NAO report (HC 513 1994/95): The Banking Service provided by … · HC 513 Session 1994-95...


NATIONAL AUDIT OFFICE

REPORT BY THE COMPTROLLER AND AUDITOR GENERAL

The Banking Service provided by The Office of HM Paymaster General

ORDERED BY THE HOUSE OF COMMONS TO BE PRINTED 26 JUNE 1995

LONDON: HMSO HC 513 Session 1994-95 Published 30 June 1995 £7.40 NET


This report has been prepared under Section 6 of the National Audit Act 1983 for presentation to the House of Commons in accordance with Section 9 of the Act.

John Bourn Comptroller and Auditor General

National Audit Office 12 June 1995

The Comptroller and Auditor General is the head of the National Audit Office employing some 750 staff. He, and the NAO, are totally independent of Government. He certifies the accounts of all Government departments and a wide range of other public sector bodies; and he has statutory authority to report to Parliament on the economy, efficiency and effectiveness with which departments and other bodies have used their resources.


Contents


Preface

Part 1: Introduction

Part 2: The quality and efficiency of the banking service provided by the Paymaster General’s Agency

Part 3: Conclusions and recommendations


Figure 1: The relationship between public sector bodies, the Paymaster General’s Agency and the Bank of England in handling a typical banking transaction


Note: The above is a simplified illustration of the route followed by a typical banking transaction. The exact steps involved will depend on the nature and type of transaction. For example, payments made by payable order follow the route illustrated in Figure 11 on page 23.


Preface

The Office of HM Paymaster General (the Paymaster General’s Agency) is responsible each year for about £900 billion of government banking transactions. In 1994-95 the Agency operated over 1,900 bank accounts for 1,400 customers in the public sector. It handled over 16 million payable orders with a value of £41 billion and processed one and a quarter million other banking transactions.

With such huge sums passing through its hands, it is important that the Paymaster General’s Agency operates secure systems which minimise the risk of funds being lost through fraud or error. To do so the Agency needs to match the best standards of other financial institutions.

The Paymaster General’s Agency operates bank accounts for a variety of public sector bodies. The monies in these accounts are held at the Bank of England enabling any balances to be invested for the benefit of the Exchequer. Figure 1 illustrates the relationship between public sector bodies, the Paymaster General’s Agency and the Bank of England in handling a typical banking transaction.

The requirement that government departments hold their balances, wherever possible, in Exchequer accounts at the Bank of England reinforces the unique position of the Paymaster General’s Agency in handling government banking business. Nevertheless, the Paymaster General’s Agency is operating in an increasingly competitive market. The Treasury has encouraged departments to test the value for money of banking services provided by the Paymaster General’s Agency against the equivalent services provided by commercial banks. To maintain its customer base in the public sector, the Paymaster General’s Agency therefore needs to be competitive in terms of the price and quality of the service it provides.

Against this background the National Audit Office examination focused on the quality and efficiency of the service provided by the Paymaster General’s Agency to its customers, including the measures taken to ensure the security and continuity of banking. The examination did not cover the arrangements for the investment of funds held in customer accounts at the Bank of England, since this is not the responsibility of the Paymaster General’s Agency.


6 The National Audit Office engaged consultants to assist with reviews of the security of information technology systems (KPMG) and the quality of service provided by the Paymaster General’s Agency to its customers (the Bank Relationship Consultancy). Views on the quality of service provided were also obtained from a range of customers in user group meetings.


1. Introduction

1.1 The Paymaster General’s Agency provides a banking and pensions service for government departments and other public sector bodies. The Agency’s main responsibilities are:

• to pay and administer public service pensions;

• to provide secure banking for the public sector, enabling Exchequer balances to be invested overnight with the National Loans Fund, thereby reducing public borrowing;

• to provide information to the Treasury and the Central Statistical Office about public expenditure.

This Report focuses on the banking service provided by the Paymaster General’s Agency.

1.2 Under the 1848 Paymaster General Act, the Paymaster General’s Agency provides services for the “safety, economy and advantage of the public service”. This statute does not specify what services the Paymaster General’s Agency should provide, but it empowers the Treasury to prescribe rules and regulations controlling the activities of the Agency. The Paymaster General’s Agency became an Executive Agency on 1 April 1993, under the sponsorship of the Treasury.

Objectives

1.3 The top level objectives of the Paymaster General’s Agency are:

• to provide business services that meet the requirements agreed with customers;

• to recover the full costs of these services;

• to achieve a continuing reduction in unit costs expressed in real terms.

1.4 The Paymaster General’s Agency measures its performance against quantitative and qualitative targets defined in its annual business plan. Key performance indicators on banking are:

• percentages of banking transactions processed within target periods;

• banking transaction error rates;

• recovery of the full costs of banking;

• percentage improvement in the average unit cost index for processing a banking transaction.

Banking services provided by the Paymaster General’s Agency

1.5 Banking services available from the Paymaster General’s Agency include:

• the clearance of payable orders drawn on customer accounts (payable orders are used in the same way as cheques but have added security features);

• transfers between account holders;

• payments and receipts made through CHAPS (the Clearing House Automated Payment System), a nationwide inter-bank payments service for single high-value transactions to be settled the same day;

• payments and receipts made through BACS (Bankers’ Automated Clearing Services), a nationwide electronic transfer service designed to handle batches of payments and receipts;

• the acceptance of credits received through the bank giro credit system;

• the processing of foreign currency transactions.

1.6 Banking services are provided by around 55, mainly clerical, staff who make heavy use of information technology systems to process transactions and maintain accounts. These staff are supported by information technology specialists to maintain and develop enhancements to computer systems. An organisation chart showing the banking arm of the Paymaster General’s Agency is at Figure 2 opposite. In 1993-94 banking services of the Paymaster General’s Agency cost £4.8 million, amounting to 18 per cent of the total cost of the Agency (pension services costing £21 million accounted for most of the remaining cost of the Agency).

Figure 2: Organisation Chart for the Banking Service of the Paymaster General’s Agency

Source: The Paymaster General’s Agency

Customer base of the Paymaster General’s Agency

1.7 Banking customers of the Paymaster General’s Agency include:

• All those government departments and agencies who are required to have accounts with the Paymaster General’s Agency to receive funds voted by Parliament. These bodies are not required to use the Paymaster General’s Agency for making payments to the private sector or for processing receipts, although most do so for a considerable part of this business.

• Non-departmental public bodies, who are free to use the Paymaster General’s Agency if they wish.

• Local Education Authorities, who are required to have accounts at the Paymaster General’s Agency for student grant funding.

• National Health Service bodies, who are required to have accounts at the Paymaster General’s Agency to make payments to other National Health Service bodies and the rest of the public sector. However, most National Health Service trusts use private banks for much of their banking business.

1.8 The Paymaster General’s Agency thus has a major role in providing banking services for government departments and agencies, Crown and County Courts, and the National Health Service. A significant number of National Health Service customers and non-departmental public bodies make use of the full range of banking services available from the Paymaster General’s Agency. Many customers also have commercial bank accounts at the local level (or in a few cases employ the Post Office for certain payments).

2. The quality and efficiency of the banking service provided by the Paymaster General’s Agency

2.1 The requirement that government departments hold their balances, wherever possible, in Exchequer accounts reinforces the unique position of the Paymaster General’s Agency in handling government banking business. Nevertheless, the Paymaster General’s Agency is operating in an increasingly competitive environment, with many of its customers undertaking market tests of its banking services. Although some of the Agency’s traditional services such as payable orders are unique, alternative but similar systems of payment are being developed by the commercial banks. Commercial banks are also able to offer additional services via a local branch network.

2.2 If the Paymaster General’s Agency is to maintain its customer base, it needs to be competitive in terms of the price and quality of the service it provides. This part of the Report examines:

• the performance of the Paymaster General’s Agency against its quality of service and efficiency targets;

• the extent to which the Paymaster General’s Agency has established the requirements of its customers;

• the adequacy of the measures taken by the Paymaster General’s Agency to ensure the security and continuity of its banking service, including controls over the processing of payable instruments.

On performance against quality of service and efficiency targets

2.3 The corporate objectives of the Paymaster General’s Agency are to provide services that meet customers’ needs; to achieve a continuing reduction in unit costs in real terms; and to recover full costs. Because the Paymaster General’s Agency is an Executive Agency, targets are agreed annually between the Chief Executive and the Paymaster General. For 1994-95 they are as follows:

• to meet time and quality targets for processing transactions in accordance with service level agreements with individual customers;

• to achieve a three per cent improvement in the average unit cost of banking transactions;

• to recover through charges the full costs of banking services.

Timeliness targets

2.4 Performance targets for the timeliness of nine specific banking services provided by the Paymaster General’s Agency are included in customer service agreements. For example, the Agency undertakes to process on the day of receipt all requests for CHAPS payments which are correctly completed and submitted by the deadline agreed with the customer. These targets reflect the requirements of the standard timetable of the bank clearing system. Since the timeliness indicators were introduced in April 1994 the Paymaster General’s Agency has consistently achieved 100 per cent performance against its targets.

Accuracy targets

2.5 Accuracy targets cover 14 of the 15 services for which timeliness targets have been set but are not included in service agreements with customers. The targets are based on research conducted by the Paymaster General’s Agency in 1993. As a result of the review, the overall target for transactions processed without an uncorrected error by the Paymaster General’s Agency was set at 99.95 per cent, which represents the average of the transaction figures achieved for individual services.

2.6 The National Audit Office assessed the performance of the Paymaster General’s Agency against its accuracy targets (Figure 3 opposite). This showed that between March 1994 and March 1995 the Agency’s performance was consistently higher than the target of 99.95 per cent accuracy. The accuracy rate for some of the individual services included within the index was more variable. Where results indicated that there was a problem with its procedures, the Paymaster General’s Agency has taken action to reduce error rates.

Figure 3: The accuracy of services provided by the Paymaster General’s Agency

Month             Target (%)   Achieved (%)   Individual service targets met
March 1994        99.95        99.97          12 out of 13
April 1994        99.95        99.976         12 out of 13
May 1994          99.95        99.983         13 out of 13
June 1994         99.95        99.97          12 out of 13
July 1994         99.95        99.969         12 out of 14
August 1994       99.95        99.96          12 out of 14
September 1994    99.95        99.965         11 out of
October 1994      99.95        99.96          10 out of 14
November 1994     99.95        99.99          13 out of 14
December 1994     99.95        99.96          11 out of
January 1995      99.95        99.98          12 out of 14
February 1995     99.95        99.99          13 out of 14
March 1995        99.95        99.99          12 out of 14

Source: National Audit Office analysis of data from the Paymaster General’s Agency

Notes: 1 The figures represent the average percentage of transactions processed for each service without an uncorrected error by the Paymaster General’s Agency.

2 The number of targets was increased to 14 from July 1994.

Between March 1994 and March 1995 the Paymaster General’s Agency met its overall target for accuracy but performance against the targets for individual services was more variable.

Efficiency targets

2.7 The average unit cost of processing a banking transaction is the key performance indicator used by the Paymaster General’s Agency to monitor its efficiency. In 1993-94 the Paymaster General’s Agency achieved a 5.2 per cent reduction in this cost, against its target of a 1.0 per cent reduction. Its target for 1994-95 was set at 3.0 per cent and 4.0 per cent was achieved.

2.8 The efficiency target is based on a forecast volume of transactions. The accuracy of workload forecasts is important, not only in terms of this target but also in setting future prices. Although the Agency’s workload forecasts for 1992-93 and 1993-94 were very accurate for some services, they were much more variable for others (Figure 4). Overall forecasts were more accurate: in 1992-93 total resource requirements were overestimated by around one per cent; whilst in 1993-94 total resource requirements were underestimated by around five per cent. To help to improve forecasting the Paymaster General’s Agency now asks for annual returns from all customers specifying expected usage levels for different services provided by the Agency.

Figure 4: The accuracy of the workload forecasts of the Paymaster General’s Agency, 1992-93 and 1993-94

Source: National Audit Office

Workload forecasts for 1992-93 and 1993-94 were very accurate for some services but were much more variable for others.

The recovery of costs through charges

2.9 From 1 April 1994, the Paymaster General’s Agency has been required to recover the full costs of its banking services. The Agency has developed a pricing strategy to do this and recovered its full costs in 1994-95.


The efficiency of information technology systems

2.10 The Paymaster General’s Agency uses two separate computer systems: an ICL mainframe for payable order processing; and a McDonnell Information Systems computer for other banking services, including making transfers and keeping customer accounts. In 1993-94 information technology costs, including development, maintenance and running costs, amounted to £0.9 million (19 per cent of the total cost of banking operations).

2.11 A review by the Paymaster General’s Agency in 1990 concluded that enhancements to its banking services and information technology systems were required to address the widening gap between the services provided by the Paymaster General’s Agency and the commercial sector; and recommended development of a new combined information technology system to improve quality of service. The existing arrangements restricted and slowed the service provided to customers. For example, the Paymaster General’s Agency was unable to provide customers with an overall statement of all the transactions on their accounts; and there were inefficiencies as a result of the need to transfer information between the two systems. As a result of this initial review, the Paymaster General’s Agency improved some of its services including internal transfers, BACS (Bankers’ Automated Clearing Services) Central Funding and the provision of earlier, more complete and user-friendly statement information.

2.12 In June 1992, the Paymaster General’s Agency initiated a full study to determine and produce costed business and technical options for a replacement computer system. Target completion for this work was November 1993, at a cost of £337,000 (at 1992 prices). The study was delayed for nine months mainly as a result of the redeployment of both analysts on the study team and other demands on the project manager’s time. In January 1994 work on the project was halted to allow in-house resources to be concentrated on improvements to the existing systems - primarily the introduction and subsequent enhancement of electronic information systems for customers. By November 1994 the review of banking information technology systems and subsequent development work had spanned five years and cost over £420,000, which included some £173,000 for Masterline (paragraph 2.18). As a result of this work the Paymaster General’s Agency was able to streamline and improve its banking processes and provide earlier and better information to customers.

2.13 The Paymaster General’s Agency has now decided not to replace the two systems (paragraph 2.10) with an entirely new system because it considers that the additional cost would not be justified. The Agency is focusing efforts on updating and converting the two systems and integrating them on to the same computer hardware. The Paymaster General’s Agency considers this to be the best short-term solution, together with further enhancements to customer information systems to allow payment instructions to be sent electronically to the Agency.

On establishing customer service requirements

2.14 To remain competitive the Paymaster General’s Agency needs to establish and keep up to date with its current and potential customer needs. To achieve this, the Agency has undertaken customer surveys, established user groups and introduced Service Level Agreements with customers.

Customer surveys

2.15 The Paymaster General’s Agency undertook a survey of the views of its banking customers in 1990. The main findings were that 80 per cent of respondents were satisfied with the service provided; and that 73 per cent of respondents found staff of the Paymaster General’s Agency helpful or very helpful. Some improvements to the service were suggested and most have since been implemented, for example, the development of Masterline (paragraph 2.18) and revised procedures for transfers and CHAPS (Clearing House Automated Payment System).

2.16 Since 1990, the creation of more agencies and the introduction of market testing have changed the nature, expectations and requirements of customers. For example, new accounts for National Health Service bodies have led to an increase in the number of transactions through CHAPS and transfers between customer accounts. To ensure that it responds properly to these trends, the Paymaster General’s Agency is carrying out a further customer survey, with results due in April 1995.

User groups

2.17 In 1992 the Paymaster General’s Agency established a National Health Service user group to discuss the service it provides and address some of the concerns expressed by National Health Service customers in the 1990 survey. Both sides consider this user group to have been successful and it has been extended to include Welsh and Scottish National Health Service customers. In December 1994 representatives from government departments and agencies were invited to the first meeting of a central government user group. During 1995 the Paymaster General’s Agency plans to establish customer service teams to deal with queries and complaints. Teams will be responsible for specific customers and will be able to provide a personal service.

Figure 5: Key requirements for a service level agreement

• Objectives
• Client and service provider details
• Period of agreement and extension
• The specification
• The method of operation
• The quality plan
• Performance monitoring
• The basis of costs
• Resolution of disputes
• Remedies in the event of inadequate performance
• Review of the agreement
• Contacts
• Termination

2.18 As a direct result of discussions with the National Health Service user group about the need for timely information on account balances, the Paymaster General’s Agency has developed Masterline, an electronic banking service. Masterline gives customers access, via a desk-top computer, to the balance on their accounts and details of transactions processed. This service was introduced in April 1994 for National Health Service customers and is now being offered to all other customers.

Customer service agreements

2.19 The Paymaster General’s Agency introduced supply and service level agreements in April 1994. These are intended to specify and clarify the roles and responsibilities of the Paymaster General’s Agency and its customers. The agreements also contain the basis of charging, the terms of payment, dispute and agreement termination procedures, and timeliness targets for some services. The Paymaster General’s Agency agreed the form and content of a standard agreement with the National Health Service user group and with representatives from government departments and agencies. By December 1994 almost 90 per cent of the Paymaster General’s Agency accounts were covered by such agreements.

2.20 The National Audit Office examined the standard agreement and found that it conformed to good practice guidance issued by the Government’s Central Unit on Procurement (Figure 5).

Comments and complaints from customers

2.21 Analysis of customers’ comments and complaints provides another important source of information on customer requirements. Correspondence with customers is retained on customer files, but until December 1994 the Paymaster General’s Agency had no central record or analysis of customers’ comments or complaints. The Agency has now introduced manual procedures to record this information, thereby enabling managers to identify specific areas of concern. The new procedures also allow managers to monitor the time taken to reply to enquiries against the Agency’s target to reply to all correspondence within ten days of receipt. This target is for queries or complaints which require investigation. Routine enquiries are dealt with within 24 hours, which is comparable with the target used by most commercial banks. More complex enquiries are dealt with by the customer teams referred to at paragraph 2.17 above.

Source for Figure 5: Government’s Central Unit on Procurement, Service Level Agreement Guidelines

Comparison of the service provided by the Paymaster General’s Agency with that provided by commercial banks

2.22 Consultants employed by the National Audit Office compared the services provided by the Paymaster General’s Agency with those of commercial banks. This showed that the Paymaster General’s Agency had a clear advantage in some areas. For example, customers of the Paymaster General’s Agency are able to make far more of their payments by internal transfer than if their accounts were at commercial banks. And payable orders generally provide a more secure method of payment than cheques. However, the commercial banks scored over the Paymaster General’s Agency in a number of other areas, for example through having a local branch network and in providing information to customers more quickly.

2.23 These findings were confirmed in meetings that the National Audit Office had with groups of customers. The National Audit Office sought views on the quality of service provided by the Paymaster General’s Agency and how the services on offer met customers’ banking requirements. The main findings were:

• customers considered that the service provided by the Paymaster General’s Agency had improved in recent years and that the Agency had responded to customer requirements;

• customers were impressed by the friendliness and efficiency of staff;

• the Paymaster General’s Agency was generally regarded as being competitive on prices.

2.24 However, customers indicated that the Paymaster General’s Agency could improve the service offered (Figure 6 opposite). The Paymaster General’s Agency is considering how to respond to these needs.

Market testing

2.25 Government departments are required to review their banking arrangements at least once a year. In March 1994 the Treasury encouraged departments to test the banking services provided by the Paymaster General’s Agency against the equivalent services provided by the commercial banks. In the first of such market tests, by a major department and related organisations and agencies, the Paymaster General’s Agency retained most of its existing business. However, it was unsuccessful in obtaining any of the new business on offer.

Figure 6: Improvements suggested by customers in the service provided by the Paymaster General’s Agency

• Sending statements and advice notices more quickly.

• Expanding the information contained within receipt notification to include details of the source and nature of the receipt, and passing this to the customer more quickly.

• Allowing a later cut-off time for CHAPS (Clearing House Automated Payment System) payments to bring the cut-off time nearer to that operated by commercial banks.

• Providing local facilities for paying in receipts.

• Providing BACS (Bankers’ Automated Clearing Services) bureau facilities (a service which prepares BACS tapes for small customers).

• Arranging BACS sponsorship (only the 19 members of BACS and customers sponsored by them can use the BACS service as any BACS transactions which are rejected have to be referred back to a BACS member account).

Marketing strategy

2.26 The Paymaster General’s Agency may take on additional public sector banking business provided that:

• there is no increase in unit costs;

• it produces clear net savings for the public sector overall;

• new customers have a similar status to the existing customer base;

• Treasury Ministers are content.

2.27 In September 1993 a review by the Paymaster General’s Agency highlighted the need for a detailed marketing strategy for its banking business. A clear marketing strategy would help the Paymaster General’s Agency to tailor its products more closely to the needs of customers. It would also help to identify which of the gaps between the service provided and customer expectations need to be plugged. Such a strategy should bring together an analysis of the services the Agency does and could provide, the prices that it should seek, and how to improve customer awareness of its services.

2.28 A marketing strategy was due to be completed by the end of October 1994 but was delayed because of other demands on resources. The Paymaster General’s Agency eventually developed a high level marketing strategy by March 1995, for further development and implementation in 1995-96. The National Audit Office consider that as a first step the Paymaster General’s Agency needs to establish a clearer understanding of its existing and potential customer base. This will enable the Paymaster General’s Agency to focus more clearly on what must be done to maintain its existing business and to obtain new business.

On measures to ensure the security and continuity of banking

2.29 An essential element of the service provided by the Paymaster General’s Agency is that it should operate secure systems which minimise the risk of funds being lost through fraud or error. This section of the report deals with the security of information technology systems, including the continuity of banking.

Security policies and procedures

2.30 The security policy of the Paymaster General’s Agency has four broad objectives for computer systems:

• to design and develop secure systems;

• to protect computerised data against improper use;

• to prevent and detect unauthorised access;

• to deal with breaches of security and plan for contingencies.

The Agency’s security management committee, comprising senior security, business, information technology and internal audit staff, meet quarterly to review adherence to security policy and examine security breaches.

2.31 The National Audit Office examined the security procedures of the Paymaster General’s Agency against the Code of Practice for Information Security Management issued in September 1993 by the Department of Trade and Industry. The examination showed that the policy document on security prepared by the Paymaster General’s Agency lacked an explanation of principles, standards or compliance requirements. Although the Paymaster General’s Agency had followed CCTA (the Government Centre for Information Systems) guidelines and there were references to existing procedures manuals and external guidance on computer security, the Agency had not developed comprehensive security procedures of its own. Detailed procedures and guidelines had not been issued to staff and responsibilities for security were not explicitly defined in job descriptions, particularly for banking operational staff.

Figure 7: Framework of reference documentation

• Mission statement

• Business objectives

• Strategy documents

• Forward planning documents

• Procedures manual

• Technical descriptions of software

• Operating manuals

• Job descriptions

• Organisational charts

• Contingency plans

Source: The Paymaster General’s Agency

The Paymaster General’s Agency review of security practice in November 1994 recommended a framework of reference documentation to which all staff should have access.

2.32 The lack of properly documented security procedures introduces some risk that breaches of security will occur and will remain undetected or unreported, with the possible loss of public funds. The National Audit Office noted that the weaknesses identified had not resulted in a significant level of attempted fraud on the banking systems of the Paymaster General’s Agency. It is important that the Paymaster General’s Agency develops properly documented security policies and procedures to minimise the risk of fraud or error.

2.33 The Paymaster General’s Agency told the National Audit Office that it was conscious of the need to improve security and contingency planning and had employed a consultant from April 1994 to report on a number of aspects, including the impact of the loss of computer systems. The absence of detailed security guidelines was confirmed by a review of security commissioned by the Paymaster General’s Agency in June 1994 and published in November 1994. The review considered that the Agency’s strategic business aims needed to be defined and promulgated; that the information technology strategy needed to be updated; that security policy needed to be disseminated and applied; and that security practices needed to be improved and refined. The review recommended that a framework of reference documentation should be set up (Figure 7); and that all staff should have access to this information, with the exception of those documents classified as confidential. The Paymaster General’s Agency plans to introduce the new documentation by the end of May 1995.

2.34 The review made 81 recommendations for improving building and data security, contingency planning and security policy (see Figure 8 overleaf). Of these, 35 recommendations have or are to be implemented in full, 2 are to be partially implemented, 35 are to be considered further but have been accepted in principle, and 9 have been rejected. Most of the recommendations which have not been accepted fall in the category of building security. The Paymaster General’s Agency considers that these recommendations would be too costly to implement and address risks which are minimal or are no longer relevant because of accommodation changes.


Figure 8: Summary of the Response by the Paymaster General’s Agency to the Security Review

Accepted 11 2 16 6 35

Accepted in principle 6 7 4 18 35

Partially accepted and implemented 2 - 2

Rejected or no longer applicable 7 1 1 9

Total 26 10 21 24 81

Source: The Paymaster General’s Agency

Breaches of security involving information technology systems

2.35 The security review noted that firm action was not taken when breaches of security procedures were detected. For example, an internal door in the computer hall annexe had not been locked for several months despite repeated requests by the Security Officer for this to be done. There was thus a risk that unauthorised personnel would gain access to computer systems. The Paymaster General’s Agency considers that a new staff structure, which is currently being introduced, will ensure that such breaches are addressed by establishing a clear line of responsibility for security matters, with firm disciplinary action being taken where procedures are not followed.

2.36 Although security incidents have been comparatively few, breaches of security have ranged from the misuse of computer equipment to cracking the network system password. In the latter case the person responsible has been reprimanded and the loophole enabling access to the system has been closed. There was no intention to defraud the Paymaster General’s Agency. The introduction of detailed security guidelines should help to clarify which security incidents should result in disciplinary action. The National Audit Office noted that none of the recorded breaches of security led to any loss of funds and the Paymaster General’s Agency consider that these could not have led to any loss of funds.

Continuity of the banking service

2.37 Most of the computer hardware of the Paymaster General’s Agency is located in one area. This exposes the Agency to a high risk of total loss in the event of a disaster, such as a fire. Given the reliance of the banking business on information technology, the Paymaster General’s Agency needs an improved contingency plan to enable quick recovery from any major system breakdown. As customers rely more heavily on electronic banking services, they will require better guarantees of system continuity. This was recognised in a recent bid by the Paymaster General’s Agency for work which was being market tested by a government agency. The Agency’s bid included a commitment to provide a standby computer system for rapid restart should the main system break down.

2.38 The Paymaster General’s Agency employed a consultant in 1994 to lead the rewrite of its contingency plan covering business and system recovery. The most important change was the decision to set up a standby system on a separate site, with rapid restart facilities. By the end of 1994 recommended improvements were being implemented and contingency plans were being successfully tested. The security review in November 1994 also recommended further improvements to enhance the ability of the Paymaster General’s Agency to continue providing a service in the event of a disaster.

Risk analysis of computer systems controls

2.39 As part of normal business activities and during systems development the Paymaster General’s Agency has made informal assessments of the risk of fraud or error in its banking operations. It has also employed consultants to review specific risks. However, it has not carried out a formal assessment of its systems to identify and evaluate all the risks of fraud or error. The technology is available to assess overall systems risks through the risk analysis and management methodology (CRAMM) software prepared by the CCTA (the Government Centre for Information Systems). The Paymaster General’s Agency acquired this software, but following a trial decided not to make use of it because of the cost and effort involved relative to the perceived benefit.


Comparison of the computer system controls of the Paymaster General’s Agency with those of other financial institutions

2.40 Consultants employed by the National Audit Office compared the system controls of the Paymaster General’s Agency with those of other financial institutions - including clearing banks, merchant banks, investment and asset managers, insurance and leasing companies (Figure 9 opposite). The analysis showed that the dependence of the Paymaster General’s Agency on information technology was in line with most other financial institutions, reflecting its extensive use of computerised systems and communications links. On systems development and maintenance controls, the Paymaster General’s Agency scored higher than most other financial institutions - the Agency has an experienced team of systems developers and controls have been formally documented.

2.41 The assessment of the security and management controls of the Paymaster General’s Agency was that they were below those of most other financial institutions. Controls were either informal or not fully documented. These results also reflect the need, referred to above, to develop effective security policies and procedures, and improved contingency planning. More formalised security policies and the recent improvements made in recovery plans should enhance this assessment of the Paymaster General’s Agency against other financial institutions.

On controls over the processing of payable instruments

2.42 This section of the report deals with controls over the processing of payable instruments and, in particular, controls over payable orders. Payable orders are the riskiest of the types of payable instrument used by the Paymaster General’s Agency. Most attempted frauds on the Agency’s banking systems in recent years have involved the manipulation of payable orders.

Types of payable instrument

2.43 The main instruments used by customers of the Paymaster General’s Agency for making payments are:

• Paymaster transfers - transfers of funds from one account holder to another;

• CHAPS (Clearing House Automated Payment System) payments - electronic inter-bank transfers used for single high value transactions to be settled the same day;

• BACS (Bankers’ Automated Clearing Services) payments - electronic transfers of funds, generally used for batches of transactions;

• Payable orders - paper transactions similar to cheques but with added security features.

Electronic transfers of funds (CHAPS and BACS) and internal transfers are generally more secure than payable orders and cheques. Funds are transferred directly from one account to another and there is less opportunity for fraudsters outside the banking system to manipulate transactions.

Figure 9: Comparison of system controls of the Paymaster General’s Agency with those of other financial institutions

[Four chart panels, each plotted against the percentage of institutions: Dependence on information technology; Systems development and maintenance controls; Security controls; Management controls.]

The dependence of the Paymaster General’s Agency on information technology was in line with most other financial institutions. On systems development and maintenance controls the Agency scored above the average but on security and management controls performance the Paymaster General’s Agency was below the average, reflecting the fact that controls were either informal or not fully documented.

2.44 Figure 10 shows the value and number of the different types of payable instrument processed by the Paymaster General’s Agency in 1992-93¹. The 17 million payable orders processed with a total value of £41 billion represented 97 per cent by number of all transactions but only 8 per cent by value. The average amount paid by payable order was only £2,400 compared with an average value of between £800,000 and £2.1 million for the other types of payable instrument.

Figure 10: Payable instruments processed by the Paymaster General’s Agency in 1992-93

CHAPS payments 28,300 5.2 23,600 0.1 1,200,000

Payable orders 41,500 7.6 17,027,600 97.0 2,400

BACS funding payments 101,100 18.4 47,600 0.3 2,100,000 (note 1)

Paymaster transfers 377,700 68.8 460,900 2.6 800,000 (note 2)

Total 548,600 100.0 17,559,700 100.0 31,000

Source: The Paymaster General’s Agency

Notes: (1) The figures are for the average of each BACS run made by customers. Each run will consist of a number of payments to individual payees.

(2) In 1992-93 the Paymaster General’s Agency also processed transfers between its own and other Bank of England accounts totalling £350,000 million.

In 1992-93 payable orders represented 97 per cent by number of all transactions but only 8 per cent by value.

¹ Figures are available for 1992-93 only, following a special exercise by the Paymaster General’s Agency on behalf of the Treasury.


2.45 The use of payable orders by customers of the Paymaster General’s Agency has declined by 14 per cent over the last four years, from 19.1 million transactions in 1990-91 to 16.4 million transactions in 1993-94. Over the same period the use of BACS - which as noted above is a generally safer means of payment - has more than doubled, from 27,900 funding transactions in 1990-91 to 60,000 funding transactions in 1993-94.

Adequacy of controls over the processing of payments

2.46 Overall, the National Audit Office found a high level of controls within the systems of the Paymaster General’s Agency for processing payments, thereby reducing the risk of fraud. In particular, there were satisfactory controls to counter the risk of internal fraud within the Paymaster General’s Agency. In the past some weaknesses have been apparent in the controls against external fraud. These weaknesses involved the procedures for checking transfer payments, opening accounts and accepting telephone and fax instructions from customers. Cases 1 to 3 overleaf illustrate the risks involved.

2.47 The Paymaster General’s Agency is aware of only one attempted fraud involving the processing of CHAPS payments. This occurred in March 1990 and involved £6 million (see Case 3). It was prevented by the Agency’s controls only after the payments had been made, but action was prompt enough for the monies to be frozen and recovered. In response the Agency no longer accepts requests for payment by telephone, and has introduced other controls to tighten procedures.

2.48 The Paymaster General’s Agency has not carried out a formal risk assessment to ensure that controls are at an appropriate level commensurate with the risks involved. The National Audit Office noted considerable variations in the level of checks on different items, ranging for example from a full 100 per cent check on the signatories for CHAPS payments to sample checks on the signatories for transfers. Although these variations have been decided by the Paymaster General’s Agency and may in fact reflect the risks involved, there was no evidence that the level of checks had been determined from a formal assessment of the relative risks by the business area. However, the Agency considers that its internal audit team provide independent full assessments through audits agreed, as part of an annual programme, with the Chief Executive.


CASE 1 illustrates the risks involved with transfer payments.

A department’s regional office contacted the Paymaster General’s Agency in March 1991 for advice on making a transfer payment to another department. The Paymaster General’s Agency explained the procedure and advised the regional office to contact its headquarters for instructions. When the Paymaster General’s Agency was asked by the regional office for a transfer request form it incorrectly assumed that this was on the instruction of the Department’s headquarters. As a result the payment of £3,600 was made to the receiving department twice, once by headquarters and once by the regional office, who had no authority to make transfer payments. The Paymaster General’s Agency has since tightened up its procedures in this area.

CASE 2 illustrates the risks involved when accounts are opened without proper authority

In June 1992 different officers within a department opened a number of new accounts with the Paymaster General’s Agency. In only one case was a formal written request made by an officer from the authorised signatory panel. One account was opened without proper authority and had to be subsequently closed. Although in this case there was no suggestion of fraud, there is a risk that accounts opened without proper authority may be used to process bogus transactions. The Paymaster General’s Agency has since tightened its procedures and a standard, serially numbered, authorisation form has been introduced for opening accounts. This form must be authorised by the customer’s Principal Finance Officer.

CASE 3 illustrates the risks involved in accepting telephone instructions for payment

In March 1990, the office in charge of manual payments at an agency received a telephone call, purportedly from the Paymaster General’s Agency, asking for the first and last payable order numbers used on that day’s manual payment schedules. The caller said that the numbers were needed for end of financial year monitoring. Having been given the numbers, the caller volunteered the next number, indicating an insider knowledge of the system. The caller’s name was not requested.

A few days later the Paymaster General’s Agency received a telephone call, purportedly from the agency, requesting the issue of two payments by CHAPS. The caller gave the agency’s code number and account title and the next two payable order numbers. On these instructions the Paymaster General’s Agency transferred £2,941,635 and £3,275,740 to two different limited companies.

The Paymaster General’s Agency discovered the attempted fraud the next day on checking the manual payment schedules produced by the agency and the payments were stopped. The Paymaster General’s Agency has since tightened up its procedures and requests for payment by telephone are no longer accepted.


Controls over payable orders

2.49 An important feature of the banking service provided by the Paymaster General’s Agency is the extra security afforded by the use of payable orders rather than cheques for making payments. Payable orders are used in the same way as cheques and are subject to the same legislation. However, unlike cheques, where the amount and authorisation to pay are given in a single document, payable orders are backed up with a separate schedule of issues which provides independent confirmation of the amount and authority to pay. Figure 11 illustrates how payable orders are used by customers and how the Paymaster General’s Agency clears and checks them.

Figure 11: Procedures for issuing, clearing and checking payable orders

The customer checks:

• payment conforms to Government Accounting rules

• payable order details are accurately entered on the schedule

• monthly statements are reconciled with internal records

Commercial Bank

• schedule serial numbers agree to internal records held by


2.50 The Paymaster General’s Agency relies on its customers’ procedures to ensure that only valid payable orders are authorised and that these are issued to the correct payee. Although the Agency reconciles the amounts on all payable orders with the authorising schedules of orders for payment, it would be impractical to check payee details against those on the schedule as nearly 70,000 payable orders are lodged daily. Furthermore, some changes are quite legitimate and authorising schedules prepared on magnetic tape do not include payee details.

2.51 Despite their added security features compared with cheques, payable orders remain more prone to fraud than other types of payment instrument used by the Paymaster General’s Agency. Most attempted frauds on payment instruments involve alteration of the amount or payee details on payable orders.

2.52 This type of fraud is illustrated by a case involving a Customs and Excise payable order². The Customs and Excise system is not covered by this National Audit Office examination, as Customs and Excise payable orders are not drawn on the Paymaster General and are purely the responsibility of Customs and Excise. The case involved the fraudulent encashment of a VAT repayment payable order for £1.2 million issued by HM Customs and Excise. The deception was achieved by altering the name of the payee on the payable order. In response Customs and Excise have improved procedures to make the processing of VAT repayments more secure. The main measures are:

• transferring monies to other government departments and health authorities directly through the Paymaster General’s Agency;

• encouraging more traders to accept payment through BACS;

• redesigning payable orders to incorporate the latest security features available;

• amending the computer programs producing payable orders so that the trader’s name is printed twice and blank spaces are filled with asterisks;

• disguising the transmission of payable orders to reduce the risk of postal interception;

• checking cashed payable orders over a certain value for signs of alteration or presentation through foreign banks.

The Treasury has also issued revised guidance to departments on safeguards against fraud, drawing lessons from this and other cases.

² Source: Report of the Comptroller and Auditor General, Appropriation Accounts, 1993-94, Volume 12, paragraphs 54 to 65.

2.53 Like Customs, the Paymaster General’s Agency has introduced an improved design of payable order to reduce the risk of fraud (paragraph 2.57). As noted in paragraph 2.50 however, measures to prevent and detect alterations to payee details on payable orders issued by the Paymaster General’s Agency rest with the Agency’s customers. The Paymaster General’s Agency should nevertheless remind its customers of further measures they could take - along the lines of those taken by Customs - to improve security over payments.

2.54 Between 1990-91 and 1993-94 the Paymaster General’s Agency detected 217 attempted payable order frauds, with a total value of £604,000. Most involved the alteration of the authorised amount on the payable order (for example, see Case 4). These attempted frauds were automatically detected by the Agency’s computer systems, allowing staff to check the payable order to the original schedule, contact the originating department and reject the payment. The system would also have detected payable orders which were presented without a valid authorising schedule.

CASE 4 illustrates an attempted payable order fraud which was prevented by the routine controls of the Paymaster General’s Agency

In November 1993, a payable order for £25 made out by a customer was altered to £25,000 by the payee, using an electroset machine. The payee presented the payable order to his local bank. The attempted fraud was automatically detected by the Paymaster General’s Agency when it checked the payable order against the authorising schedule sent to it by the customer. The payable order was immediately rejected before any money was withdrawn.
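The schedule check described in paragraphs 2.49 to 2.54, sketched as an added example that is not taken from the report or from the Agency's systems: each presented payable order is matched to the customer's authorising schedule by serial number and amount, which catches a Case 4 style alteration and an order with no schedule, but not a changed payee. All class names, serial numbers, amounts and payees are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Hypothetical record layouts; the report does not describe the real formats.
@dataclass(frozen=True)
class ScheduleEntry:
    """One line of a customer's authorising schedule (no payee, as on tape schedules)."""
    order_no: str
    amount: Decimal

@dataclass(frozen=True)
class PresentedOrder:
    """A payable order as lodged for clearing."""
    order_no: str
    amount: Decimal
    payee: str

PAY = "pay"
REJECT_NO_SCHEDULE = "reject: no valid authorising schedule"
REJECT_AMOUNT = "reject: amount differs from schedule"

def build_index(schedule):
    """Index schedule entries by serial number, refusing duplicate serials."""
    index = {}
    for entry in schedule:
        if entry.order_no in index:
            raise ValueError(f"duplicate serial on schedule: {entry.order_no}")
        index[entry.order_no] = entry
    return index

def reconcile(presented, schedule):
    """Agency-side check: serial number and amount must agree with the schedule."""
    index = build_index(schedule)
    results = []
    for order in presented:
        entry = index.get(order.order_no)
        if entry is None:
            results.append((order.order_no, REJECT_NO_SCHEDULE))
        elif entry.amount != order.amount:
            results.append((order.order_no, REJECT_AMOUNT))
        else:
            results.append((order.order_no, PAY))
    return results

def undetected_payee_changes(presented, schedule, customer_records):
    """Orders the amount check would pay although the payee differs from the
    customer's own issue records (the check that rests with the customer)."""
    paid = {no for no, outcome in reconcile(presented, schedule) if outcome == PAY}
    return [o.order_no for o in presented
            if o.order_no in paid and customer_records.get(o.order_no) != o.payee]

# Constructed sample data.
SCHEDULE = [
    ScheduleEntry("PO-000101", Decimal("25.00")),
    ScheduleEntry("PO-000102", Decimal("310.40")),
    ScheduleEntry("PO-000103", Decimal("1200.00")),
]
PRESENTED = [
    PresentedOrder("PO-000101", Decimal("25000.00"), "A Trader"),     # amount altered
    PresentedOrder("PO-000102", Decimal("310.40"), "B Supplies Ltd"),  # genuine
    PresentedOrder("PO-000103", Decimal("1200.00"), "X Holdings"),     # payee altered
    PresentedOrder("PO-000999", Decimal("500.00"), "Unknown Payee"),   # not on any schedule
]
CUSTOMER_RECORDS = {
    "PO-000101": "A Trader",
    "PO-000102": "B Supplies Ltd",
    "PO-000103": "C Contractor",
}

if __name__ == "__main__":
    for order_no, outcome in reconcile(PRESENTED, SCHEDULE):
        print(order_no, outcome)
    print("payee changes not caught by the amount check:",
          undetected_payee_changes(PRESENTED, SCHEDULE, CUSTOMER_RECORDS))
```

The payee-altered order is paid by the amount check and only surfaces when compared with the customer's own records, which is the residual risk paragraph 2.50 leaves with customers.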

2.55 In 1993-94 departments notified the Paymaster General’s Agency of 33 attempted frauds, amounting to £169,000, where payee details on payable orders had been altered. These cases will not represent the total of all such frauds since departments are not required to let the Paymaster General’s Agency know of all attempted frauds. Departments are required, however, to report to the Treasury attempted payment frauds where these are perpetrated by staff, involve computer fraud or fraud by contractors, reveal potential system weaknesses, or involve significant new risks which might be faced by other departments. It would assist the monitoring of risk by the Paymaster General’s Agency if departments were also required to notify the Agency of all frauds involving its series of payable orders.

2.56 In May 1994 a report on payable orders by the internal audit branch of the Paymaster General’s Agency found that the Agency’s system of controls over payable orders was satisfactory. The report concluded that suspected fraudulent alterations of amounts on payable orders were dealt with effectively. The National Audit Office examination confirmed that checks by the Paymaster General’s Agency to detect alterations to the amounts on payable orders were an effective safeguard against this type of fraud. As noted above, however, the Paymaster General’s Agency relies on its customers to check that payable orders are issued to the correct payee. It is also the customer’s responsibility to pursue any cases of suspected fraud and any decision to prosecute in such cases rests solely with the customer.

Measures taken to improve payable order security

2.57 The Paymaster General’s Agency has introduced a new design for payable orders following revised standards on payment instruments issued by the Association of Payment Clearing Services (APACS). The new design should deter payees from changing the amount box by including the amount to be paid in words, make it harder for the payee details to be changed, and make identification of false payable orders more obvious.

2.58 Customers have been able to obtain the new payable order since October 1994. The APACS standard does not require the destruction of existing stocks of payable orders and customers may use up existing stocks before switching to the new design. The standard asks that the switch be made by 31 December 1995, however.


3. Conclusions and recommendations

3.1 This part of the Report summarises the main findings and conclusions from the National Audit Office examination and suggests some points for further action by the Paymaster General’s Agency.

On quality of service and efficiency targets

3.2 The Paymaster General’s Agency met its quality of service and efficiency targets for 1994-95. Since April 1994 the Agency has met all 15 performance targets covering the speed and timeliness of its banking operations. The Paymaster General’s Agency has also met its overall target for accuracy, although performance against accuracy targets for individual services has been more variable. The Agency met its 1994-95 efficiency target of a 3 per cent reduction in the average unit cost of processing a banking transaction (paragraphs 2.3 to 2.7).

On the recovery of costs through charges

3.3 Since April 1994 the Paymaster General’s Agency has been required by the Treasury to recover its full banking costs through charges on its customers. The Agency has developed a pricing strategy to do this and recovered its full costs in 1994-95 (paragraph 2.9).

On establishing customer requirements

3.4 The Paymaster General’s Agency has made considerable efforts to establish the requirements of its customers. It has set up customer user groups to discuss the service it provides and has introduced customer service teams to deal with queries and complaints. To ensure that it responds properly to customer requirements, the Paymaster General’s Agency is carrying out a further customer survey, with results due in April 1995 (paragraphs 2.15 to 2.21).

On comparisons with the service provided by commercial banks

3.5 The Paymaster General’s Agency has a clear advantage over commercial banks in some areas. For example, its customers are able to make far more of their payments by internal transfer than if their accounts were at commercial banks. It also makes use of payable orders, which are generally more secure than cheques. However, the commercial banks score over the Paymaster General’s Agency in having a local branch network and in providing information to customers more quickly. The Paymaster General’s Agency is considering how to respond to the needs of its customers in these areas (paragraphs 2.22 to 2.24).


On the need for a clear marketing strategy

3.6 The Paymaster General’s Agency needs a clear marketing strategy to tailor its products more closely to its customers’ needs. This should bring together an analysis of the services it does and could provide, the prices that it should seek, and how to improve customer awareness of its services. A marketing strategy was due to be completed by October 1994 but was delayed because of other work taking priority. The Paymaster General’s Agency eventually developed a high level marketing strategy by March 1995, for further development and implementation in 1995-96 (paragraphs 2.26 to 2.28).

On security policies and procedures

3.7 The Paymaster General’s Agency currently lacks - but is now developing - properly documented security policies and procedures to minimise the risk of fraud or error. The lack of such documentation introduces some risk that breaches of security will occur and will remain undetected or unreported, with the possible loss of public funds. Following a review of security in November 1994, the Paymaster General’s Agency plans to introduce reference documentation for its staff by the end of May 1995 (paragraphs 2.30 to 2.36).

On continuity of banking

3.8 Most of the computer hardware of the Paymaster General’s Agency is located in one area, which exposes the Agency to a high risk of total loss in the event of a disaster, such as a fire. To counter the risk of its main system breaking down, the Agency has developed and successfully completed main testing of a contingency plan. This includes the provision of a standby computer system on a separate site, with rapid restart facilities (paragraphs 2.37 to 2.38).

On the assessment of computer system security risks

3.9 The Paymaster General’s Agency has assessed potential system risks as part of normal business activities and during systems development, and has reviewed specific risks. However, it has not undertaken a comprehensive analysis of the risks of fraud or error in its systems. The Paymaster General’s Agency has purchased the software which would enable it to do this but has decided not to make use of it as yet. It considers that the cost and effort are not commensurate with the perceived benefit (paragraph 2.39).

On comparisons of systems controls with those of other financial institutions

3.10 The dependence of the Paymaster General’s Agency on information technology is in line with most other financial institutions. The Agency scores highly on systems development and maintenance controls but ranks below most other financial institutions on security and management controls. More formalised security policies and procedures and recent improvements to recovery plans should enhance the Agency’s comparative performance (paragraphs 2.40 to 2.41).

On controls over the processing of payment instruments

3.11 The Paymaster General’s Agency has controls to counter internal fraud and has addressed past weaknesses in controls against external fraud. But it has not carried out a formal risk assessment to ensure that controls are at an appropriate level commensurate with the risk (paragraphs 2.46 to 2.48).

On controls over payable orders

3.12 Most attempted frauds on payment instruments involve alteration of the amount or payee details on payable orders. Alterations to the amounts are detected automatically by the Agency’s computer systems. But for practical reasons the Paymaster General’s Agency must depend on its customers’ procedures to ensure that only valid payable orders are authorised and that they are issued to the correct payee (paragraphs 2.49 to 2.56).

On measures to improve the security of payable orders

3.13 The Paymaster General’s Agency has introduced a new design for payable orders to reduce the risk of fraud. The new design should make it harder for the amounts and payee details on payable orders to be changed, so that fraudulent payable orders become more obvious (paragraphs 2.57 to 2.58).

Overall conclusions

3.14 To match what is on offer from commercial banks, the Paymaster General’s Agency must demonstrate that it is able to provide high quality services at competitive prices which fully meet customer requirements. The Agency has responded positively to customer concerns with an acknowledged improvement in the quality of service provided. And it has taken significant action on a number of fronts to improve quality of service and efficiency further. This momentum will need to be maintained if the Agency is to continue to compete effectively in the future.

3.15 No system, however well designed and administered, can ever be proof against all fraud. The Paymaster General’s Agency takes the threat of fraud very seriously and deals with suspected fraud cases effectively. Overall, the controls within the Agency’s systems are good. But some weaknesses persist, such as the need for clearly laid down security guidelines and more formalised risk assessments of systems.

3.16 These weaknesses in controls have not led to any significant level of attempted fraud on the Agency’s banking systems. Nevertheless, it is important that the Paymaster General’s Agency plugs any gaps - as it is now doing - if it is not to remain exposed to potential security risks in the future.

Action points

3.17 In the light of the above findings, the National Audit Office consider that the Paymaster General’s Agency should:

• continue to respond to customer needs identified as a result of market testing, through customer surveys and user group meetings and from an analysis of customer comments and complaints;

• address the main areas of its banking operations where the commercial banks currently have a comparative advantage;

• establish a clearer understanding of its existing and potential customer base;

• refine and develop its marketing strategy so as to focus more clearly on what must be done to maintain existing business and obtain new business;

• introduce properly documented security policies and procedures;

• maintain up-to-date contingency plans to ensure the continuity of banking;

• undertake a comprehensive analysis of the risk of fraud or error in its systems to ensure that controls are at an appropriate level commensurate with the risk in addition to the work undertaken by internal audit;

• address weaknesses in security and management controls to match the controls of other financial institutions.
