BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?
No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!
[Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback] | ||
English and Welsh Courts - Miscellaneous |
||
You are here: BAILII >> Databases >> English and Welsh Courts - Miscellaneous >> Uber London Ltd v Transport for London [2020] EW Misc 20 (MagC) (28 September 2020) URL: http://www.bailii.org/ew/cases/Misc/2020/20.html Cite as: [2020] EW Misc 20 (MagC) |
[New search] [Printable PDF version] [Help]
IN THE MATTER OF AN APPEAL UNDER THE PRIVATE HIRE VEHICLES
(LONDON) ACT 1998
B e f o r e :
Deputy Senior District Judge
____________________
UBER LONDON LIMITED |
Appellant |
|
and |
||
TRANSPORT FOR LONDON |
Respondent |
|
|
||
LONDON TAXI DRIVERS' ASSOCIATION |
Interested Party |
____________________
Crown Copyright ©
See also: Conditions
REASONS
The Appeal
Is the Court satisfied that ULL is (at the time of the hearing) a fit and proper person to hold a PHV operator's licence, such that a licence should be granted? ("Issue 1");
If the Court is satisfied that ULL is a fit and proper person to hold a PHV operator's licence, should that licence be subject to any conditions and, if so, what conditions? ("Issue 2"); and
If the Court is satisfied that ULL is a fit and proper person to hold a PHV operator's licence, for what duration should any such licence be granted? ("Issue 3")
Relevant History
31.05.2012 ULL granted licence for 5 years 22.09.2017 TfL refuses to renew the licence 26.06.2018 Chief Magistrate allows ULL appeal and grants 15 month licence 03.07.2019 ULL applies to renew licence 24.09.2019 TfL grants ULL a 2 month licence as 'unable to resolve 2 questions' 25.11.2019 TfL refuses to renew licence, 'the November decision'
Parties' Positions
i. TfL's Decision was correct: ULL was not fit and proper to hold a licence in November 2019.
ii. Some of the matters that informed that decision have been addressed in the intervening 10 months.
iii. Insofar as the concerns regarding systems, processes or operations have subsequently been dealt with, the court will need to determine whether it has sufficient confidence that ULL no longer poses a risk to public safety. The court must also weigh the further matters of concern that have arisen since November 2019.
iv. They remind the court that 'past misconduct by the licence holder will in every case be a relevant consideration to take into account when considering whether to cancel a licence."
v. TfL, at the appeal hearing seek to assist the court including 'by testing some of Uber's evidence and identifying some of the key themes in the evidence that the court should take into account."
vi. Ultimately, they say that in relation to changes, 'it is relatively early days and ... more time is required to be confident that these interventions have sufficiently embedded." (per evidence of Ms Chapman)
i. ULL has taken action and addressed the concerns raised.
ii. ULL's response to the refusal evidences that they are a fit and proper person.
iii. That there is a substantial body of evidence which supports a finding that they are a fit and proper person. This includes evidence identified by TfL themselves.
iv. On the evidence now before the court, the court can be satisfied that ULL meets the test of 'fit and proper person.'
The Evidence
i. James McPherson Heywood, Regional General Manager for Uber in northern and eastern Europe.
ii. Ms Laurel Powers-Freeling, the non-executive Chair of the Board of ULL.
iii. Christopher Earl Schildt, Senior Manager, Community Operations Divisions, ULL iv. Ms Helen Chapman, Director of Licensing on behalf of TfL.
i. Regulatory breaches since June 2018 (ie, since the grant of the 15 month licence)
ii. Assurance Reports failing to recognise the importance of some of the breaches and that they were insufficient to have confidence in ULL's systems.
iii. The Cognizant report commissioned by TfL concluded that ULL's IT Service Management rated below the standard that would be expected of a company in its position, as regards 'Change Management Systems' and 'Release Management'.
(i) significant delays by ULL in deactivating three drivers who committed sexual assaults against passengers,(ii) further piecemeal explanations of the root cause of the driver photo fraud issue,
(iii) inaccurate and inconsistent data in ULL's Assurance Reports which, in turn, requires further analysis and verification by TfL,
(iv) further regulatory breaches as set out in the February 2020 and May 2020 Assurance Reports, and
(v) data management issues, particularly a data outage of ULL's systems in April 2020.
a. ULL has addressed the IT Change & Release Management Systems highlighted in the Cognizant Report
i. After the Cognizant Report, Uber swiftly implemented changes including additional software tools, implementing compliance review systems, implementing regression testing and policies ensuring prompt escalation to LOMC with additional technical capability.
ii. Uber commissioned a report undertaken by KPMG to review the changes (01 April 2020). They concluded:
Uber's processes ranked at Level 3 maturity overall with four of the ten assessment areas actually scoring a Level 4 rating and that:
'A maturity scoring of Level 3 and Level 4 across the assessment domains for both Change Management and Release Management demonstrates a level of maturity which is characterised by processes which are standardised, documented, well understood and reinforced through training.'
'The maturity level of the Change Management and Release Management processes have been improved. We would expect the improved controls, including but not limited to increased automation, improved testing processes and increased governance to significantly reduce the likelihood of regulatory breaches caused by Change Management and Release Management.'
iii. KPMG updated their Report on 12 June 2020 and stated:
all of the improvements had been sustained, the new processes were being consistently followed, and the Level 3 (with Level 4 elements) rating remained valid.
iv. PA Consulting were then instructed by TIL to review progress and KPMG's Report and concluded that:
ULL's change and release management systems should be assigned a maturity level of Level 3 and that ULL had now addressed the major gaps identified within the Cognizant ITSM assessment.
PAC has described a level 3 rating as meaning that the relevant systems are 'fit for purpose in minimising the risk of regulatory breaches.'
v. In the words of Ms Chapman 'this gives TfL comfort that ULL has addressed the deficiency in its change and release management process identified by Cognizant"
She also states, however, 'in light of the fact that some of the interventions were introduced as recently as March 2020, I think it is fair to say that it is relatively early days and that more time is required to be confident that these interventions have sufficiently embedded."
vi. TfL accepts that a Level 3 rating provides it with sufficient confidence that ULL's systems are adequate.
b. Continued implementation of Programme Zero to Reduce Regulatory Breaches
i. This programme was in fact rolled out in February 2019 and before the refusal of the licence. It seeks to eliminate regulatory breaches altogether, ie to zero. There are 7 strands of work and these are the subject of Board level scrutiny on a monthly basis. Mr Heywood described the practical steps on document compliance, complaints handling, safe and compliant trips, safe change, governance, risk and control and a focus on organisational culture.
ii. The evidence is that the number of regulatory breaches has reduced from 55 in Q3 2018 to 4 in Q2 2020.
iii. Regulatory breaches such as drivers not being insured with appropriate cover create clear risk to passengers. ULL was convicted of two offences of causing or permitting drivers to use their vehicles without insurance at Westminster Magistrates' Court.
c. Specific Steps on invalid insurance / insurance fraud
iv. There has clearly been a failure to properly review and validate that drivers have valid insurance documents.
v. Prior to the previous appeal before the Chief Magistrate in 2018, ULL was convicted in 2014 for causing or permitting drivers to use their vehicles for hire and reward without insurance.
vi. In 2019, ULL were once again convicted of the same offences in relation to 2 drivers. I do however observe that these convictions were known to TfL when they renewed the licence for 2 months in October 2019.
The situation is aggravated though, by the fact that a total of 12 drivers have been identified as using their vehicles without the necessary insurance during the period early 2018 to October 2018. The figure is higher than just the 2 that were prosecuted. This resulted in many uninsured trips, 2 uninsured drivers undertaking over 1400 bookings just between them.
vii. ULL says it has since addressed the issues, and argued the following:
a) Improvement to its electronic and manual processes.
b) Its review of all other insurance documents it held for drivers to identify if there were any other failures.
c) The close involvement of the Board which directed a number of actions be taken to find out why these failures occurred and to put in place actions to prevent them occurring again.
d) That the Board, and ULL as a whole, has committed to zero errors in relation to breaches.
e) Investment in resources in eradicating errors, both in the form of new staff and new technological solutions.
f) That it had communicated proactively with TIL on this issue and readily shared information with TIL once it emerged.
g) Its continued engagement with several insurance companies specialising in taxi and private hire.
h) The further extension of ULL's Instadoc system to additional insurance providers, enabling insurance documentation to be submitted directly to Uber by the insurer.
viii. Instadoc is an industry first and allows providers to send insurance documentation directly to ULL. It has allowed identification of fraud that had previously gone undetected. Indeed, it has identified previously unknown instances of invalidity or fraud in relation to vehicle insurance.
ix. There has also been the issue of 9 drivers being allowed to drive on the App with insurance that had not yet commenced. This was identified in July 2019. Software changes were, however, introduced within 3 hours of identification of the issue to prevent the use of post-dated insurance documents.
Fraudulent Documents, Driver Photo Fraud and ULL's Response
x. Document fraud including MOTs, driving licences and TIL PHV driver licences all present a challenge.
xi. ULL drew TfL's attention to 6 drivers who presented 'modified' insurance documents on 04 February 2019. TIL says the issue was not properly escalated in accordance with normal established routes. On 22 February , ULL referred to those 6 cases and an additional 6 cases. After a meeting with James McPherson Heywood, Regional General Manager and Ms Laurel Powers-Freeling on 11 April, TfL asked for full and frank information and wrote to ULL thereafter. On 02 May, at a further meeting, ULL explained that they had reported 10 of them to Action Fraud or the Metropolitan Police. ULL stated that they had developed more effective controls and that 45 drivers had been dismissed due to fraudulent documents since 01 January 2018. On 09 August 2019, ULL updated that it had identified a further 27 suspicious documents.
xii. TfL also had concerns that prior to September 2018, ULL did not suspend
a driver pending investigation of a fraudulent document.
xiii. ULL explained new steps to combat the use of fraudulent documents:
They include:
a) Introduction of a secondary review of all documents before they are approved;b) An increase in the number of ongoing assurance checks that are undertaken after document approval;c) Document fraud training that has been developed with the support of the Home Office and the Metropolitan Police Service;d) Availability of reference guides for agents that include examples of official documentation;e) Introduction of a feedback loop to update agent training material as and when new fraud techniques and patterns are identified;f) Extension of the Instadoc system to additional insurance providers, enabling insurance documentation to be submitted directly to Uber by the insurer;g) Enhancements to its document approval system, for example functionality that will flag to an agent when a driver re-submits a document multiple times.
On 21 November 2019, they stated they were in discussion with the City of London Police to convene a cross-industry working group to share information and best practice.
xiv. I now turn to the issue of Driver Photo Fraud.
xv. A single male individual was identified by ULL as having their photo on the profile of a female driver. On 14 November 2018, aPHV105 was sent to TfL notifying them that the driver had been dismissed.
xvi. In February 2019, a second case was identified, and discovered to have involved a further individual on 04 March 2019. A fourth case was identified by an Uber agent on 08 March 2019. Mr Heywood accepted that at that stage, they realised 'it was a broader problem than we had originally thought at the time of the first case." PHV105s were sent and the issue raised in the monthly update with TfL in May 2019.
Following further investigation, including further audits which were conducted from October 2018 to August 2019, a total of 24 individuals were found to have fraudulently used active Uber driver accounts between August 2018 and January 2019. This involved 14,788 trips. Mr Heywood accepted that this posed a significant risk to passengers. The 23 drivers were dismissed and relevant PHV105s sent to TfL within the 14 day condition.
xvii. Mr Heywood stated that 97 to 98% of complaints of wrong driver (ie passengers complaining that the driver did not match the photo on the app) are, in fact, not upheld and are mistakes. The rest can be put down to account sharing.
xviii. In October 2019, ULL tightened up their process for responding to wrong driver complaints.
xix. TfL expresses real concern on the issue, including whether the concerns were taken seriously, slowness to report the issue of driver photo fraud, the detail in some of the PHV105s, ULL's vulnerability to such fraud and the risk of recurrence and the time it took to uncover the root causes.
xx. The issue was addressed by all 3 of ULL's witnesses who gave live evidence. I found all 3 to be credible and honest in the evidence they gave.
Mr Heywood's Evidence
xxi. Mr Heywood made 3 witness statements and gave live evidence in court, xxii. He explained the difficulty of identifying who the borrowers were (the individuals who had their photos fraudulently on the real drivers accounts). I accept that they did not know who any of the borrowers were till April 2019.
xxiii. He insisted that ULL treated it as a safety issue from the very beginning and said it had been codified as such by the investigating agent in Limerick. A fix in the software was implemented and ULL had wrongly thought the issue had been resolved. The PHV105 was sent to TfL. He now accepted that the form was incomplete with no reference to fraud but stated that the systemic vulnerability had not been identified at that stage. He conceded that ULL should have shared more and should have categorised it as a breach of regulations with TfL. They did not, he said because they had not seen anything like it before though he did not seek now to provide a justification.
xxiv. In March 2019, he personally became aware of 2 more cases. He accepted he should have been told before. He accepted that the link with the earlier case should have been identified earlier.
xxv. He stated that another photo change was identified after it was thought the software fix had resolved the issue. In retrospect, he accepted that notification to TfL in the PHV105 did not adequately notify that there was an ongoing investigation into a vulnerability in the App.
xxvi. He accepted that in retrospect that there should have been earlier escalation to senior TfL leadership and clearer information in the PHV105. He added that is not how ULL would deal with the situation now.
xxvii. He stated that at the relevant time, ULL was not clear as to which of the channels to use, to report serious safety issues and what to put in Assurance Reports.
xxviii. By 23 April 2019, ULL were aware that that either the fix did not work, their audit had not worked or there was further vulnerability in the app. He accepted that the impression they had given to TIL was that the issue had been addressed. That was wrong.
xxix. The issue was dealt with in Annex 2 of the 26 June 2019 Assurance Report. He rejected the idea that it had been buried but accepted that they had failed to communicate this problem to TIL in a manner that was appropriate and that drew its seriousness to TfL's attention. He accepted that TIL was right to take into account the failings in communication. They were properly taken into account by TIL in refusing renewal.
xxx. He accepted that they had initially failed to understand the root cause of the issue in two versions of the app, thinking it only affected the Carbon app. There had been a failure by the engineering team to exercise proper rigour. The audit that followed was therefore not wide enough in scope and missed 13 drivers. He described it as 'a disaster.' Later audits then uncovered yet further instances.
xxxi. There had since been changes, including some as a result of the Cognizant Report. There was further senior-level review of technical analysis before it was provided to LOMC. In particular, the Head of Engineering now personally reviewed any root cause analysis. ULL had also accelerated some work that was planned to include ensuring standards were ISO 27001 compliant. 17 changes were introduced. These had been reviewed by KPMG and PA Consulting and suggested that their systems were now at least to a Level 3 standard.
Ms Laurel Powers-Freeling's Evidence
xxxii. She made 2 witness statements and gave live evidence in court.
xxxiii. She rejected the suggestion of concealment or hiding the issue of driver photo fraud.
xxxiv. She confirmed that she had sought improvements to the way information on breaches is presented to the Board. The Board only came to know of the driver photo fraud on 25 March 2019. She accepted it should have been escalated as a regulated breach by then. The issue was a significant safety breach and should, with the benefit of hindsight, have been escalated to the Board back in October. This failure hindered to the ability of the Board to confront the issue. There had been reasons why that did not happen. She suggested that the seriousness was, initially, not fully understood and so ULL did not initially report beyond the PHV105s.
xxxv. She conceded that communication with TfL could have been better and clearer and that information that should have been sent had been missing. The significant safety concern had not been highlighted effectively when it ought to have been. The PHV105 notifications were insufficient. She re-iterated her concessions were with the benefit of hindsight.
xxxvi. She accepted that the May Monthly Update to TfL gave the impression that the problem had been fixed when investigations were ongoing and it was unknown.
xxxvii. She accepted that the fraud raised fundamental risks for passenger safety and was extremely serious. It was something TfL rightly took into account in its considerations. She accepted mistakes had been made in understanding the issue in terms of the cause and the scale. She added they had addressed the issue which transpired to be a vulnerability in the change and release management processes. Cognizant had identified areas of improvement and they had been implemented.
xxxviii. She conceded that the Cognizant Report had accelerated the implementation of improvements but added that systems and processes were the subject of constant review in any event.
xxxix. She stated that a new non-executive Board member had also been appointed after the said report. He had expertise in IT service management and testing and been a Chief Technology Officer with a FTSE 100 company.
xl. She conceded that some changes were reactive to TfL in their role as regulator rather than proactive. She accepted that was relevant to being a 'fit and proper person'.
xli. She accepted that there had been failure in internally escalating the fraud issue to the Board. Importantly she recognised the consequence in that the delay had hindered the ability to confront the Board. She accepted that communication with TfL should have been better, clearer and more comprehensive and safety concerns highlighted more effectively. She agreed that there made been mistakes on ULL's initial understanding of the cause and scale of the driver photo fraud.
Analysis
' TfL considers that this second breach of the criminal law in relation to insurance is significant and provides a strong indicator that ULL is not a fit and proper person to hold a PHV operator's licence. The provision of uninsured PHV services is a matter of the utmost seriousness to TfL: it exposes the public to an unacceptable risk and places their safety in peril.'
Summary of Conclusions
ULL to pay TfL's costs in the sum of £374,770 to be paid by 26 October 2020.
Tanweer Ikram
Deputy Senior District Judge
28 September 2020