POL00447947
GROUP POLICY
Financial Crime
Version — V8.0
Chief Executive’s Endorsement
The Post Office Group is committed to doing things correctly. Our Values
and Behaviours represent the conduct we expect. This policy supports these
to help us ensure the highest standards of financial crime prevention,
detection and management are maintained.
Contents
1. Overview
1.1. Introduction by the Policy Owner
1.2. Purpose
1.3. Core Principles
1.4. Application
1.5. Legislation
1.6. The Risk
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
2.2. Policy Framework
2.3. Who must comply?
2.4. Minimum Control Standards
3. Where to go for help
3.1. Additional Policies
3.2. How to raise a concern
3.3. Who to contact for more information
4. Governance
4.1. Governance Responsibilities
4.2. Tools
5. Document Control
5.1. Document Control Record
5.2. Oversight Committee: Risk and Compliance Committee / Audit and Risk Committee
5.3. Company Details
INTERNAL Page 2 of 18 Financial Crime Policy v8.0 July 2023
1. Overview
1.1. Introduction by the Policy Owner
The General Counsel has overall accountability to the Board of Directors for the design and
implementation of controls to prevent or deter financial crime. Financial crime is covered within the
Compliance agenda item for the Audit and Risk Committees and the Post Office Board is updated as
required.
1.2. Purpose
This Policy has been established to set the minimum operating standards relating to the design and
implementation of controls to prevent or deter financial crime throughout the Group¹.
It is one of a set of policies which provide a clear risk and governance framework and an effective system
of internal control for the mitigation of risk across the Group. Compliance with these policies supports
the Group in meeting its business objectives and balancing the needs of shareholders, staff and other
stakeholders.
1.3. Core Principles
The governance arrangements described in this Policy are based upon the following core principles:
• The interests of stakeholders are protected by ensuring that excessive powers are not delegated to
individuals;
• Decisions taken by management are consistent with the Group’s strategic objectives and Risk
Appetite, which are approved by the Board;
• Appropriate conduct is demonstrated in executing the requirements contained within the Policy;
• Every member of staff is responsible for understanding and managing the risk they take on behalf
of the Group;
• Clear accountabilities are delegated by management to people who have the right level of skill,
competency and experience;
• All staff are required to comply with Group Policies.
1.4. Application
This Policy is applicable to all areas within the Group and defines the minimum standards to control
financial loss, customer impact, regulatory breaches and reputational damage in line with the Group’s
Risk Appetite.
In exceptional circumstances, where risk sits outside of the Group’s accepted Risk Appetite, a Risk
Exception can be granted.
Further information in relation to the risk exception process, together with a template, can be found here.
¹ In this Policy “Post Office” and “Group” mean Post Office Limited and any wholly owned subsidiary that formally adopts this
policy.
² In this policy “employee” and “staff” means all persons working for the Group or on our behalf in any capacity including
employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, and contractors.
While Post Office does not tolerate events that are criminal in nature and which may give rise to
unacceptable and illegal behaviour, it recognises that despite its many endeavours, it is not possible to
eliminate all risk of internal and external financial crime and as a result Post Office may incur losses,
and therefore takes a risk based approach to financial crime.
Failure to comply with the requirements of this policy by any member of staff will be regarded as a
significant breach impacting on the Group’s risk and control environment and may lead to disciplinary
action up to and including dismissal and possible prosecution.
The risk to the Group in relation to financial crime is reviewed annually and as required by the Board.
1.5. Legislation
“Financial crime” is any offence involving: fraud or dishonesty, misconduct in, or misuse of information
or handling the proceeds of crime. It can be internal (by individuals within an organisation) or external
(by criminals using an organisation to facilitate financial crime). Financial crime is commonly considered
as including one or a combination of the following offences:
• Fraud
• Cyber crime
• Money laundering
• Terrorist financing
• Bribery and corruption
• Tax evasion facilitation
• Information security breaches.
There are a number of relevant UK legal and regulatory requirements which deal with financial crime
including (but not limited to):
• The Fraud Act 2006
• The Bribery Act 2010
• The Theft Act 1968
• Common Law Offences of Fraud in Scotland
• The Proceeds of Crime Act 2002
• The Criminal Finances Act 2017
• Policing and Crime Act 2017
• The Terrorism Act 2000
• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer)
Regulations 2017 (known as Money Laundering Regulations 2017) (as amended by the Money
Laundering and Terrorist Financing (Amendment) Regulation 2019 and Money Laundering and
Terrorist Financing (Amendment) (EU Exit) Regulations 2020)
• Forgery and Counterfeiting Act 1981
• Sanctions and Anti Money Laundering Act 2018
• Identity Documents Act 2010
• Economic Crime (Transparency and Enforcement) Act 2022
The Group has regard for guidance and other assistance offered by regulatory, industry and other
specialist bodies, for example UK Finance (which incorporates BBA, UK Payments and Financial Fraud
Action UK), and Link, etc., which publish trends and analysis on current threats and issues.
1.6. The Risk
Failure to manage financial crime risks and incidents appropriately could result in financial loss,
customer impact, regulatory breaches, fines, prosecution, prevention from selling a particular product,
loss of existing or future contracts/relationships and damage to reputation.
These risks include, but are not limited to, the following:
External Financial Crime:
The risk of external events due to acts of a type intended to defraud, steal or misappropriate assets/
property, or which seek to circumvent the law, by a third party. Examples would include:
• Any dishonest or fraudulent act,
• Theft of assets from an organisation or its customers,
• Card or account abuse or account takeover by a third party,
• Counterfeit payment instruments (cards, cheques, etc.) and identity documents,
• ATM fraud and theft,
• Online or mobile fraud,
• Facilitating money laundering,
• Cyber crime, and
• Social engineering fraud.
Internal Financial Crime
The risk of internal events due to acts of a type intended to defraud, steal or misappropriate
assets/property, or which seek to circumvent regulations or the law applicable to an organisation or its
contracts or internal policies or procedures. Examples would include:
• Any dishonest or fraudulent act circumventing regulations or law,
• Profiteering as a result of insider knowledge of an organisation's activities,
• Theft of assets from an organisation or its customers,
• Manipulation of transactional data at point of sale,
• False expense or payroll claims,
• Manipulation of accounts or financial statements, and
• Breach of internal processes or controls for personal gain.
The Group takes the above internal risks and financial crime seriously and will take appropriate action
against any person including disciplinary, dismissal and possible prosecution of anyone involved in such
events.
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
Risk Appetite is the extent to which Post Office will accept that a risk might happen in pursuit of day-to-day
business transactions. It therefore defines the boundaries of activity and levels of exposure that
Post Office are willing and able to tolerate.
The risk tolerance level will vary for each business unit. Information should be sought from the
Central Risk Team with regard to the agreed appetite relevant to the policy being written.
Post Office have a five-scale approach to risk appetite: Averse, Cautious, Neutral, Flexible and Open.
The Group takes its legal and regulatory responsibilities seriously and consequently has³:
An averse appetite to being non-compliant with our Statutory & Regulatory requirements.
Post Office acknowledges however that in certain scenarios, even after extensive controls have been
implemented, a product or transaction may still sit outside the agreed Risk Appetite. In this situation, a
risk exception waiver will be required. (See section 1.4 for further details.)
2.2. Policy Framework
Post Office has established a suite of Financial Crime policies and procedures, on a risk sensitive
approach, which are subject to annual review. The policy suite is designed to combat money laundering,
terrorist financing, bribery and corruption and fraud and ensure adherence to relevant sanctions
regimes. They have been developed to comply with applicable legislation and regulation and cover the
following specifically:
• The identification through documented risk assessment of potential or inherent and residual
financial crime risks and the effectiveness of controls associated with them,
• Completing compliance oversight monitoring to test the Group’s controls and confirm effectiveness
and adherence to financial crime policies,
• On a risk sensitive basis, performing due diligence on our employees, agents and third parties,
• Where the Group has primary or contractual responsibility for the customer relationship ensuring
Customer Due Diligence, Enhanced Due Diligence and Sanctions checking are set at any
appropriate level commensurate with the risk,
• Establishing and maintaining standards for Management Information on financial crime. This
includes, but is not limited to, record keeping, customer identity documents, reporting of suspicious
activity⁴ and details of staff training.
This policy provides an overview of the financial crime risk and governance framework and the effective
system of internal control for the mitigation of financial crime risk required across the Group. The Key
Financial Crime policies covering the major risk areas to the Group include:
• Anti-Bribery and Corruption Policy
• Anti-Money Laundering and Counter Terrorist Finance Policy
• HMRC Fit & Proper Policy
• Whistleblowing Policy
• Financial Crime Policy
³ The Risk appetite was agreed by the ARC March 2021
⁴ For more information in relation to the completion and submission of a Suspicious Activity Report please see the Anti-Money
Laundering and Counter Terrorism Policy
Associated Policies and Processes include:
• Acceptable Use Policy
• Protecting Personal Data Policy
• Cyber & Information Security Policy
• Investigations Policy
Each of the above policies should be considered and read in conjunction with any other policy where
relevant. These policies are supported by the Risk Exceptions process.
2.3. Who must comply?
Compliance with this Policy is mandatory for all Post Office employees and applies wherever in the
world the Group’s business is undertaken. All third parties who do business with the Group, including
consultants, suppliers and business and franchise partners, will be required to agree contractually to
this policy or to have their own equivalent Policy. Where non-compliance is identified the matter must
be referred to the Policy Owner. Any investigations will be carried out in accordance with the
Investigations Policy. Where it is identified that an instance of non-compliance is caused through wilful
disregard or negligence, this will be treated as a disciplinary offence.
All Post Office employees are required to report any knowledge or suspicions (internal or external) in
relation to financial crime (please see 3.2), and a failure to do so may amount to a disciplinary offence.
2.4. Minimum Control Standards
A minimum control standard is an activity which must be in place in order to manage the risks, so they remain within the defined Risk Appetite statements. There
must be mechanisms in place within each business unit to demonstrate compliance. The minimum control standards can cover a range of control types, i.e.
directive, detective, corrective and preventive which are required to ensure risks are managed to an acceptable level and within the defined Risk Appetite.
The table below sets out the relationships between identified risk and the required minimum control standards in consideration of the stated risk appetite. The
subsequent pages define the terms used in greater detail:
Risk Area: Proposed product or service
Description of Risk: Products, services or relationships with third parties may rely on systems or processes where prevention or detection of financial crime has not been considered in the design, resulting in financial loss (whether to the Group, its customers or suppliers), reputational damage and/or regulatory sanctions.
Minimum Control Standards:
Preventative Control:
As part of the design of a new product or service:
• A Product Information Pack (see 4.2 below) must be complete and be fully up to date.
• Product or service risks must be considered and documented using the Financial Crime Engagement Tool (see 4.2 below) during initial engagement for Business Readiness Assurance at PROVE stage.
Who is responsible: Product Managers. When: During design phase.
Prior to launch, the Product Information Pack (PIP) must be reviewed and approved by the Financial Crime Team. The Financial Crime Team adopts a risk-based approach to determine when the full risk assessment should be completed, and the PIP will provide them with key information to make an informed decision. If the product is deemed high risk, the assessment will be completed prior to launch, following which the Financial Crime Team may require the Product Manager to make changes to reduce the risks prior to launch.
Who is responsible: Product Managers and Financial Crime Team. When: Prior to launch.
Risk Area: Proposed product or service (continued)
Minimum Control Standards:
The product manager/management team is responsible for ensuring their product complies with legal and regulatory requirements in relation to financial crime.
Who is responsible: Product Managers. When: Ongoing.
Risk Area: Existing products and services
Description of Risk: Due to changes in law, regulation, incidents, threats or practices over time, there is a risk that the controls to prevent and detect financial crime are no longer adequate.
Minimum Control Standards:
Preventative Control:
Risk assessments must be undertaken at least annually for high risk products and services, where any changes to the product or service (including supplier changes) are made, where an issue is highlighted, significant risk is identified, an incident occurs, or the regulations change.
Who is responsible: Product Managers. When: Annually, or at any time there is a change.
The product manager/management team is responsible for ensuring their product complies with legal and regulatory requirements in relation to financial crime.
Who is responsible: Product Managers. When: Ongoing.
Prior to the scheduled risk assessment, the Product Information Pack (PIP) must be reviewed and updated by Product Management and provided to the Financial Crime Team.
Who is responsible: Product Managers. When: Ongoing.
Prior to any significant product or service changes being implemented, the Product Information Pack (PIP) must be reviewed and updated by Product Management. The Financial Crime Team adopts a risk-based approach to determine when the full risk assessment should be completed, and the PIP will provide them with key information to make an informed decision. If the product is deemed high risk, the assessment will be completed prior to change going live.
Who is responsible: Product Managers. When: When there is a significant change, material issue or incident.
Risk Area: Existing products and services (continued)
Minimum Control Standards:
Where no initial risk assessment was undertaken, product management must complete a new Product Information pack and provide this to the Financial Crime Team. The Financial Crime Team will then agree a timescale to complete a risk assessment.
Who is responsible: Product Managers and Financial Crime Team. When: Any time there is a change.
Where the reassessed/assessed risk is considered by the Financial Crime Team to rest outside of the Group’s Risk Appetite, or where the strength of the controls is deemed inadequate, as part of the Close Down report produced by the team, recommendations will be provided to the Product Manager to implement or improve controls to mitigate the risks. The Product Manager is responsible for recording all product risks on the GRC Tool and taking appropriate actions to mitigate the risks as per the Group Risk Policy. Where risks cannot be sufficiently mitigated in line with the Group's risk appetite then the risk exception process must be followed.
Who is responsible: Financial Crime Team and Product Managers. When: Annually or when there is a material issue or incident.
Corrective Control:
Product Management must implement escalation procedures for when an incident is identified, so that the Financial Crime Team are made aware, and if the product is outsourced to a third party, the third party is made aware. Product Management are responsible for addressing and overseeing any control failings to mitigate financial crime risks.
Who is responsible: Product Managers. When: As and when an incident is identified.
A risk assessment may be undertaken where an issue is highlighted by monitoring or an incident occurs that is deemed to be systemic.
Who is responsible: Financial Crime Team and Product Managers. When: As and when an incident is identified.
Risk Area: Human Resources
Description of Risk: Due to inadequate screening, there is a risk that the Group employs individuals who do not have the legal right to work in the UK or are unfit to undertake the role.
Minimum Control Standards:
Preventative Control:
To minimise the risk of financial crime by employees, Post Office completes employee screening prior to employment. In addition to this, on a regular basis (proportionate to the role) additional checks will be completed to ensure that there is no risk of internal collusion by any of our employees. For further information please see the employee vetting policy.
Who is responsible: Group Chief People Officer. When: Pre-employment and ongoing where required.
Risk Area: Operations
Description of Risk: Inadequate training, monitoring and control of internal processes and systems may lead to internal fraud or theft by employees.
Minimum Control Standards:
Directive Control:
Post Office has developed a Code of Business Standards and model behaviours that set out the expected standards for all employees and contractors — this is made available to all new and existing staff and reinforced in communications.
Who is responsible: Group Chief People Officer; All Employees. When: Ongoing.
Preventative Control:
Access to Post Office systems is via unique user log-ins and annual mandatory compliance training is provided to all staff and contractors.
Post Office expenses and payroll systems include management checks and controls.
Who is responsible: Chief Information Officer. When: Ongoing system design and delivery.
Who is responsible: The People Function are responsible for any incidents where further action is required and ensuring completion of mandatory training. When: Pre-employment and ongoing where required.
Detective Control:
Audit trails for system access are maintained and monitored appropriately.
Who is responsible: Internal Audit. When: Ongoing.
Risk Area: Operations
Description of Risk: Inadequate building and systems access controls may lead to financial crime that results in financial loss (whether to the Group, its customers or suppliers), reputational damage and/or regulatory sanctions.
Minimum Control Standards:
Preventative Controls:
Relevant business areas including the property and security teams must assess and assure risks relating to employee and customer access to sites, secured areas, systems and software, recommending and implementing additional controls where appropriate.
Who is responsible: Head of Property Equipment and Security. When: Ongoing.
All business areas are responsible for maintaining documented processes and procedures and deploying adequate monitoring and controls to prevent and detect unauthorised access to sites, secured areas, systems and software to prevent financial crime.
Who is responsible: All employees. When: Ongoing.
Detective Control:
Audit trails must be maintained so that building and system access can be monitored.
Who is responsible: Chief Information Officer and Head of Property Equipment and Security. When: Ongoing.
To ensure that the Group's controls remain effective the Group undertakes internal audits to test and assess their effectiveness.
Who is responsible: Internal Audit. When: Ongoing.
Risk Area: Financial settlement and reconciliation
Description of Risk: Inadequate controls and audit trails relating to financial settlement and reconciliation may result in financial loss (whether to the Group, its customers or suppliers), reputational damage and/or regulatory sanctions.
Minimum Control Standards:
Preventative Controls:
Relevant business areas must assess and assure risks relating to financial settlement and reconciliation and are responsible for maintaining documented processes and procedures and deploying adequate monitoring and control to prevent and detect financial crime.
Who is responsible: Chief Financial Officer. When: Ongoing.
Detective Control:
Audit trails must be maintained so that system access can be monitored.
Who is responsible: Chief Information Officer. When: Ongoing.
To ensure that the Group's controls remain effective the Group undertakes internal audits to test and assess their effectiveness.
Who is responsible: Internal Audit. When: Ongoing.
Risk Area: Criminal facilitation of tax evasion
Description of Risk: Inadequate controls lead to Post Office failing to prevent criminal facilitation, by its associated persons (which includes employees, agents, clients, suppliers, contractors, etc.), of a UK or foreign criminal tax evasion.
Minimum Control Standards:
Preventative controls:
Post Office ensures that guidance is issued to agents that they must not facilitate tax evasion by any company or person. Agents are expected to have in place reasonable prevention procedures to avoid breaching the Criminal Finances Act 2017 and Post Office’s obligations and relevant clauses are included in all supplier contracts.
Who is responsible: Group Tax and Head of Postmaster Remuneration Development. When: Ongoing.
Post Office has a Group wide training programme to ensure that all customer facing staff, back office staff and contractors receive adequate training. Staff and contractors are required to complete mandatory compliance training within 30 days of joining Post Office and annually.
Who is responsible: The People Function are responsible for any incidents where further action is required and ensuring completion of mandatory training. When: Ongoing.
Risk Area: Criminal facilitation of tax evasion (continued)
Minimum Control Standards:
Detective Controls:
Pass rate and number of failures of specific test questions is monitored to identify risk areas, any additional training or guidance required or those areas of training that need to be enhanced.
Who is responsible: Financial Crime Team is responsible for reviewing training effectiveness. When: Ongoing.
Risk Area: Internal Financial Crime/Fraud
Description of Risk: Controls to deter, prevent and detect financial crime and fraud are not adequate to prevent crime by employees.
Minimum Control Standards:
Directive Control:
Post Office has developed a Code of Business Standards and model behaviours that set out the expected standards for all employees and contractors — this is made available to all new and existing staff and reinforced in communications. Staff are also encouraged to report suspicions or actual wrong-doing to Grapevine or via the Whistleblowing reporting avenues.
Who is responsible: Group Chief People Officer. When: Ongoing.
Detective Controls:
All reports received of or instances identified of internal fraud will be fully investigated and where appropriate, Post Office will prosecute individuals.
Who is responsible: Head of Internal Audit and General Counsel. When: Ongoing.
3. Where to go for help
3.1. Additional Policies
This Policy is one of a set of policies. The full set of policies can be found on the SharePoint Hub under
Policies.
3.2. How to raise a concern
Any Post Office employee who suspects that Post Office’s products, services or processes have been
used to facilitate money laundering, terrorist financing, or dishonest or fraudulent activity has a duty to
raise a Suspicious Activity Report by calling Grapevine on
Any Post Office employee who suspects that there is a breach in this Policy should report this without
any undue delay. Staff may report to:
• Their line manager, or
• A senior member of the HR Team, or
• Direct to the Whistleblowing Manager (whistleblowing)
• By contacting the “Speak Up” line, a confidential reporting service which is run by an
independent company, Convercent
o Telephone Number:
o http://speakup.postoffice.co.uk/ which is a secure on-line web portal
3.3. Who to contact for more information
If you need further information about this policy or wish to report an issue in relation to this policy, please
contact financial.crime[GRO]
4. Governance
4.1. Governance Responsibilities
The policy sponsor, responsible for overseeing this policy, is the General Counsel of Post Office Limited.
The policy owner is the Director of Compliance who is responsible for ensuring that the Financial Crime
Team conducts an annual review of this policy and tests compliance across the Group. Additionally, the
Director of Compliance and the Financial Crime Team are responsible for providing appropriate and
timely reporting to the Risk and Compliance Committee and the Audit and Risk Committee.
The Audit and Risk Committee are responsible for approving the policy and overseeing compliance.
The Board is responsible for setting the Group’s risk appetite.
4.2. Tools
The Financial Crime Engagement Tool
The Financial Crime Engagement Tool has been created by the Financial Crime Team and enables
Product Managers to provide the Financial Crime Team with key details about their project so that the
team have an understanding of the financial crime risks posed and support the Product Manager with
their project. The Compliance Engagement Tool takes into account inherent risks (e.g. payment method,
channel, customer demographic etc.), UK regulations and legislation and industry best practice,
enabling the Financial Crime Team to ensure that appropriate controls and product features are in place
to mitigate the inherent risks and meet regulatory and legal requirements.
The Financial Crime Engagement Tool can be found here.
Product Information Pack
Product Management are responsible for keeping the Product Information Pack (PIP) up to date in line
with any product changes. The purpose of the PIP is to provide an overview of the product or service,
including customer/transactional journey, parties involved, any contractual responsibilities, monitoring
and control requirements. It should consider the inherent risks the product is exposed to from a Group
and customer perspective and the framework for the effective risk mitigation of the product.
The existence of detailed operating policies, procedures and processes may be referred to throughout
this document and is to be used to illustrate how the risks associated with the product are reduced.
The Product Information Pack can be found here.
Financial Crime Risk Assessment
The Financial Crime Team will conduct a risk assessment using the information provided by the Product
Manager within the PIP. The team will issue a final report to the Product Team highlighting all the
financial crime risks identified and recommendations on how to improve the controls in place. The
Product Manager is responsible for recording all product risks on the GRC Tool and taking appropriate
actions to mitigate the risks as per the Group Risk Policy.
More information on the Financial Crime Risk Assessment can be found here.
5. Document Control
5.1. Document Control Record
SUMMARY
GE Policy Sponsor: Group General Counsel
Policy Owner: Group Compliance Director
Policy Author: Head of Financial Crime
Policy Approver: RCC & ARC
Version: 8.0
Review period: Annually
Policy effective date: July 2023
Policy location: Sharepoint Hub
REVISION HISTORY
Version | Date | Changes | Updated by
1 | November 2016 | Roll out of Final version | Georgina Blair
1.3 | July 2017 | Final draft | Thomas Richmond
1.4 | July 2017 | POL R&CC approval | Sally Smith
2 | September 2017 | Final Version approved by ARC. | Sally Smith
2.1 | October 2018 | Annual review and amends | Sally Smith
2.2 | October 2018 | POL R&CC approval | Sally Smith
2.3 | October 2018 | POL ARC approval | Sally Smith
2.4 | December 2018 | POMS ARC Approval | Thomas Richmond
3 | December 2018 | Final draft | Thomas Richmond
3.1 | September 2019 | Annual review and amends | Sally Smith
3.2 | September 2019 | POL R&CC approval | Sally Smith
4.0 | September 2019 | Final version approved by ARC’s | Sally Smith
4.1 | April 2020 | Updated with new Speak Up service contact details | Sally Smith
4.2 | June 2020 | Annual review and amends | Sally Smith
4.3 | July 2020 | POL RCC approval | Sally Smith
5.0 | July 2020 | Final version approved by ARC’s | Sally Smith
5.1 | June 2021 | Annual Revisions and Legal Review | Sally Smith/Sarah Gray
5.2 | July 2021 | RCC Approved | Sally Smith
6.0 | July 2021 | Final version approved by ARC’s | Sally Smith
6.1 | June 2022 | Transfer to new template and annual revisions | Sally Smith
6.2 | June 2022 | RCC approval | Sally Smith
7.0 | Oct 2022 | Final version approved by ARC’s | Sally Smith
7.1 | June 2023 | Annual Revisions and Legal Review; new legislative addition and new company registered address | Sally Smith/Jane Beeko
7.2 | June 2023 | POL RCC approval | Sally Smith
8.0 | July 2023 | Final version approved by POL and POMS ARC | Sally Smith
5.2. Oversight Committee: Risk and Compliance Committee / Audit and
Risk Committee
Committee | Date Approved
POL R&CC | 27th June 2023
POL ARC | 10th July 2023
POMS ARC | 10th July 2023
Next Policy Annual Review Date: July 2024
5.3. Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers 2154540 and 08459718
respectively. Registered Office: 3rd Floor, 100 Wood Street, London EC2V 7ER.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its Information
Commissioner’s Office registration number is ZAQ90585.
Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information Commissioner’s
Office registration number is 24866081.
Payzone Bill Payment Limited is a limited company registered in England and Wales under company number: 11310918.
VAT registration number GB 172 6705 02. Registered office: 3rd Floor, 100 Wood Street, London EC2V 7ER.