A financial services company had been regularly overpaying its policyholders by small amounts for years. There were 9,500 customers with this policy, and each had been receiving overpayments of between £5 and £30 (an average of £20) per year for an average of 8 years. Recovery of the money was rejected as an option because of the potential legal costs and the potential adverse publicity. Total direct losses were £1.52m and systems correction costs were approximately £550,000. In addition, the event had to be reported to the regulator.
The error was discovered accidentally when an employee checked their own policy in detail. It had been caused by a minor error in the computer code, which had been insufficiently tested at the time because of severe pressure on the project implementation date, inadequately experienced testing staff and a commercial imperative to launch the product quickly. Over-complex and opaque client and business documentation had obscured the error. High staff turnover had left the business being administered by staff with inadequate experience, and the IT systems were old, with limited audit trails, poor error reporting and almost non-existent data validation.
The end-to-end business process involved several IT systems of varying ages and technologies, linked by manual processes that were not fully documented or audited. Control reports had been put in place at the time, but the manager responsible had since moved on. The reports were complex and poorly documented, and the existing staff could not understand them, although they did not communicate this to their managers. This gave senior management a false level of comfort.