Post on 08-Feb-2020
transcript
Project Spice
Summary Report for UK Asset Resolution
Limited
Dated 11 July 2013
Deloitte LLP
2 Hardman Street
Manchester
M3 3HF
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013
Important Notice
This Summary Report has been prepared by Deloitte LLP for UK Asset Resolution Limited in
accordance with our engagement terms and on the basis of the scope and limitations set out
below. It has been prepared solely for the purposes of assisting UK Asset Resolution Limited
in connection with its investigation into errors identified in annual statements and arrears
notices issued by Northern Rock (Asset Management) Limited (formerly known as Northern
Rock plc). It should not be used for any other purpose or in any other context, and Deloitte
LLP accepts no responsibility for its use in either regard.
This Summary Report is provided exclusively for use by UK Asset Resolution Limited. No
party other than UK Asset Resolution Limited is entitled to rely on this Summary Report for
any purpose whatsoever and Deloitte LLP accepts no responsibility or liability to any party
other than UK Asset Resolution Limited in respect of this Summary Report or its contents.
This Summary Report and its contents do not constitute financial or other professional advice
and specific advice should be sought about your specific circumstances. To the fullest extent
possible by law, both Deloitte LLP and UK Asset Resolution Limited disclaim any liability
arising out of the use (or non-use) of this Summary Report and its contents, including any
action or decision taken as a result of such use (or non-use).
All copyright and other proprietary rights in this Summary Report remain the property of
Deloitte LLP, with Deloitte LLP reserving its rights to the fullest extent possible by law.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013
Glossary of abbreviationsAnnual Statements Statements issued (or to be issued) to customers annually in line with the
requirements of the CCA 2006
Arrears Notices Collective name for the NOSIA and SNOSIA
B&B Bradford & Bingley plc
BRD Business Requirements Document
CCA The Consumer Credit Act, used to refer collectively to the Consumer Credit
Act 1974 and its successor legislation, including the Consumer Credit
Regulations used to implement the Consumer Credit Act
CCA 1974 The Consumer Credit Act 1974
CCA 2006 The Consumer Credit Act 2006, including the Consumer Credit (Information
Requirements and Duration of Licenses and Charges) Regulations 2007
(being the secondary legislation which specifies the form and content of the
various statements and notices that were introduced in the Consumer Credit
Act 2006)
Deloitte, we, us Deloitte LLP
New Northern Rock Gosforth Subsidiary No 1 Ltd, later renamed Northern Rock plc and
purchased by Virgin Money
NOSIA Notice of Sums in Arrears, a document which, under the CCA 2006, must be
provided to customers who are in arrears
NRAM Northern Rock (Asset Management) Limited
OFT Office of Fair Trading
Old Northern Rock Northern Rock plc until the company was divided on 31 December 2009
Project Spice The project name given to the internal review undertaken by UKAR and
subsequently adopted as the project name for the investigation undertaken
by Deloitte
Project Spice Issues Collectively, the errors in Annual Statements, NOSIA and SNOSIA
SNOSIA Subsequent Notice of Sums in Arrears, a document which must be provided
to customers who are still in arrears, having been first provided with a NOSIA,
under the CCA 2006
SoR Statement of Requirements
Standalone Products Unsecured lending products administered by a third party services provider
Three Lines of
Defence Risk
Management Model
First Line: Business line management
Second Line: Compliance and Risk Management Functions
Third Line: Internal Audit
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013
Transitional
Arrangements
The arrangements under the Consumer Credit Regulations implementing the
CCA 2006 for the non-provision of certain information that would otherwise
be required, subject to the provision of disclosure on the nature of the
information omitted and the provision of the omitted information to customers
on request
UKAR UK Asset Resolution Limited
UKAR Legal The combined NRAM and B&B legal teams
Virgin Money Virgin Money plc
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 1
Introduction
1. On 22 February 2008, following a ‘run on the bank’, shares in Northern Rock plc were
transferred into public ownership under the Banking (Special Provisions) Act 2008.
With effect from 1 January 2010, Northern Rock plc was divided into two new entities.
One entity assumed the name Northern Rock plc and took certain assets and
liabilities with the objective of creating a well-capitalised, deposit taking, mortgage
providing banking organisation. The remaining assets and liabilities were retained by
the original legal entity, which was re-named Northern Rock (Asset Management)
Limited (“NRAM”).
2. In July 2012, errors were identified in the notices of sums in arrears (“NOSIA”) and
subsequent notices of sums in arrears (“SNOSIA”) (collectively, the “Arrears Notices”)
issued by NRAM on certain of its Consumer Credit Act (“CCA”) regulated products.
Having discovered the initial errors, UK Asset Resolution Limited (“UKAR”), the
holding company for the government investment in NRAM, initiated an internal
review, called Project Spice, which confirmed the errors in the Arrears Notices,
identified further errors in the Annual Statements1 and determined that the errors
were historical in nature, dating back to the time before Northern Rock plc was
divided. UKAR has also taken steps to remediate customers affected by the errors.
3. At the request of UKAR, Deloitte LLP (“Deloitte”, “we” and/or “us”)2 commenced work
on 26 November 2012 to undertake an investigation into events surrounding the
errors that had been identified in the Arrears Notices and Annual Statements
(collectively, the “Project Spice Issues”). Although the Deloitte engagement is
separate from the internal review, for expediency we have adopted the internal
project name of Project Spice.
1 Defined as statements issued (or to be issued) annually to customers under the requirements of the CCA 2006 (asdefined in paragraph 3iii).
2 Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Deloitte LLP is the UnitedKingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee,whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for adetailed description of the legal structure of DTTL and its member firms.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 2
4. Our Summary Report, which should be read in conjunction with the Important Notice
page, is set out as follows:
Section Paragraph
Scope of our work 5 to 7
Background 8 to 22
Work carried out and limitations 23 to 29
Overview of key events 30 to 32
Circumstances which led to the documentary errors noted in the
CCA 2006 Annual Statements and Arrears Notices
33 to 41
Deficiencies in the systems and controls processes which allowed
these errors to occur
42 to 46
Oversight arrangements in place in relation to the CCA 2006 at the
time the Project Spice Issues originated
47 to 59
Events since CCA 2006 implementation which ought to have
resulted in the errors being identified earlier
60 to 74
Escalation of errors to become Project Spice 75 to 76
Knowledge of the issues within UKAR at the point of acquisition of
NRAM
77
Concluding on functional responsibility for the identification and
rectification of the Project Spice Issues
78 to 89
Assessment of the control environment at the point of UKAR being
established and as at 31 December 2012, to understand whether
deficiencies still exist and whether the Project Spice Issues could
still occur under the current framework
90 to 100
Scope of our work
5. Our work has been divided into two phases, described below. Phase One sought to
establish (as far as possible from the information available):
i. the circumstances which led to the errors comprising the Project Spice
Issues;
ii. the nature of any deficiencies that could be identified in the systems and
controls processes which allowed these errors to occur in the first place;
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 3
iii. the oversight arrangements which were in place in relation to the Consumer
Credit Act 2006 (“CCA 2006”) at the time the errors occurred; and
iv. whether any events, since the time the errors occurred, ought to have
resulted in the errors being identified earlier.
6. Phase Two comprised:
i. consideration of whether any apparent deficiencies in the control environment
(as identified in Phase One) ought to have been identified at an earlier date;
and
ii. an assessment of any such deficiencies against the control environment
present within UKAR at the point UKAR was established and at
December 2012, to ensure that any control deficiencies have been
appropriately addressed.
7. In addressing the points in paragraph 6 above, Phase Two was to include:
i. an assessment of the functional responsibilities in place in relation to CCA
2006 compliance from the period when the errors occurred to
December 2012;
ii. a conclusion on which functions had an element of responsibility for
identification and rectification during this period;
iii. an assessment of the control environment at the point of UKAR being
established and as at December 2012, to understand whether the
deficiencies identified still exist and if the errors could still occur under the
current framework; and
iv. an identification of any improvements to the systems and controls and
recommendations.
Background
8. The scope of our instructions covers an extended period of time, during which what
was originally Northern Rock plc has undergone a series of changes. On
22 February 2008, its shares were transferred into public ownership under the
Banking (Special Provisions) Act 2008. For expediency, in this Summary Report, we
have adopted a naming convention for Northern Rock plc and its successors, namely:
Old Northern Rock, New Northern Rock and NRAM:
i. Old Northern Rock – Northern Rock plc until 31 December 2009, when it was
divided into New Northern Rock and NRAM;
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 4
ii. New Northern Rock – initially called ‘Gosforth Subsidiary No 1 Limited’, and
later renamed Northern Rock plc. New Northern Rock took certain assets
and liabilities, with the objective of creating a well-capitalised, deposit-taking
and mortgage-providing bank with the intention of returning this to the private
sector in due course and recovering value for the taxpayer. New Northern
Rock was acquired by Virgin Money plc (“Virgin Money”) on 1 January 2012;
and
iii. NRAM – Northern Rock (Asset Management) Limited, the same legal entity
as Old Northern Rock, which retained the remaining assets and liabilities not
transferred to New Northern Rock. On 1 October 2010, NRAM came under
the control of UKAR.
Changing corporate structure of Old Northern Rock and its successor organisations
9. Figure 1 below summarises the changes to the corporate structure of Old Northern
Rock (that is, the original Northern Rock plc) and its successor organisations during
the period considered by Project Spice.
Figure 1 – Corporate structure
Introduction of the CCA 2006
10. The Consumer Credit Act 1974 (“CCA 1974”) provided the legislative framework for
the provision of unsecured lending to the general public. It has been implemented by
a number of pieces of secondary legislation which provide detailed requirements for
the provision of unsecured credit.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 5
11. The CCA 2006 received Royal Assent in March 2006 and came into force in
April 2007, although many of its requirements were not implemented until 2008. The
CCA 2006 amended the CCA 1974, but did not wholly replace it. The form and
content of the various statements and notices introduced by the CCA 2006 are
governed by the Consumer Credit (Information Requirements and Duration of
Licences and Charges) Regulations 2007, which came into force in stages between
6 April 2008 and 1 October 2008.
12. The CCA 2006 introduced new requirements for lenders, which included the provision
of certain post-contract transparency information (the Arrears Notices and default
notices) and the provision of Annual Statements, both containing certain required
information and prescribed wording.
13. In this Summary Report, references to the CCA should be viewed as referring to the
CCA 1974 and/or the CCA 2006 and their related implementing regulations (for
example, the Consumer Credit (Information Requirements and Duration of Licences
and Charges) Regulations 2007). This terminology is used where it is necessary to
refer to the CCA as a continuing set of requirements, which have changed over time,
rather than to the CCA 1974 or CCA 2006 specifically.
Project Spice Issues
14. We understand from the legal team at UKAR (“UKAR Legal”, being the combined
NRAM and B&B legal teams) that the Project Spice Issues include, for unsecured
loan products regulated by the CCA:
i. the Annual Statements include neither the original amount borrowed nor the
Transitional Arrangements3;
ii. the omission from the Arrears Notices of prescribed wording drawing the
reader’s attention to the copy of the current Office of Fair Trading (“OFT”)
arrears information sheet. It is also unclear whether the OFT arrears
information sheet was provided to customers in arrears; and
iii. a number of other omissions or amendments to prescribed wording.
15. We understand that the omission of the original amount borrowed is the primary
reason for the remediation process that UKAR is currently undertaking. The
remediation process is outside the scope of our work.
3 Concessionary arrangements, which we have termed the “Transitional Arrangements”, under which lenders arepermitted to omit certain information that would otherwise be required (including the amount of credit originallyprovided) from the Annual Statements as long as they disclose the nature of the information that has been omittedand state that they will provide it to customers, free of charge, on request. The Transitional Arrangements areavailable to lenders until 2018.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 6
16. The scope of our work does not include giving any views on the completeness of the
CCA issues identified by UKAR Legal or on UKAR’s or NRAM’s on-going compliance
with the CCA.
Products involved
17. A number of different products administered by Old Northern Rock have been
affected by the Project Spice Issues.
18. The administration, collections and customer service function relating to a number of
standalone unsecured loan products was outsourced to a third party services
provider. In response to a Ministerial statement provided to Parliament on
11 December 2012 and press reports in December 2012, UKAR announced publicly
that the standalone unsecured loans were not affected. We have been advised that
these are the loans administered by the third party services provider (the “Standalone
Products”), and which are, therefore, not included in the scope of Project Spice.
19. In the course of our investigation, we have sought to understand how the Standalone
Products came to comply with the CCA 2006, while the loans administered by Old
Northern Rock and/or NRAM themselves did not.
Internal review
20. In July 2012, UKAR initiated a process called Project Spice, which by early
September 2012 had identified a number of errors in the prescribed wording and
information included in the Annual Statements and Arrears Notices provided to
customers in respect of certain unsecured loan products regulated under the CCA
2006.
21. The internal review identified the nature of the errors and quantified the size of the
anticipated cost of customer remediation (including compensation / repayment of
interest and other charges and the costs of the remediation exercise itself). The
internal review also provided preliminary conclusions on the events surrounding the
Project Spice Issues, including how they had arisen.
Engagement of Deloitte
22. Deloitte commenced work on 26 November 2012 to investigate the Project Spice
Issues. As noted in paragraph 3 above, although the Deloitte engagement is
separate from the internal review, for expediency we have adopted the internal
project name of Project Spice.
Work carried out and limitations
23. In overview, we have sought to obtain relevant information from the following sources:
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 7
i. hardcopy material held in archive facilities by UKAR, by third party archiving
suppliers on UKAR’s behalf or by Virgin Money;
ii. electronic material retained by UKAR and by third parties on UKAR’s behalf
and electronic information relating to Old Northern Rock and New Northern
Rock retained by Virgin Money;
iii. additional requests for specific information from UKAR;
iv. information retained by other third parties, primarily professional advisors;
and
v. interviewing individuals still working for the UKAR group of companies
(NRAM and B&B4) who work or have worked on Old Northern Rock or NRAM
related matters and individuals formerly employed by Old Northern Rock or
NRAM, some of whom are now employed by Virgin Money.
24. In performing our work, we have searched 200 boxes of archived material, identified
1.1 million electronic documents for electronic review, manually reviewed
approximately 83,000 electronic documents and interviewed 26 individuals.
25. It should be recognised that, as with any investigation, our findings draw upon the
hardcopy and electronic material that have been reviewed by us, along with
information and explanations that have been provided to us by individuals through
fact-finding interviews. In this instance, the Project Spice Issues that we have
investigated span a number of years and involve different organisations, with
ownership of the relevant entities being initially wholly in the private sector and now
split between UKAR and Virgin Money. Whilst we have collected a significant amount
of material, these aspects have resulted in some limitations on our access to
information outside of UKAR’s control and to individuals who are no longer in UKAR’s
employ.
26. This Summary Report summarises our findings based on work performed up to
20 May 2013. It is in the nature of investigations of this type that we cannot rule out
the possibility that, had further work been conducted, our findings might have been
different or that we may have identified additional matters that may have warranted
inclusion in this Summary Report. In addition, this Summary Report provides only a
summary of our findings, and does not set out the detailed aspects of our work.
27. This Summary Report should not be construed as expressing opinions on matters of
law. However, it necessarily reflects our understanding of the legal issues affecting
Project Spice.
4 As noted in Figure 1 at paragraph 9 above, B&B is also under the control of UKAR.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 8
28. For the purposes of this Summary Report, and in line with normal practice in
investigations of this nature, save where we have been able to corroborate
information, we have had to assume that the documents or other information
(including electronic material and comments by interviewees) available to us are
reliable. In addition, our investigation was heavily dependent on the co-operation and
honesty of the people to whom we spoke. While we have sought to compare
information provided by interviewees with available documentary evidence, this has
not always been possible. We are aware that the information we have received may
not be complete. Where possible, we have sought to identify additional information to
supplement our knowledge. There may be instances where the information we have
received is incomplete or inaccurate that we are not aware of and we have therefore
had to rely on the information available. This Summary Report should be considered
in that light and we cannot accept any liability for our findings being prejudiced
through provision of incomplete or unreliable information or material.
29. In addition, the extended time period covered by Project Spice, together with the
organisational changes to which Old Northern Rock, NRAM and UKAR have been
subject over the period of the review, impact on the availability of individuals (as well
as documentation). As such, there are a number of individuals to whom we would
otherwise have spoken, but with whom we have not been able to make contact.
Overview of key events
30. Figure 2 shows an overview of certain key events relating to the implementation of
the CCA 2006, the potential opportunities for the Project Spice Issues to be identified
and resolved sooner and the eventual response to those issues.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 9
Figure 2 – Overview of key events
31. In July 2012, issues were identified in respect of the inclusion of wording prescribed
under the CCA 2006 in Arrears Notices documentation. During the course of
establishing the extent of these issues, further issues were identified with the Annual
Statements.
32. Following an internal review and quantification of the financial implications of the
issues by UKAR, Deloitte was appointed to conduct an in depth investigation, with our
investigation adopting the internal project name of Project Spice. The issues
referenced in the previous paragraph are referred to as the Project Spice Issues in
this Summary Report.
Old
North
ern
Rock
Old
North
ern
Rock
New
North
ern
Rock
UK
AR
(NR
AM
)N
RA
M
NR
AM
UK
AR
(NR
AM
)
New
North
ern
Rock
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 10
Circumstances which led to the documentary errors noted in the CCA
2006 Annual Statements and Arrears Notices
33. The implementation of the changes required by the CCA 2006 appears to have been
managed through the production of ‘bible’ documentation setting out the new
requirements. Two sets of requirements documentation were produced, one set
(including four separate documents) for Old Northern Rock products (the Old
Northern Rock Statement of Requirements - “SoR”) and one document for the
Standalone Products (the Third Party Business Requirements Document - “BRD”).
Annual Statements
34. The Old Northern Rock SoR for Annual Statements reflected the Project Spice
Issues, including the erroneous assertion that the amount of credit was only required
for loans completed on or after 1 October 2008. The Annual Statements SoR was
drafted by a member of the Business Services team, although it appears to have
drawn heavily on information provided by others, notably a summary of the CCA 2006
requirements prepared by the Old Northern Rock legal team in April 20075.
35. Either from the outset or at some stage in the drafting of the Annual Statements’ SoR,
information regarding the Transitional Arrangements was omitted, leading to the
erroneous understanding that the amount of credit was only relevant for loans drawn
down on or after 1 October 2008.
36. The Annual Statements’ SoR was reviewed by at least one member of the Old
Northern Rock legal team. It is our conclusion that this review failed to identify the
error in the SoR in respect of the amount of credit, despite raising other comments at
the relevant time on the related paragraph of the SoR. Two members of the Old
Northern Rock legal team appear to have been involved in the implementation
process, with one taking primary responsibility for the Old Northern Rock SoR and the
other for the Third Party BRD.
37. When interviewed, members of the Old Northern Rock legal team commented that
the responsibility for ensuring compliance with the CCA 2006 did not rest solely with
their team and that other people involved in the sign-off of the SoR could have
confirmed the SoR, either to the regulations or to the summary of the regulations
which was produced by a CCA expert in the Old Northern Rock legal team in April
2007. However, based on our interviews, the consensus outside the Old Northern
Rock legal team was that the legal team was responsible for the technical legal
content of the SoR.
5 This Summary Report refers to, but does not quote, the prescribed wording in relation to the TransitionalArrangements.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 11
38. While the Third Party BRD was reviewed by an external legal advisor in
November 2007, we have not seen any evidence to suggest that any of the Old
Northern Rock SoR were reviewed by external legal advisors. However, as the
requirement in relation to the amount of credit was correctly reflected in the Third
Party BRD before this external legal review was conducted, this difference in process
cannot in our view be said to have been the only difference between the Third Party
BRD process and the Old Northern Rock SoR process which led to the Old Northern
Rock Annual Statements being different in terms of their compliance with the CCA
2006.
39. There appears to have been no comparison performed of the Third Party BRD with
any of the Old Northern Rock SoR, despite product similarities and despite the two
lawyers who appear to have been primarily responsible for reviewing the BRD and
the SoR for compliance with the CCA 2006 working in the same team.
Arrears Notices
40. The Old Northern Rock SoR for Arrears Notices reflected some of the related Project
Spice Issues, although the prescribed wording in relation to the OFT appears to have
been accurately reflected in the SoR. We understand from UKAR Legal that the
omission of the OFT wording is a key issue in respect of the legislative compliance of
the Arrears Notices.
41. We have not been able to ascertain when the prescribed wording in relation to the
OFT information sheet was removed from the Arrears Notices. However, as part of
the internal review, UKAR Legal examined a SNOSIA dated January 2009 in which
the prescribed wording was omitted.
Deficiencies in the systems and controls processes which allowed these
errors to occur
42. While there appears to have been a review process in place at Old Northern Rock
which might have been expected to identify and resolve the Project Spice Issues,
there appears to have been some confusion over who held ultimate responsibility. It
is unclear whether anyone actually took responsibility for comparing the completed
SoRs to the requirements of the CCA 2006 directly.
43. Those individuals who might reasonably have been expected, based on their
knowledge, experience and area of responsibility, to have identified the Project Spice
Issues did not do so.
44. There appears to have been insufficient formality and project management in relation
to the CCA 2006 implementation, including a lack of formal external legal sign-off on
relevant documentation.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 12
45. We understand from individuals who worked for Old Northern Rock at the time, that
the period in 2008 when the CCA 2006 was implemented was one characterised by
significant uncertainty and management stretch within Old Northern Rock. The
inference that we draw from their comments in interview is that the uncertainty
affected the performance of individuals and may have contributed to the apparently
poor project management around the CCA 2006 implementation.
46. In addition, the failure to compare the Third Party BRD and the Old Northern Rock
SoR allowed a different application of the CCA 2006 to persist between the two
groups of unsecured loan products. Had this comparison been performed, we
consider that the Project Spice Issues, in particular the omission of the amount of
credit (which we understand is the primary basis for the remediation exercise
currently underway), would likely have been identified and hence resolved at an
earlier time.
Oversight arrangements in place in relation to the CCA 2006 at the time
the Project Spice Issues originated
47. Oversight responsibility for the implementation of the CCA 2006 does not appear to
have rested with one individual or department. Old Northern Rock Business Services
were responsible for writing the Old Northern Rock SoR for Annual Statements and
for Arrears Notices. However, the responsibility for ensuring technical compliance
does not appear to have rested with them.
48. The Old Northern Rock SoR documents were signed off by individuals from a number
of different departments, including Old Northern Rock Legal, Mortgage
Communications, Mortgage Review and Personal Secured Lending Marketing, and
Key Facts Illustration Content.
Corporate governance
49. The governance structure within Old Northern Rock consisted of the Board, along
with a number of sub-committees to which the Board delegated authority in line with
governance practice widely accepted within the industry. Oversight of risk issues was
delegated in full to the Group Risk Committee. Compliance with the CCA 2006 was
specifically included within the definitions of regulatory risk and legal risk.
50. Oversight of the wider system of internal control was delegated by the Board to the
Audit Committee.
51. Management of risk within Old Northern Rock was ultimately the responsibility of the
Executive Committee, which established the Operational Risk and Compliance
Committee to focus on the management of several risks, including regulatory risk and
legal risk.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 13
52. Old Northern Rock established a number of working groups to act as forums for
discussing and managing various matters in relation to the CCA 2006. These
working groups existed outside of the formal governance structure. It has not been
possible to determine the interaction of these working groups with the formal
governance structure or indeed between the different working groups because they
lacked formality. Often, the roles of the working groups were unclear, with no defined
terms of reference, reporting lines or management information requirements. The
working groups did not identify the Project Spice Issues, thereby failing in what
appears to have been a significant element of their remit.
Old Northern Rock legal department
53. There were a number of changes to the organisational structure of the Old Northern
Rock legal team during the period when the CCA 2006 was being implemented.
However, the individuals with specific responsibility for CCA compliance appear to
have remained the same, notwithstanding changes in their reporting lines. We have
not seen any evidence to suggest that the line managers of those individuals with
CCA expertise reviewed either the Old Northern Rock SoR or the Third Party BRD.
Executive oversight
54. The CCA 2006 implementation project had both an executive sponsor and a project
lead, both of whom were relatively senior line managers within Old Northern Rock.
As noted in paragraphs 44 and 47 above, there was a lack of clearly defined roles
and project governance in relation to the CCA 2006 implementation project.
Responsibility for establishing a clearly defined project would typically rest with
executive management.
Internal Audit
55. We have not seen any evidence that Internal Audit was asked to sign-off on the Old
Northern Rock SoR for either Annual Statements or Arrears Notices. The distribution
lists included in the SoR for Annual Statements and SoR for the Arrears Notices do
not include anyone in the Internal Audit function. In our experience, it would not be
unusual for Internal Audit not to be asked to approve documents like the Old Northern
Rock SoR before implementation.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 14
56. In addition, we understand that Internal Audit would not have effected a comparison
of the wording of the Annual Statements and Arrears Notices to the CCA 2006 in any
event (either at the time of implementation if they had been asked to review the Old
Northern Rock SoR or in later audits). Internal Audit’s terms of reference appear to
have included reviewing systems to ensure compliance with law and regulations
between January 2008 and January 2009, although we have not identified any
evidence of Internal Audit’s involvement in CCA compliance (either with the CCA
2006 or with historical compliance to the CCA 1974) within this period. We
understand that Internal Audit did not consider that CCA compliance was a major risk
in 2008 or 2009.
57. We have not evaluated the role of external audit. Our investigation has revealed no
instances of the work of the external auditors being linked with the Project Spice
Issues.
Compliance
58. We have not seen any evidence that the Old Northern Rock Compliance team was
asked to sign-off on the Old Northern Rock SoR for either Annual Statements or
Arrears Notices. The distribution lists included in the SoRs for the Annual Statements
and the Arrears Notices include an individual from the Compliance team, but “for
comment” only. We have not identified any evidence that the individual reviewed
either SoR or raised any comments on them.
59. Documentation from late 2008 identified by our investigation suggests that the
Compliance function had responsibility for ensuring regulatory and legal compliance
(although, as we discuss in paragraph 90 below, there appears to have been some
uncertainty about the exact remit of the Compliance function), but that the
Compliance function could be assisted by other functions, such as the Old Northern
Rock legal team.
Events since CCA 2006 implementation which ought to have resulted in
the errors being identified earlier
60. Between the implementation of the CCA 2006 in 2008 and the commencement of the
internal review leading to Project Spice in July 2012, a number of opportunities arose
for the Project Spice Issues to come to prominence and be resolved. For clarity, we
have sought to identify the prevailing corporate structure at the time of each of these
incidents. However, there are some events that straddle a change in corporate
structure.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 15
Old Northern Rock (October 2008 to December 2009)
61. Between the implementation of the CCA 2006 in 2008 and the business being split
into New Northern Rock and NRAM on 31 December 2009, a number of events
occurred, which in different circumstances, may have given rise to the Project Spice
Issues being identified earlier.
62. In July 2008, questions were raised by a member of the Mortgage Communications
team over the absence of the amount of credit in the Old Northern Rock Annual
Statements. The question was put to members of the Old Northern Rock legal team,
although we have not identified a response, nor can the members of the Old Northern
Rock legal team that we interviewed recall the email correspondence. Based on
notes of advice received from the legal team earlier in the implementation phase, but
without contemporaneous guidance from the legal team, the Mortgage
Communications team eventually came to the erroneous conclusion that this was not
problematic.
63. It is not clear to us why the CCA experts consulted appear not to have responded to
the question raised by Mortgage Communications with the Old Northern Rock legal
team. Neither was able to recall the email when questioned. Had the query raised by
Mortgage Communications been answered appropriately, the Project Spice Issues
may have been identified before the deadline for CCA 2006 implementation
(October 2008).
64. In July 2009, a member of the Old Northern Rock legal team was asked to review the
Arrears Notices. This review correctly identified that the wording relating to the OFT
information sheet had been omitted (one of the Project Spice Issues) from the
SNOSIA. However, when revised documents were provided to the same member of
the legal team as part of the same review process in August 2009, the fact that this
issue had not been rectified was neither identified nor escalated.
65. In August / September 2009, issues were identified with the default notices relating to
both Old Northern Rock products and Standalone Products. The issues affecting the
default notices were resolved by March 2010 (by which time NRAM and New
Northern Rock were separate legal entities). In March 2010, in response to the issues
with the default notices, a member of the Old Northern Rock legal team confirmed
that the CCA related documentation (including the NOSIA and SNOSIA) had been
reviewed and deemed them to be compliant, even though they appear not to have
been.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 16
66. It is not clear to us whether the Annual Statements were included in the review
conducted by the Old Northern Rock legal team in March 2010. Had this review
included the Annual Statements and identified the related Project Spice Issues, or
those related to the NOSIA and SNOSIA, the Project Spice Issues might have been
escalated and resolved earlier. However, this would have required that both the
Project Spice Issues were identified and that their implications were understood
sufficiently to trigger an escalation process.
NRAM before UKAR’s period of ownership (January 2010 to September 2010)
67. On 31 December 2009, effective from 1 January 2010, Old Northern Rock divided
into two separate businesses, namely New Northern Rock and NRAM. On
1 October 2010, NRAM became a wholly owned subsidiary of UKAR.
68. The issues affecting the default notices referred to in paragraph 65 above remained
unresolved when NRAM was established. A regular six-monthly review of all CCA
documentation (which might have been expected to identify the Project Spice Issues)
was instituted in June 2010, although we have only found evidence that one review
took place. The first review appears to have begun in August 2010, with examples of
CCA related documentation being sent for external legal review. The results of the
external legal review were received after NRAM had become a subsidiary of UKAR.
NRAM controlled by UKAR (October 2010 onwards)
69. UKAR assumed control of NRAM on 1 October 2010. We understand that this
process was not a traditional acquisition and the shareholder and the majority of the
Board were unchanged. The process was more akin to a change of management,
and hence not subject to due diligence procedures.
70. In December 2010, as part of the external legal review that was initiated in
August 2010 (see paragraph 68 above), email comments were received on a number
of CCA 2006 related documents for both the Standalone Products and the Old
Northern Rock products, including the Annual Statements and the Arrears Notices.
The comments provided identified many of the Project Spice Issues. However, we
note that the external legal comments correctly identified the omission of the amount
of credit from the Annual Statements, but did not identify the absence of the
alternative wording of the Transitional Arrangements6, nor the consequences of these
omissions.
6 Concessionary arrangements under which lenders are permitted to omit certain information that would otherwise berequired (including the amount of credit originally provided) from the Annual Statements as long as they disclosethe nature of the information that has been omitted and state that they will provide it to customers, free of charge,on request. The Transitional Arrangements are available to lenders until 2018.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 17
71. The comments from the external legal review were provided to the NRAM legal team.
However, while the relatively minor amendments required in respect of the
Standalone Products appear to have been initiated in July 2011 and completed in
August 2011, those comments that were made in respect of the Old Northern Rock
products were not implemented.
72. In August 2011, the existence of the external legal comments was recorded on an
issues log which had been put in place to manage CCA related issues. The
importance of the CCA related issues was not made clear in the issues log. The
implications of these issues would not have been obvious to anyone unless they had
read the original comments from December 2010 and had a reasonable
understanding of the CCA 2006.
73. In September 2011, during the initial stages of an IT transformation project, the
omission of the amount of credit from the Annual Statements was correctly identified
as an issue, initially by a member of the IT department and later confirmed by a
member of the legal team. It appears that those involved did not consider or
understand the possibility that this may have been a historical issue, rather than an
opportunity to correct documents being developed during the IT implementation in
2011.
74. We consider the sequence of events that occurred in August and September 2011 to
be the actions of individuals who did not appreciate the significance of the errors at
the time, rather than the deliberate suppression of the errors, and conclude that the
events did not constitute a material breakdown of UKAR controls.
Escalation of errors to become Project Spice
75. In July 2012, an IT error was identified which had caused some information to be
omitted from certain customer documentation. In order to determine the extent of the
issue, a review of a sample of documentation was undertaken and this led to the
identification of the Project Spice Issues.
76. In our view, the escalation in July 2012 flowed from the clear recognition of the
seriousness of the issues involved. In this respect, it would appear that July 2012
was the first instance when the full historical implications were first considered in
relation to the Project Spice Issues. It may also be of relevance that the individuals in
UKAR Legal to whom the Project Spice Issues were initially raised in July 2012 were
different from the individuals involved in both the implementation of the CCA 2006
and in subsequent events.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 18
Knowledge of the issues within UKAR at the point of acquisition of
NRAM
77. Paragraphs 61 to 68 above identify a number of events where the Project Spice
Issues were known to certain individuals up to and at the time of the transition to
UKAR ownership. We have not identified any evidence to indicate that the Project
Spice Issues were known by or escalated to senior management, or the UKAR or
NRAM Boards, prior to July 2012.
Functional responsibilities in place within UKAR and its predecessor
legal entities in relation to CCA 2006 compliance
78. We have identified a number of relevant functional areas in the course of our work,
comprising: Legal Services; Compliance; Internal Audit; Risk Management; and the
overall corporate governance structure.
79. We consider that functional responsibility for ensuring compliance with CCA
legislation was not clearly or consistently defined during the period from the
implementation of the CCA 2006 requirements until 31 December 2012. Framework
documents, policies and terms of reference relating to the on-going responsibility and
provision of assurance over legal risks, such as CCA 2006 compliance, were
sometimes unclear.
Old Northern Rock and NRAM before UKAR control
80. We understand from the documents we have reviewed that, in the period prior to the
formation of UKAR, the Legal Services function was pivotal in identifying and
implementing new and changing legislation, including the CCA 2006 amendments. It
was the Legal Services function’s responsibility to provide technical input into CCA
matters as they had the technical knowledge of the legislation and the Old Northern
Rock (later NRAM) legal team included lawyers with specific CCA expertise.
81. Various operational departments, including Debt Management, were responsible for
managing customer documentation (such as the Annual Statements and Arrears
Notices) on a day-to-day basis once the implementation of the CCA 2006 was
complete.
82. In common with normal industry practice, the Three Lines of Defence Risk
Management Model operated within Old Northern Rock and NRAM during the
relevant period, and continues to operate within UKAR. It comprises: operational
front line departments, including Debt Management managing customer
documentation on a day-to-day basis (first line); Compliance and Risk Management
(second line); and Internal Audit (third line).
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 19
83. As part of its second line responsibilities in the Three Lines of Defence Risk
Management Model, the Compliance function was responsible for monitoring the
controls in place in relation to regulatory risk, but it is unclear whether this included
responsibility for monitoring controls in place in relation to legal risk. The
documentation we have identified is inconsistent on this point. Our investigation has
identified independent reports highlighting that the compliance framework required
improvement to the focus and the formalisation of compliance monitoring activity.
84. The Internal Audit function (a third line of defence activity under the Three Lines of
Defence Risk Management Model) was responsible for monitoring the system of
internal control, including those controls relevant to ensuring compliance with
legislation (such as the CCA 2006). The work of the Internal Audit function was
focused on areas identified as key net risks by the business at a time when CCA
compliance was not identified as a significant risk. Internal Audit concentrated on the
effectiveness of key controls, rather than accuracy of customer level documentation.
85. Whilst the Board and executive level committees had overall responsibility for the
business, they were reliant on the management information received from the
business through individuals, working groups and assurance functions. We have not
identified any evidence that the Project Spice Issues were reported to the relevant
committees.
NRAM controlled by UKAR
86. The Legal Services function maintained its role in relation to the implementation and
communication of emerging legislation within UKAR. It was responsible for the
provision of technical advice in relation to CCA matters. The Legal Services function
employed lawyers with specific responsibility for CCA and the advice of external legal
counsel was sought, albeit apparently on an ad hoc basis. The Legal Services
function was required to provide input into all relevant projects and controls were in
place to ensure this input was sought and obtained.
87. Under UKAR, the Compliance function is responsible for the oversight of regulatory
risk, but in practice has no remit to monitor any legal aspects, such as CCA 2006,
that are included within the broader definition of regulatory risk. The interaction
between different risk management and policy documents in terms of responsibility
for monitoring the controls in place in relation to some aspects of regulatory risk
would benefit from some further clarification.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 20
88. The Internal Audit function within UKAR is responsible for monitoring the system of
internal control, including those controls relevant to ensuring compliance with
legislation (such as the CCA 2006). We have been informed that Internal Audit
planning focused on areas identified as key net risks and approved by the Audit
Committee, which did not include CCA compliance. Again therefore, the work of the
Internal Audit function has concentrated on the effectiveness of key controls, rather
than accuracy of customer level documentation, which was not considered to be a
significant risk area.
89. Whilst the UKAR Board and executive level committees have overall responsibility for
the business they are reliant on the management information received from the
business through individuals and the various working groups. We have not identified
any evidence that the Project Spice Issues were reported to the relevant committees
prior to July 2012, when the prescribed escalation process was followed.
Concluding on functional responsibility for the identification and
rectification of the Project Spice Issues
90. CCA 2006 compliance was not considered a key net risk (taking into account both the
underlying risk and the mitigating factors believed to be in place) by the business until
the Project Spice Issues were identified in 2012. There was reliance on the Old
Northern Rock legal team having advised correctly when the CCA 2006 was
implemented. In addition, reliance was placed on the Old Northern Rock legal team
to escalate and manage the on-going risk of non-compliance with the CCA 2006.
The evidence indicates that the initial advice was not correct and Legal Services did
not appreciate the significance of the on-going risk regarding CCA compliance.
91. We have sought to identify what responsibilities for assurance work existed within
UKAR and within its predecessor entities (Old Northern Rock and NRAM), and the
scope of such work. Some of the documentation available, in particular legal risk and
regulatory risk policy documentation, suggests that, at times (primarily under Old
Northern Rock and NRAM), the Compliance function may have had some
responsibility for legislative assurance, alongside its traditional regulatory assurance
and guidance role. However, it is clear that this was never the primary focus of the
Compliance function, and is not within the remit of the Compliance function under
UKAR. Our interpretation of the UKAR terms of reference for Compliance is that the
Compliance function does not have responsibility for legislative (including CCA 2006)
compliance and its work reflects this.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 21
92. As is common practice in the industry, the Legal Services function did not, in the
normal course of its work, undertake retrospective reviews of legislation or assurance
activities over business documentation. Reliance was placed instead on the quality
of the initial process of implementation to ensure legislative requirements had been
met. This continued to be the case from the implementation of the CCA 2006 until
well after NRAM came under UKAR’s control.
93. The front line departments, such as Debt Management, seem to have consistently
recognised that compliance with legislation was a risk, but lacked the technical
expertise to undertake independent checks. This is apparent in the limitations of the
risk and control self-assessment work undertaken. Reliance was placed on the initial
input of the Legal Services function during the implementation phase to ensure
documentation was compliant.
94. The broad scope of the Internal Audit function suggests that CCA legislation would be
within the scope of its activities. However, we understand that CCA compliance
would only have formed part of the work of Internal Audit if it was considered a
significant risk to Old Northern Rock (later, NRAM or UKAR). Compliance with the
CCA 2006 was not considered a significant risk either before or after UKAR took
control of NRAM and was therefore not part of the Internal Audit focus.
95. From 2008 onwards, the Risk function has been seeking to embed risk management
in the business, albeit we note that this process has been impacted by the
organisational and ownership changes affecting the business. The risk framework
was reviewed and updated and the risk and control self-assessment has been rolled
out across the business. The Risk function itself appears to have had no
responsibility for CCA legislation, and no scope to undertake assurance work.
96. The Project Spice Issues are, in themselves, relatively technical in nature. The lack
of CCA legislation knowledge outside of the Legal Services function created a
limitation that rendered it relatively unlikely that either the Annual Statements or the
Arrears Notices would be subject to the level of technical scrutiny required to identify
the error.
Assessment of the control environment at the point of UKAR being
established and as at 31 December 2012, to understand whether
deficiencies still exist and whether the Project Spice Issues could still
occur under the current framework
97. The control environment within NRAM when ownership transferred to UKAR on
1 October 2010 contained a number of weaknesses, including a lack of clarity in
terms of responsibility for compliance with the CCA 2006. There is evidence to
suggest that a risk management culture was not fully embedded within NRAM at this
time.
Project Spice: Summary Report for UK Asset Resolution Limited
dated 11 July 2013 22
98. We understand that the period around October 2010 was characterised by
uncertainty and change within NRAM and UKAR, which resulted in high staff turnover
and a lack of continuity in key roles. There was also significant resource stretch as a
result of the integration process and high-profile issues unrelated to the Project Spice
Issues latent in the business. The transfer of NRAM to UKAR control represented a
change in management and the Project Spice Issues remained latent.
99. A number of steps were taken between October 2010 and December 2012 to improve
the control environment and the risk management framework. Some improvements
continue to be required in relation to the risk management framework. However, due
to the specific nature of the Project Spice Issues, and the circumstances relating to
them, there is no evidence that, had these improvements been made, the Project
Spice Issues would have been identified sooner.
100. Whilst it is not possible, given the specific nature of the Project Spice Issues, to
guarantee that similar errors could not occur under the current framework, there is an
established process in place for ensuring that major projects receive appropriate input
from the Legal Services function. UKAR are also undertaking a full review of all key
customer documentation.
“Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private
company limited by guarantee, and its network of member firms, each of which is a legally
separate and independent entity. Please see www.deloitte.co.uk/about for a detailed
description of the legal structure of DTTL and its member firms. Deloitte LLP (“Deloitte”) is
the United Kingdom member firm of DTTL.