POL00460567
GROUP POLICY
Legal Policy
Version — V2.1
1. Overview
1.1. Governance
1.2. Purpose
1.3. Core Principles
1.4. Application
1.5. The Risk
2. Legal Teams — Structure, Authority, Roles, Standards
2.1. Delegation of Authority
2.2. Legal Risk — Roles and Responsibilities
2.3. Legal Professional Standards
3. Risk Appetite Minimum Control Standards
3.1. Risk Appetite
4. Where to go for help
4.1. How to raise a concern
4.2. Who to contact for more information
5. Governance
5.1. Governance Responsibi
5.2. Definitions
6. Document Control
6.1. Document Control Record
6.2. Oversight Committee: Risk and Compliance Committee / Audit and Risk Committee
6.3. Company Details
Appendix 1 - Applicable Legislation and Regulation
Appendix 2 - Legislation and Regulation Matrix
INTERNAL. Page 2 of 26 Legal Policy V2.1 2024
1. Overview
1.1. Governance
The Group General Counsel has overall accountability for the design and implementation of controls to
support the business in managing their legal risk and in complying with the risk appetite approved by
the Board of Directors.
Legal risk is managed in line with the Group Risk policy and therefore is subject to regular and
appropriate oversight and monitoring through the RCC and ARC.
The Group General Counsel, Group Legal Director, and Interim Inquiry General Counsel have the
authority to raise and escalate concerns or matters of material legal risk, current or emerging, directly
to the Board of Directors.
The Policy Owner is the Group Legal Director who is responsible for ensuring that the BAU Legal Team
conducts an annual review of this Policy and regularly tests and monitors adherence to this Policy within
the BAU Legal Team and across the Group. The Public Inquiry Director¹ and Remediation Unit Legal
Services Director support the Group Legal Director in this by testing and monitoring adherence to this
Policy within their own Legal teams and reporting to the Group Legal Director.
This Policy, including the Legislation and Regulation Matrix (see Appendix 2), will be subject to annual
reviews and approvals by the ARC.
1.2. Purpose
This Policy sets out the minimum operating standards relating to the management of the legal and
regulatory risks and clarifies the roles and responsibilities throughout the Group.
The Policy should be read in conjunction with other relevant Group policies and procedures, and in
the context of applicable legislation and regulation (see Appendix 1).
It also sets out the professional standards of competence, and the legal and regulatory requirements to
which the BAU Legal Team, the Inquiry Legal Team and Remediation Unit Legal Team (together, the
Legal Teams) should be adhering.
The implementation of this Policy supports the Group² in achieving its objectives. This includes
balancing the needs of its shareholder, staff and other stakeholders, including its network of agent
Postmasters, whilst operating within the Board approved risk appetites, and legislative and regulatory
frameworks within which the Group operates.
To ensure lessons from historical issues have been embedded, and the likelihood of these is
minimised, the Policy incorporates key findings and learnings from the Group Litigation Order (GLO),
the Horizon Issues Judgment (HIJ), Common Issues Judgment (CIJ) and Hamilton Judgment on which
the Legal Teams will train the business and provide support and advice. Where these issues are
engaged and any of the Legal Teams believe they are not being acted upon/taken seriously by the
business, the Group General Counsel, Group Legal Director, Interim Inquiry General Counsel, Public
Inquiry Director and Remediation Unit Legal Services Director may escalate directly to the Board of
Directors.
¹ This role is vacant at the time of writing and may be retitled in the future.
² Post Office Limited, Payzone and Post Office Management Services Limited.
1.3. Core Principles
To support and enable the Post Office providing valuable local services to its customers and act in the
interest of its Postmasters, and remain compliant with applicable regulation and legislation, the legal
and regulatory risk appetite overall has been set at averse, with a cautious tolerance³.
The following core principles form the basis of this Policy:
• Post Office has devised policies and associated procedures in relation to legal and regulatory
obligations that reflect the necessity for compliance and the complexity of the business;
• Post Office’s Legal Teams are mandated to provide and engage expert support to the business
in effective identification, minimisation and management of legal, regulatory and reputational
risks;
• Post Office ensures that “reserved legal activities”⁴ are carried out by appropriately qualified
individuals on behalf of the company;
• Decisions taken by management have regard to the Board's strategic objectives and Risk
Appetite, and where a decision is taken that is outside the Board’s risk appetite, the appropriate
derogations are documented and approved by the Board;
• All staff are responsible for understanding and managing the risks they take on behalf of the
Group;
• Clear accountabilities are delegated by management to the Group's staff, who have the right
level of skill, competency and experience;
• All Group staff are required to comply with Group Policies and act within the limits of their
authority; and
• Exceptionally, the Legal Teams may need access to urgent legal advice in contravention of the
Procurement Policy; where the benefit and need outweigh the risk, this can be approved on a
case-by-case basis by the Group General Counsel.
1.4. Application
Compliance with this Policy is mandatory for all Post Office staff⁵ and Group entities.
Third parties will be required to agree contractually to this Policy or demonstrate alignment with their
own equivalent Policy.
Where non-compliance is identified, the matter must be referred to the Group Legal Director and/or the
Interim Inquiry General Counsel, as relevant. Alternatively, staff and third parties can use the
whistleblowing and speak up procedures to raise concerns in a confidential manner.
Any investigations will be carried out in accordance with the Group Investigations & Co-operation with
Law Enforcement Policy. Where it is identified that an instance of non-compliance is caused through
wilful disregard or negligence, this will be treated in accordance with the disciplinary process.
³ Risk appetite and tolerance is the extent to which the Group will accept that a risk might happen in pursuit of the business's
day-to-day transactions (please refer to Section 3).
⁴ As defined in section 12 and Schedule 2 to the Legal Services Act 2007.
⁵ Permanent employees, temporary staff including agency workers, contractors, consultants and anyone working for or on behalf
of Post Office.
1.5. The Risk
Post Office is a complex business with a network of 11,500+ branches across the UK, providing a wide
range of products and services, including mails services, banking services, insurance products and
identity services.
For example:
• Post Office contracts with regulated entities, either directly or through its subsidiary, Post Office
Management Services Limited (POMS).
• As an Appointed Representative of Capital One, Bank of Ireland and POMS, Post Office Limited
is contractually obliged to comply with various Financial Conduct Authority (FCA) regulatory
flow-through obligations, including ensuring adequate systems and controls are in place.
• POMS is directly exposed to regulatory fines and censure if the FCA determines that the
systems and controls associated with this Policy are not effectively implemented. This Policy
contributes to Post Office’s compliance with these regulatory obligations.
• Post Office is directly regulated by His Majesty’s Revenue & Customs (HMRC) with respect to
our Branch Travel Money business and has to demonstrate compliance with Money Laundering
and Counter Terrorist Financing Regulations.
Accordingly, the Group is subject to a broad array of laws⁶, regulations and contractual requirements,
including regulation and investigation by the FCA, Ofcom, HMRC, the Competition & Markets Authority,
and the Information Commissioner's Office. The Group also cooperates with and refers matters to the
Police, the Intelligence Services, and the Serious Fraud Office.
The Group has a clear standard to comply with all legal and regulatory requirements. It acknowledges
that there may be certain circumstances where a higher risk exposure may be tolerated, with Board
approval, for a period of time to ensure we meet business objectives.
Therefore, the Group’s risk appetite for BAU legal risks is very low, and set at ‘averse’ overall, with a
risk tolerance set at ‘cautious’. For further details, see Section 3.1. Risk Appetite.
For details on the Board's risk appetite for the Remediation Unit, see the RU Enterprise Risks table (as
amended biannually (or more frequently as requested) for RCC and ARC).
Risks relating to the Inquiry Legal Team are not provided for in this policy document due to Inquiry
imposed restrictions on the sharing of inquiry confidential material.
⁶ Please refer to Appendices 1 & 2.
2. Legal Teams — Structure, Authority, Roles, Standards
2.1. Delegation of Authority
To ensure the Group operates within legal risk appetite and tolerance, the Board of Directors has
delegated authority to the Group General Counsel, the Interim Inquiry General Counsel, and the Legal
Teams to provide legal support and guidance to the business.
This delegated authority flows as follows:
[Figure: organisation chart of delegated authority. Recoverable labels: Board; Group General Counsel;
Interim Inquiry General Counsel; Group Legal Director; Public Inquiry Director [TBC]; Remediation Unit
Director; Heads of Legal; Senior Legal Counsel, Legal Counsel, Trainees, Paralegals; Inquiry Legal Team;
Remediation Unit Legal Team.]
The Group General Counsel, Interim Inquiry General Counsel, Group Legal Director, Public Inquiry
Director and Remediation Unit Legal Services Director have the authority to escalate concerns or
matters of current or emerging material legal risk directly to the Board of Directors, where they believe:
• The business has exposed or is exposing the Group to legal risks beyond agreed risk tolerances;
• Business decisions are being made without the timely support or guidance from the Legal
Teams;
• Where matters involve the SEG and there is a clear conflict of interest;
• Horizon, CIJ or HIJ issues are engaged by the business and not being appropriately dealt with,
despite legal advice to the contrary;
• Any of the Legal Teams are being unduly influenced to alter their advice or assessment of legal
risk;
• Any of the Legal Teams are aware of matters which the business is not, and upon which it is
therefore inappropriate or difficult to advise (e.g. whistleblowing, internal investigations);
• Any of the Legal Teams are being deliberately excluded from key decisions, committees, boards
and governance or engaged at the execution phase and cannot perform their duties; and
• Any of the Legal Teams are being asked to act as ‘first line’ where the business is not taking
accountability or ownership of legal risk.
Note: The Legal Teams will continue to report and provide relevant information to the SEG and Board
on all of the above, as part of their normal operational activities.
2.2. Legal Risk — Roles and Responsibilities
The role of the BAU Legal Team is to support and guide the business to manage its legal risk within the
Board set risk appetite (averse) and tolerance (cautious).
The role of the Inquiry Legal Team is to support and advise the business in complying with its legal
obligations in respect of the Post Office Horizon IT Inquiry.
The role of the RU Legal Team is to advise on and support the schemes designed to provide redress to
postmasters connected with the Horizon IT scandal, and support overturning the convictions of
postmasters who were wrongfully convicted.
The Legal Teams are advisory functions to the business and are not accountable for making decisions
on behalf of the Business. The Legal Teams are responsible for providing timely legal opinions, and for
advising and supporting the business to enable it to reach suitable outcomes.
Each member of the Legal Teams does this by providing legal and regulatory support and advice
including, but not limited to:
• Assisting the business with contractual negotiation and formation, as well as interpretation of
contractual terms;
• Advising on complying with legislation and co-operating with regulators, such as FCA,
HMRC, ICO etc;
• Advising on disputes that may arise in the course of business;
• Acting as a single point of contact for the engagement of external legal support;
• Horizon scanning for new legislation, regulations and guidance which may impact the Group;
• Advising the business in connection with the discharge of its statutory obligations in respect of
the Inquiry; and
• Advising the business in connection with the administration of the redress schemes and
supporting the overturning of convictions of postmasters who were wrongfully convicted.
For the Legal Teams to discharge their responsibilities in a timely and effective manner, the Business
is responsible for:
• Ensuring the Legal Teams are instructed in a timely manner on matters of strategic importance
(meaning at the outset/structuring phase);
• Providing full, timely and factually accurate instructions to the Legal Teams (particularly where
these are required in order to discharge a statutory obligation);
• Applying diligent consideration to legal advice;
• Maintaining the confidentiality of legal advice and legal communications to ensure legal
professional privilege is preserved;
• Ensuring that Inquiry relevant material is preserved in accordance with the business’ policies
on document retention and preservation;
• On advice from the Inquiry legal team, ensuring that confidentiality obligations to the Inquiry are
upheld;
• Ensuring that relevant documentation and information is provided to support the redress
schemes and criminal appeals processes (both court processes and and
• Refraining from seeking to unduly influence or alter the legal advice provided.⁷
For avoidance of doubt, the Business is accountable for decision making, and any legal
opinion or advice provided and/or sought are key inputs for their diligent consideration. Any
decisions or actions taken or to be taken remain the responsibility of the accountable
Business owner.
2.3. Legal Professional Standards
Each member of the Legal Teams who is a solicitor must adhere to the Solicitors Regulation Authority
(SRA) Code of Conduct and the Professional Standards required of qualified lawyers in England and
Wales.⁸ These include:
• Maintaining independence in their judgement and advice;
• Remaining vigilant for any conflicts of interest which may arise, and proactively identifying any
such conflicts to one of the Heads of Legal, Remediation Unit Legal Services Director, Public
Inquiry Director or Group Legal Director at the earliest opportunity;
• Maintaining confidentiality in legally privileged documents, documents containing confidential
business information and/or trade secrets;
• Complying with the statutory requirements for the direction and supervision of reserved legal
activities, including:
    o Ensuring that litigation is undertaken under the supervision of a solicitor and not
    outsourced to a Business team, and
    o Only outsourcing reserved legal activities to qualified individuals who are authorised to
    conduct such activities;
• Complying with the specific requirements for those acting in litigation matters, including
upholding the law and proper administration of justice;
• Undertaking regular professional development training to maintain a level of competence
appropriate to their work and level of responsibility;
• Identifying, monitoring, and managing risks in compliance with all the principles, rules and
outcomes and other requirements of the SRA’s Handbook⁹; and
• Maintaining appropriate records of the legal advice and support given.
⁷ This does not prohibit the asking of questions, seeking of clarification as to meaning, challenging whether the advice changes
if additional facts come to light.
⁸ Barristers must adhere to the Bar Standards Board (BSB) Handbook, including the BSB Core Duties.
⁹ Or the BSB Handbook, if barrister.
Therefore, all qualified lawyers of the Legal Teams must:
• Act with independence, honesty and integrity;
• Only act for Post Office Limited or its Group Companies;
• Ensure they have sufficient information and expertise to advise fully;
• Not permit any business team or individual to exert influence or pressure on the advice that
they give; and
• Escalate promptly any potential conflicts of interest or challenges to their independence to a
Head of Legal or the Group Legal Director / Public Inquiry Director / Remediation Unit Legal
Services Director, as appropriate.
To support the above standards and principles, the Group Legal Director, Public Inquiry Director and
Remediation Unit Legal Services Director will have appropriate processes and procedures embedded
within their Legal teams to ensure¹⁰:
• Clear governance and reporting lines exist;
• Only qualified Legal Counsel or more senior members of the Legal Teams may engage and
supervise any 3rd party lawyers (whether solicitors or barristers);
• Annual written attestations are obtained from all qualified lawyers affirming their compliance
with SRA’s¹¹ professional development and professional standards requirements;
• The Legal Teams can demonstrate appropriate oversight and challenge of external legal costs;
• Members of the Legal Teams regularly undertake training to improve their legal and
professional skills and knowledge;
• All work undertaken by paralegals and trainees will be supervised by a qualified lawyer;
• Heads of Legal will be responsible for the supervision (where required) of members of their
team and for their output;
• The Legal Teams will periodically remind the Business about Managing Public Monies and
Value For Money (VFM) requirements and provide training;
• The Legal Teams will comply with VFM and ensure that they have appropriate controls which are
enforced in respect of the management of legal costs;
• The BAU Legal Team will advise the Business on Public Contracts Regulations (PCR)
obligations and provide training (in conjunction with Procurement);
• The Legal Teams will actively consider emerging legal and commercial issues which may
impact the Group;
• The Legal Teams will comply with the specific requirements for those acting in litigation (uphold
the law and proper administration of justice);
• From a historical and Group litigation perspective, all members of the Legal Teams must:
    o Complete the GLO Awareness Training Module assigned on SuccessFactors and be
    able to demonstrate a good understanding of the Group Litigation and its impact on
    POL; and
    o Understand HIJ, CIJ and Hamilton and their impact on POL, and where relevant shall
    provide advice and support that has regard to the principles established by those
    judgments.
¹⁰ The Public Inquiry and Historical Matters Legal Services Director will have equivalent processes with the Inquiry and HMU
Legal teams.
¹¹ Or BSB in the case of barristers.
In addition, where the Legal Teams outsource legal activities or any operational function that is critical
to the delivery of any legal activities, the Group Legal Director¹² will ensure the outsourcing of these
activities:
• Does not adversely affect the Legal Team's ability to comply with, or the SRA’s (or, if applicable,
the BSB’s) ability to monitor the Legal Team’s compliance with its obligations in the handbook;
• Is subject to contractual arrangements that enable the SRA (or, if applicable, the BSB), or its agent,
to obtain information from, inspect the records (including electronic records) of, or enter the
premises of the third party in relation to outsourced activities or functions;
• Does not alter the Legal Team’s obligations towards its clients;
• Does not cause the Legal Team to breach the conditions with which its lawyers must comply
in order to be authorised and to remain so;
• Requires completion of an eSRF; and
• Includes a process for effective oversight of the outsourced work such that the instructing
lawyer from the relevant Legal Team remains apprised of developments and is able (if
appropriate/required) to report key risks to SEG and/or the Board (in good time) to ensure
proper governance.
A ‘New Proposal Checklist’ is available under ‘Useful Links and Documents’ on the BAU
Legal Team's homepage on the intranet hub (accessible from the LCASR page) and this
should be considered by all Legal Team members. This checklist seeks to ensure that
any new proposal, such as introducing a new contract, product, service, or way of working
for Postmasters, takes into account the issues and findings from the GLO, HIJ, and
CIJ (to the extent they remain good law).
¹² Or the Interim Inquiry General Counsel, Public Inquiry Director and/or Remediation Unit Legal Services Director in the case of
externalised legal work relating to the Inquiry or Remediation Unit legal teams.
3. Risk Appetite Minimum Control Standards
3.1. Risk Appetite
Risk appetite and tolerance is the extent to which the Group will accept that a risk might happen in pursuit of day-to-day business transactions. It therefore
defines the boundaries of activity and levels of exposure that the Group is willing and able to tolerate.
The Group takes its legal and regulatory responsibilities seriously and consequently has:
• An averse risk appetite for statutory and regulatory requirements;
• An averse risk appetite for employment, pensions and associated disputes;
• An averse risk appetite for data governance and cyber security;
• A neutral risk appetite for contract and transaction management obligations;
• A neutral risk appetite for disputes and litigation (excluding GLO);
• A neutral risk appetite for intellectual property and brand related issues; and
• A cautious risk appetite for compliance and control environment issues.
The Group acknowledges, however, that in certain scenarios even after extensive controls have been implemented, a product or transaction may still sit outside
the agreed Risk Appetite. In this situation, approval from RCC and ARC will be required. If a risk falls outside this Policy, a Risk Exception will be required.
The Risk Appetite in respect of Remediation Unit matters is as set in the RU Enterprise Risks table (as amended biannually (or more frequently as requested)
for RCC and ARC).
3.2. Minimum Control Standards
A minimum control standard is an activity which must be in place in order to manage the risks, so they remain within the defined Risk Appetite statements. There
must be mechanisms in place within each Business unit to demonstrate compliance. The minimum control standards can cover a range of control types, i.e.
directive, detective, corrective and preventive, which are required to ensure risks are managed to an acceptable level and within the defined Risk Appetite.
The table below sets out the relationships between identified risk and the required minimum control standards in consideration of the stated risk appetite. The
subsequent pages define the terms used in greater detail:
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible
When
Legislative &
Regulatory
Requirements
and Contract
Management
The Group does not comply with
its contractual or regulatory
obligations.
Directive Control:
The Group has a suite of policies which along with
POL's risk and governance framework should
provide for a system of internal control for the
management of risk and adherence to key legislation
and regulations across the Group (Please refer to
Appendix 1%).
Directive Control:
The Board has delegated authority to each SEG
member to enter into contracts relevant to their
areas of management, with appropriate support from
the BAU Legal Team. Each SEG member is required
to monitor and report regularly on the contractual
and regulatory compliance in their areas of
management to the Board.
Directive Control:
The Company Secretariat Team maintains registers
of delegated authority to ensure contracts are
approved and signed by staff with sufficient authority.
Detective Control:
The Group Legal Director holds regular briefings
with the Heads of Legal in BAU Legal to identify
instances of actual or potential breach of contractual
Group Compliance
Director of Post Office
Limited
The Board
Company Secretariat
Group Legal Director
Ongoing
Ongoing
Ongoing
Ongoing
8 Appendix 1 sets out the key legislation and regulation applicable to POL as at the date of this Policy. The Law & Trends Forum monitors chang es to legislation and regulation and reports regularly
to the GC, RCC and ARC.
INTERNAL
Page 12 of 26
POL00460567
POL00460567
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible
When
and/or regulatory obligation in the business and
ensure remediation steps are taken promptly.
Preventative control:
The business maintains a schedule of mandatory
compliance trainings for all employees which
includes, for example: GLO, AML, ABC, and Modern
Slavery etc.
Preventative control:
The Group Legal Director creates a bi-annual risk
register that highlights key legal risks to the business.
Preventative control:
The Legal Teams review all notices issued by the
SRA and/or BSB periodically to ensure that they are
aware of them and can take them into account in
their interactions with the business and third parties
e.g. the SRA’s SLAPPs notice.
Corrective control:
The Group Legal Director reports to the RCC and
ARC instances of non-compliance and any
regulatory concerns or issues.
Corrective control:
Risk assessments must be undertaken and reported
to ARC where an issue is highlighted, an incident
occurs, or the regulations change.
People Team - L&D
Group Legal Director
Legal Teams
Group Legal Director
Business Team / Legal
Teams
Ongoing
Biannually
Quarterly
Quarterly
Upon a_ new
issue, incident, or
change
Contract
Management
The Group enters
into a
commercial agreement without a
legal risk assessment
undertaken.
being
Preventative Control:
New contracts must be approved in the Contract
Approval Process. This requires sign off from a
qualified lawyer to be logged in order to complete the
process.
Company Secretariat /
Legal Teams
Ongoing
INTERNAL
Page 13 of 26
POL00460567
POL00460567
Risk Area Description of Risk Minimum Control Standards Who is responsible When
Corrective control: Group Legal Director Quarterly
The Group Legal Director reports to the RCC and
ARC instances of non-compliance and any
regulatory concerns or issues.
Contract The Group is unaware of its I Preventative Control:
Management obligations under existing I The business maintains an online contract repository I Legal, Compliance & I Ongoing
contracts and is unable to fully I which contains a digital copy of contracts that the I Governance Operations
enforce its rights and obligations or I Group has entered into. The record for each contract I Director
acts in breach of contractual I includes space for the Contract Owner to note its key
provisions. terms.
Corrective Control:
The BAU Legal Team provides training to the I BAU Legal Team Ongoing
business under the LCG Academy to ensure non
legal colleagues are empowered to understand the
terms of existing contracts. They also provide:
(1) newsletters specific to key business areas
(financial services, retail etc) highlighting new
legislation and guidelines, which may impact the
Group's performance of its contracts.
(2) FAQ documents on key areas on the Legal
intranet site.
Training & I The Group is not aware of existing I Preventative Control:
adherence _to I or new regulations that the Group I New staff are required to complete mandatory I All staff Ongoing
Professional is subject to and acts in breach of I training which will highlight legal and regulatory risks,
Standards those laws and regulations. such as AML/CTF training, GLO, Speak Up and Mails
compliance training.
Directive Control:
Corporate policies have been created and will be I SEG Member Reviewed at least
maintained to provide a proper framework to ensure annually
compliance with key regulations.
Corrective Control:
BAU Legal Team Ongoing
INTERNAL Page 14 of 26
POL00460567
POL00460567
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible
When
The BAU Legal Team provides training to the
business under the LCG Academy to ensure non
legal colleagues are empowered to understand new
legislation and regulations. This includes the Law &
Trends forum, and newsletters specific to key
business areas (financial services, retail etc)
highlighting new legislation and guidelines.
Brand
Protection
The Group does not manage or
enforce its Intellectual Property
Rights (“IPRs”) resulting in
infringement or tarnishing of the
Post Office brand.
Preventative Control:
The Brand Team has implemented branding
guidelines for all staff and those 3° parties who have
permission to use the Group's IPRs.
Preventative Control:
The Brand Team maintains active IP registrations for
all trade marks required by the Group.
Corrective Control:
The BAU Legal Team takes action to assert the
Groups rights in its IPR when infringement is
identified. This may include issuing cease and desist
notices, challenging applications for registrations,
and court action.
Brand Team
Brand Team
BAU Legal Team
Ongoing
Ongoing
Ongoing
Dispute
Management
INTERNAL
Operational and strategic errors
may lead to financial losses and
significant time to resolve as well
as a lack of enforcement of the
Group's legal rights.
Detective Control:
Periodic checks of the court registers are completed
to identify whether claims have been issued against
the Group or the CEO but not yet been served.
Directive Control:
Business teams are not permitted to conduct
litigation without involving a member of the Legal
Teams.
Directive Control:
A Dispute Resolution manual has been developed to
ensure consistency in approach to litigation matters.
Page 15 of 26
BAU Legal Team
All staff
HOL- Dispute Resolution
Ongoing
Ongoing
Ongoing
POL00460567
POL00460567
Risk Area Description of Risk Minimum Control Standards Who is responsible When
It includes the Litigation Checklist setting out the
proper approach to legal claims which have been
served on the Group.
Preventative Control:
A receipt of proceedings process is in force to
ensure that notices received at the registered office I 140) _ Dispute Resoluti oO
or other main Post Office sites are forwarded to the ebiie Mesetven' I engens
BAU Legal Team.
The BAU Legal Team implements litigation hold
notices in the event of actual or anticipated court
proceedings to ensure that it can comply with its HOL- Dispute Resolution I Ongoing
disclosure obligations.
Risk Area: Legal Costs
Description of Risk: The Group is wholly owned by a Government Department. As such it is required to ensure that it manages its finances in line with managing public funds requirements, value for money requirements, and its PCR obligations.
Preventative Control:
The pipeline of work is reviewed by the Legal Teams regularly.
Who is responsible: Legal Teams / Business colleagues. When: Ongoing.
The Legal Operating Charter sets out the External Law Firm Policy. All external legal instructions must be routed through the in-house Legal Teams so that they manage the demand on legal services in the most strategic and cost-efficient manner. The external law firm must submit an eSRF for review and when deemed appropriate approval by the relevant Legal Team, and a Purchase Order Number must be raised by the relevant Legal Team.
Who is responsible: Legal Teams. When: Ongoing.
Corrective Control:
The Group Legal Director reports to the RCC and ARC instances of non-compliance and any regulatory concerns or issues.
Who is responsible: Group Legal Director. When: Ongoing.
Risk Area: Legal Teams
Description of Risk: The legal teams provide incorrect guidance or opinions to the business.
Directive Control:
The Legal teams have professionally qualified lawyers providing adequate coverage of key legislation and regulation applicable to POL.
Who is responsible: Legal Teams. When: Ongoing.
Directive Control:
The Legal teams have to adhere to professional standards and CPDs.
Who is responsible: Legal Teams. When: Ongoing.
Preventative Control:
The Legal teams have framework agreements in place with leading law firms for specialist advice and/or opinions.
Who is responsible: Legal Teams. When: Ongoing.
Risk Area: Legal Teams
Description of Risk: The business does not involve or by-passes the Legal teams or opinions provided.
Directive Control:
The Delegation of Authority approved by the Board clarifies the Legal Team's authority.
Who is responsible: Legal Teams / Business colleagues. When: Ongoing.
Directive Control:
The Legal Teams have direct access to ARC and the Board to highlight exceptions and/or where business decisions have not diligently considered legal opinion to the detriment of POL.
Who is responsible: Legal Teams / Business colleagues. When: Ongoing.
Risk Area: Legal Professional Privilege
Description of Risk: The Legal Teams and/or business fail to preserve the confidentiality of legally privileged materials.
Directive Control:
The Legal team have to adhere to professional standards and CPDs.
Who is responsible: Legal Teams. When: Ongoing.
Preventative Control:
The Legal team:
(1) marks all relevant advices and communications as “Confidential and subject to Legal Privilege” or a similar privilege marker.
(2) identifies circumstances where limited waiver or common interest privilege apply and acts accordingly.
(3) highlights to the business where advice or communications should not be shared with colleagues or third parties.
Who is responsible: Legal Teams / Business colleagues. When: Ongoing.
Preventative Control:
The Board requires that before any legally privileged materials are disclosed to the Inquiry unredacted (where these are not already subject to the Board’s existing grant of waiver of privilege for Inquiry purposes), the Inquiry Legal Team must identify all the legally privileged materials to the Board over which a waiver of privilege is sought and highlight any risks their disclosure to the Inquiry may present to the Group. Similarly the RU Legal Team identifies any proposed waiver of privilege to the Board, highlighting any risks associated with that waiver.
Who is responsible: Inquiry Legal Team. When: Ongoing.
4. Where to go for help
4.1. How to raise a concern
All Post Office staff are required to discuss with the relevant Legal Team or their Line Manager if they suspect that:
1. There are legal issues in respect of any business activity;
2. Someone has acted outside of the risk framework or in contravention of this Policy; and
3. A potential dispute or claim may occur.
Depending on the particular area, the Line Manager should contact the following in-house lawyer, copying in
the Group Legal Director:
• Head of Legal - Corporate, Banking and Financial Services for any issues arising in respect of Group Companies and Group structure including solvency issues, relationship with POL’s shareholder, Group funding and finance arrangements, issues arising in respect of the Financial Services (including banking products and FRES / foreign exchange) and Post Office Management Services Ltd business.
• Head of Legal - Retail for any issues arising in respect of the network (directly managed branches or agency branches) as well as Mails and Government Services. They are also the first point of contact for competition issues.
• Head of Legal - IT and Procurement in respect of all IT and Public Procurement issues and state aid issues.
• Head of Legal - HR and IR for any issues arising in respect of human resources or industrial relations.
• Head of Legal - Dispute Resolution and Brand Protection for any contentious issues arising across the business including those that could impact the Brand, such as issues with the Post Office trade mark.
• Head of Legal - Data Protection & FOI Law for any issues arising in respect of data protection compliance, potential data breaches, and Post Office’s management of freedom of information requests and information rights requests.
• Head of Legal - Inquiry in respect of all matters which may be relevant to the Post Office Horizon IT Inquiry's Terms of Reference or List of Issues or may otherwise potentially be of interest to the Inquiry.
• Remediation Unit Legal Services Director for any issues relating to the provision of redress to postmasters connected with the Horizon IT scandal, and supporting overturning the convictions of postmasters who were wrongfully convicted.
It is particularly important to involve the Legal Teams at an early stage as the communication between the Business and the Legal Teams may be legally privileged. Such communications will be treated as confidential.
4.2. Who to contact for more information
If you need further information about this Policy or wish to report an issue in relation to this Policy, please
contact the Group Legal Director: Sarah.I.Gray@
5. Governance
5.1. Governance Responsibilities
The Policy Sponsor takes responsibility at SEG level for policies covering their areas.
The Policy Owner is responsible for ensuring that the content is up to date and is capable of being executed.
As part of the review process, the Policy Owner needs to ensure that the minimum controls articulated in the
policy are working, or to identify any gaps and provide an action plan for remediation.
Additionally, the Policy Owner and the Group Compliance Director are responsible for providing appropriate
and timely reporting to the RCC and the ARC as required.
The ARC is responsible for approving the Policy and overseeing compliance.
The Board is responsible for setting the Group's risk appetite.
5.2. Definitions
ARC: Audit, Risk & Compliance Committee.
CIJ: Alan Bates and ors v Post Office Limited - Judgment (No.3) “Common Issues” - [2019] EWHC 606 (QB). The Common Issues judgment determined 23 issues relating to the contractual relationship between Post Office and its Postmasters.
GLO: Group Litigation Order made on 22 March 2017 by Senior Master Fontaine, referring to the group legal action brought by a group of former Postmasters against Post Office Limited, which resulted in the HIJ and CIJ.
Hamilton: Josephine Hamilton and Others v Post Office Limited [2021] EWCA Crim 577. The Court of Appeal quashed the convictions of 39 postmasters who had been convicted of crimes of dishonesty. The principal questions considered were whether the prosecutions were an abuse of process of the court and the convictions were unsafe.
HIJ: Alan Bates and ors v Post Office Limited - Judgment (No.6) “Horizon Issues” - [2019] EWHC 3408 (QB). The Horizon Issues judgment found that defects existed in the Horizon system and that it was possible for these to (1) cause discrepancies or shortfalls in branch accounts or transactions, and (2) to undermine the reliability of Horizon accurately to process and to record transactions.
Post Office or Group: Post Office Limited, Payzone, and Post Office Management Services Limited.
RCC: Risk & Compliance Committee.
Reserved Legal Activities: As defined in section 12 and Schedule 2 to the Legal Services Act 2007.
SEG: Strategic Executive Group.
Staff: Permanent employees, temporary staff including agency workers, contractors, consultants and anyone working for or on behalf of Post Office.
6. Document Control
6.1. Document Control Record
SUMMARY
Ben Foat | Sarah Gray | Ben Foat | RCC & ARC
Version | Document Review Period | Policy - effective date | Policy location
v2.0 | 2024 | July 24 | Key policies (sharepoint.com)
REVISION HISTORY
Version | Date | Changes | Updated by
1.0 | 18.06.2016 | 1st draft for new policy | Ben Foat
1.1 | 26.02.2017 | 2nd draft of policy following reorganisation | Ben Foat
1.2 | 22.06.2019 | 3rd draft following annual review | Ben Foat
1.3 | 16.12.2022 | 4th draft following GLO, incorporating risk appetites and tolerances, new policy requirements and specific controls for historic matters. | Sarah Gray
2.0 | 11.06.2024 | 1st review of Group Legal Policy following publication on 16 May 2024 | Kirsty O'Connor
2.1 | 27.06.2024 | 2nd draft of revised policy following reorganisation | Kirsty O'Connor
6.2. Oversight Committee: Risk and Compliance Committee / Audit and Risk Committee
Committee | Date Approved
POL RCC | 13/06/24
POL ARC | 23/07/24
POMS ARC | TBC
Next Policy Annual Review Date: July 2025
6.3. Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers 2154540 and 08459718
respectively. Registered Office: 100 Wood Street, London EC2V 7ER.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its Information Commissioners
Office registration number is ZA090585.
Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information Commissioners Office
registration number is 24866081.
Appendix 1 - Applicable Legislation and Regulation
Post Office has established a suite of policies, which are subject to annual review. The Policy suite is designed to combat non-compliance with key legislation and regulations.
The key Legislation and Regulations applicable to POL are listed below:
Postal Services Act
Data Protection Act ( & GDPR) and Freedom of Information Act (FOIA)
Modern Slavery Act
Equality Act
Immigration Act
Enterprise Act
Judicial Review
Regulation of Investigatory Powers Act (RIPA)
Re-use of Public Sector Information Regulations (ROPSI)
Proceeds of Crime Act
Financial Crime legislation (including AML & Counter Terrorism and ABC)
Public Contracts Regulations (PCR)
Reforming the Intermediaries Legislation (IR35)
Health and Safety at Work Act and various regulations
Environmental Protection Act, Planning and Property Acts
EU State Aid (SGEI)
Trade Unions and Labour Relations Act (TULRCA)
Competition Act
s.3 Small Business, Enterprise and Employment Act (payment practices reporting)
Criminal Finances Act
Employment Rights Act
Transfer of Undertakings (Protection of Employment) Regulations (TUPE)
Value Added Tax Act
Inquiries Act
Economic Crime & Corporate Transparency Act
Appendix 2 - Legislation and Regulation Matrix
Key:
SEG Member / Attendee who is accountable for the Group's compliance with the relevant legislation / regulation
Group CEO is also responsible for the Group's compliance with the relevant legislation / regulation
Material Legislation / Regulation | Business Area | Digital, Information and Technology | Legal, Compliance, Assurance, Secretariat and Risk | Commercial including Retail, FS, Marketing and Digital
Bribery Act 2010 | All | | |
Business Rates | Finance, Retail | | |
Communications Act 2003 | FS, Retail | | |
Competition Act 1998 | All | | |
Consumer Insurance (Disclosure & Representatives) Act 2012 | | | |
Corporate Manslaughter & Corporate Homicide Act 2007 | | | |
Criminal Finances Act 2017 | | | |
Data Protection Act 2018 & GDPR | All | | |
Digital Economy Act 2017 | Retail, Ops, IT, FS, Brand | | |
Economic Crime & Corporate Transparency Act 2023 | LCASR, FS, Retail, Ops | | |
Employment Rights Act 1996 | All | | |
Energy Acts Directives & Regulations (various) | Ops | | |
Enterprise Act 2002 (competition) | All | | |
Enterprise Act 2016 (pay cap) | All | | |
Environmental Legislation & Regulations | Health & Safety | | |
Environmental Protection Act 1900 | Health & Safety | | |
Equality Act 2010 | All | | |
FCA Code of Business Sourcebook (COBS / ICOBS) | FS, Retail | | |
Financial Services & Markets Act 2000 | FS, Retail | | |
Financial Services & Markets Act 2023 / FCA Handbook | | | |
Freedom of Information Act 2000 | LCASR | | |
Health & Safety at Work Act 1974 | All | | |
Immigration Act 2016 | People | | |
Intellectual Property Laws (various) | FS, Retail, IT, Brand | | |
Insurance Act 2015 | FS, Retail | | |
Inquiries Act 2005 | Inquiry | | |
Judicial Review | All | | |
Landlord & Tenants Acts | Property | | |
Law of Property Acts, Land Registration Act 2002; 2003 Rules | Property | | |
Modern Slavery Act 2015 | All | | |
Money Laundering Regulations 2017 | Retail, FS | | |
Ofcom's Conditions of Entitlement | FS, Retail, Brand | | |
Payment Services Regulations 2017 | FS, Retail | | |
Postal Services Act 2011 | FS, Retail, Strategy | | |
Proceeds of Crime Act 2002 | FS, Retail | | |
Public Interest Disclosure Act 1998 (whistleblowing) | All | | |
Public Contracts Regulations 2015 | All | | |
Reforming the Intermediaries Legislation (IR35) | People | | |
Regulation of Investigatory Powers Act (RIPA) | People | | |
Re-use of Public Sector Information Regulations | LCASR | | |
Small Business, Enterprise & Employment Act 2015 | Retail | | |
The Consumer Rights Act 2015 | FS, Retail | | |
The Payment Card Industry Data Security Standard | FS, Retail | | |
The Welsh Language (Wales) Measure 2011 & associated Regulations | Retail, FS, Brand | | |
Town & Country Planning Act 1990 and various others | Property | | |
Trade Unions & Labour Relations (Consolidation) Act 1992 (TULRCA) | People | | |
Transfer of Undertakings (Protection of Employment) Regulation 2006 (TUPE) | People | | |
Value Added Tax Act 1994 | Ops | | |
4 Please note: This Appendix does not refer specifically to the key findings and learnings from the Group Litigation Order (GLO), the Horizon Issues Judgment (HIJ), Common Issues Judgment (CIJ) and Hamilton Judgment as these areas are covered in the body of the Policy itself. However, it should be noted that Post Office Group treats these judgments as applicable to all business areas and central to how the business operates day to day. Each of the accountable roles shown above is expected to have a detailed understanding of the judgments and how they apply to their areas of the business.