RMG00000074 - Royal Mail Holdings plc - Audit & Risk Committee


Post Office Limited — Strictly Confidential

ARC(08)40
ROYAL MAIL HOLDINGS plc
AUDIT & RISK COMMITTEE

POST OFFICE LIMITED — POL RISK AND COMPLIANCE ISSUES

Purpose

1. At its last meeting, the Committee reviewed a summary of the report to POL’s Risk &
Compliance Committee and agreed to request that POL senior management attend
the November meeting of the Committee to report on the key issues for POL. The
purpose of this paper is to provide the Committee with a briefing on those issues in
preparation for the meeting.

2. At the meeting we will seek guidance from the Committee on what regular reports it
would like from POL in this respect.

Executive Summary

3. In August POL commissioned Deloitte and Touche to undertake a review of POL's
financial services compliance arrangements, including its approach to the FSA's
Treating Customers Fairly (TCF) theme. They have now presented their findings to
the POL ET and an implementation plan for their recommendations will be taken back
to the POL ET for approval on 10 November. Key findings to be addressed are:

* Conformance standards in the Network fall well short of those FSA looks for
and are not consistent with POL’s low risk appetite;

* POL may be over reliant on the Bank of Ireland to ensure that POL's interests
are protected;

* Work to embed POL's brand values of ‘fairer, easier, better’ will have gone a
long way to deliver FSA's TCF outcomes, but POL should undertake a
detailed gap analysis to be able to demonstrate that and identify any gaps.

The implementation plan will address all the issues raised and target the earliest
possible implementation dates. At a minimum POL will implement measures to meet
its TCF requirements and reduce its reliance on the Bank of Ireland. There are some
judgemental areas where POL will seek to exceed the minimum requirements for an
authorised representative without necessarily aspiring in the immediate term to the
level required for a fully authorised company.

4. FSA has challenged whether POL fulfilled TCF principles in launching the Post Office
Christmas Club as a product that is not covered by UK or Irish deposit protection
schemes, but which is targeted at ‘vulnerable’ consumers for whom, they argue, such
protection is essential. POL and the Bank of Ireland as provider do not believe that
we have breached any requirement or Principle and, fortuitously the Christmas Club
funds are now secured by the Irish Government guarantee of Irish bank liabilities.
FSA had sought to involve both HMT and DBERR in seeking to influence POL and
we have agreed that we will review the structure of the product to see whether we
can bring it within the scope of the Irish protection scheme beyond the expiry of the
guarantee.

5. BT Wholesale (BTW) have failed to live up to our expectations in delivering a fully
managed telecoms service for us. As well as damaging our brand and our
subpostmasters' confidence in promoting our telecoms products, failure by BTW has
meant that we are in breach of Ofcom requirements in relation to publication of
Quality of Service measures and accuracy of call metering and billing. An Internal
Audit review completed in August had an ‘improvement required’ rating. We have
reorganised our teams to ensure that we manage BTW more effectively and are
agreeing with BTW action plans to address remaining problems. We will be pursuing
redress from BTW for failure to meet SLAs and for any lost income from billing
failures.

6. POL's forecast for losses from controls and compliance failures for 08/09 is £17.25m.
That is broadly in line with previous years and with our plan for this year, but within
that losses through physical crime (robberies etc) are down whilst discovery of
subpostmaster fraud is up. The latter is in part down to more focussed audit and
investigation but we think this trend will also be driven by the deteriorating economic
conditions. We have also identified new levels of losses in some products. Errors by
branch staff in calculating travel insurance premiums have led to POL needing to
refund up to £615k to customers. Fraud levels on Post Office Savings Stamps had
reached £200k per month — corrective action has reduced this to £60k and further
steps are being taken to provide a permanent solution (e.g. card based product).
Unacceptably high levels of ‘stock adjustment’ transactions by subpostmasters have
been identified as a means of creating an artificial accounting cash surplus — whether
intentionally or not. Manual corrections are being processed pending a long term
system solution.

7. The POL Network Efficiency Programme has been established in response to the
recognised need to achieve a step change across all aspects of branch conformance
and compliance. Key elements of 08/09 activity - undertaken with a view to a
significant improvement in performance in 09/10 - are the introduction of

* a clear standard index of conformance and compliance throughout the
business; and
* a revised tough but fair consequences policy.

8. Following POL ET's review of POL's Top Risks the following risks have been added:

* POL runs out of cash - e.g. where cheques are not despatched quickly on
receipt by branches POL will not receive proceeds to enable it in turn to settle
with product owners on a timely basis. These difficulties were experienced
during the recent October launch of a Post Office Growth Bond;

* POL does not secure funding for post 2011 — this is now on the critical path as
there is a minimum two year lead time based on our experience of agreeing
and obtaining funding including EU clearance.

Detailed Report

9. In the Annex attached to this summary is a more detailed explanation of all of the
points covered above.

Peter Corbett
Finance Director
Post Office Limited
November 2008


Annex A

POST OFFICE LIMITED — POL Risk and Compliance issues: Detailed report

Index

1. Financial services compliance arrangements (paragraphs 1 — 7)
2. Treating Customers Fairly (paragraphs 8 — 10)
3. Post Office Christmas Club (paragraphs 11 — 15)
4. Telephony (paragraphs 16 — 21)
5. Losses (paragraphs 22 — 26)
6. Network Efficiency (paragraphs 27 — 32)
7. Top Risks (paragraphs 33 — 38)

1. Financial services compliance arrangements

1. POL’s role as distributor rather than provider of financial services has purposefully put
POL in the position that it should be able to rely on product providers as principals to
take responsibility for regulatory compliance in respect of their products and services
in most instances. Following this model, the Bank of Ireland (the bank) takes
regulatory responsibility for POL's compliance with FSA requirements for activities
regulated by FSA i.e. intermediation in relation to General Insurance and investment
products. Arranging bank savings products is regulated by the Banking Code
Standards Board and POL must follow the bank's instructions about the way in which
these products are introduced to customers to ensure that the bank remains
compliant with the Code requirements. A Regulatory Guidance Manual issued by the
bank to POL is intended to provide clarity for POL about what it can and cannot do
when dealing with customers.

2. NS&I are not regulated by FSA but are also a voluntary signatory to the Banking
Code and NS&I look to POL, through their contract with us, to enable them to meet
their obligations under the Code.

3. For bureau de change and money transmission services, POL itself is directly
accountable to HM Revenue and Customs (HMRC) for compliance with anti-money
laundering statutory and regulatory obligations. And POL has recently become a
signatory to the Banking Code and a voluntary participant in the Financial
Ombudsman Scheme in respect of its bureau de change and Postal Order services.

4. Whether fulfilling indirect or direct obligations, POL's strategic objective to build a
viable financial services business, and its reputation and brand values are put at risk
by non compliance. To ensure that POL is correctly positioned to manage these
compliance risks, we commissioned Deloitte & Touche to undertake a review of the
adequacy of our financial services compliance arrangements both against regulatory
requirements in relation to POL’s role as distributor, and against standards reflecting
industry best practice in compliance.

5. Key findings from the Deloitte review, as presented to POL ET in September, in
respect of regulatory responsibilities were that:-

* whilst policies and standards are appropriate, the levels of conformance with
compliance requirements in the POL branch network are generally
significantly short of those that FSA would look for; and
* allocation of some aspects of regulatory responsibilities between POL and
product providers is not documented in agreements with those providers.

In respect of industry good practices, they noted that:-

* there appeared to be an acceptance of levels of non conformance that were
inconsistent with POL’s stated low risk appetite;

* the frequency of audit in branches is low with a large proportion of branches
not likely to receive a compliance audit where they are perceived to be low
risk;

* MI for line managers about compliance is not put in context with other
business indicators; and

* the Compliance Department does not have a role in areas where a
compliance function in an authorised firm would have a strong involvement,
including the allocation and fulfilment of senior management responsibilities or
prudential ‘systems and controls’. These are areas that are largely driven by
FSA's Principles for Business as distinct from rules directly applicable to
POL's activities.

Deloitte also suggested that POL should consider whether reliance on the Bank of
Ireland for compliance guidance is the best strategic positioning for POL. They said
that TCF provides an example where the bank's and POL’s interests may not be
wholly aligned. They also said that POL should consider segmentation of the branch
network to differentiate between those outlets that do a level of business that would
justify greater investment in training and other controls to ensure adequate
compliance and those that do not. We should consider reducing risks by restricting
the product and service offering in the latter type of branch.

POL ET accepted that it should address all these issues. An implementation plan to
address Deloitte's recommendations is being developed at the time of writing and will
be put to POL ET for approval on 10 November. This plan will give priority to
addressing issues relating to directly applicable responsibilities and will ensure
alignment of POL's strategic programmes (see comments below on Network
Efficiency) and other initiatives with the actions necessary to address Compliance
gaps.

2. Treating Customers Fairly

FSA has given a high profile over recent years to its retail theme of Treating
Customers Fairly. This theme was a response by FSA to mis-selling ‘scandals’ in
which firms put their own interests ahead of those of their customers. The FSA has
set a deadline of the end of December this year for authorised firms to be able to
demonstrate that they are meeting its required ‘outcomes’ and that they are treating
customers fairly. The Bank of Ireland is accountable for ensuring compliance, where
the requirements are relevant to POL's role as distributor of FSA regulated products.
The bank has worked through the Post Office Financial Services (POFS) joint venture
to meet FSA's requirements in respect of the POFS products. Through the
Regulatory Guidance Manual it controls how we deal with customers, the bank
approves all customer facing material and internal training material and its approval is
required for all product development. We understand that in its reviews of the bank's
TCF work, FSA has not challenged any aspect of the bank's approach in relation to
POL’s activities.

In commissioning Deloitte we asked that they review, in the context of meeting
industry best practice standards, whether POL would meet FSA's broader TCF
requirements for authorised firms. They concluded that the POL initiative to embed
‘Fairer, Easier, Better’ as brand values in all that POL does, was likely to also meet
many of FSA's expectations in relation to TCF. They recommended that:

* the alignment between FEB and TCF should be documented and any gaps
identified and addressed to ensure that POL could demonstrate culturally
embedded consideration of fairness for customers in senior management
decision making;

* TCF values should be reinforced through inclusion of specific TCF/FEB
objectives within the performance management process;

* new MI should be developed to better evidence TCF/FEB delivery; and

* controls over customer experience in Post Office branches should be
strengthened to improve product knowledge and reduce risks that advice is
given.

10. Actions to address these recommendations will be included in the implementation
plan for the Deloitte review.

3. Post Office Christmas Club

11. POL launched its Post Office Christmas Club in January this year and received strong
support from Government Ministers and from consumer groups concerned with easy
access to safe Christmas savings schemes. This followed the failure of the Farepack
hamper company scheme. The product is provided by Bank of Ireland cross border
from Ireland and is structured as an E-money card rather than as a bank savings
account. As such it falls outside the coverage of either the UK or the Irish deposit
protection schemes. The security of having funds held by a major bank was seen as
a strong feature of the scheme and we believed that the E-money card was the only
economically viable product we could offer that provided good payment features for
customers. The current average balance on cards (i.e. at the point just before they
can be spent) is less than £100 and the maximum saving is £1000. The absence of
protection in the unlikely event of the Bank of Ireland defaulting was explained in
terms and conditions and repeated immediately adjacent to the customer's signature
box on the application form.

12. FSA do not regulate any aspect of the provision or sale of this product in the UK.
However, earlier this year their retail policy team raised a number of questions about
the product and how it was structured, focussing solely on the issue of protection
coverage. Their concern was said to be that under TCF Principles it was not
appropriate for POL to have designed a product that was aimed at ‘vulnerable’
customers that did not benefit from protection of funds at every stage. We responded
to their questions and in September agreed to their requests that we should consider
whether the product could be restructured on a viable basis, to bring it within the Irish
Deposit Protection Scheme and if not to give a greater prominence in leaflets to the
lack of compensation cover. Whilst we do not believe that POL or the bank are in fact
in breach of any legislative or regulatory requirement or that FSA has any jurisdiction
in relation to this product, we none the less felt that it would not be appropriate to risk
confrontation with FSA.

FSA — with support apparently from HMT — then told DBERR that it was still not
satisfied and that it was formally considering whether or not it should itself publicise
the weakness (in its view) of the scheme under the broad umbrella of fulfilling its
statutory objectives in relation to consumer protection. They asked DBERR to pass
this message to POL. DBERR did so but with a strong message of its own to FSA
that DBERR did not regard this as an appropriate matter for them to be getting
involved in. We arranged to meet FSA directly to address their remaining issues.


14. Before that meeting took place the Irish Government announced its scheme to
guarantee the obligations of a number of Irish banks including Bank of Ireland. Advice
from the bank was that the guarantee would cover E-money funds. In our subsequent
discussion with FSA they agreed that so long as the guarantee remains in place, they
would regard the funds as secure and that they did not propose further action unless
and until that changed. We restated that we were in any case seeking guidance from
the Irish Deposit Protection Scheme to enable us to identify what changes could be
made to the structure of the Christmas Club to bring it within the scope of the
protection scheme.

15. We are now progressing those discussions with the Bank with a view to introducing
any changes from the relaunch of the scheme for 2009.

4. Telephony

16. POL’s HomePhone and Broadband products are provided by BT Wholesale (BTW)
as a ‘managed service’. BTW undertake end to end activities including customer
facing call centres and application processing, servicing and complaints handling and
billing. There are comprehensive service level agreements and non-compliance
penalties in POL's contracts with BTW. However, BTW has struggled to deliver
appropriate standards in many areas since the transfer of this business to them in
November last year, resulting in poor service to our customers, breaches of
regulatory requirements and damage to confidence in the products in our branch
network. POL believes that BTW have been on a steep learning curve and we have
tried to work with them to prioritise actions and focus on delivering service standards
for our customers. But we recognise that POL has also not tackled BTW in the most
effective way. An Internal Audit review of the management of BTW's delivery of this
service for POL reported in August with an ‘improvement required’ rating. The most
significant issues from that report are included below.

17. POL’s management of the relationship with BTW has been split across Marketing and
Operations functions within POL resulting in a risk of duplicated activities and of poor
communication between the two areas. This has now been addressed and all
relationship management activities and accountabilities are now focussed on the
Operations team. At the same time work is underway to rationalise the MI received by
POL, to ensure that it is able to identify and address key issues more effectively.

18. Regulatory breaches have occurred because BTW has failed to meet Ofcom
requirements for publishing audited quality of service measures showing standards of
handling of new customer set ups, fault reports, complaints and other customer
service activities. External audits of the accuracy of data collected by BTW for these
measures have been failed each quarter since last November, putting POL in breach.
These failures originate in weaknesses in BTW’s systems, training and controls that it
has been seeking to resolve, but we are now looking to the improved focus of our
relationship management activity to give this area higher priority for BTW.

19. Similarly Ofcom sets externally audited standards that larger providers must meet in
relation to the accuracy of call metering and billing and POL should have met those
requirements from the end of the last financial year. BTW have experienced difficulty
managing the HomePhone billing systems and POL has had to work with them to
manage down the number of customers who have not been billed for services. This
work has been following an agreed plan that will mean that the number of bills that
have been held up for any reason is less than 2000 at any one time from early 2009.
POL has been working with the British Standards Institution to gain approval for
BTW’s metering and billing systems and they and Ofcom are aware of our progress
on these issues.

20. As POL is accountable to Ofcom for the regulatory breaches, we have kept Ofcom
informed of the issues we have experienced since BTW took on the provision of our
telecoms services and we do not believe that, in respect of either the quality of
service or billing requirements, they are contemplating any form of investigation or
other action. However they have commented about the high level of calls they
receive from our customers about billing problems and if we fail to deliver on
reductions in the number of unbilled customers, they may feel that there is a case to
investigate.

21. Under our contracts with BTW, they are responsible for financial losses that arise
from billing failures and there will be instances where we have not been able to bill
older call charges and line rental because Ofcom limit the period we can bill for. We
intend to pursue settlement from BTW for this lost income and where possible for
penalties on service level failures.

5. Losses

22. POL incurs losses from controls and compliance failures in its activities through:

* Robberies and burglaries in branches and attacks on cash in transit

* Fraud and theft against POL by customers, staff and subpostmasters

* Transaction Processing errors in branches including cheque collection

* Stock mis-management and write offs of unsaleable stock

* Bad debts on telecoms products

In 08/09 we currently expect these items to amount to £17.25m. That is broadly in line
with recent years and the overall level of losses has proved difficult to reduce. Some
loss types are influenced by external factors — for example we anticipate that
recession in the UK economy and contraction of bank lending will increase the
likelihood of subpostmaster fraud — others are the result of weaknesses in product
design or accounting processes that facilitate fraud or make processing errors more
likely.

Crown Office losses were £2.2m last year and an initiative has been underway since
the start of this year to achieve a 25% reduction this year. This has included
implementing in September a revised Losses and Gains policy requiring branch

Subpostmasters can commit fraud by inflating cash, stock or cheques values to hide
theft. POL’s first line of defence is its branch audit team. To the end of period 6 this
year, branch audit had identified £4.2 million of accounting discrepancies in 633

Analysis of subpostmaster fraud has shown that the risk is greatest in the first five
years of an appointment and within the Network Efficiency Programme (see below) a
number of initiatives are being developed to improve the effectiveness of vetting and
monitoring of the credit worthiness of subpostmasters, the support by way of

recovery against subpostmaster losses, utilising powers to confiscate assets under
the Proceeds of Crime Act. £1.2 m has been recovered to date this year in this way
and an additional accredited Financial Investigator has been taken on to boost
resources to prosecute and recover

26. Product specific loss issues:

* Stock adjustments: Branches perform some 3 million stock adjustment
transactions a year. In almost all cases this is an inappropriate way of
correcting accounting records. They are typically using the “other postage”
icon in Horizon for ease to account for other things and then attempting to
reverse that out by doing a “stock adjustment”. The three prime reasons are:

  * booking in stock from Swindon — but using “stock adjustment” instead
  of the “stock remittance” icon;
  * reversing sales entries — again using “stock adjustments” instead of
  the reversals icon; and
  * stock quantity errors — e.g. booking in rolls of 1,000 stamps as 1,000
  rolls.

A stock adjustment transaction will change the reported cash position on
Horizon and branches may be using this transaction to fraudulently
manipulate cash balances or may merely have been surprised to find Horizon
telling them that they have a cash surplus.

Transaction corrections are being processed going back over the last 3
months to recover funds from branches and POL has stepped up its controls

the impact of these ‘adjustments’ on our accounting to them for sales of mails
products. The cost to POL this year is estimated at £1.2m.

* Savings stamps: POL's Savings Stamps product is paper based, with
branches selling £5 savings stamps that customers then attach to a card and

recently stepped up their checking of these returns and have reduced
discrepancies from inflated claims or failure to return stamps from £215k to

needs more effectively.

* Travel insurance refunds: POL discovered earlier this year that there was
around a 6% error rate in branch calculations of travel insurance premiums.
Data identifying these errors had been in POL's hands for over two years and
concerns had focussed on the possibility of recovery of undercharges from
subpostmasters, but some 50,000 customers had been overcharged in the

far paid out £375k. Calculations will be automated through Horizon from mid
November which should remove the risk of this error in branches. Costs of

writing off of both under and over charges and remedial action are likely to
exceed £2m.

* Post Shop: POL has taken the decision to focus its Post Shop offering on
stationery and mails related products and to drop the much wider range of
electrical and other products. This will involve write downs in values this year
currently estimated at £1.7m. Where possible old stock is being sold back to
suppliers but much will be disposed of as having no value.

6. Network Efficiency

27. POL has over 45,000 people working at counters in over 12,000 branches. Over
three quarters of those are employed by someone other than Post Office Limited and
in circumstances where we have little control over their competence and skills. To

little if any experience of running a retail outlet or of managing a small business. POL
has traditionally accepted that the level of non-conformance that this gives rise to is a
cost of running our business. We have carried the costs of writing off small value

of having more cash held in branches than is necessary, of settlement delayed
because branches have held on to cheques and of course of complaints to our
customer care teams about service in branches.

28. To deliver our 2011 objectives we cannot ignore the potential savings from driving up
conformance and, equally we need to ensure that failure to meet statutory and
regulatory requirements does not threaten our ability to deliver sales and income.
FSA, Ofcom and HMRC all have powers to require us to stop sales activities and will
do so were they to find that we have systematically failed to meet their standards.

29. To tackle these challenges we have established a cross functional programme as
part of POL’s 2011 Strategic Programme with the objective of optimising benefits
from conformance improvements and achieving a step change in branch

30. POL does not currently have a single measure or index of all aspects of branch
conformance. We have in the last two years established a ‘regulatory’ Network
Compliance Scorecard that incorporates numbers from branch audit activity,
compliance mystery shopping and monitoring of all over £5k bureau de change
transactions for identification compliance. A single regulatory compliance basket
measure is calculated from the Scorecard, but that measure does not pick up other
broader conformance measures such as the number of branches exceeding their
expected cash holdings or the number of transaction corrections. The Network
Efficiency Programme will address this to create a new composite measure that can be
used by Network line managers to focus efforts on failing branches and track
improvement.

31. POL typically has between £400m and £600m in cash held at branches at any time.
This is inflated when additional one off benefits payments are being made and is
currently being pushed up by the roll out of ATMs and an extension of bureau on
demand branches. A number of specific activities have already been undertaken to
drive reductions in Overnight cash holdings (ONCH). These have included improving
management of cash in ATMs, where we are seeking a reduction of £25m in ONCH

economy generally have given rise to a number of new or refocused risks being
identified in the latest review.

POL has long recognised the risk that industrial action by union members in branches
or in management could damage POL's delivery of services to customers and its
brand. The pay settlements in 2007 should have reduced this risk, but a number of
issues may re-emerge over the next year. In particular, RMG's plan to fulfil the ‘Safe
Net’ service themselves will create 150 redundant posts in POL's Cash in Transit
business and could lead to industrial action. And if inflation remains higher than

POL's five year plan to 2011 called for significant growth in sales across the new
product areas of financial services and telecoms products. In some product areas —
particularly in savings even before the inflow of funds in October — we had done well

objectives of the 2011 plan we will have to fill gaps through new income streams from
developments in other areas, such as new identification validation products, or
through greater cost savings (see below) and we remain confident that we can
achieve the planned outcomes.

target. Further savings are expected to be delivered through efficiency savings in
Network and Cash in Transit costs and POL has done well in the recent past on
delivering cost objectives. However, reliance on cost cutting to hit plan objectives is
becoming increasingly difficult and budgets for 09/10 may have to incorporate lower
headcount targets across the business. Inflation pressures on costs, in particular staff
costs, would exacerbate this issue as will increased pension contributions by POL.

38. POL's current funding agreement with Government lasts until March 2011. Based on
our experience of the length of time taken to reach agreement and obtain approval,
and the extreme impact of failure to do so, POL ET agreed that this should be added
to our Top Risks. Modelling of what may be required will be undertaken in this quarter
with a view to developing a strategic approach before the end of this financial year.

END