A report into the effectiveness of vetting and counter-corruption arrangements in the City of London Police
Contents
Print this document
About us
His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) independently assesses the effectiveness and efficiency of police forces and fire and rescue services, in the public interest. In preparing our reports, we ask the questions the public would ask, and publish the answers in accessible form. We use our expertise to interpret the evidence and make recommendations for improvement.
1. Introduction
Vetting, IT monitoring and counter-corruption: requires improvement
In September 2021, we changed the way we report on how effectively forces manage vetting and counter-corruption.
Previously, we inspected these areas as part of our police effectiveness, efficiency and legitimacy (PEEL) programme and provided our findings in the inspection report.
The new arrangements mean we will inspect each force separately to PEEL, although we will continue to use the same methods and produce a report containing our findings, graded judgments and any areas for improvement or causes of concern. The report will be accessible via a web link from the most recent force PEEL report.
In October 2022, we inspected the City of London Police to examine the effectiveness of the force’s vetting, IT monitoring and counter-corruption arrangements. We briefed senior personnel in the force at the end of the inspection. It should be noted that we didn’t gather evidence during our inspection in relation to the wider culture of the workforce. We didn’t assess the overall leadership of the executive team and senior managers in setting expectations and standards across the organisation.
This report sets out our findings. It includes areas for improvement identified at the time of the inspection, which we recognise the force may have already addressed.
2. How effectively does the force vet its officers and staff?
Vetting authorised professional practice
In 2021, the College of Policing published the authorised professional practice (APP) on vetting. The APP explains the role of vetting in assessing the suitability of people to serve in the police service, as a police officer, special constable or member of staff. It sets out the minimum standards that should be applied for each clearance level. It also lists the minimum vetting checks that should be undertaken on the applicant, their family and associates. The APP has a large section providing guidance on assessing threat and risk in relation to vetting decisions.
The vetting APP applies to the police forces maintained for the police areas of England and Wales as defined in section 1 of the Police Act 1996.
Force vetting IT system
In April 2021, the City of London Police’s force vetting unit (FVU) introduced an IT system to manage vetting. It is shared with British Transport Police. The City of London Police is in the process of transferring data to the new system. However, the FVU still needs to access the vetting records on the older system. This is time-consuming.
Currently, the vetting IT system does not link automatically with the HR IT system. We found no established process for HR and the FVU to exchange information relating to demand. Because of this, the FVU can’t accurately forward plan.
Current vetting of workforce
The force told us that as of October 2022, it had a total of 1,406 police officers, special constables, police staff and police community support officers. The force told us there were 63 people without the correct level of vetting for their role because it had expired. Of these, 61 were management vetting (MV) cases.
Demand and workload
The FVU doesn’t have enough staff to cope with current demand, including vetting renewals or conducting MV for those moving to designated posts.
The force acknowledged that it isn’t currently completing vetting renewals. In September 2022, it decided to prioritise other vetting work.
This included clearances related to the Police Uplift Programme and the force’s responsibility for vetting the call handlers working at the national reporting centre for fraud and cybercrime. This prioritisation was decided by a gold group that the force formed to oversee how the FVU was managing competing demands. The decision resulted in expired vetting renewals not being progressed. The City of London Police told us there were plans to increase staffing levels in the FVU. And by collaborating with another force, it intended to clear all outstanding vetting renewals by 31 March 2023.
The force grants non-police personnel vetting (NPPV) clearance to contractors, volunteers and people who work at organisations that share police premises. The force told us that as of October 2022, there were 264 people with NPPV.
Designated posts
Some police roles have access to more sensitive information and require MV. The extent to which the role requires working with vulnerable people is also a factor for forces to consider when deciding if a role requires MV. The vetting APP states that forces should keep a record of all MV roles on a designated posts list.
The City of London Police maintains a list of designated posts, which it last reviewed in January 2022. However, the FVU isn’t managing its MV procedures effectively. There is no established process to make sure that HR notifies the FVU in advance when people are assigned or promoted to designated posts. This means some people take up posts without MV clearance. The FVU did not have a clear understanding of who occupies all its designated posts.
We reviewed a selection of recent MV cases. In each case the FVU had completed all the required minimum checks.
Transferees
Vetting APP allows forces to accept vetting clearance from another force if it is no more than one year old. But many forces choose to vet officers and staff new to their organisation, even if they are transferring from another force with a current vetting clearance.
The City of London Police has chosen to vet all transferees and those who have left the service and applied to rejoin. The FVU requests a professional standards department (PSD) complaint and conduct history, as well as any counter-corruption unit (CCU) intelligence, from all forces in which the individual has previously served.
Change of circumstances
The force has taken steps to improve the workforce’s awareness that they must report any changes of personal circumstances, for example, marital status, name changes or significant changes to personal finances. This includes an internal professionalism newsletter and training from the CCU engagement officer.
However, when changes are reported to the FVU, no immediate action is taken. Instead, they are considered when vetting is due for renewal, which could take several years.
The FVU complies with the APP requirement to review a person’s vetting status if misconduct proceedings result in reduction in rank, written warning or final written warning.
Vetting decisions
Vetting researchers complete relevant enquiries. They make a recommendation in each case, which a dedicated vetting decision-maker considers.
The FVU sometimes conducts interviews to clarify written responses in vetting applications.
Risk mitigation measures
The force produces a counter-corruption strategic threat assessment (STA). This outlines the current threats it faces. The CCU keeps the FVU up to date on the main threats at a fortnightly meeting.
FVU staff told us they discuss the suitability of some vetting applicants with the CCU. We reviewed three files where the discussion was recorded but we found no record of the cases in the CCU database. Risk mitigation measures, such as monitoring the applicant’s use of the force’s IT systems, would have been appropriate.
Appeals and quality assurance
The force vetting manager handles all appeals. If the applicant has a protected characteristic, the equality and inclusion manager provides advice. Other than appeals, there is currently no process to quality assure vetting decisions.
Disproportionality
The APP states there is a risk that vetting has a disproportionate impact on underrepresented groups. Furthermore, it requires forces to monitor vetting applications, at all levels, against protected characteristics to understand whether there is any disproportionate impact on particular groups. Where disproportionality is identified, forces must take positive steps to address this.
The City of London Police doesn’t monitor or analyse vetting decisions to identify potential disproportionality. For example, it doesn’t compare the proportion of vetting rejections for people who have declared a protected characteristic to those without the protected characteristic. As a result, the force has no way of understanding the reasons for any disproportionality, so it isn’t taking any action to address it.
Vetting file review
We reviewed 31 vetting clearance decisions from the preceding 3 years with a vetting specialist from another force. These files related to police officers and staff who had previously committed criminal offences or those that the force had other concerns about. The files included transferee and recruitment vetting decisions.
We agreed with 24 decisions. In seven cases, we found that the rationale contained insufficient detail to justify granting clearance. We encourage the force to make greater use of the National Decision Model and more explicit reference to risk factors outlined in the vetting APP. We also encourage the force to introduce a quality assurance process to ensure vetting decision-makers record their rationale with sufficient detail.
Areas for improvement
The force should improve its vetting arrangements to ensure that:
- it has a clear understanding of the level of vetting required for all posts and that all personnel have been vetted to a high enough level for the posts they hold;
- it has a clear understanding of the vetting required for all non-police personnel and that all non-police personnel have been vetted to a high enough level for their role;
- the vetting unit has sufficient staff to meet the demand it faces;
- it has a comprehensive process for the workforce to report changes of personal circumstances and when such changes are reported, the vetting unit carries out suitable enquiries;
- when concerning adverse information has been identified during the vetting process, all vetting decisions (refusals, clearances and appeals) are supported with a sufficiently detailed written rationale;
- when granting vetting clearance to applicants with concerning adverse information, the force vetting unit creates and implements effective risk mitigation strategies, with clearly defined responsibilities and robust oversight; and
- it analyses vetting data to identify, understand and respond to any disproportionality.
3. How effectively does the force protect the information and data it holds?
Lawful business and IT monitoring capability
The force can monitor all its IT systems. This includes handheld and mobile devices. The force proactively checks data against devices linked to vulnerable victims and organised crime groups.
We found the forces IT monitoring software isn’t being used to its full potential. Generally, the CCU has sufficient resources to meet current demand. But the force acknowledges it will need more staff if it increases the scope of its IT monitoring.
The IT department doesn’t consult with the PSD or CCU when procuring new IT systems, so they may not include suitable auditing functions or other measures designed to prevent and detect misuse.
For example, one existing IT system had temporarily restricted the force’s ability to monitor some devices. We urge the force to ensure future IT procurements are developed in consultation with the CCU.
IT monitoring policy
The force has a lawful business monitoring policy for monitoring and recording staff communications. It allows the force to proactively monitor and audit all force mobile phones for call data and text messages.
Digital device management
The force can attribute all force devices, including mobile phones and tablets, issued to individuals across the workforce. The IT department is updated when a mobile device is returned and reallocated. The CCU can audit access to any force systems from devices it has issued.
Information security – encrypted apps
The force has a comprehensive social media policy that has been circulated to the workforce. It allows the use of some encrypted apps for specific operations. The force should reassure itself that it fully understands the risks of having encrypted apps on its devices and take steps to mitigate those risks.
4. How well does the force tackle potential corruption?
Intelligence
Sources of corruption-related intelligence
The force has an effective confidential reporting line. Between 1 January 2020 and October 2022, it received 80 reports:
- 16 reports in 2020;
- 19 in 2021; and
- 45 in 2022.
The workforce can also report wrongdoing through a third-party company, but this is rarely used.
We examined 60 corruption intelligence files. We found the confidential reporting line was the force’s most frequent source of intelligence. We also saw intelligence received from other PSDs and the National Crime Agency.
Police corruption categorisation
The force correctly categorises intelligence in line with the counter-corruption APP.
Partnership working to identify potential corruption
The CCU has developed relationships with agencies and organisations that support vulnerable people. It has provided the force’s vulnerable victim co-ordinator with guidance on abuse of position for a sexual purpose (AoPSP). The PSD engagement officer has provided AoPSP guidance to NHS staff, charities and the force liaison officer who support sex workers. A recent article in the newsletter the force circulates to businesses highlighted warning signs of AoPSP.
Identifying corruption threats
Counter-corruption strategic threat assessment
The force has a counter-corruption STA, which is due for renewal in 2023.
It includes the five main corruption risks facing the force and emerging threats. It makes good use of case studies to demonstrate the main threats. But it is not clear how risks and emerging threats were identified. More analysis of the data would be helpful to understand the scale of the risks. It would also make sure that risks are accurately categorised. For example, the force combined several different types of corruption risk, such as computer misuse or notifiable associations, under one generic heading “corruption”. Also, the STA incorrectly categorises sexual misconduct in the workplace as AoPSP.
Counter-corruption control strategy
The force has a counter-corruption control strategy. It clearly sets out the force’s approach to counter the five threats identified in the STA.
Implementation plan
Each of the threats identified has a separate implementation plan. These are structured using the PIEE-framework (prevention, intelligence, enforcement and engagement). A named person is responsible for each plan and addressing the risks it identifies. The head of PSD reviews progress on a quarterly basis.
Managing corruption threats
Intelligence development
We reviewed 60 corruption intelligence case files. In most cases the CCU responded effectively with good supervisory oversight. We found the CCU routinely produces an investigation plan for all counter-corruption investigations. However, we found three cases where the CCU missed some opportunities to fully develop intelligence.
The force used a variety of techniques to develop and investigate corruption-related intelligence. We found two cases of proactive intelligence collection. One resulted from routine checking of eBay. The other was found during monitoring of a force IT system.
Identification of those who pose a corruption risk
The force doesn’t have an established people intelligence meeting. Instead, the CCU collects and reviews information on members of the workforce from a range of departments, including finance and HR. Senior managers consider if action should be taken to reduce the risk of those who pose a potential corruption threat.
At the time of our inspection, the force had identified two people who posed a corruption risk. However, this was based on their conduct and complaint history, rather than formal assessment using a risk matrix.
At the time of our inspection, the force was drafting a policy outlining how it will manage corruption risks. It was due to be published in December 2022. The force was also in the process of establishing a register of people identified as a corruption risk. The CCU will assess the level of risk for each person and develop an action plan to manage them.
Capacity and capability to investigate corruption
The CCU is a small team comprising experienced detectives. The CCU develops intelligence and passes cases to PSD if a misconduct investigation is necessary. Due to the size of the team, there is limited opportunity for the CCU to gather corruption-related intelligence proactively.
Specialist resources
It has been several years since the City of London Police has used specialist covert tactics for corruption investigations. We were told that, if necessary, it would access covert resources through the CCU tasking and co-ordination process. The CCU can also request specialist resources from other forces.
Policies designed to prevent corruption
Clear and concise corruption prevention policies help to guard against corrupt activity, but can’t guarantee to prevent corruption, or in themselves stop corrupt practice. They provide guidance on how police officers and staff should behave. They should clearly state what is expected of members of the workforce and what actions they should take to protect themselves and the organisation from corruption.
The counter-corruption (prevention) APP sets out what policies forces should have and gives guidance on their content. Our inspectors examine their policies in these areas:
- Notifiable associations: policies should cover how the force should manage the risks related to officers and staff who may associate with, for example, criminals, private investigators, or members of extremist groups. They should require the disclosure by officers and staff of such associations.
- Business interests: policies should state when the force should allow or deny officers and staff the opportunity to hold other jobs. They should explain how the force will manage the risks that arise when officers and staff are allowed to hold them.
- Gifts and hospitality: policies should cover the circumstances in which police officers and staff should accept or reject offers of gifts and/or hospitality.
The City of London Police’s policies are comprehensive and reflect APP guidance. Members of the workforce report notifiable associations, business interests and gifts and hospitality through an online form that the PSD retains in a register. PSD oversees these registers, but we found potential shortcomings in each of them.
For example, line managers aren’t informed when a member of the workforce reports a notifiable association. This means the force is missing an opportunity to reduce the potential corruption risk.
The business interest policy doesn’t cover all activities that normally constitute paid or unpaid secondary employment. For example, the force doesn’t consider volunteer work as a business interest unless the activity potentially “conflicts with the force values or standards”. In addition, we found business interest reviews aren’t being completed in a timely manner. The force can’t confirm how many of these reviews remain outstanding.
We found several entries in the gifts and hospitality register where the authorisation decision had not been recorded. We found no evidence of senior management oversight of gifts and hospitality. This presents a risk to the force.
Sexual misconduct
The force recognises AoPSP as serious corruption. The College of Policing training on AoPSP is mandatory for the entire workforce. The PSD engagement officer provides additional training to new recruits and supervisors.
During our file review, we found one case identified as AoPSP and this was referred to the Independent Office for Police Conduct. The suspect was a member of police staff. It is force policy that HR carries out misconduct investigations for police staff. However, AoPSP cases should be investigated by a suitably experienced CCU detective. They can monitor IT systems, which may identify wider serious corruption. We urge the force to review its approach.
Areas for improvement
The force should improve how it collects, assesses, develops, and investigates counter-corruption intelligence by ensuring that:
- it carries out proactive intelligence collection and accurately assesses all corruption-related intelligence; and
- it has current policies relating to notifiable associations, business interests and gifts/hospitality and implements them effectively to identify and manage corruption threats.