Project Spice - UK Asset Resolution/media/Files/U/Ukar-V2/... · 2013-07-15 · Project Spice:...

Project Spice

Summary Report for UK Asset Resolution

Limited

Dated 11 July 2013

Deloitte LLP

2 Hardman Street

Manchester

M3 3HF

Project Spice: Summary Report for UK Asset Resolution Limited

dated 11 July 2013

Important Notice

This Summary Report has been prepared by Deloitte LLP for UK Asset Resolution Limited in

accordance with our engagement terms and on the basis of the scope and limitations set out

below. It has been prepared solely for the purposes of assisting UK Asset Resolution Limited

in connection with its investigation into errors identified in annual statements and arrears

notices issued by Northern Rock (Asset Management) Limited (formerly known as Northern

Rock plc). It should not be used for any other purpose or in any other context, and Deloitte

LLP accepts no responsibility for its use in either regard.

This Summary Report is provided exclusively for use by UK Asset Resolution Limited. No

party other than UK Asset Resolution Limited is entitled to rely on this Summary Report for

any purpose whatsoever and Deloitte LLP accepts no responsibility or liability to any party

other than UK Asset Resolution Limited in respect of this Summary Report or its contents.

This Summary Report and its contents do not constitute financial or other professional advice

and specific advice should be sought about your specific circumstances. To the fullest extent

possible by law, both Deloitte LLP and UK Asset Resolution Limited disclaim any liability

arising out of the use (or non-use) of this Summary Report and its contents, including any

action or decision taken as a result of such use (or non-use).

All copyright and other proprietary rights in this Summary Report remain the property of

Deloitte LLP, with Deloitte LLP reserving its rights to the fullest extent possible by law.


dated 11 July 2013

Glossary of abbreviationsAnnual Statements Statements issued (or to be issued) to customers annually in line with the

requirements of the CCA 2006

Arrears Notices Collective name for the NOSIA and SNOSIA

B&B Bradford & Bingley plc

BRD Business Requirements Document

CCA The Consumer Credit Act, used to refer collectively to the Consumer Credit

Act 1974 and its successor legislation, including the Consumer Credit

Regulations used to implement the Consumer Credit Act

CCA 1974 The Consumer Credit Act 1974

CCA 2006 The Consumer Credit Act 2006, including the Consumer Credit (Information

Requirements and Duration of Licenses and Charges) Regulations 2007

(being the secondary legislation which specifies the form and content of the

various statements and notices that were introduced in the Consumer Credit

Act 2006)

Deloitte, we, us Deloitte LLP

New Northern Rock Gosforth Subsidiary No 1 Ltd, later renamed Northern Rock plc and

purchased by Virgin Money

NOSIA Notice of Sums in Arrears, a document which, under the CCA 2006, must be

provided to customers who are in arrears

NRAM Northern Rock (Asset Management) Limited

OFT Office of Fair Trading

Old Northern Rock Northern Rock plc until the company was divided on 31 December 2009

Project Spice The project name given to the internal review undertaken by UKAR and

subsequently adopted as the project name for the investigation undertaken

by Deloitte

Project Spice Issues Collectively, the errors in Annual Statements, NOSIA and SNOSIA

SNOSIA Subsequent Notice of Sums in Arrears, a document which must be provided

to customers who are still in arrears, having been first provided with a NOSIA,

under the CCA 2006

SoR Statement of Requirements

Standalone Products Unsecured lending products administered by a third party services provider

Three Lines of

Defence Risk

Management Model

First Line: Business line management

Second Line: Compliance and Risk Management Functions

Third Line: Internal Audit


dated 11 July 2013

Transitional

Arrangements

The arrangements under the Consumer Credit Regulations implementing the

CCA 2006 for the non-provision of certain information that would otherwise

be required, subject to the provision of disclosure on the nature of the

information omitted and the provision of the omitted information to customers

on request

UKAR UK Asset Resolution Limited

UKAR Legal The combined NRAM and B&B legal teams

Virgin Money Virgin Money plc


dated 11 July 2013 1

Introduction

1. On 22 February 2008, following a ‘run on the bank’, shares in Northern Rock plc were

transferred into public ownership under the Banking (Special Provisions) Act 2008.

With effect from 1 January 2010, Northern Rock plc was divided into two new entities.

One entity assumed the name Northern Rock plc and took certain assets and

liabilities with the objective of creating a well-capitalised, deposit taking, mortgage

providing banking organisation. The remaining assets and liabilities were retained by

the original legal entity, which was re-named Northern Rock (Asset Management)

Limited (“NRAM”).

2. In July 2012, errors were identified in the notices of sums in arrears (“NOSIA”) and

subsequent notices of sums in arrears (“SNOSIA”) (collectively, the “Arrears Notices”)

issued by NRAM on certain of its Consumer Credit Act (“CCA”) regulated products.

Having discovered the initial errors, UK Asset Resolution Limited (“UKAR”), the

holding company for the government investment in NRAM, initiated an internal

review, called Project Spice, which confirmed the errors in the Arrears Notices,

identified further errors in the Annual Statements1 and determined that the errors

were historical in nature, dating back to the time before Northern Rock plc was

divided. UKAR has also taken steps to remediate customers affected by the errors.

3. At the request of UKAR, Deloitte LLP (“Deloitte”, “we” and/or “us”)2 commenced work

on 26 November 2012 to undertake an investigation into events surrounding the

errors that had been identified in the Arrears Notices and Annual Statements

(collectively, the “Project Spice Issues”). Although the Deloitte engagement is

separate from the internal review, for expediency we have adopted the internal

project name of Project Spice.

1 Defined as statements issued (or to be issued) annually to customers under the requirements of the CCA 2006 (asdefined in paragraph 3iii).

2 Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Deloitte LLP is the UnitedKingdom member firm of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee,whose member firms are legally separate and independent entities. Please see www.deloitte.co.uk/about for adetailed description of the legal structure of DTTL and its member firms.



4. Our Summary Report, which should be read in conjunction with the Important Notice

page, is set out as follows:

Section Paragraph

Scope of our work 5 to 7

Background 8 to 22

Work carried out and limitations 23 to 29

Overview of key events 30 to 32

Circumstances which led to the documentary errors noted in the

CCA 2006 Annual Statements and Arrears Notices

33 to 41

Deficiencies in the systems and controls processes which allowed

these errors to occur

42 to 46

Oversight arrangements in place in relation to the CCA 2006 at the

time the Project Spice Issues originated

47 to 59

Events since CCA 2006 implementation which ought to have

resulted in the errors being identified earlier

60 to 74

Escalation of errors to become Project Spice 75 to 76

Knowledge of the issues within UKAR at the point of acquisition of

NRAM

77

Concluding on functional responsibility for the identification and

rectification of the Project Spice Issues

78 to 89

Assessment of the control environment at the point of UKAR being

established and as at 31 December 2012, to understand whether

deficiencies still exist and whether the Project Spice Issues could

still occur under the current framework

90 to 100

Scope of our work

5. Our work has been divided into two phases, described below. Phase One sought to

establish (as far as possible from the information available):

i. the circumstances which led to the errors comprising the Project Spice

Issues;

ii. the nature of any deficiencies that could be identified in the systems and

controls processes which allowed these errors to occur in the first place;



iii. the oversight arrangements which were in place in relation to the Consumer

Credit Act 2006 (“CCA 2006”) at the time the errors occurred; and

iv. whether any events, since the time the errors occurred, ought to have

resulted in the errors being identified earlier.

6. Phase Two comprised:

i. consideration of whether any apparent deficiencies in the control environment

(as identified in Phase One) ought to have been identified at an earlier date;

and

ii. an assessment of any such deficiencies against the control environment

present within UKAR at the point UKAR was established and at

December 2012, to ensure that any control deficiencies have been

appropriately addressed.

7. In addressing the points in paragraph 6 above, Phase Two was to include:

i. an assessment of the functional responsibilities in place in relation to CCA

2006 compliance from the period when the errors occurred to

December 2012;

ii. a conclusion on which functions had an element of responsibility for

identification and rectification during this period;

iii. an assessment of the control environment at the point of UKAR being

established and as at December 2012, to understand whether the

deficiencies identified still exist and if the errors could still occur under the

current framework; and

iv. an identification of any improvements to the systems and controls and

recommendations.

Background

8. The scope of our instructions covers an extended period of time, during which what

was originally Northern Rock plc has undergone a series of changes. On

22 February 2008, its shares were transferred into public ownership under the

Banking (Special Provisions) Act 2008. For expediency, in this Summary Report, we

have adopted a naming convention for Northern Rock plc and its successors, namely:

Old Northern Rock, New Northern Rock and NRAM:

i. Old Northern Rock – Northern Rock plc until 31 December 2009, when it was

divided into New Northern Rock and NRAM;



ii. New Northern Rock – initially called ‘Gosforth Subsidiary No 1 Limited’, and

later renamed Northern Rock plc. New Northern Rock took certain assets

and liabilities, with the objective of creating a well-capitalised, deposit-taking

and mortgage-providing bank with the intention of returning this to the private

sector in due course and recovering value for the taxpayer. New Northern

Rock was acquired by Virgin Money plc (“Virgin Money”) on 1 January 2012;

and

iii. NRAM – Northern Rock (Asset Management) Limited, the same legal entity

as Old Northern Rock, which retained the remaining assets and liabilities not

transferred to New Northern Rock. On 1 October 2010, NRAM came under

the control of UKAR.

Changing corporate structure of Old Northern Rock and its successor organisations

9. Figure 1 below summarises the changes to the corporate structure of Old Northern

Rock (that is, the original Northern Rock plc) and its successor organisations during

the period considered by Project Spice.

Figure 1 – Corporate structure

Introduction of the CCA 2006

10. The Consumer Credit Act 1974 (“CCA 1974”) provided the legislative framework for

the provision of unsecured lending to the general public. It has been implemented by

a number of pieces of secondary legislation which provide detailed requirements for

the provision of unsecured credit.



11. The CCA 2006 received Royal Assent in March 2006 and came into force in

April 2007, although many of its requirements were not implemented until 2008. The

CCA 2006 amended the CCA 1974, but did not wholly replace it. The form and

content of the various statements and notices introduced by the CCA 2006 are

governed by the Consumer Credit (Information Requirements and Duration of

Licences and Charges) Regulations 2007, which came into force in stages between

6 April 2008 and 1 October 2008.

12. The CCA 2006 introduced new requirements for lenders, which included the provision

of certain post-contract transparency information (the Arrears Notices and default

notices) and the provision of Annual Statements, both containing certain required

information and prescribed wording.

13. In this Summary Report, references to the CCA should be viewed as referring to the

CCA 1974 and/or the CCA 2006 and their related implementing regulations (for

example, the Consumer Credit (Information Requirements and Duration of Licences

and Charges) Regulations 2007). This terminology is used where it is necessary to

refer to the CCA as a continuing set of requirements, which have changed over time,

rather than to the CCA 1974 or CCA 2006 specifically.

Project Spice Issues

14. We understand from the legal team at UKAR (“UKAR Legal”, being the combined

NRAM and B&B legal teams) that the Project Spice Issues include, for unsecured

loan products regulated by the CCA:

i. the Annual Statements include neither the original amount borrowed nor the

Transitional Arrangements3;

ii. the omission from the Arrears Notices of prescribed wording drawing the

reader’s attention to the copy of the current Office of Fair Trading (“OFT”)

arrears information sheet. It is also unclear whether the OFT arrears

information sheet was provided to customers in arrears; and

iii. a number of other omissions or amendments to prescribed wording.

15. We understand that the omission of the original amount borrowed is the primary

reason for the remediation process that UKAR is currently undertaking. The

remediation process is outside the scope of our work.

3 Concessionary arrangements, which we have termed the “Transitional Arrangements”, under which lenders arepermitted to omit certain information that would otherwise be required (including the amount of credit originallyprovided) from the Annual Statements as long as they disclose the nature of the information that has been omittedand state that they will provide it to customers, free of charge, on request. The Transitional Arrangements areavailable to lenders until 2018.



16. The scope of our work does not include giving any views on the completeness of the

CCA issues identified by UKAR Legal or on UKAR’s or NRAM’s on-going compliance

with the CCA.

Products involved

17. A number of different products administered by Old Northern Rock have been

affected by the Project Spice Issues.

18. The administration, collections and customer service function relating to a number of

standalone unsecured loan products was outsourced to a third party services

provider. In response to a Ministerial statement provided to Parliament on

11 December 2012 and press reports in December 2012, UKAR announced publicly

that the standalone unsecured loans were not affected. We have been advised that

these are the loans administered by the third party services provider (the “Standalone

Products”), and which are, therefore, not included in the scope of Project Spice.

19. In the course of our investigation, we have sought to understand how the Standalone

Products came to comply with the CCA 2006, while the loans administered by Old

Northern Rock and/or NRAM themselves did not.

Internal review

20. In July 2012, UKAR initiated a process called Project Spice, which by early

September 2012 had identified a number of errors in the prescribed wording and

information included in the Annual Statements and Arrears Notices provided to

customers in respect of certain unsecured loan products regulated under the CCA

2006.

21. The internal review identified the nature of the errors and quantified the size of the

anticipated cost of customer remediation (including compensation / repayment of

interest and other charges and the costs of the remediation exercise itself). The

internal review also provided preliminary conclusions on the events surrounding the

Project Spice Issues, including how they had arisen.

Engagement of Deloitte

22. Deloitte commenced work on 26 November 2012 to investigate the Project Spice

Issues. As noted in paragraph 3 above, although the Deloitte engagement is

separate from the internal review, for expediency we have adopted the internal

project name of Project Spice.

Work carried out and limitations

23. In overview, we have sought to obtain relevant information from the following sources:



i. hardcopy material held in archive facilities by UKAR, by third party archiving

suppliers on UKAR’s behalf or by Virgin Money;

ii. electronic material retained by UKAR and by third parties on UKAR’s behalf

and electronic information relating to Old Northern Rock and New Northern

Rock retained by Virgin Money;

iii. additional requests for specific information from UKAR;

iv. information retained by other third parties, primarily professional advisors;

and

v. interviewing individuals still working for the UKAR group of companies

(NRAM and B&B4) who work or have worked on Old Northern Rock or NRAM

related matters and individuals formerly employed by Old Northern Rock or

NRAM, some of whom are now employed by Virgin Money.

24. In performing our work, we have searched 200 boxes of archived material, identified

1.1 million electronic documents for electronic review, manually reviewed

approximately 83,000 electronic documents and interviewed 26 individuals.

25. It should be recognised that, as with any investigation, our findings draw upon the

hardcopy and electronic material that have been reviewed by us, along with

information and explanations that have been provided to us by individuals through

fact-finding interviews. In this instance, the Project Spice Issues that we have

investigated span a number of years and involve different organisations, with

ownership of the relevant entities being initially wholly in the private sector and now

split between UKAR and Virgin Money. Whilst we have collected a significant amount

of material, these aspects have resulted in some limitations on our access to

information outside of UKAR’s control and to individuals who are no longer in UKAR’s

employ.

26. This Summary Report summarises our findings based on work performed up to

20 May 2013. It is in the nature of investigations of this type that we cannot rule out

the possibility that, had further work been conducted, our findings might have been

different or that we may have identified additional matters that may have warranted

inclusion in this Summary Report. In addition, this Summary Report provides only a

summary of our findings, and does not set out the detailed aspects of our work.

27. This Summary Report should not be construed as expressing opinions on matters of

law. However, it necessarily reflects our understanding of the legal issues affecting

Project Spice.

4 As noted in Figure 1 at paragraph 9 above, B&B is also under the control of UKAR.



28. For the purposes of this Summary Report, and in line with normal practice in

investigations of this nature, save where we have been able to corroborate

information, we have had to assume that the documents or other information

(including electronic material and comments by interviewees) available to us are

reliable. In addition, our investigation was heavily dependent on the co-operation and

honesty of the people to whom we spoke. While we have sought to compare

information provided by interviewees with available documentary evidence, this has

not always been possible. We are aware that the information we have received may

not be complete. Where possible, we have sought to identify additional information to

supplement our knowledge. There may be instances where the information we have

received is incomplete or inaccurate that we are not aware of and we have therefore

had to rely on the information available. This Summary Report should be considered

in that light and we cannot accept any liability for our findings being prejudiced

through provision of incomplete or unreliable information or material.

29. In addition, the extended time period covered by Project Spice, together with the

organisational changes to which Old Northern Rock, NRAM and UKAR have been

subject over the period of the review, impact on the availability of individuals (as well

as documentation). As such, there are a number of individuals to whom we would

otherwise have spoken, but with whom we have not been able to make contact.

Overview of key events

30. Figure 2 shows an overview of certain key events relating to the implementation of

the CCA 2006, the potential opportunities for the Project Spice Issues to be identified

and resolved sooner and the eventual response to those issues.



Figure 2 – Overview of key events

31. In July 2012, issues were identified in respect of the inclusion of wording prescribed

under the CCA 2006 in Arrears Notices documentation. During the course of

establishing the extent of these issues, further issues were identified with the Annual

Statements.

32. Following an internal review and quantification of the financial implications of the

issues by UKAR, Deloitte was appointed to conduct an in depth investigation, with our

investigation adopting the internal project name of Project Spice. The issues

referenced in the previous paragraph are referred to as the Project Spice Issues in

this Summary Report.

Old

North

ern

Rock

Old

North

ern

Rock

New

North

ern

Rock

UK

AR

(NR

AM

)N

RA

M

NR

AM

UK

AR

(NR

AM

)

New

North

ern

Rock



Circumstances which led to the documentary errors noted in the CCA

2006 Annual Statements and Arrears Notices

33. The implementation of the changes required by the CCA 2006 appears to have been

managed through the production of ‘bible’ documentation setting out the new

requirements. Two sets of requirements documentation were produced, one set

(including four separate documents) for Old Northern Rock products (the Old

Northern Rock Statement of Requirements - “SoR”) and one document for the

Standalone Products (the Third Party Business Requirements Document - “BRD”).

Annual Statements

34. The Old Northern Rock SoR for Annual Statements reflected the Project Spice

Issues, including the erroneous assertion that the amount of credit was only required

for loans completed on or after 1 October 2008. The Annual Statements SoR was

drafted by a member of the Business Services team, although it appears to have

drawn heavily on information provided by others, notably a summary of the CCA 2006

requirements prepared by the Old Northern Rock legal team in April 20075.

35. Either from the outset or at some stage in the drafting of the Annual Statements’ SoR,

information regarding the Transitional Arrangements was omitted, leading to the

erroneous understanding that the amount of credit was only relevant for loans drawn

down on or after 1 October 2008.

36. The Annual Statements’ SoR was reviewed by at least one member of the Old

Northern Rock legal team. It is our conclusion that this review failed to identify the

error in the SoR in respect of the amount of credit, despite raising other comments at

the relevant time on the related paragraph of the SoR. Two members of the Old

Northern Rock legal team appear to have been involved in the implementation

process, with one taking primary responsibility for the Old Northern Rock SoR and the

other for the Third Party BRD.

37. When interviewed, members of the Old Northern Rock legal team commented that

the responsibility for ensuring compliance with the CCA 2006 did not rest solely with

their team and that other people involved in the sign-off of the SoR could have

confirmed the SoR, either to the regulations or to the summary of the regulations

which was produced by a CCA expert in the Old Northern Rock legal team in April

2007. However, based on our interviews, the consensus outside the Old Northern

Rock legal team was that the legal team was responsible for the technical legal

content of the SoR.

5 This Summary Report refers to, but does not quote, the prescribed wording in relation to the TransitionalArrangements.



38. While the Third Party BRD was reviewed by an external legal advisor in

November 2007, we have not seen any evidence to suggest that any of the Old

Northern Rock SoR were reviewed by external legal advisors. However, as the

requirement in relation to the amount of credit was correctly reflected in the Third

Party BRD before this external legal review was conducted, this difference in process

cannot in our view be said to have been the only difference between the Third Party

BRD process and the Old Northern Rock SoR process which led to the Old Northern

Rock Annual Statements being different in terms of their compliance with the CCA

2006.

39. There appears to have been no comparison performed of the Third Party BRD with

any of the Old Northern Rock SoR, despite product similarities and despite the two

lawyers who appear to have been primarily responsible for reviewing the BRD and

the SoR for compliance with the CCA 2006 working in the same team.

Arrears Notices

40. The Old Northern Rock SoR for Arrears Notices reflected some of the related Project

Spice Issues, although the prescribed wording in relation to the OFT appears to have

been accurately reflected in the SoR. We understand from UKAR Legal that the

omission of the OFT wording is a key issue in respect of the legislative compliance of

the Arrears Notices.

41. We have not been able to ascertain when the prescribed wording in relation to the

OFT information sheet was removed from the Arrears Notices. However, as part of

the internal review, UKAR Legal examined a SNOSIA dated January 2009 in which

the prescribed wording was omitted.

Deficiencies in the systems and controls processes which allowed these

errors to occur

42. While there appears to have been a review process in place at Old Northern Rock

which might have been expected to identify and resolve the Project Spice Issues,

there appears to have been some confusion over who held ultimate responsibility. It

is unclear whether anyone actually took responsibility for comparing the completed

SoRs to the requirements of the CCA 2006 directly.

43. Those individuals who might reasonably have been expected, based on their

knowledge, experience and area of responsibility, to have identified the Project Spice

Issues did not do so.

44. There appears to have been insufficient formality and project management in relation

to the CCA 2006 implementation, including a lack of formal external legal sign-off on

relevant documentation.



45. We understand from individuals who worked for Old Northern Rock at the time, that

the period in 2008 when the CCA 2006 was implemented was one characterised by

significant uncertainty and management stretch within Old Northern Rock. The

inference that we draw from their comments in interview is that the uncertainty

affected the performance of individuals and may have contributed to the apparently

poor project management around the CCA 2006 implementation.

46. In addition, the failure to compare the Third Party BRD and the Old Northern Rock

SoR allowed a different application of the CCA 2006 to persist between the two

groups of unsecured loan products. Had this comparison been performed, we

consider that the Project Spice Issues, in particular the omission of the amount of

credit (which we understand is the primary basis for the remediation exercise

currently underway), would likely have been identified and hence resolved at an

earlier time.

Oversight arrangements in place in relation to the CCA 2006 at the time

the Project Spice Issues originated

47. Oversight responsibility for the implementation of the CCA 2006 does not appear to

have rested with one individual or department. Old Northern Rock Business Services

were responsible for writing the Old Northern Rock SoR for Annual Statements and

for Arrears Notices. However, the responsibility for ensuring technical compliance

does not appear to have rested with them.

48. The Old Northern Rock SoR documents were signed off by individuals from a number

of different departments, including Old Northern Rock Legal, Mortgage

Communications, Mortgage Review and Personal Secured Lending Marketing, and

Key Facts Illustration Content.

Corporate governance

49. The governance structure within Old Northern Rock consisted of the Board, along

with a number of sub-committees to which the Board delegated authority in line with

governance practice widely accepted within the industry. Oversight of risk issues was

delegated in full to the Group Risk Committee. Compliance with the CCA 2006 was

specifically included within the definitions of regulatory risk and legal risk.

50. Oversight of the wider system of internal control was delegated by the Board to the

Audit Committee.

51. Management of risk within Old Northern Rock was ultimately the responsibility of the

Executive Committee, which established the Operational Risk and Compliance

Committee to focus on the management of several risks, including regulatory risk and

legal risk.



52. Old Northern Rock established a number of working groups to act as forums for

discussing and managing various matters in relation to the CCA 2006. These

working groups existed outside of the formal governance structure. It has not been

possible to determine the interaction of these working groups with the formal

governance structure or indeed between the different working groups because they

lacked formality. Often, the roles of the working groups were unclear, with no defined

terms of reference, reporting lines or management information requirements. The

working groups did not identify the Project Spice Issues, thereby failing in what

appears to have been a significant element of their remit.

Old Northern Rock legal department

53. There were a number of changes to the organisational structure of the Old Northern

Rock legal team during the period when the CCA 2006 was being implemented.

However, the individuals with specific responsibility for CCA compliance appear to

have remained the same, notwithstanding changes in their reporting lines. We have

not seen any evidence to suggest that the line managers of those individuals with

CCA expertise reviewed either the Old Northern Rock SoR or the Third Party BRD.

Executive oversight

54. The CCA 2006 implementation project had both an executive sponsor and a project

lead, both of whom were relatively senior line managers within Old Northern Rock.

As noted in paragraphs 44 and 47 above, there was a lack of clearly defined roles

and project governance in relation to the CCA 2006 implementation project.

Responsibility for establishing a clearly defined project would typically rest with

executive management.

Internal Audit

55. We have not seen any evidence that Internal Audit was asked to sign-off on the Old

Northern Rock SoR for either Annual Statements or Arrears Notices. The distribution

lists included in the SoR for Annual Statements and SoR for the Arrears Notices do

not include anyone in the Internal Audit function. In our experience, it would not be

unusual for Internal Audit not to be asked to approve documents like the Old Northern

Rock SoR before implementation.



56. In addition, we understand that Internal Audit would not have effected a comparison

of the wording of the Annual Statements and Arrears Notices to the CCA 2006 in any

event (either at the time of implementation if they had been asked to review the Old

Northern Rock SoR or in later audits). Internal Audit’s terms of reference appear to

have included reviewing systems to ensure compliance with law and regulations

between January 2008 and January 2009, although we have not identified any

evidence of Internal Audit’s involvement in CCA compliance (either with the CCA

2006 or with historical compliance to the CCA 1974) within this period. We

understand that Internal Audit did not consider that CCA compliance was a major risk

in 2008 or 2009.

57. We have not evaluated the role of external audit. Our investigation has revealed no

instances of the work of the external auditors being linked with the Project Spice

Issues.

Compliance

58. We have not seen any evidence that the Old Northern Rock Compliance team was

asked to sign-off on the Old Northern Rock SoR for either Annual Statements or

Arrears Notices. The distribution lists included in the SoRs for the Annual Statements

and the Arrears Notices include an individual from the Compliance team, but “for

comment” only. We have not identified any evidence that the individual reviewed

either SoR or raised any comments on them.

59. Documentation from late 2008 identified by our investigation suggests that the

Compliance function had responsibility for ensuring regulatory and legal compliance

(although, as we discuss in paragraph 90 below, there appears to have been some

uncertainty about the exact remit of the Compliance function), but that the

Compliance function could be assisted by other functions, such as the Old Northern

Rock legal team.

Events since CCA 2006 implementation which ought to have resulted in

the errors being identified earlier

60. Between the implementation of the CCA 2006 in 2008 and the commencement of the

internal review leading to Project Spice in July 2012, a number of opportunities arose

for the Project Spice Issues to come to prominence and be resolved. For clarity, we

have sought to identify the prevailing corporate structure at the time of each of these

incidents. However, there are some events that straddle a change in corporate

structure.



Old Northern Rock (October 2008 to December 2009)

61. Between the implementation of the CCA 2006 in 2008 and the business being split

into New Northern Rock and NRAM on 31 December 2009, a number of events

occurred, which in different circumstances, may have given rise to the Project Spice

Issues being identified earlier.

62. In July 2008, questions were raised by a member of the Mortgage Communications

team over the absence of the amount of credit in the Old Northern Rock Annual

Statements. The question was put to members of the Old Northern Rock legal team,

although we have not identified a response, nor can the members of the Old Northern

Rock legal team that we interviewed recall the email correspondence. Based on

notes of advice received from the legal team earlier in the implementation phase, but

without contemporaneous guidance from the legal team, the Mortgage

Communications team eventually came to the erroneous conclusion that this was not

problematic.

63. It is not clear to us why the CCA experts consulted appear not to have responded to

the question raised by Mortgage Communications with the Old Northern Rock legal

team. Neither was able to recall the email when questioned. Had the query raised by

Mortgage Communications been answered appropriately, the Project Spice Issues

may have been identified before the deadline for CCA 2006 implementation

(October 2008).

64. In July 2009, a member of the Old Northern Rock legal team was asked to review the

Arrears Notices. This review correctly identified that the wording relating to the OFT

information sheet had been omitted (one of the Project Spice Issues) from the

SNOSIA. However, when revised documents were provided to the same member of

the legal team as part of the same review process in August 2009, the fact that this

issue had not been rectified was neither identified nor escalated.

65. In August / September 2009, issues were identified with the default notices relating to

both Old Northern Rock products and Standalone Products. The issues affecting the

default notices were resolved by March 2010 (by which time NRAM and New

Northern Rock were separate legal entities). In March 2010, in response to the issues

with the default notices, a member of the Old Northern Rock legal team confirmed

that the CCA related documentation (including the NOSIA and SNOSIA) had been

reviewed and deemed them to be compliant, even though they appear not to have

been.



66. It is not clear to us whether the Annual Statements were included in the review

conducted by the Old Northern Rock legal team in March 2010. Had this review

included the Annual Statements and identified the related Project Spice Issues, or

those related to the NOSIA and SNOSIA, the Project Spice Issues might have been

escalated and resolved earlier. However, this would have required that both the

Project Spice Issues were identified and that their implications were understood

sufficiently to trigger an escalation process.

NRAM before UKAR’s period of ownership (January 2010 to September 2010)

67. On 31 December 2009, effective from 1 January 2010, Old Northern Rock divided

into two separate businesses, namely New Northern Rock and NRAM. On

1 October 2010, NRAM became a wholly owned subsidiary of UKAR.

68. The issues affecting the default notices referred to in paragraph 65 above remained

unresolved when NRAM was established. A regular six-monthly review of all CCA

documentation (which might have been expected to identify the Project Spice Issues)

was instituted in June 2010, although we have only found evidence that one review

took place. The first review appears to have begun in August 2010, with examples of

CCA related documentation being sent for external legal review. The results of the

external legal review were received after NRAM had become a subsidiary of UKAR.

NRAM controlled by UKAR (October 2010 onwards)

69. UKAR assumed control of NRAM on 1 October 2010. We understand that this

process was not a traditional acquisition and the shareholder and the majority of the

Board were unchanged. The process was more akin to a change of management,

and hence not subject to due diligence procedures.

70. In December 2010, as part of the external legal review that was initiated in

August 2010 (see paragraph 68 above), email comments were received on a number

of CCA 2006 related documents for both the Standalone Products and the Old

Northern Rock products, including the Annual Statements and the Arrears Notices.

The comments provided identified many of the Project Spice Issues. However, we

note that the external legal comments correctly identified the omission of the amount

of credit from the Annual Statements, but did not identify the absence of the

alternative wording of the Transitional Arrangements6, nor the consequences of these

omissions.

6 Concessionary arrangements under which lenders are permitted to omit certain information that would otherwise berequired (including the amount of credit originally provided) from the Annual Statements as long as they disclosethe nature of the information that has been omitted and state that they will provide it to customers, free of charge,on request. The Transitional Arrangements are available to lenders until 2018.



71. The comments from the external legal review were provided to the NRAM legal team.

However, while the relatively minor amendments required in respect of the

Standalone Products appear to have been initiated in July 2011 and completed in

August 2011, those comments that were made in respect of the Old Northern Rock

products were not implemented.

72. In August 2011, the existence of the external legal comments was recorded on an

issues log which had been put in place to manage CCA related issues. The

importance of the CCA related issues was not made clear in the issues log. The

implications of these issues would not have been obvious to anyone unless they had

read the original comments from December 2010 and had a reasonable

understanding of the CCA 2006.

73. In September 2011, during the initial stages of an IT transformation project, the

omission of the amount of credit from the Annual Statements was correctly identified

as an issue, initially by a member of the IT department and later confirmed by a

member of the legal team. It appears that those involved did not consider or

understand the possibility that this may have been a historical issue, rather than an

opportunity to correct documents being developed during the IT implementation in

2011.

74. We consider the sequence of events that occurred in August and September 2011 to

be the actions of individuals who did not appreciate the significance of the errors at

the time, rather than the deliberate suppression of the errors, and conclude that the

events did not constitute a material breakdown of UKAR controls.

Escalation of errors to become Project Spice

75. In July 2012, an IT error was identified which had caused some information to be

omitted from certain customer documentation. In order to determine the extent of the

issue, a review of a sample of documentation was undertaken and this led to the

identification of the Project Spice Issues.

76. In our view, the escalation in July 2012 flowed from the clear recognition of the

seriousness of the issues involved. In this respect, it would appear that July 2012

was the first instance when the full historical implications were first considered in

relation to the Project Spice Issues. It may also be of relevance that the individuals in

UKAR Legal to whom the Project Spice Issues were initially raised in July 2012 were

different from the individuals involved in both the implementation of the CCA 2006

and in subsequent events.



Knowledge of the issues within UKAR at the point of acquisition of

NRAM

77. Paragraphs 61 to 68 above identify a number of events where the Project Spice

Issues were known to certain individuals up to and at the time of the transition to

UKAR ownership. We have not identified any evidence to indicate that the Project

Spice Issues were known by or escalated to senior management, or the UKAR or

NRAM Boards, prior to July 2012.

Functional responsibilities in place within UKAR and its predecessor

legal entities in relation to CCA 2006 compliance

78. We have identified a number of relevant functional areas in the course of our work,

comprising: Legal Services; Compliance; Internal Audit; Risk Management; and the

overall corporate governance structure.

79. We consider that functional responsibility for ensuring compliance with CCA

legislation was not clearly or consistently defined during the period from the

implementation of the CCA 2006 requirements until 31 December 2012. Framework

documents, policies and terms of reference relating to the on-going responsibility and

provision of assurance over legal risks, such as CCA 2006 compliance, were

sometimes unclear.

Old Northern Rock and NRAM before UKAR control

80. We understand from the documents we have reviewed that, in the period prior to the

formation of UKAR, the Legal Services function was pivotal in identifying and

implementing new and changing legislation, including the CCA 2006 amendments. It

was the Legal Services function’s responsibility to provide technical input into CCA

matters as they had the technical knowledge of the legislation and the Old Northern

Rock (later NRAM) legal team included lawyers with specific CCA expertise.

81. Various operational departments, including Debt Management, were responsible for

managing customer documentation (such as the Annual Statements and Arrears

Notices) on a day-to-day basis once the implementation of the CCA 2006 was

complete.

82. In common with normal industry practice, the Three Lines of Defence Risk

Management Model operated within Old Northern Rock and NRAM during the

relevant period, and continues to operate within UKAR. It comprises: operational

front line departments, including Debt Management managing customer

documentation on a day-to-day basis (first line); Compliance and Risk Management

(second line); and Internal Audit (third line).



83. As part of its second line responsibilities in the Three Lines of Defence Risk

Management Model, the Compliance function was responsible for monitoring the

controls in place in relation to regulatory risk, but it is unclear whether this included

responsibility for monitoring controls in place in relation to legal risk. The

documentation we have identified is inconsistent on this point. Our investigation has

identified independent reports highlighting that the compliance framework required

improvement to the focus and the formalisation of compliance monitoring activity.

84. The Internal Audit function (a third line of defence activity under the Three Lines of

Defence Risk Management Model) was responsible for monitoring the system of

internal control, including those controls relevant to ensuring compliance with

legislation (such as the CCA 2006). The work of the Internal Audit function was

focused on areas identified as key net risks by the business at a time when CCA

compliance was not identified as a significant risk. Internal Audit concentrated on the

effectiveness of key controls, rather than accuracy of customer level documentation.

85. Whilst the Board and executive level committees had overall responsibility for the

business, they were reliant on the management information received from the

business through individuals, working groups and assurance functions. We have not

identified any evidence that the Project Spice Issues were reported to the relevant

committees.

NRAM controlled by UKAR

86. The Legal Services function maintained its role in relation to the implementation and

communication of emerging legislation within UKAR. It was responsible for the

provision of technical advice in relation to CCA matters. The Legal Services function

employed lawyers with specific responsibility for CCA and the advice of external legal

counsel was sought, albeit apparently on an ad hoc basis. The Legal Services

function was required to provide input into all relevant projects and controls were in

place to ensure this input was sought and obtained.

87. Under UKAR, the Compliance function is responsible for the oversight of regulatory

risk, but in practice has no remit to monitor any legal aspects, such as CCA 2006,

that are included within the broader definition of regulatory risk. The interaction

between different risk management and policy documents in terms of responsibility

for monitoring the controls in place in relation to some aspects of regulatory risk

would benefit from some further clarification.



88. The Internal Audit function within UKAR is responsible for monitoring the system of

internal control, including those controls relevant to ensuring compliance with

legislation (such as the CCA 2006). We have been informed that Internal Audit

planning focused on areas identified as key net risks and approved by the Audit

Committee, which did not include CCA compliance. Again therefore, the work of the

Internal Audit function has concentrated on the effectiveness of key controls, rather

than accuracy of customer level documentation, which was not considered to be a

significant risk area.

89. Whilst the UKAR Board and executive level committees have overall responsibility for

the business they are reliant on the management information received from the

business through individuals and the various working groups. We have not identified

any evidence that the Project Spice Issues were reported to the relevant committees

prior to July 2012, when the prescribed escalation process was followed.

Concluding on functional responsibility for the identification and

rectification of the Project Spice Issues

90. CCA 2006 compliance was not considered a key net risk (taking into account both the

underlying risk and the mitigating factors believed to be in place) by the business until

the Project Spice Issues were identified in 2012. There was reliance on the Old

Northern Rock legal team having advised correctly when the CCA 2006 was

implemented. In addition, reliance was placed on the Old Northern Rock legal team

to escalate and manage the on-going risk of non-compliance with the CCA 2006.

The evidence indicates that the initial advice was not correct and Legal Services did

not appreciate the significance of the on-going risk regarding CCA compliance.

91. We have sought to identify what responsibilities for assurance work existed within

UKAR and within its predecessor entities (Old Northern Rock and NRAM), and the

scope of such work. Some of the documentation available, in particular legal risk and

regulatory risk policy documentation, suggests that, at times (primarily under Old

Northern Rock and NRAM), the Compliance function may have had some

responsibility for legislative assurance, alongside its traditional regulatory assurance

and guidance role. However, it is clear that this was never the primary focus of the

Compliance function, and is not within the remit of the Compliance function under

UKAR. Our interpretation of the UKAR terms of reference for Compliance is that the

Compliance function does not have responsibility for legislative (including CCA 2006)

compliance and its work reflects this.



92. As is common practice in the industry, the Legal Services function did not, in the

normal course of its work, undertake retrospective reviews of legislation or assurance

activities over business documentation. Reliance was placed instead on the quality

of the initial process of implementation to ensure legislative requirements had been

met. This continued to be the case from the implementation of the CCA 2006 until

well after NRAM came under UKAR’s control.

93. The front line departments, such as Debt Management, seem to have consistently

recognised that compliance with legislation was a risk, but lacked the technical

expertise to undertake independent checks. This is apparent in the limitations of the

risk and control self-assessment work undertaken. Reliance was placed on the initial

input of the Legal Services function during the implementation phase to ensure

documentation was compliant.

94. The broad scope of the Internal Audit function suggests that CCA legislation would be

within the scope of its activities. However, we understand that CCA compliance

would only have formed part of the work of Internal Audit if it was considered a

significant risk to Old Northern Rock (later, NRAM or UKAR). Compliance with the

CCA 2006 was not considered a significant risk either before or after UKAR took

control of NRAM and was therefore not part of the Internal Audit focus.

95. From 2008 onwards, the Risk function has been seeking to embed risk management

in the business, albeit we note that this process has been impacted by the

organisational and ownership changes affecting the business. The risk framework

was reviewed and updated and the risk and control self-assessment has been rolled

out across the business. The Risk function itself appears to have had no

responsibility for CCA legislation, and no scope to undertake assurance work.

96. The Project Spice Issues are, in themselves, relatively technical in nature. The lack

of CCA legislation knowledge outside of the Legal Services function created a

limitation that rendered it relatively unlikely that either the Annual Statements or the

Arrears Notices would be subject to the level of technical scrutiny required to identify

the error.

Assessment of the control environment at the point of UKAR being

established and as at 31 December 2012, to understand whether

deficiencies still exist and whether the Project Spice Issues could still

occur under the current framework

97. The control environment within NRAM when ownership transferred to UKAR on

1 October 2010 contained a number of weaknesses, including a lack of clarity in

terms of responsibility for compliance with the CCA 2006. There is evidence to

suggest that a risk management culture was not fully embedded within NRAM at this

time.



98. We understand that the period around October 2010 was characterised by

uncertainty and change within NRAM and UKAR, which resulted in high staff turnover

and a lack of continuity in key roles. There was also significant resource stretch as a

result of the integration process and high-profile issues unrelated to the Project Spice

Issues latent in the business. The transfer of NRAM to UKAR control represented a

change in management and the Project Spice Issues remained latent.

99. A number of steps were taken between October 2010 and December 2012 to improve

the control environment and the risk management framework. Some improvements

continue to be required in relation to the risk management framework. However, due

to the specific nature of the Project Spice Issues, and the circumstances relating to

them, there is no evidence that, had these improvements been made, the Project

Spice Issues would have been identified sooner.

100. Whilst it is not possible, given the specific nature of the Project Spice Issues, to

guarantee that similar errors could not occur under the current framework, there is an

established process in place for ensuring that major projects receive appropriate input

from the Legal Services function. UKAR are also undertaking a full review of all key

customer documentation.

“Deloitte” refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private

company limited by guarantee, and its network of member firms, each of which is a legally

separate and independent entity. Please see www.deloitte.co.uk/about for a detailed

description of the legal structure of DTTL and its member firms. Deloitte LLP (“Deloitte”) is

the United Kingdom member firm of DTTL.

Date post:	08-Feb-2020
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Project Spice - UK Asset Resolution/media/Files/U/Ukar-V2/... · 2013-07-15 · Project Spice:...

Documents