shortfalls, and a focus on asset recovery rather than establishing the underlying
root cause (paragraphs 7.3, 7.6). A list of issues of concern was set out
(paragraph 7.2).
21
64.
(©)
65.
66.
(D)
67.
POL00167707
POL00167707
The Interim Report reached various preliminary conclusions (paragraph 8.2).
Importantly, those included that “We have so far found no evidence of system wide
(systemic) problems with the Horizon software”. They also included conclusions
that unusual combinations of events could give rise to a situation where timely
information is not available to an SPMR; that POL’s attitude to problems could
appear unsympathetic or unhelpful; and that investigations did not identify
root causes.
The Criminal Cases Review Commission
The CCRC is a statutory body with the power to refer criminal cases to the
Court of Appeal where it considers that there is a real possibility a conviction
may be overturned. POL was first contacted by the Criminal Cases Review
Commission (“the CCRC”) in July 2013. Some SPMRs have referred their own
convictions to the CCRC. This has included some cases in which conviction
followed a guilty plea. None of the convictions was itself the subject of an
appeal. POL is co-operating with any and every request for assistance from the
CCRC.
POL has informed us that at the present time the CCRC is considering 23 cases.
19 of those involve individuals who have made a complaint under the scheme
discussed below. At present it is unknown when the CCRC is likely to reach
decisions on whether any case should be referred back to the Court of Appeal.
POL have informed us that they understand that is unlikely to be before the
summer of 2016.
The Mediation Scheme
In an announcement of 26 August 2013, POL established an independent
mediation scheme for SPMRs, overseen by a Working Group (“the Scheme”).
22
68.
69.
70.
POL00167707
POL00167707
The membership of the Working Group comprised POL, the JFSA and Second
Sight. Sir Anthony Hooper was appointed the Chairman of the Working Group
on 29 October 2013. The Working Group sought applications from SPMRs who
had a complaint about the Horizon system or an associated issue. Applicants
would have their cases investigated by Second Sight, with a view to mediation
of the dispute between the SPMR and POL.
By the time the Scheme closed on 18 November 2013, it had received 150
applications, of which 136 entered the full Scheme (ten were resolved before
entry and four were ineligible). 37 applications were from SPMRs who had
been convicted of a criminal offence.
POL contributed £1,500 (ex-VAT) to each Scheme applicant for the purposes of
obtaining professional advice to articulate the complaint. Each applicant
submitted a case questionnaire review (“CQR”) to POL and Second Sight. In
some cases evidence was supplied. Each case was then the subject of a detailed
investigation by the Post Office Investigations Department which produced a
Post Office Investigation Report (“POIR”) for each case on the basis of the
evidence which could be examined, given the passage of time. This evidence -
depending on the application of the seven year data retention period - included
Horizon transaction records, NBSC call logs, HSD call logs, training records,
audit records and other related correspondence. The POIR and supporting
evidence were provided to Second Sight, who would examine the material and
issue a case review report (“CRR”) setting out the areas of agreement and
disagreement, the conclusions Second Sight could draw and whether
mediation was appropriate.
The Scheme applicant was provided with the POIR and the CRR (having been
given the opportunity to comment on a draft of the CRR). The Working Group
considered the suitability of each case for mediation. Cases which were
accepted as suitable, and which POL agreed to mediate, were referred to the
Centre for Effective Dispute Resolution (“CEDR”) for mediation to take place.
23
71.
72.
73.
74.
POL00167707
POL00167707
POL met the costs of the mediation, and provided up to £1,250 (ex-VAT) and
expenses to applicants for professional advice in relation to the mediation.
During the course of 2014, real concern grew on the part of POL and the JFSA
about the slow progress which was being made concerning Scheme
investigations. (We have seen POL Board minutes which indicate that this
concern actually started in mid-2013, along with real concerns over the
performance and capabilities of Second Sight.) The JFSA objected to POL’s
approach to mediation. Public criticism of POL, including of its approach to the
Scheme, on the part of MPs (particularly James Arbuthnot MP) grew during
the year. On 9 December 2014, James Arbuthnot MP appeared on the Today
programme and contended that POL was sabotaging the Scheme and refusing
to mediate 90% of cases. (This figure does not appear to us to have been
accurate, but POL has considered itself bound by confidentiality and so has not
published any different figure.)
By early June 2014 POL was having internal discussions through the Board’s
Project Sparrow Sub-Committee about the possibility of closing down the
Working Group and resolving the cases in another way. POL was also
considering the replacement of Second Sight.
On 10 March 2015 POL announced it would mediate all Scheme cases, save for
those which had been the subject of a court ruling (whether or not to mediate
those cases was to be considered case-by-case). This decision effectively
removed the core purpose of the Working Group. POL announced the closure
of the Working Group the same day.
Second Sight were instructed to complete the outstanding CRRs, and did so in
July 2015. This brought to an end their engagement by POL.
24
75.
(E)
76.
77.
78.
79.
80.
POL00167707
POL00167707
The Scheme cases continue to go through the mediation process, although we
note that the JFSA encouraged applicants to withdraw from any mediation
process and a number have done so.
The Substantive Second Sight Reports
During the course of the Scheme, Second Sight issued their substantive report
in two parts. The Part One Report was issued on 25 July 2014. It was in essence
a narrative describing how a Post Office branch worked, the systems used, and
the types of products and issues dealt with by SPMRs on a regular basis. Part
III of this Review covers similar ground, but in considerably less detail.
A first version of the Part Two Report was issued by Second Sight on 21 August
2014. POL produced a reply document in September. Following the closure of
the Working Group, POL also instructed Second Sight on 10 March 2015 to
issue a completed version of their Part Two Report.
The final Part Two Report was issued on 9 April 2015. Where we refer to the
Part Two Report in this Review, we mean the final version of it. POL also
produced a reply to the Part Two Report.
We do not intend to summarise POL’s reply, and it would be disproportionate
to summarise the entirety of the Part Two Report. However, it is appropriate to
highlight some key elements and conclusions of that Report which are
particularly relevant to our work.
Second Sight report that their work was limited by POL’s refusal, with which
they did not agree, to provide three categories of information. Those were: (a)
the complete legal files; (b) the complete email records of POL employees
working at Fujitsu’s Bracknell office for 2008; and (c) detailed transactional
25
81.
82.
83.
POL00167707
POL00167707
records relating to POL’s suspense account (paragraphs 2.1-2.19). Asa result of
this failure, Second Sight concluded that POL “did have, and may still have, the
ability to directly alter branch records without the knowledge of the relevant” SPMR
(paragraph 2.12).
The contract between POL and SPMRs was not always provided to SPMRs and
the contractual terms, placing responsibility for losses on SPMRs, is “unfair”
(paragraphs 3.6-3.8, 6.1-6.16).
Horizon was insufficiently error repellent, in that “the majority of branch losses
were caused by ‘errors made at the counter”, which could have been avoided if the
systems had been improved. Second Sight took the view that POL had little
incentive to do so (paragraphs 3.11-3.14).
The Report addressed 19 thematic issues drawn from the Scheme cases
(paragraph 1.10). (Only the more significant ones are addressed here.)
(1) The ATMs introduced a vulnerability to error and fraud, had on two
occasions printed corrupted data and were likely at some point to have
been the subject of malware and/or criminal theft/fraud (paragraphs
7.1-7.38).
(2) Accounting for foreign currency transactions was fundamentally flawed
because Horizon is a single currency system and individual transactions
could not be seen by POL (paragraphs 9.1-9.12).
(3) The sale of lottery scratch cards prior to 2012 had too easily allowed for
errors in stock scanning, coupled with inconsistent NBSC advice and
delays in the issue of Transaction Corrections (paragraphs 10.1-10.15).
(4) Training was “probably adequate for people who had reasonable levels of IT
skills, numeracy and accuracy”, but it was not sufficiently clearly
26
6)
(6)
(7)
(8)
POL00167707
POL00167707
monitored that the training was properly delivered and the ability to
request training did not help those who did not realise what they were
doing wrong (paragraphs 11.1-11.9).
Errors were less attributable to inadequate training than adequate
support from the NBSC, which would have benefitted from sending
written instructions. Second Sight recorded the complaint that SPMRs
would be told that “it will sort itself out” but did not uphold or reject that
complaint. They accepted that the NBSC could not be expected to
determine how discrepancies arose and expectations of that facility were
unreasonable (paragraphs 12.1-12.9).
The periods of delay in issuing Transaction Corrections, often of high
value, posed real difficulties for SPMRs and might cause a temptation to
falsify the accounts in the hope that a subsequent Correction would
resolve the problem (paragraphs 13.9-13.14.)
Second Sight addresses the POL denial that it is possible to amend
branch data remotely, referring to a number of documents disclosed to
it from 2008 and 2010 which refer to correcting live data without the
knowledge of the SPMR, altering balances at the branch, although there
was no detail as to whether such amendments had been made
(paragraphs 14.1-14.19). They also recommended that where Horizon
has reversed a transaction (because a terminal is timed out before
transaction is settled and completed), the records should clearly show
that it was the system which carried out the reversal rather than the user.
There was no dispute that this would not have caused a loss (paragraphs
15.1-15.7).
Cash errors at the counter would be hard to detect, particularly
following the removal by POL of paying-in paper slips in 2008
(paragraphs 20.1-20.20).
27
POL00167707
POL00167707
(9) It was possible for losses to occur in a branch as a result of power and
telecommunications failures, where it has not been possible for the
SPMR to follow the correct recovery procedures, particularly where the
power to a screen does not return and so messages are not displayed to
the user (paragraphs 21.5-21.15).3 It was possible, but unclear, that
hardware equipment failures could have caused losses (paragraphs 23.1-
23.4).
(10) Some of the people appointed to an SPMR role “ may have been unsuited”
to that role (paragraph 21.25). POL’s selection processes failed to reject
candidates who showed signs of inadequacy at interview and “proved
themselves to be wholly unsuitable” (paragraph 21.26).
(11) Inthe “specific and limited circumstances” of a person who was “unsuitable,
inexperienced or inadequately trained” who encountered problems
(particularly relating to the recovery process) Horizon was not “fit for
purpose” (paragraph 21.27).
(12) POL is responsible for detecting and acknowledging system or
procedural flaws that have allowed errors to repeatedly occur and not
providing the improvements to reduce or remove those errors
(paragraphs 21.30-21.31).
(13) POL investigators were focussed on seeking evidence of false accounting
to aid asset recovery rather than identifying the root cause of losses. In
some cases, a charge of theft did not seem to have been supported by the
evidence and was dropped as part of a plea bargain. Some of those
We confess that we find this difficult to follow. As the recovery process cannot be
commenced without a user being logged onto Horizon, and logging on would require
the screen to be working, it is not easy to understand how Horizon could be
functioning in order to go through the recovery process whilst the screen does not
work for the user to see any messages. However, we accept that the recovery process
may well be complicated (as indeed Fujitsu has told us) and the SPMR faced with a
customer at the counter and power failures may well make mistakes under pressure.
28
POL00167707
POL00167707
decisions may have been contrary to the prosecutor's code (paragraphs
25.1-25.24).
(14) In some circumstances Horizon “can be systemically flawed from a user's
perspective and Post Office has not necessarily provided an appropriate level of
support” (paragraph 26.8).
(F) Parliamentary Debates
84. I We are aware of a number of Parliamentary discussions of the impact of the
Horizon system of SPMRs. We have seen and considered the records of the
following occasions:
(1) I House of Commons debate of 9 July 2013;
(2) Westminster Hall debate of 17 December 2014;
(3) The hearing before and evidence given to the Business, Innovation and
Skills Select Committee on ‘The Post Office Mediation Scheme and the
Horizon IT System’ on 3 February 2015;
(4) House of Commons debate of 29 June 2015; and
(5) Prime Minister’s Questions on 1 July 2015.
85. I We do not propose to further summarise or discuss these publicly available
records. It is evident that there has been an on-going and high level of
Parliamentary interest in the issue.
(G) BBC Panorama Programme
86. On17 August 2015 the BBC broadcast a Panorama programme ‘Trouble at the
Post Office’. It featured a number of SPMRs (who have been the subject of
criminal convictions, including some who had pleaded guilty to criminal
29
POL00167707
POL00167707
charges), James Arbuthnot MP, Professor Charles McLachlan (who had
appeared as an expert witness in defence of Seema Misra when she was
convicted by a jury of theft, having pleaded guilty to false accounting) and a
former Fujitsu employee named Richard Roll.
87. Mr Roll’s participation was the only genuinely new information we have seen
in the broadcast, but it was of potential significance. He said that he and his
fellow Fujitsu employees saw a “lot of errors, a lot of glitches” on the Horizon
system and that they “went in the backdoor and made changes. Sometimes you would
be putting in several lines of code in at a time. If we hadn't done that then the counters
would have stopped working” .
88. I We have been provided with various correspondence between POL and the
BBC in which POL complains about the reporting of the BBC. We do not
propose to address any of that material.
(H) — Cost to POL
89. POL has informed us that as at the beginning of December 2015, it has spent
some £10 million on this matter. It has incurred over £1.5 million on Second
Sight and some £3.3 million on other professional fees, including legal advice.
The investigations by POL of each of the 150 Scheme cases cost £3.7 million.
More than £500,000 has been spent in POL’s contributions to Scheme applicants
receiving professional advice on their complaints.
30
90.
91.
POL00167707
POL00167707
Vv. Criminal Prosecutions
It is not surprising that it is the prosecution of SPMRs by POL which has been
the most emotive issue we have seen in the course of this Review. 43 of the
Scheme applicants’ cases involved criminal convictions, 37 of them of the
SPMR directly. The vast majority of these were for the offence of false
accounting (contrary to section 17 of the Theft Act 1968). In at least some cases,
SPMRs were also the subject of a charge of theft (contrary to section 7 of the
Theft Act 1968). Both offences require the prosecution to prove dishonesty, but
the offences are directed at different conduct and an SPMR may be guilty of
false accounting without being guilty of theft, in large part because the false
accounting offence is committed even where the SPMR falsely declares he has
more cash than he actually does, even where this suggested gain is only
intended to be a temporary accounting gain in the hope that the money will
turn up (R v Eden (1971) 55 Cr App R 193).
Those subject to criminal convictions, or those on their behalf, have raised
broad areas of concern:
(a) whether their convictions were consequent on flaws in the Horizon
system and/or because of a failure properly to disclose such flaws during the
criminal proceedings, and for such reasons are not safe;
(b) whether POL acted appropriately in cases where it pursued charges both of
false accounting and of theft (or whether POL pursued theft charges in cases
where there was no proper basis in evidence to do so simply to encourage a
guilty plea to the false accounting charge); and
(c) whether it is appropriate for POL to conduct private investigations and
prosecutions (rather than leaving matters to the police and the CPS).
31
(A)
92.
93.
94.
95.
POL00167707
POL00167707
Safety of Convictions and Disclosure of Information
We have not sought to review the safety of any particular individual's
conviction. As indicated above, the CCRC is considering 23 cases (including 19
Scheme applicants). Consideration of these cases by the CCRC is the
appropriate course. POL is co-operating with the CCRC. That is the appropriate
course of action for POL to take.
It has been suggested to us that POL should write to the CCRC accepting that
the prosecutions should never have been brought and requesting that they be
referred to the Court of Appeal. We do not agree. This is not how we
understand the CCRC to operate; it will form its own view on the merits of the
cases, what happens to them (and each of them involves a conviction by a
criminal court) is not now within the gift of POL. POL cannot simply withdraw
a conviction, whether following a trial or a guilty plea. Moreover, based on
what we have seen, we do not consider there to be any substantive basis upon
which it would be appropriate for POL to act in this way.
It has also been suggested to us that POL seek to support applications for Royal
Pardons. We do not agree that this would be appropriate either. Pardons are
ordinarily granted (in exercise of prerogative powers) only where the Queen is
satisfied that that no criminal offence took place. Thus the standard for action.
goes beyond that presently being considered by the CCRC.
We emphasise that none of the Second Sight reports identify systemic flaws in
the Horizon system likely to have caused the losses incurred at the Scheme
branches. Rather, operator errors at the counter is the usual cause identified by
Second Sight (with the likelihood of those errors being exacerbated by a
problems in training and support). We address Horizon in more detail in the
32
96.
97.
98.
99.
POL00167707
POL00167707
next section, but POL is entitled to note at this point in time that there is no
evidence that the Horizon system - i.e. the computer system - is responsible
for the losses which have resulted in convictions.
So far as it concerns disclosure, POL has undertaken a considerable exercise
reviewing its compliance with its disclosure obligations (past and present). In
2013 it instructed Cartwright King Solicitors to review all criminal prosecutions
POL commenced since 1 January 2010 with a particular focus on identifying
those cases in which disclosure should now be made of the Second Sight
Interim Report and/or the Helen Rose Report (which we address in the next
part of this Review). Cartwright King is the firm which conducts criminal law
work on behalf of POL. The scope and scale of that review was the subject of
oversight and advice from Brian Altman QC, who delivered interim advice on
2 August 2013 and a general review on 15 October 2013. We have read those
opinions and it is clear to us that Mr Altman QC considered both the process
adopted by Cartwright King, and their actual decisions in a sample of cases, to
be reasonable and appropriate.
We have also reviewed a small sample of the reviews conducted by Cartwright
King in Scheme cases M060, M103 and M149. Without being criminal law
experts, it also seemed to us that Cartwright King were approaching their
review logically and in detail, being unafraid to require disclosure be made
where they felt it appropriate, and to recognise where it was irrelevant in the
light of the particular facts of the case.
We are accordingly content that POL has acted reasonably in its handling of
disclosure issues arising in relation to past criminal prosecutions.
We are also content that it would be inappropriate for POL to conduct a wider
review of the safety of any particular conviction when that work is being
independently carried out by the CCRC. POL should continue to co-operate
33
POL00167707
POL00167707
with and support the CCRC process and address any matters which arise as a
result in due course.
(B) Sufficiency of Evidence
100. As we understand it, the allegation is that POL has too readily brought a charge
of theft, which is said to be more serious than false accounting, with aim or
effect that the SPMR is pressurised into pleading guilty to false accounting in
the hope that the theft charge is dropped, and because a theft charge would
more readily enable POL to recover its losses. We understand that there are
approximately 18 Scheme cases in which this, or something similar, occurred.
We have also read the full trial transcript in R v Seema Misra in which a jury
convicted the defendant of theft (following a guilty plea to the charge of false
accounting).
101. Whether POL had sufficient evidence to bring a charge of theft alongside
charges of false accounting is an accusation raised by a number of Scheme
applicants, as well as by Lord Arbuthnot with us. It has also been a matter
raised by Second Sight in their Part Two Report.
102. Weare aware that the suggestion has gained particular traction in Scheme case
M035 (a case in which there was guilty plea to false accounting, in return for
which the theft charge was not pursued). In this case certain documents in the
prosecution file indicated that initial POL investigators could not find evidence
of theft (although there was clear evidence of false accounting), but theft was
nonetheless charged. We have seen those documents and have noted the
absence of clear documented rationale for charging theft.4
4 We do not assume, as we suspect some have done, that the absence of a documented
rationale means that no rationale existed or could have existed. Counsel clearly felt
properly able to settle the theft charge. However, the lack of clear reasons for this
decision does inevitably give rise to cause for doubt.
34
103.
104.
105.
106.
POL00167707
POL00167707
We note Brian Altman QC’s advice of 8 March 2015 that it is not a helpful
question to ask whether theft and false accounting are offences of equal
seriousness, both being dishonesty offences with a maximum sentence of seven
years’ imprisonment, because the seriousness is dependent on the nature of the
specific allegation rather than the charge per se.
We entirely accept that the decision to plead guilty is a matter for the defendant
alone. Any concerns they have about the legal advice they received at the time
is a matter only the defendant can pursue and is not the responsibility of POL.
Similarly, it is always open to the defendant to challenge the sufficiency of the
evidence disclosed to him or her and seek to have that charge dismissed.
POL’s position is that its prosecutorial decisions are always taken in accordance
with the Code for Crown Prosecutors, which requires that there be sufficient
evidence to provide a realistic prospect of conviction, and the prosecution must
be in the public interest. POL has referred us to the Cartwright King disclosure
review exercise, noting that Cartwright King also expressed views in their
advice as to whether POL should oppose any appeal brought, suggesting that
they must therefore have considered the evidence involved. POL has also
explained to us that because of these points, and because any review would be
carried out with the benefit of hindsight, it would not be an appropriate course
of action to review now the prosecution files to reconsider the sufficiency of
evidence issue.
We do not agree. We have reached the view that this issue is one of real
importance to the reputation of POL, and is something which can feasibly and
reasonably be addressed now’. It is clear that it is not an exercise which has
We are aware from references in POL’s Board minutes that before 2012, the
prosecutorial decisions relating to SPMRs were in fact being taken by the Royal Mail
part of the business. However, as they were being done in the name of, and on behalf
of, POL we do not consider that a material issue.
35
107.
108.
POL00167707
POL00167707
been carried out so far, and Cartwright King were not asked to consider the
sufficiency of the evidence when undertaking their disclosure review. We do
not think it is safe to infer that any advice Cartwright King gave on POL’s
position on any appeal must have involved a full evidential review. The
allegation that POL has effectively bullied SPMRs into pleading guilty to
offences by unjustifiably overloading the charge sheet is a stain on the character
of the business. Moreover, it is not impossible that an SPMR would have felt
pressurised into pleading guilty to false accounting believing it to be less
serious when they might not otherwise have done so; the phenomenon of false
confessions is well known. For the avoidance of doubt, we do not consider that
this issue arises in cases where there has been a conviction following trial; the
concern is only where an SPMR has pleaded guilty, and an additional charge
has been dropped as a result.
Considering this point now will also address one of the areas of concern
expressly raised by Second Sight in their Part Two Report, namely that the full
legal files of cases were not provided to them. We express no criticism of POL
in this regard. Whatever else Second Sight were qualified to express a view on,
they were not well-placed to opine on the appropriateness of prosecution
decisions or the impact of those decisions upon the safety of any subsequent
convictions. But this does not mean that no-one else should undertake the task.
However, we harbour some doubts about whether the bringing of a charge
without sufficient evidence to provide a realistic prospect of conviction could
be said, under the criminal law, to cast doubt upon the safety of the conviction
of a defendant who has pleaded guilty. We recognise POL’s position in this
respect. Accordingly, we recommend as a first step that advice be specifically
sought - perhaps from Brian Altman QC - as to whether such circumstances
could amount to evidence that the conviction on a guilty plea was unsafe.
36
POL00167707
POL00167707
109. Following that advice, it will be a matter for POL to consider whether it is
reasonable to instruct external lawyers - again, perhaps under the supervision
of Brian Altman QC - to review the prosecution files of the relevant Scheme
cases to establish, on the basis of the facts and law at the relevant time, whether
there was sufficient evidence in accordance with the Code to bring the charges
which were brought. Assuming the legal advice is that the safety of the existing
conviction could be impacted by an unjustified charge, we take the view that it
would be reasonable for POL to take this step and we so recommend.
(C) POLas Prosecutor
110. Criticism has been levelled at POL for conducting private prosecutions, in
reliance on its own investigations. It is said (a) that POL does not have the
benefit of the specialist criminal expertise of the police; and (b) that prosecution
decisions lack the independent view that is applied by the CPS. However, POL
is as entitled to bring private prosecutions as any other legal person (although
few major commercial entities do so for internal matters) and _ their
investigations and prosecution decisions are designed to be carried out to the
equivalent police and CPS standards. Ensuring the police investigate
complicated financial records and transaction logs may also not always be easy
to ensure.
111. We do not address this issue in detail because nothing can now be done about
the historical exercise of the prosecution function. Any alteration would be for
future cases only. We have seen the detailed legal advice provided by Brian
Altman QC, dated 31 October 2013, on this topic and asked POL for a formal
letter explaining how it was responding to the recommendations made by Mr
Altman QC. POL provided us that letter on 18 December 2015, along with a
detailed Prosecution Policy for England and Wales which is to be submitted to
the Board for approval on 22 January 2016.
37
POL00167707
POL00167707
112. In the light of the detailed advice already received by POL, we do not propose
to make any recommendations on these matters. We note that the proposed
new policy does not propose ceasing to do so in England and Wales. That is a
matter for the business and reputational judgment of POL.
(D) Recommendations
113. We recommend as follows.
(1) Legal advice be sought from counsel as to whether the decision to charge
an SPMR with theft and false accounting could undermine the safety of
any conviction for false accounting where (a) the conviction was on the
basis of a guilty plea, following which and/or in return for which the theft
charge was dropped, and (b) there had not been a sufficient evidential
basis to bring the theft charge.
(2) If such a conviction could be undermined in those circumstances, that
counsel review the prosecution file in such cases to establish whether,
applying the facts and law applicable at the relevant time, there was a
sufficient evidential basis to conclude that a conviction for theft was a
realistic prospect such that the charge was properly brought.
38
114.
115.
116.
POL00167707
POL00167707
VI. The Horizon System
As elsewhere in this Review, when we refer to the Horizon system, we mean
the computer programme and software developed and supplied to POL by
Fujitsu, and which POL requires to be used across all of its branches. This is
this how an ordinary person would interpret a reference to the Horizon system.
It also reflects the roots of the concerns of the SPMRs, although the reach of
those concerns has expanded over time. In essence, the allegation since 2009
has been that Horizon is a flawed system which causes, through software errors
and possible third party action, branch balances to be altered to the
disadvantage of the SPMR. SPMRs are, it is said, being held responsible for
losses which are incorrectly generated by Horizon such that they do not reflect
real losses to POL. POL has always denied that there is any evidence that
Horizon, as opposed to user error on the part of SPMRs and their staff, has
caused the shortfalls for which the SPMRs are accountable.
We have been provided a great deal of documentation by POL and Fujitsu
relating to the functioning of the Horizon system. We have reviewed all of that
documentation, notwithstanding that it is highly technical. However, we are
not information technology or computer coding experts and we have not
sought to investigate, review or test the functioning or schematics of the
Horizon system ourselves. Instead, we have considered the broad areas in
issue, what has occurred and whether anything might now be done.
We consider that there are three broad areas of concern and we address them
in turn:
(a) Horizon system bugs;
(b) The thematic issues identified by Second Sight; and
39
POL00167707
POL00167707
(c) Whether branch balances can be affected by third party alterations
without SPMR knowledge.
(A) Bugs in the Horizon System
117. It seems to us entirely unremarkable that the Horizon system, which is
enormous in terms of the range of matters it deals with and the number of users
it has, will occasionally discover bugs, errors or glitches in the way that it
works. (For ease we will refer to these as bugs.) Some of those bugs may impact
on the financial position of a branch, either positively or negatively. We do not
understand POL or Fujitsu to suggest anything otherwise. The important point
is the ease with which such bugs are noticed and corrected, with remedial
action to any financial position taken where necessary.
118. Weare aware of anumber of bugs which have been detected by Fujitsu through
their own work or the reporting of problems to them by SPMRs via POL. These
instances appear to be as follows.
(1) The Calendar Square, Falkirk problem discovered in 2005 (fixed in
2006). We have seen this described in some detail in the evidence and
cross-examination of Mr Jenkins of Fujitsu in the criminal trial of R v
Seema Misra. It involved a failure by Horizon to recognise transfers
between different stock units and was visible as a receipts and
payments mismatch. Due to the antiquity of the issue, Fujitsu could not
confirm to us whether any other branches had been affected by this
problem.
(2) The receipts and payments mismatch problem, discovered in 2010 (see
the Interim Report, paragraph 6.5). This impacted 62 branches.
40
POL00167707
POL00167707
(3) The local suspense account problem, which occurred in 2011 and 2012
(and fixed in 2013) (see the Interim Report, paragraphs 6.6-6.9). This
impacted 14 branches. Fujitsu explained to us that it reoccurred
because a particular balance reappeared each year in the annual
accounts between 2011-2013 until it was drawn to their attention and
fixed.
(4) The Second Sight Interim Report refers at paragraph 6.10 to another
bug which was disclosed in witness evidence in court proceedings. It
is not clear to us whether that was the Calendar Square incident, or the
unusual non-polling event for 12 days at Winford Post Office referred
to by Mr Jenkins in his statement in R v Grant Allen, to which we have
seen reference.
(5) We have also seen a reference in articles in Computer Weekly in
November 2015 to a further bug which lead to a branch being recorded
as having remmed out cash to an outreach branch four times instead of
once. Having raised this, we have been provided with Fujitsu’s analysis
of this bug to POL dated 10 December 2015 which explains that the
problem arises where a certain succession of actions concerning cash
pouches are entered, and then the system is left to time out, rather than
being logged out on completion. Fujitsu describe the issue as having
occurred 112 times since 2010 but that 108 of those were corrected at
the time either by a transaction reversal by the SPMR spotting the
duplication, or by a Transaction Correction issued by POL. Four
occasions appear not have been corrected at the time. None of the
uncorrected instances relate to Scheme cases.°
Following the completion of the draft of this Review, Fujitsu informed us of a further
bug which, between 29 June 2015 and 13 September 2015, caused all Transaction
Corrections to be accepted (even if the SPMR pressed ‘cancel’). Again, this could have
affected any branch, although Fujitsu has told us that the problem was only raised by
seven branches.
41
119.
120.
(B)
121.
122.
POL00167707
POL00167707
Fujitsu confirmed to us that all of these bugs were generic ones; i.e. they could
have affected any branch. The reasons they affected only certain branches were
accidents of processing, as the particular chain of actions and steps required for
the bug to apply happened to occur only on those occasions in those branches.
(Or, in the November 2015 bug, because the situation could only arise where
there were outreach branches.) We accept, on this basis, that the general point
POL makes that the Horizon system works effectively and accurately for the
overwhelming majority of the time for the overwhelming majority of its users
is accurate.
We have seen nothing to suggest that these specific bugs identified have been
the cause of wider loss to SPMRs in the Scheme cases or otherwise. We see no
basis upon which to recommend any further action in relation to those
identified bugs now.
Thematic Issues
Second Sight’s Part Two Report addresses a number of areas of complaint
raised in Scheme cases which they describe as ‘thematic issues’. We agree with
the analysis of POL and Fujitsu that few, if any, of those issues can sensibly be
said to relate to any error in the operation of the Horizon system. Second Sight
recognise, largely implicitly, that the themes they see are regular forms of errors
at the counter on the part of SPMRs and their staff. It is notable that nowhere
in their Part Two Report do Second Sight revise or disavow their conclusion in
the Interim Report that they have found no evidence of systemic problems with
the Horizon software.
We have reviewed a considerable amount of documentation concerning those
thematic issues, including: the Second Sight Reports; POL’s responses to those
42
123.
124,
125.
POL00167707
POL00167707
reports, including in draft; Spot Review paperwork; witness evidence provided
by Fujitsu in the course of criminal and civil trials which explain some apparent
concerns; and the detailed investigation work done in POIRs and CRRs for a
sample of the Scheme cases. While we recognise that not every issue raised by
SPMRs has been the subject of a categorical answer or explanation (still less an
accepted one), we consider that is inevitable in circumstances where the events
in question happened some time ago and an understanding of how the problem
arose is dependent upon an accurate explanation on the part of the SPMR.
In those circumstances, and alongside the very detailed investigations carried
out into the specific facts of the 150 Scheme cases (discussed in more detail in
Part VIII below), we do not consider it reasonable to recommend any further
investigative work into the thematic issues specifically identified by Second
Sight.
However, one aspect of the investigations carried out by POL into the Scheme
cases does give rise to a potential area of further work. The investigations work
was carried out by POL field support agents and some security personnel (who
investigate potential criminal cases). Those individuals are experienced in the
working of Horizon and in reading transaction logs, but they are not
computing experts.
As discussed in (A) above, the Horizon system does occasionally suffer from
bugs which have caused losses in some branches. Those bugs have been generic
in the sense that they have the potential to affect any branch, depending on
how it is structured. It is often the case that those bugs are identified when an
SPMR draws the attention of POL and Fujitsu to an odd situation which she
cannot explain and which appears to have caused a discrepancy. We were told
by POL that when carrying out their investigations into Scheme cases,
investigators were looking out for unusual or unexplained patterns of
transactions which might have required further technical examination by
43
126.
127.
128.
POL00167707
POL00167707
Fujitsu to confirm whether there was a wider bug. POL told us that no instance
arose and Fujitsu were not asked to look at the records in any case. Fujitsu
confirmed to us that they did not carry out any analysis of Scheme case records.
We consider that there is the possibility that an alternative approach to the
transaction analysis would have provided greater certainty that there was no
bug which had affected some of the Scheme branches. We take this view
because POL’s approach was necessarily ‘bottom up’, in the sense that it started
from and focussed on the specific circumstances of the branch, looking at the
transaction logs where necessary to review a particular complaint, be it general
or specific (such as an allegation that Horizon had generated reversals, or
Transaction Corrections came too late and were incorrect). A different, but
complementary, approach would have been to also have a ‘top down’ analysis
of the transaction logs of the Scheme branches undertaken by Fujitsu or an
independent qualified party to search for patterns of unusual behaviour in
individual branches, and across branches, on a purely data-driven analytical
basis which might suggest a wider problem, which could then be cross-
referenced with the branch fact-specific work carried out by POL (which may
have explained some of those instances).
In our meeting with Deloitte, it was confirmed that this type of exercise was
something they would have expected could be carried out across the relevant
dataset (including non-Scheme branches as a control) to look for oddities or
reconciliation errors. We are mindful that external organisations are more
likely to suggest possible sources of work they could carry out, but the
suggestion aligns with our own view of work which is at least potentially useful
to rule out more comprehensively the possibility of a system bug affecting some
Scheme cases.
We recognise that this has the potential to be a costly exercise. Deloitte
suggested to us that it would be likely to take two people approximately four
44
129.
(C)
130.
131.
132.
POL00167707
POL00167707
weeks to set the parameters of the work (which would include ensuring that
they fully understood how transactions were recorded), and a further
unspecified period to carry out the analysis. Fujitsu would obviously be in a
position to carry out such a task more rapidly.
In the light of this, we do not consider it appropriate to recommend that POL
take this step, but rather we suggest that it consider doing so. This is likely to
involve costing the work and then balancing that cost against the possible
benefits in the light of existing, substantial, spend on this matter and the other
recommendations we make.
Third Party Action
SPMRs have alleged that certain transactions appear in their transactions
records which they did not perform. There is, as a result, an allegation - usually
generic rather than specific - that branch records can be remotely altered by
POL and/or Fujitsu to the detriment of the SPMR.
We have seen through the Scheme investigations that in the vast majority of
cases specific transactions of concern have been readily explicable by common-
sense explanations; such as sharing of user identifications, or SPMRs being on
leave, or mistakes as to the timings. Other types of amendment of branch
records ~ Transaction Acknowledgements relating to third party information,
and Transaction Corrections issued by POL - require the acceptance of the
SPMR before they are adopted into the accounts on Horizon. (In some of the
Scheme cases, the shortfalls included unaccepted Transaction Corrections.)
A slightly different category is that discussed in the report drafted by Helen
Rose on 12 June 2013 in respect of the Lepton branch, which formed part of
Second Sight’s Spot Review 1 consideration. That discusses a Horizon record
45
133.
POL00167707
POL00167707
that a transaction was reversed, and the assertion of the SPMR that he had not
carried out the reversal. Ms Rose discusses the fact that it only became clear
through detailed discussions with Fujitsu (in the person of Gareth Jenkins) that
the transaction was automatically reversed because of a system failure before
completion, but that this was only clear at level of raw data not apparent in the
transaction logs available to the SPMR and POL. Ms Rose raised the fact that
the data available may appear misleading. In our view, the Rose report is
evidently important and her suggestion for a change in data recording is
eminently sensible. It is not, however, a true example of the system altering
branch records, as it is really Horizon not completing a transaction due to a
system failure of some kind. While this may have caused confusion on some
occasions due to the lack of clarity in identifying that it was an automatic
reversal, we do not consider that it gives rise to any wider issue which needs
further consideration.” Ms Rose’s report was available to Second Sight who
agreed with her that the clarity of the transaction logs should be improved.
We are aware that the consistent position of POL and Fujitsu has been to the
effect that transaction records, and therefore branch balances, cannot be
remotely altered without SPMR knowledge. For example, in Fujitsu’s response
to a draft of the Part Two Report, dated 15 September 2014, paragraph 11.2
states “To be clear, any system generated transaction requires a branch user to
acknowledge and accept this transaction and it is this operative’s id that is recorded as
the primary id”. As an example of POL’s expression of the position, we take its
Response to the Westminster Hall Debate of 17 December 2014, dated January
2015, responding to the concerns raised by MPs during that debate. At
paragraph 47, POL states that “There is no functionality in Horizon for either a
branch, Post Office or Fujitsu (suppliers of the Horizon system) to edit, manipulate or
remove transaction data once it has been recorded in a branch's accounts.” At
We note that Fujitsu’s response to a draft of the Part Two Report stresses that a receipt
is printed when an automatic reversal occurs to inform the SPMR, and that the SPMR
in Spot Review 1 had indeed had such a receipt (paragraph 12.2 of the response).
46
134.
135.
136.
POL00167707
POL00167707
paragraph 48, POL discusses Transaction Acknowledgements and Transaction
Corrections, reiterating that both be must be accepted by the SPMR.
The issue of the ability to remotely alter branch balances derives from the case
considered in Spot Review 5, where an SPMR alleged that he had visited the
Fujitsu Bracknell site in 2008, had been shown around by a member of POL
staff, and had been shown the ability of the team to alter the recorded holdings
of a branch. In their Part Two Report, Second Sight refer to their having
requested email records for all of the POL staff working at Bracknell in 2008
but only having been provided with those for August 2008 (when the visit took
place). Second Sight state these emails would be “ the most compelling evidence on
this point” (paragraph 2.10). Second Sight confirmed to us that it is only those
wider tranche of emails to which they refer in paragraph 2.13 when they state
that it is “regrettable that we have not been provided with the further evidence we have
requested in order to reach a properly researched conclusion”. They nonetheless
concluded at paragraph 2.12 that their “current, evidence based opinion, is that
Fujitsu / Post Office did have, and may still have, the ability to directly alter branch
records without the knowledge of the relevant Subpostmaster” .
We have seen a draft witness statement from Martin Rolfe, who is the POL
employee who carried out the tour in question. He explains, as POL has always
stressed and Fujitsu have confirmed, that POL employees at that time only had
access to a test environment which was not connected to the Horizon network.
He believes that the SPMR must have misunderstood what he was seeing,
because the test screens would have looked like the Horizon system but were
not live or connected to actual branches. Fujitsu have stressed to us that the live
network is accessible only to Fujitsu employees in a secure area on a different
floor of the Bracknell building.
This secure area is, we assume, what was being referred to by Mr Roll when he
spoke to the BBC Panorama programme, in which it is said by the reporter that
Mr Roll told him that “financial records were sometimes changed remotely without
47
137.
138.
139.
140.
POL00167707
POL00167707
the postmaster knowing” and which Mr Roll describes as going “in through the
back door”. Mr Roll, as we understand it, was a Fujitsu employee in the level of
line support which would have had access to the secure area. The specific
comments in the Panorama programme are, however, ambiguous and unclear
as to precisely what is being suggested was done. It is difficult to deal with or
respond to those comments as a result.
Second Sight’s Part Two Report also obtained and quoted from documents
between Fujitsu and POL in 2008 and 2010, which suggested that Fujitsu had
the capability to amend or correct live branch data. We have read the
documents quoted in the Part Two Report at paragraphs 14.8-14.15 and it is
undeniable that those documents clearly suggest that Fujitsu does have the
ability to “manually write an entry value to the local branch account”. POL are noted
by Second Sight to say that the references in those documents to amendments
and corrections are inaccurate, because the system only allows additions to the
records which can be seen by the SPMR.
Unlike Second Sight, we have also read two documents produced for POL by
Deloitte in May and June 2014, entitled ‘Horizon: Desktop Review of Assurance
Sources and Key Control Features’ and an accompanying ‘Board Briefing’. As
we understand it, POL instructed Deloitte to carry out some review work as to
how Horizon functions, the controls in place and the extent to which it was
achieving the objectives of the system. Deloitte’s work was a desktop review of
the operating documentation, including discussions with Fujitsu and POL. It
did not involve access to the system itself or testing processes.
Deloitte’s Board Briefing highlights two aspects of Horizon which are relevant
to this part of the Review and which we found to be more clearly set out than
in any other document we have seen on this subject.
Deloitte note, following a review of the technical documentation, the ISAE3402
and verbal discussions with POL and Fujitsu, that database access privileges
48
POL00167707
POL00167707
which “would enable a person to delete a digitally signed basket” do exist, but are
“restricted to authorised administrators at Fujitsu”. Those privileges “would enable
a person to create or amend a basket and re-sign it with a ‘fake’ key, detectable if
appropriately checked”. Deloitte had not identified specific controls to prevent a
person with the appropriate authorisation carrying out this exercise in an
unauthorised manner. The Briefing goes on to state that administrators had the
ability to “delete data from the Audit Store during the seven year period, which was a
matter...contrary to POL’s understanding... This could allow suitably authorised staff
in Fujitsu to delete a sealed set of baskets and replace them with properly sealed baskets,
although they would have to fake the digital signatures”. When we spoke to Deloitte,
they described this functionality as resulting, in essence, from the level of
security contained in Horizon being a level down from the maximum.
141. We have seen a response from Fujitsu concerning this aspect of Deloitte’s
investigation, which is based upon a summary of it provided by POL rather
than the original Board Briefing itself. Fujitsu appear to accept that Deloitte’s
interpretation is technically correct, but emphasise the wide range of security
measures in the software, hardware and environment which reduce the risk of
interference. Fujitsu also, properly, stress that there is no evidence that any such
action has occurred and that likelihood of all the security measures being
overcome is so small that it does not represent a credible line of further enquiry.
142. The fact that such activity is possible does not, of course, indicate that it has
actually occurred. We find it difficult to see why it would have done so. Second
Sight suggested to us orally that Fujitsu employees could, in theory, runa fraud
in collusion with an SPMR whereby transactions were added to the branch
records generating cash payments out. Even if it may be theoretically possible,
there is no evidence for this and it is inherently improbable. An alternative may
be closer to Mr Roll’s account, which would be that Fujitsu would use the
49
POL00167707
POL00167707
functionality to correct system bugs without drawing them to the attention of
POL or SPMRs in order to avoid any form of contractual penalty.8
143. The second issue expressly noted by Deloitte, but not clearly seen elsewhere in
the documentation we have reviewed, is the existence of a third mechanism by
which errors can be corrected: a Balancing Transaction. This is “an emergency
process, accessible only to restricted individuals in Fujitsu, which can create
transactions directly in Branch ledgers. This process creates an identifiable transaction
in the ledger, verbally asserted by POL staff to be visible to Sub-postmasters in their
branch reporting tool, but does not require positive acceptance or approval by the Sub-
postmaster.” Deloitte explain that they were told that this tool had only been
used once since 2008 - in 2010 - and generated a full audit trail.
144, Although it is not entirely clear, it is likely that the admitted 2010 instance is
the same, or linked to, the 2010 documents referred to by Second Sight in their
Part Two Report. However, Deloitte have carried out no work to assure
themselves that it has only be used on the one occasion, or as to the position
before 2008. It is not clear to us why 2008 was the cut-off period for information,
as this pre-dates the introduction of Horizon Online.
8 In our discussion with Second Sight, we were told that Mr Roll had said (in a recorded
interview with them) that he and his colleagues could, and did, make alterations which
affected the account balances in branches. Moreover, he is reported as saying that on
one night he and his colleagues had had to secretly correct 500,000 glitches in one night
which could affect branch balances. Second Sight said that Mr Roll had told them that
under the contract Fujitsu would be fined by POL £10 for every glitch which was
reported to them. We asked Fujitsu for their response to this allegation, which Fujitsu
did not recognise and could not explain. Fujitsu suggested that it would probably not
be possible to correct 500,000 software glitches in one night and certainly was not true.
They could not suggest a plausible alternative scenario which the allegation might
have been confused with. Mr Roll’s allegation is, of course, second-hand via Second
Sight and without any sort of detail or accompanying evidence. It does not appear in
the Part Two Report. It does not seem to us to be a solid basis upon which we could
criticise either POL or Fujitsu. We also note that the existence of a recording came as
something of a surprise to us, as we had not seen any reference to Second Sight
possessing such evidence before. We do not know the status of that recording or the
extent to which POL is entitled to have access to it as material gathered under Second
Sight’s terms of engagement.
50
145.
146.
147.
POL00167707
POL00167707
It seems to us that the Deloitte documents in particular pose real issues for POL.
First, both the existence of the Balancing Transaction capability and the wider
ability of Fujitsu to ‘fake’ digital signatures are contrary to the public
assurances provided by Fujitsu and POL about the functionality of the Horizon
system. Fujitsu’s comment we quote above seems to us to be simply incorrect,
and POL’s Westminster Hall Response is incomplete. To the extent that POL
has sought to contend that branch data cannot be remotely ‘amended’ because
a Balancing Transaction does not amend existing transactions but adds a new
one, we do not consider this is a full picture of Horizon’s functionality. The
reality is that a Balancing Transaction is a remotely introduced addition to
branch records, added without the need for acceptance by the SPMR, which
affects the branch’s balance; that is its express purpose.° POL has always known
about the Balancing Transaction capability, although the Deloitte reports
suggest the digital signature issue is something contrary to POL’s
understanding.
We recognise that the existence of the two matters highlighted by Deloitte are
most likely to be wild goose chases. It is improbable that they have been used
beyond the identified instance. However, in the light of the consistent
impression given that they do not exist at all, we consider that it is now
incumbent on POL to commission work to confirm the position insofar as
possible. Accordingly we make a recommendation to that effect.
Second, the Deloitte reports, or at least the information contained within them,
may be disclosable under POL’s on-going duties as a criminal prosecutor. We
suspect that it is likely that such functionality would have been something an
SPMR’s defence team would have considered relevant to their case, even if the
We note that POL did refer to the existence of the Balancing Transaction in its Reply
to the Part Two Report of April 2015 at paragraph 14.5 (but had not done so in its
earlier Reply of 22 September 2014 to the draft Part Two Report). However, it equates
a Balancing Transaction with a Transaction Acknowledgment, without reflecting the
fact that a Balancing Transaction does not require acceptance in the same way.
51
148.
(D)
149.
10
POL00167707
POL00167707
likelihood of remote Fujitsu interference is very limited. We do not know
whether this information has been provided to the CCRC. But given that POL
used a Balancing Transaction in 2010, it cannot say that the functionality was
not known to it, and we have seen no reference to such capabilities in the
witness evidence given by Gareth Jenkins of Fujitsu. These are matters on
which specialist legal advice from external counsel, perhaps Brian Altman QC,
should be sought and we so recommend.
However, we also wish to make clear that we do not consider any further steps
need be taken in respect of the Bracknell test area issue raised by Second Sight.
We consider that POL’s explanation of the misunderstanding is convincing and.
that a review of all emails from 2008, even if possible, would be an
unreasonable use of resources.!° We are confirmed in that view by the fact that
in our meeting with them Second Sight accepted that the Bracknell emails were
a ‘red herring’ and that they no longer thought it was an issue which required
pursuing either. As we understand it, Second Sight took that view because they
thought the focus of investigation should be around the allegations of Mr Roll,
which implicitly recognise that it was Fujitsu employees with the ability to
affect branch records rather than POL staff. We agree, but base our view on the
work of Deloitte rather than the ambiguously reported suggestions of Mr Roll,
which neither we nor POL have ever seen the detail of.
Recommendations
We recommend as follows:
(3) POL consider instructing a suitably qualified party to carry out an
analysis of the relevant transaction logs for branches within the
Fujitsu have informed us that they do not have a data retention policy for emails, and
that when emails are deleted they are not retrievable. In any event, we do not consider
it necessary to pursue emails from 2008, be they of POL or Fujitsu employees.
52
(4)
6)
(6)
POL00167707
POL00167707
Scheme to confirm, insofar as possible, whether any bugs in the
Horizon system are revealed by the dataset which caused
discrepancies in the accounting position of any of those branches.
POL instruct a suitably qualified party to carry out a full review of
the use of Balancing Transactions throughout the lifetime of the
Horizon system, insofar as possible, to independently confirm from
Horizon system records the number and circumstances of their use.
POL instruct a suitably qualified party to carry out a full review of
the controls over and use of the capability of authorised Fujitsu
personnel to create, amend or delete baskets within the sealed audit
store throughout the lifetime of the Horizon system, insofar as
possible.
POL seek specialist legal advice from external counsel as to whether
the Deloitte reports, or the information within them concerning
Balancing Transactions and Fujitsu’s ability to delete and amend
data in the audit store, should be disclosed to defendants of criminal
prosecutions brought by POL. This advice should also address
whether disclosure should be made, if it has not been, to the CCRC.
53
150.
151.
152.
POL00167707
POL00167707
VII. The Support Provided to SPMRs
A consistent theme of the complaints made by SPMRs is that the training they
were provided was insufficient, particularly in relation to the accounting side
of their role, and that the support provided to SPMRs in office through the
NBSC was unhelpful or misleading. We have seen allegations that NBSC call-
handlers advised SPMRs that discrepancies would ‘sort themselves out’ and
we are aware that SPMRs have alleged that NBSC advised them to submit false
accounts.
These issues have been addressed as comprehensively as possible by both POL
and Second Sight through their investigations of all the Scheme cases. Although
training records were not always available, NBSC call logs were available back
to around the year 2000.
We consider it inevitable that the ability of any investigation to definitively deal
with each individual allegation would be hampered by a number of factors:
(1) Even where training records exist, if an applicant alleges that they
received less training than they should have done it will be very difficult
now to establish the correct position. Individual trainers, even if still
employed, are highly unlikely to remember training sessions many years
ago.
(2) I The NBSC call logs do not tend to provide the details of the call-handler’s
answer to any issue. They are often helpful in identifying the issue for
which assistance is sought, but the answer recorded is very often simply
that the SPMR was given an answer from the Knowledge Base, but not
which part of the Base or precisely what was said. Calls were not
routinely recorded.
54
153.
154.
(3)
(4)
6)
(6)
POL00167707
POL00167707
The call logs are filled in by the call-handlers. It is highly unlikely that
even if a call-handler had suggested that an SPMR falsely account, the
advice would have been logged.
As with the training, even if individual call-handlers were still employed
it is highly unlikely that they would be able to remember the details of
any individual call.
SPMRs have generally been unable to recall with any specificity the
dates or precise content of advice they received from the NBSC or HSD.
This is similarly unsurprising.
A number of instances were alleged by SPMRs whereby their
discrepancy doubled (or worse) when they followed the advice of the
NBSC. The advice given by NBSC - who had no access to the branch
systems - was dependent upon the caller correctly identifying the
problem to the call-handler. If the problem was misunderstood, then the
corrective action proposed might in fact exacerbate the problem.
Working out now whether the SPMR identified the correct problem, or
the NBSC gave the incorrect advice is not likely to be possible.
In those circumstances, we consider that the work already done by POL and
Second Sight on the individual cases is generally likely to have addressed these
issues in relation to applicant SPMRs insofar as it is now possible. We address
the detail of that work on Scheme cases in more detail in Part VIII below.
During the course of our interviews with POL staff, one matter arose which we
consider could be now be a strand of reasonable further investigation. Calls to
the NBSC were recorded against the identity of the call-handler, and we were
told that call-handlers were and are the subject of performance monitoring as
55
155.
156.
POL00167707
POL00167707
we would expect. That performance monitoring would presumably include
references to any complaints about an individual call-handler’s advice. It is
therefore possible that POL could cross-reference specific complaints that the
NBSC provided misleading advice (particularly advice to falsely account)
against the personnel files of possible call-handlers to establish whether
anything in the performance monitoring or complaints might indicate that it
was more likely that a particular call-handler had provided misleading advice.
We accept that it may well be the case that no further information would come
to light. We accept that SPMR complaints have usually not been specific about
dates or call-handlers, but we consider that a narrow focus on clear complaints
(rather than general allegations that the NBSC was not helpful) would be
manageable. We also understand that POL may not still have access to the
relevant personnel files, because they have been destroyed or because they are
in the custody of Royal Mail Group. It may be the case that no further
information is discovered as a result of a combination of these factors, but we
nonetheless consider that it would be reasonable for POL to conduct this
relatively self-contained exercise to establish whether any further relevant
information could be uncovered.
Accordingly, we recommend as follows.
(7) POL cross-reference specific complaints about misleading advice from
NBSC call-handlers with the possible employees who provided that
advice and consider their personnel files, where available, for
evidence as to the likelihood that the complaint may be well-founded.
We note that Second Sight concluded in their Part Two Report that the training
provided by POL was “probably adequate”, at least for SPMRs with reasonable
levels of IT skills, numeracy and accuracy (paragraph 11.1). When read with
the criticisms of the unqualified nature of some of the SPMRs appointed at
paragraph 21.25, we understand this to effectively mean that the training was
56
157.
158.
159.
POL00167707
POL00167707
adequate for SPMRs who were properly qualified and appointed to be
appointed to runa branch. We also note that Second Sight reiterate this finding
at paragraph 12.5 when they say that the errors at the counter made by SPMRs
are more likely to be the result of inadequate support than inadequate training.
However, Second Sight are unable to reach any evidenced view as to the
allegations about the NBSC and HSD in the light of the limited evidence now
available (paragraph 12.8).
However, we also recognise that Second Sight do suggest that POL’s training
programme required more product-specific training (paragraph 11.1), greater
accounting and balancing training (paragraph 11.2) and that there was an
insufficient degree of quality control to deliver effective training (paragraph
11.7).
We understand that POL accept that improvements to both its training and
support can and should be made. We endorse that view. We are aware of the
Business Support Programme established in 2013, which has made various
refinements to the training programme for SPMRs, to providing express
balancing support advice from the Branch Support Team and increasing the
tools available to the NBSC in assisting callers, including access to branch
transaction data and the recording of all calls (with a retention period yet to be
determined). All of these changes are extremely positive ones.
We have also seen the ‘Lessons Learnt Log’ produced by Angela Van Den
Bogerd (POL Director of Support Services), dated 11 November 2015, which
sets some 30 pages of proposed changes to POL processes to address issues
arising from the Scheme investigations and the views of Second Sight. We do
not go through that document here but, again, we consider this to have been
an extremely constructive and sensible exercise.
57
POL00167707
POL00167707
160. With the exception of the one recommendation we have made, we consider that
the training and support provided to SPMRs cannot now reasonably be the
subject of further work by POL which looks at past cases. It is the area in which
the greatest amount of work can be done to improve the situation in future, and
it is clear to us that POL has accepted the need to do that work across all areas
of the business and in detail.
58
161.
162.
163.
POL00167707
POL00167707
VIII. Scheme Investigations
Those SPMRs who complained to POL via the Scheme about losses for which
they had been held accountable have had their cases and complaints
investigated by both POL and Second Sight. We recognise that there may be
other SPMRs who feel that POL has not treated them fairly in some respect, but
as any SPMR who wished to do so was entitled to apply to the Scheme with
considerable attendant publicity, we consider that POL is entitled to treat only
those applicants to the Scheme as raising serious or material complaints about
Horizon and POL’s treatment of them.
An applicant to the Scheme would submit a case questionnaire review setting
out their grievance and what they wished to achieve from any mediation, along
with any supporting evidence that they had available. In some cases, this was
considerable. In many, it was minimal or limited. Many applicants took
advantage of the contribution POL made towards the cost of a professional
advisor.
POL would then investigate the details of that complaint and gather as much
documentary evidence as they were able to find, reaching what conclusions
they were able to on each aspect of the complaint. Depending on the age of the
events in question, POL was normally able to retrieve from Fujitsu the
transaction logs for the branch, any NBSC call logs and logs of calls to the HSD
or to Fujitsu. In some cases, POL was able to find training records and other
correspondence. POL also sought the audit records for the branch which
uncovered the shortfall, and the correspondence between POL and the SPMR
during the investigation and termination processes. POL produced a POIR
which addressed the specifics of the grievance by reference to the evidence
collected.
59
164.
165.
166.
167.
POL00167707
POL00167707
The POIRs were produced by two teams of POL investigators, made up of field
support advisors, who carry out the branch training and audit work, and some
security personnel (who would usually carry out internal criminal
investigations). We were told that all investigators were experienced on
Horizon and many were former SPMRs. They were not computer system
experts, and we were told Fujitsu did not conduct their own analytical review
of the relevant transaction logs.
This material was then passed to Second Sight, who reviewed it, might speak
to the SPMR, and produced their own CRR expressing a view as to whether
mediation was suitable, along with findings in relation to the complaints made
by the SPMR. This work took some 18 months to complete, following the
closure of the Scheme in November 2013.
In order to better understand the nature of the complaints made, and the work
done in the POIRs and CRRs, we reviewed a sample of the documentation for
the Scheme cases. There were 150 applicants to the Scheme. For the purposes
of our review, we excluded from our sample any of the 37 cases in which the
applicant had been convicted. This was on the basis that no investigation or
mediation could overturn a criminal conviction. (We add that in the three
criminal Scheme cases we reviewed for the purposes of Part V of this Review,
two of the CQRs - in cases M103 and M149 - sought outcomes which included
POL publicly apologising for its prosecution and assisting the SPMR in
overturning their conviction. In case M060 the SPMR sought an express
agreement from POL that she had not stolen any money.) This left some 113
non-criminal case. We considered a 10% sample was appropriate: 11 cases.
We reviewed the so-called thematic issues identified by Second Sight in their
Part Two Report and sought, by virtue of a helpful spreadsheet of all Scheme
cases produced by POL, to sample our cases for review randomly but to ensure
coverage of the full range of issues raised by Scheme applicants. We
60
168.
169.
POL00167707
POL00167707
accordingly selected the following cases for review: M014, M026, M037, M058,
M070, M088, M100, M114, M131, M133, and M148. Our reading focussed on the
CQRs, POIRs and CRRs, but also involved some sampling of the substantive
evidence collected.
We were impressed at the work carried out by POL. In many cases significant
amounts of evidence were able to be collated. Having reviewed the CQRs, it
was clear that very many of the SPMRs (for understandable reasons) were
unable to give much by way of specific instances of concern, or anything other
than vague and generic complaints. Most of the cases involved a shortfall at
audit of between £10,000-20,000, but two cases were over £60,000 and one case
involved a staggering shortfall of over £450,000. The cases we reviewed
involved a mix of time periods. Some spanned both the original Horizon
system and Horizon Online, some involved only one or the other. Most
involved losses over approximately a two-three year period, but some involved
much lengthier periods. Two cases involved losses identified in 2004 and 2005
and therefore of considerable antiquity, which posed real and understandable
problems of evidential clarity, along with data retention.
Although the POIRs might have sometimes erred on the side of conclusions
which were overly robust in rejecting the possibility of anything other than
operator error, we generally found that Second Sight broadly accepted the
analysis of the evidence set out in the POIR. Where it did not, it was usually
because Second Sight felt unable to express a concluded view. Often this
appeared justified, but we considered that on a surprising number of occasions
Second Sight felt unable to choose between a bare assertion on the part of the
SPMR and the indications provided in the evidence trail. In none of the cases
we sampled were Second Sight willing to conclude that the shortfall was due
to the Horizon computer system causing those losses, although they did
speculate that the disproportionate appearance of power failures in the CQRs
was likely to contribute to some extent. In general, Second Sight accepted that
61
170.
171.
172.
POL00167707
POL00167707
the most likely cause of shortfalls was operator error on the part of SPMRs and
their staff. This accords with the conclusions in the Part Two Report.
Both the POIRs and CRRs were often unable to identify a specific cause of
losses. We do not consider this surprising. Most cases involved very little
assistance from the SPMR to highlight potential causes or even time periods.
Where there was assistance, the dates given often proved to be incorrect when
the evidence was examined. Moreover, the integrity of the transaction records
is essentially dependent upon the information inputted at the branch. It is
extremely difficult for any third party - or the SPMR after the passage of time
- to review those records to identify precisely what went wrong, although
likely causes were identifiable in many instances. However, we were surprised
at just how many of the cases involved blatant instances of false accounting,
rendering POL’s task of assisting the SPMR in working out where problems
had arisen very much harder without an accurate reference point from which
to work.
In only one of the Scheme cases we sampled did the Second Sight CRR suggest
further investigative work might have been carried out, in case M014 for
technical evidence on communications interference problems. This is good
evidence in our view that POL’s investigation during the course of the Scheme
was detailed and thorough. It leaves very limited available ‘gaps’ which might
now be filled by yet further work.
We understand that the material collated in the investigation process has been
provided to the Scheme applicants. That is entirely appropriate. In the light of
POL’s decision to mediate all remaining Scheme cases not involving a court
judgment, all cases can be approached in an evidence-based way at mediation.
We assume that POL will continue to approach the mediation process in a
constructive and realistic manner.
62
173.
174.
POL00167707
POL00167707
There is one issue which potentially relates directly to the Scheme cases but
which has not, so far as we are aware, been the subject of any specific analysis.
That issue was the one raised by Second Sight in their Part Two Report between
paragraphs 2.14-2.19, and relates to the handling by POL of unmatched credit
balances in its own suspense account (or similarly named account) in respect
of third party clients (such as Santander or Bank of Ireland). The point Second
Sight raise is that where there are significant sums in unmatched balances, it is
possible that at least some of that money would reflect uncorrected transaction
discrepancies in particular branches. We consider that this is logically possible,
and is at the least worthy of express investigation and clarification.
Accordingly, we recommend that:
(8) POL commission forensic accountants to review the unmatched
balances on POL’s general suspense account to explain the
relationship (or lack thereof) with branch discrepancies and the extent
to which those balances can be attributed to and repaid to specific
branches.
The recommendations we have made in Parts VI and VII feed into the
investigation of individual cases. Having reviewed the lengthy and costly work
already done by POL and Second Sight, and with the single exception set out
above, we do not consider that it would be reasonable to recommend any
further additional investigative recommendations be made.
63
175.
POL00167707
POL00167707
IX. Summary of Recommendations
We make the following recommendations to the Chairman.
()
(2)
(3)
(4)
6)
Legal advice be sought from counsel as to whether the decision to
charge an SPMR with theft and false accounting could undermine the
safety of any conviction for false accounting where (a) the conviction
was on the basis of a guilty plea, following which and/or in return for
which the theft charge was dropped, and (b) there had not been a
sufficient evidential basis to bring the theft charge.
If such a conviction could be undermined in those circumstances, that
counsel review the prosecution file in such cases to establish whether,
applying the facts and law applicable at the relevant time, there was a
sufficient evidential basis to conclude that a conviction for theft was a
realistic prospect such that the charge was properly brought.
POL consider instructing a suitably qualified party to carry out an
analysis of the relevant transaction logs for branches within the
Scheme to confirm, insofar as possible, whether any bugs in the
Horizon system are revealed by the dataset which caused
discrepancies in the accounting position of any of those branches.
POL instruct a suitably qualified party to carry out a full review of the
use of Balancing Transactions throughout the lifetime of the Horizon
system, insofar as possible, to independently confirm from Horizon
system records the number and circumstances of their use.
POL instruct a suitably qualified party to carry out a full review of the
controls over and use of the capability of authorised Fujitsu personnel
to create, amend or delete baskets within the sealed audit store
throughout the lifetime of the Horizon system, insofar as possible.
64
(6)
(7)
(8)
POL00167707
POL00167707
POL seek specialist legal advice from external counsel as to whether
the Deloitte reports, or the information within them concerning
Balancing Transactions and Fujitsu’s ability to delete and amend data
in the audit store, should be disclosed to defendants of criminal
prosecutions brought by POL. This advice should also address
whether disclosure should be made, if it has not been, to the CCRC.
POL cross-reference specific complaints about misleading advice from
NBSC call-handlers with the possible employees who provided that
advice and consider their personnel files, where available, for
evidence as to the likelihood that the complaint may be well-founded.
POL commission forensic accountants to review the unmatched
balances on POL’s general suspense account to explain the
relationship (or lack thereof) with branch discrepancies and the extent
to which those balances can be attributed to and repaid to specific
branches.
JONATHAN SWIFT QC
CHRISTOPHER KNIGHT
8 February 2016
11, King’s Bench Walk,
Temple. EC4Y 7EQ.
65
POL00167707
POL00167707
A REVIEW ON BEHALF
OF THE CHAIRMAN OF
POST OFFICE LIMITED
CONCERNING THE
STEPS TAKEN IN
RESPONSE TO VARIOUS
COMPLAINTS MADE BY
SUB-POSTMASTERS
66