Sub Postmaster Scandal is a prime example of the dangers of integrating new technical solutions to replace either legacy systems or manual workflows without proper review, control or regulation.
The lack of accountability, management bull-headedness and incorrect reconciliation processes all contributed to a scandal that has led to some very human consequences.
Some went to prison following convictions for false accounting; many faced financial ruin. Some have since died.
A public inquiry, expected to run for the rest of 2022, is examining the grave miscarriage of justice that took place and the SPMs wrongly convicted of fraudulent crimes.
The scandal’s fallout poses some interesting questions about how we can harness the benefits of technology to support existing systems & processes, ensuring their robustness and continue holding them accountable.
Things to consider include:
- What plans are in place to protect against technical failures?
- What measures exist to account for discrepancies or exceptions?
- How do you know that what the system displays are accurate and complete?
We’ll look into some detailed aspects of the scandal, examine where and why things went wrong, highlight reconciliation and process failures, and the lessons learned to prevent events like Horizon from happening in the future.
Sub Postmaster Scandal background: Post Office introduced Horizon into its network in 1999. The system, developed by the Japanese company Fujitsu was a Point of Sale (POS) system that focused on transactions, accounting and stocktaking tasks.
At the time of its introduction, Horizon was the biggest non-military IT project in Europe and could perhaps be considered a pioneer in the world of general management systems.
However, within a few weeks, SPM’s began filing numerous reports detailing computing errors.
A review conducted by Second Sight, a forensic accountancy firm in 2013, concluded that the system had roughly 12,000 communication failures per year. In addition to software defects at multiple branches.
Lack of communication and transparency fostered a culture where employees felt forced to correct issues themselves rather than have them resolved by POL or Fujitsu.
POL committed severe errors by failing to question the new system or legitimately investigate reports.
These would have been prevented had a proper reconciliation process to validate balances and investigate differences been implemented.
Scandal system failings: SPMs complained about bugs in the system after it reported shortfalls, some of which amounted to many thousands of pounds.
In 2019, a High Court judge ruled that Horizon was “not remotely reliable” for the first ten years of its existence.
The judge concluded Horizon was prone to throwing up errors that could and did affect individual SPM branch accounts (i.e., the premises being managed by the sub-postmaster).
One example of system error was reported in the Computer Weekly periodical in 2015. They reported an anonymous source who identified the Cash Writing Program as a possible cause of serious problems.
He explained that the developers warned POL about data corruption on the bespoke asynchronous communication system that sent messages between branches and the central Horizon set-up.
Horizon stored transaction and account data on each branch’s terminals. This data was then uploaded to a central database via Integrated Services Digital Network (ISDN).
The source said that part of the system did not work:
“The cash account was a piece of software that sat on the counter NT box, asleep all day, At the end of the day, or a particular point in the day, it came to life, and it ran through the message store from the point it last finished. It started at a watermark from yesterday and combed through every transaction in the message store, up until the next watermark.”
“A lot of the messages in there were nonsense because there was no data dictionary, there was no API that enforced message integrity. The contents of the message were freehand, you could write whatever you wanted in the code, and everybody did it differently. And then, when you came back three weeks later, you could write it differently again.”
The source provided an example of a message stored previously when a customer bought a stamp. It was feasible that a new message for buying a stamp weeks later could be slightly different.
“When the cash count came along, it found a message it was not expecting and either ignored it, tripped up, or added something it shouldn’t be adding,”
Four years later, former Fujitsu engineer Richard Roll wrote in a witness statement to the High Court:
“The issues with coding in the Horizon system were extensive. Furthermore, the coding issues impacted on transaction data and caused financial discrepancies on the Horizon system at branch level.”
The judge accepted Roll’s evidence. This suggests that the identified problems with Horizon were not dealt with by the time the system went live and rolled out to the POL branch network.
The Horizon Sub Postmaster Scandal poor management: It was apparent from the outset that POL viewed its SPMs relationship under a Master-Servant doctrine, instead of as an outsourcing partnership opportunity to the mutual benefit of both parties.
POL imposed their expectations on the SPM, assumed their position always correct, and took no responsibility for its actions in the relationship.
The first thing to consider was the contractual relationship between POL and the SPMs.
The contract, consisting of 114 pages, provided POL with a contractual right to seek recovery from SPMs for losses relating to branch accounts.
As noted in the 2013 Second Sight Report:
“The Contract transfers most of the risk of doing business to Sub postmasters”.
Secondly, POL management maintained for many years that Horizon was reliable.
Their position required the SPM to make good any shortfalls reported by Horizon, however inexplicable.
POL used and relied upon the Horizon data to establish that money was missing, i.e., an actual shortfall of cash held in the branch.
They treated the shortfall as caused by dishonesty, or at best carelessness, on the part of the SPM and demanded repayment.
POL’s stance was that it was up to an individual SPM to prove that a shortfall was not their responsibility: if the SPM could not do so, they would have to make good the shortfall.
However, the SPM had no contractual entitlement for investigative support when problems were identified, even though the onus was on them to disprove the discrepancy. There was no entitlement to retrieve data held by POL except for the data routinely made available to the branch by Horizon.
POL management did not look for flaws in its IT system. Instead, it accused SPMs of theft and fraud, pursuing convictions that led to criminal records, prison sentences and personal bankruptcies.
POL maintained this position even after internal documents from 2010 revealed acknowledgement of system bugs that would lead to questioning the integrity of Horizon’s balances. Still, these were never communicated to any SPM.
- Alter the Horizon branch figure remotely by Fujitsu at the counter to show the discrepancy, to which POL stated it was impossible when communicating with SPMs. The comment was:
“This has significant data integrity concerns and could lead to questions of ‘tampering’ with the branch system and could generate questions around how the discrepancy was caused. This solution could have moral implications of Post Office changing branch data without informing the branch.”
- Make journal entries between accounts and recover/refund via normal processes. The comment was:
“Could potentially highlight to branches that Horizon can lose data.”
- Don’t do anything and write off the loss centrally. The comment was:
“Huge moral implications to the integrity of the business, as there are agents that were potentially due a cash gain on their system.”
RECONCILIATION PROCESS FAILURES
Sub Postmaster Scandal process failures: The whole reconciliation process to validate and confirm positions was fundamentally flawed, with the following being of particular interest:
A key component of Horizon was taking a balance position at the end of every trading period.
The SPM was unable to access the system to record new transactions until the system was rolled forward. This could only happen when there was an agreed and matched position within Horizon.
Horizon calculated how much cash and stock should be held in the branch by capturing all transactions at a Branch.
The SPMs reported a daily declaration of the amount of the physical cash held at the branch
POL would process differences and unreconciled positions as Transaction Corrections (TC) in the back-office and post to Branch suspense accounts to ensure work could continue in the branch.
These differences would form the basis of claims made against the SPM.
Contractually, the onus was on the SPM to investigate and prove the legitimacy of any TC differences to POL.
The Trading Statement identified discrepancies between the physical money on hand and the figures generated by the system.
The SPM was required to make good any shortfall. This was done either by putting in their own money (“settling in branch”) or by asking for the sum to be deducted from their future income (“settling centrally”).
SPMs had no way to dispute Horizon’s figures within the system; instead they had to contact the POL Helpline.
POL controlled the Horizon infrastructure, including back-office accounting and reporting functions. Therefore, the SPM at the branch had little opportunity to investigate as there was only limited information available at any given time.
Examples of these limitations include:
- Data not being available even on the day of the transaction.
- Data that was at first open, but after 42 days (later extended to 60 days) no longer available.
- Horizon only produced at the end of the day an aggregate amount and volume for that day’s electronic transactions (i.e., settled by credit or debit card), therefore making it impossible for the SPM to match against specific transactions.
Rather than investigate, POL treated and recorded differences as undisputed debts if challenged through the Helpline by the SPM
POL saw their role only as assisting the Police by providing data in their investigations when pursuing SPMs for outstanding debt and suspected theft.
POL did not undertake any investigations as there was no financial incentive to do so, with the financial risk residing with the SPM.
sub postmaster scandal reconciled positions: The process of reconciling various third-party client accounts for partners such as Royal Mail and DVLA was fundamentally flawed. Accounts were either incorrectly calculated or unbalanced, with differences unexplained and not investigated.
As reported in the Second Sight 2015 Audit report,
“…in each of the financial years 2012, 2013 and 2014, amounts in excess of £100,000 were taken to the credit of Post Office’s P&L Account from their General Suspense Account.”
POL received payments (credits) from its business partners’ accounts and through electronic settlement for the sale of items that could not be matched within its POS system.
The only reasonable explanation is that the corresponding transaction had not been captured in Horizon. This should have raised a red flag.
Even if down to human error or system communication failure, the fact that there remained unmatched credit items should have raised questions about the integrity of the Horizon business system and initiated an investigation at the very least.
Interestingly, unlike the active pursuit of shortfalls (debit balances), POL did not routinely provide SPMs with information concerning these surpluses.
The Horizon Sub Postmaster Scandal Atm Issues: Although the various High Court cases and independent investigations identified numerous issues of incorrect processes and accounting issues, we will focus on the ATM process as just one example of the type of systemic process failures.
POL had substantial unreconciled ATM balances on its suspense accounts at the end of each year.
Second Sight reported that For FY 2014 , these unreconciled balances totalled over £160 million, representing transactions from individual branches in just the preceding six months.
The ATM Reconciliation Process
Reconciling ATMs revolves around ensuring that the physical cash residing within the device can be matched to the expected cash position as obtained from the ATM.
To calculate the expected cash position, a critical element of reconciliation is to correctly identify what data should be used. There are two types of data:
- ATM ‘Host’ data comprises information collected and communicated between the Bank’s core operating system and the ATM network, such as LINK in the UK.
This captures a summary of all transactions as recorded within relevant systems.
- ATM Counter data reflects the physical movement of Cash as captured by the device itself through its counter mechanisms.
This will capture all physical transactions (i.e., cash withdrawals) recorded by the ATM itself.
The Bank relies on (a) Host information to reconcile their position since this data matches individual transactions between the banking system and ATM network rolled up into a summarised overall total.
For anybody responsible for the physical replenishment of the ATM, as individual transactional information is not accessible, the focus should be on the (b) ATM counter data, which captures the physical cash movements within that particular device.
Both options should provide the same cash dispensed figure in normal circumstances, thus providing an exact expected cash position.
However, differences can arise if communication failures, mechanical issues, or theft (cyber and physical) result in a mismatch between the two.
This is a known problem within the ATM replenishment and reconciliation process, and is especially important different parties are involved.
The Post Office Process
SPMs needed to obtain figures from the ‘Bank Totals‘ receipt from their ATM and input this into Horizon in the Post Office process.
This procedure was fundamentally flawed because the SPM appeared to be inputting data into their branch’s Horizon system that the ATM Host had generated and not the ATM Counter data.
POL was matching the same data from the same source by using the ATM Host which had already been received by the Bank through the LINK network.
In other words, it was not a reconciliation.
Accordingly, only errors made by branch staff entering the ATM’s cash dispensed figures into Horizon would be detected.
The SPM was then held accountable for any shortfall if the ATM Host-generated cash dispensed numbers had, for some reason, been under-stated, and more cash was issued than reported.
As explained earlier, in contrast to other Banks and ATM operators, POL did not investigate material differences that arose.
As a result, not only was the POL reconciliation process not actually a reconciliation, there was little or no work done on reviewing or investigating imbalances. In any case, the SPM was held liable in all instances for any shortages.
The Horizon Sub Postmaster Scandal; What lessons can we take from this whole saga?
Test, Test & Test Again
Any system must be fit for purpose and this is particularly true when managing specific niche processes.
It is essential to test for contingencies and take time to test system robustness – there will always be issues that need consideration.
Horizon’s fundamental flaws were due to its rushed development, implementation, and roll-out.
In its haste to obtain an all-singing, all-dancing IT solution to meet its branch sales needs, POL failed to ensure the new system was robust enough to deal with existing branch processes.
Manage Change Better
People do not like change.
Change should be gradual and controlled, with sufficient training, guidance, and support provided throughout the process.
It is clear that POL did not provide adequate training to its SPMs, and its Helpline proved to be more of a hindrance than a help when dealing with disputed items.
It Must Benefit Everyone
The Horizon Sub Postmaster Scandal has shown any outsourcing/franchising arrangement should be to the mutual benefit of both parties. One benefits from cost savings, increased efficiencies and expanded reach, whilst the other has guaranteed revenues to generate profits.
When one party holds all the cards, takes all the benefits and works aggressively, the arrangement will ultimately fail.
By transferring all financial risk to the SPM and not providing an adequate support mechanism for investigating discrepancies, POL were ultimately the architects of their downfall.
Accept You May Be Wrong
For any relationship to succeed, involved parties must have mutual respect, trust, be open to compromise, and accept the possibility they may be wrong.
This is as true in business as it is in a personal relationship.
Despite clear evidence to the contrary, rather than accept the possibility there may be underlying system issues, POL management doubled down on its assertion of the integrity and robustness of Horizon by continuing to pursue debt and prosecute SPMs over many years.
If POL had accepted that Horizon was not infallible and identified system failures earlier, matters would not have escalated.
Reconciliation Is Important
The Horizon Sub Postmaster Scandal has taught us the importance of reconciliation. At its core, reconciliation is a fundamental way of confirming and validating an expected position.
Additionally, from a compliance perspective, a fully reconciled position provides all stakeholders with the accuracy and robustness of its accounting processes.
It is also a meaningful way to identify discrepancies or missing data that need further investigation.
The ATM reconciliation process demonstrates a lack of understanding of the fundamentals of balancing a position, and the significant number of unreconciled accounts should have alerted stakeholders that something was wrong.
It Will Catch Up with You
The Post Office is in the middle of a Public Enquiry. Its reputation is in tatters. This whole debacle will cost the UK taxpayer an estimated £1bn in compensation.
The Horizon Post Office scandal is a salutary lesson on the consequences of implementing a poorly developed and rushed IT system. Combine this with misunderstood business processes, a lack of robust reconciliation controls, and headstrong management; you will end up in a situation with significant financial and emotional ramifications.
For more information on the findings of the Post Office trials, please click this link.