POL00411820 - Post Office Legal Department An Overview of the Legal & Regulatory Framework at Post Office Ben Foat - Legal Director


Post Office Legal Department

An Overview of the Legal & Regulatory Framework at Post Office

Ben Foat — Legal Director

ARC Training 25 September 2017


Post Office® Strictly Confidential
POL-BSFF-0233653

Structure

* Introduction
* Scope
* Context
* POL’s regulators
* POL’s legal and regulatory framework
* High level overview of recent legal and regulatory requirements:
  - IDD
  - DPA/GDPR
  - Modern Slavery
  - AML
  - CFA
* Future steps to enhance controls


Post Office’s Legal & Regulatory Framework
Scope

- Hundreds of pieces of legislation and regulation

- Vast web of laws, regulations, contracts, licences, & disputes

- Purpose:
  - Outline material and most frequently encountered legislation and regulation.
  - Who is accountable (ownership of the risk) and responsible (those who need to comply or follow direction of the accountable owner) within POL.
  - Outline the basic controls that mitigate the risk and through which assurance can be given that the risk is being appropriately managed.

- Necessarily high level but Legal would be pleased to provide deep dives into any topic.


Post Office’s Legal & Regulatory Framework
Context

Multi-line Business

* Financial Services, Telecoms, Retail, Government Services, and Mails
* Perform Transactional, Advisory and Contentious Legal Work

Public Ownership

* Additional obligations, e.g. Public Procurement Rules

Highly Unionised Workforce

* Various collective bargaining agreements requiring IR and ER support

Importance of Brand

* Strong and trusted brand. One of our biggest assets.

LEGAL FRAMEWORK / RISK = COMPLEX AND BROAD

Regulatory Oversight


Direct Regulators

* Information Commissioner’s Office (ICO)
* Civil Aviation Authority

Indirect Regulators

* Bank of England / Prudential Regulation Authority
* Ofcom
* Competition & Markets Authority (CMA)
* HM Revenue & Customs
* Security Industry Authority
Legislative & Regulatory Framework
Red Category

Executive columns: CEO (Paula Vennells); FS & Telco (Nick Kennett); Retail (Kevin Gilliland); Strategy (Martin Edwards); HR (Martin Kirke); IT (Rob Houghton); LRG/CoSec (Jane MacLeod); Ops (Al Cameron); Comms, Brand & Corporate Affairs (Mark Davies)

Material Legislation / Regulation | Business Area
Companies Act 2006 | CEO, LRG, Ops
Data Protection Act 1998 & GDPR | All
Gross Negligence Manslaughter | Ops, Retail
Health & Safety at Work Act 1974 | Ops, HR, Retail
IMD & Insurance Distribution | FS, Retail
Modern Slavery Act 2015 | HR, Ops, Retail
MLR 2017 | FS, Retail, LRG
Privacy and Electronic Communications Regulations 2003 | LRG, FS, Tel
Small Business, Enterprise and Employment Act 2015 | Ops, Brand
Senior Managers & Certification Regime | HR, FS

Legislative & Regulatory Framework

Amber Category


Executive columns: CEO (Paula Vennells); FS & Telco (Nick Kennett); Retail (Kevin Gilliland); Strategy (Martin Edwards); HR (Martin Kirke); IT (Rob Houghton); LRG/CoSec (Jane MacLeod); Ops (Al Cameron); Comms, Brand & Corporate Affairs (Mark Davies)

Material Legislation / Regulation | Business Area
Bribery Act 2010 | All
Communications Act 2003 | FS, Tel, Retail
Competition Act 1998 | All
Corporate Manslaughter and Corporate Homicide Act 2007 | Ops
Criminal Finances Act 2017 | All
Digital Economy Act 2017 | Retail, Ops, IT, FS, Tel, Brand
Enterprise Act 2002 (competition) |
Environmental Legislation and Regulations | Ops
Environmental Protection Act 1990 | Ops
Equality Act 2010 | All
Financial Services and Markets Act 2000 / FCA Handbook | CEO, FS, Retail
Freedom of Information Act 2000 | LRG
Intellectual Property Laws (various) | FS, Ret, Br, IT
Payment Services Regulations 2017 | FS, Retail
Public Interest Disclosure Act 1998 (whistleblowing) | All
Trade Unions and Labour Relations (Consolidation) Act 1992 (TULRCA) | HR
Value Added Tax Act 1994 | Ops

Legislative & Regulatory Framework

Green Category

Executive columns: CEO (Paula Vennells); FS & Telco (Nick Kennett); Retail (Kevin Gilliland); Strategy (Martin Edwards); HR (Martin Kirke); IT (Rob Houghton); LRG/CoSec (Jane MacLeod); Ops (Al Cameron); Comms, Brand & Corporate Affairs (Mark Davies)

Material Legislation / Regulation | Business Area
Business Rates | Ops
Consumer Insurance (Disclosure and Representations) Act 2012 | FS, Retail
Employment Rights Act 1996 | All
Energy Acts, Directives and Regulations (various) | Ops
Enterprise Act 2016 (pay cap) | All
FCA Conduct of Business Sourcebook (COBS/ICOBS) | CEO, FS, Retail
Insurance Act 2015 | FS, Retail
Landlord and Tenant Acts | Ops
Law of Property Acts; Land Registration Act 2002; 2003 Rules | Ops
Ofcom’s Conditions of Entitlement | FS, Retail, Brand
Postal Services Act 2011 | FS, Retail, Strategy
Public Contracts Regulations 2015 | All
Reforming the Intermediaries Legislation (IR35) | HR
Re-use of Public Sector Information Regulations | LRG
The Consumer Rights Act 2015 | Retail, FS
The Payment Card Industry Data Security Standard | FS, Retail
The Welsh Language (Wales) Measure 2011 and associated Regulations | Retail, FS, Brand
Town and Country Planning Act 1990 | Ops
Transfer of Undertakings (Protection of Employment) Regulations 2006 | All
Treaty on the Functioning of the European Union - State Aid | Retail, LRG, Strategy, Ops
Universal Postal Union Convention/CAA | Retail

and various others

Data Protection Act / GDPR

DPA regulates Data Controllers in respect of processing personal data. Data Controllers need to comply with 8 Principles. GDPR will come into effect 25 May 2018 and will enhance the DPA framework. ICO is the UK regulator of personal data.

GDPR new areas include:

* Obtaining consents
* Accountability & Evidence
* Data Protection by Design (PIA)
* Individual Rights
* Reporting of breaches
* Appointment of DPO

Penalty of Non-Compliance

* DPA £500K fine; GDPR 4% annual global turnover; personal criminal liability on directors if breach with their consent, connivance, or neglect.

Accountable and Responsible

* Jane MacLeod (A) and rest of GE (R)

Controls

* IPA team, DPA and Information Policies, DPA clauses in contracts incl. house position, Data maps, records inventory, GDPR Steerco

Modern Slavery Act


Modern Slavery Act is aimed at tackling the global problem of slavery and human trafficking. The Act requires certain commercial organisations to publish a “slavery and human trafficking” statement for each financial year setting out the steps (if any) they have taken to ensure that slavery and human trafficking are not taking place in their business or supply chain.

Penalty of Non-Compliance

SoS can seek to enforce the obligation by obtaining an injunction in the High Court. Adverse publicity and reputational damage likely.

Personal criminal liability for individuals; the maximum sentence for modern slavery / human trafficking offences is life imprisonment.

Accountable and Responsible

Martin Kirke (A) and Al Cameron and Kevin Gilliland (R)

Controls

Modern Slavery Steerco chaired by John Whitefoot. Code of business standards and Whistleblowing policy have been updated. Procurement & Network processes have been updated. Statement was signed off by the RRC in May and ARC in June 2017. The 16/17 Statement is to be presented to the Board on 31 October. Communication and training plan are also being developed.


IDD — indirect application

IDD applies to POMS but, as a result of the MSA, ARA, and Distribution Agreement between POL and POMS, there are implications for POL. IDD aims to enhance consumer protection and competition.

By 23 February 2018, insurance intermediaries must provide the exact amount of fees payable by the customer, including the post-contract fees a customer may incur during the life of a policy, e.g. commissions. There is a new product information document which is to replace the current policy summary. The insurance intermediary is responsible for distributing it, and staff distributing products must undertake a minimum of 15 hours of CPD. POL is impacted for those products distributed in branch, e.g. Travel, Life.

Penalty of Non-Compliance

Accountable and Responsible (POL)
* Nick Kennett (A) and Kevin Gilliland (R) for IDD

Controls

Criminal Finances Act

CFA comes into force on 30 September 2017 and introduces a new corporate offence of failing to prevent the facilitation of criminal UK or foreign tax evasion by an Associated Person. Associated Persons include employees, postmasters/agents, suppliers, contractors and consultants. It is a defence for the Post Office to show that it had reasonable procedures in place to prevent facilitation, or that it was not reasonable to expect it to have such procedures. The HMRC guidance makes it clear that the Act is not intended to hold bodies to account for their customers’ or agents’ tax crimes, but rather to require them not to turn a blind eye where their associated persons deliberately assist others to evade tax.

Penalty of Non-Compliance

* Criminal corporate offence and potentially unlimited fine.

Accountable and Responsible

* Al Cameron is [proposed] (A) and all GE (R)

Controls

* Finance Crime Policy

* Law and Trends Forum identified this new Act and established a cross functional CFA working group to implement the requirements of the Act and in particular establish a “reasonable procedures” defence to the new corporate offence.

* New contractual obligations are imposed on postmasters, suppliers, contractors and further communication is planned for employees.


Money Laundering Regulations

MLR govern money services businesses, such as POL, because it provides currency exchange and money transmission services. A board member or senior manager must be appointed as the officer responsible for compliance with MLR 2017. POL must maintain an up-to-date premises register with HMRC of all premises where regulated money services business is conducted. Fit and proper tests must be undertaken. POL must have adequate mechanisms for receipt, review, investigation and disclosure of SARs to the NCA. POL must carry out customer due diligence (ID) to prevent ML or TF.

Penalty of Non-Compliance

* Criminal offences including recklessly making a false or misleading statement in the context of ML. Directors and Officers can have financial penalties imposed on them and further sanctions (such as being prevented from holding a management role in the FS industry).

Accountable and Responsible

* Nick Kennett and Jane MacLeod (A) and Kevin Gilliland (R)

Controls

* AML and Financial Crime Policies
* Financial Crime Team
* Complete risk assessments carried out
* Annual Training to relevant stakeholders, employees and branch
* SARs
* Reporting to RCC and ARC

Next Steps: Enhancement of Controls

- POL is developing its three lines of defence model and clarifying
accountabilities and responsibilities across the organisation.

- Legal supports the business to manage legal risk through its legal
policy, legal operating charter, legal business manuals, & regulatory
developments tracker.

- Legal established the Law & Trends Forum this year which consists of
cross functional representation to proactively manage emerging
legislative and regulatory trends and risks.

- External Affairs Steering Group is being developed to ensure a
coordinated and aligned approach on how POL should respond to
public consultations.


Questions?
